Supports MCP service configuration protocol and SNI, along with various other fixes. (alibaba#1369)

Author: johnlanni

Diff for: api/kubernetes/customresourcedefinitions.gen.yaml

@@ -284,6 +284,10 @@ spec:
                       type: string
                     port:
                       type: integer
+                    protocol:
+                      type: string
+                    sni:
+                      type: string
                     type:
                       type: string
                     zkServicesPath:

Diff for: api/networking/v1/mcp_bridge.pb.go

@@ -64,4 +64,6 @@ message RegistryConfig {
   string consulServiceTag = 15;
   int64  consulRefreshInterval = 16;
   string authSecretName = 17;
+  string protocol = 18;
+  string sni = 19;
 }

Diff for: api/networking/v1/mcp_bridge.proto

@@ -284,6 +284,10 @@ spec:
                       type: string
                     port:
                       type: integer
+                    protocol:
+                      type: string
+                    sni:
+                      type: string
                     type:
                       type: string
                     zkServicesPath:
@@ -302,3 +306,4 @@ spec:
     subresources:
       status: {}
 
+---

Diff for: envoy/envoy

@@ -180,7 +180,7 @@ template:
         {{- end }}
         - name: config
           mountPath: /etc/istio/config
-        - name: istio-ca-root-cert
+        - name: higress-ca-root-cert
           mountPath: /var/run/secrets/istio
         - name: istio-data
           mountPath: /var/lib/istio/data
@@ -266,7 +266,7 @@ template:
               expirationSeconds: 43200
               path: istio-token
     {{- end }}
-    - name: istio-ca-root-cert
+    - name: higress-ca-root-cert
       configMap:
     {{- if .Values.global.enableHigressIstio }}
         name: istio-ca-root-cert

Diff for: helm/core/crds/customresourcedefinitions.gen.yaml

@@ -21,7 +21,10 @@ type Protocol string
 const (
 	TCP         Protocol = "TCP"
 	HTTP        Protocol = "HTTP"
+	HTTP2       Protocol = "HTTP2"
+	HTTPS       Protocol = "HTTPS"
 	GRPC        Protocol = "GRPC"
+	GRPCS       Protocol = "GRPCS"
 	Dubbo       Protocol = "Dubbo"
 	Unsupported Protocol = "UnsupportedProtocol"
 )
@@ -32,8 +35,14 @@ func ParseProtocol(s string) Protocol {
 		return TCP
 	case "http":
 		return HTTP
+	case "https":
+		return HTTPS
+	case "http2":
+		return HTTP2
 	case "grpc", "triple", "tri":
 		return GRPC
+	case "grpcs":
+		return GRPCS
 	case "dubbo":
 		return Dubbo
 	}
@@ -51,7 +60,7 @@ func (p Protocol) IsTCP() bool {
 
 func (p Protocol) IsHTTP() bool {
 	switch p {
-	case HTTP, GRPC:
+	case HTTP, GRPC, GRPCS, HTTP2, HTTPS:
 		return true
 	default:
 		return false
@@ -60,7 +69,16 @@ func (p Protocol) IsHTTP() bool {
 
 func (p Protocol) IsGRPC() bool {
 	switch p {
-	case GRPC:
+	case GRPC, GRPCS:
+		return true
+	default:
+		return false
+	}
+}
+
+func (i Protocol) IsHTTPS() bool {
+	switch i {
+	case HTTPS, GRPCS:
 		return true
 	default:
 		return false

Diff for: helm/core/templates/_pod.tpl

@@ -23,3 +23,7 @@ const KnativeIngressCRDName = "ingresses.networking.internal.knative.dev"
 const KnativeServicesCRDName = "services.serving.knative.dev"
 
 const ManagedGatewayController = "higress.io/gateway-controller"
+
+const RegistryTypeLabelKey = "higress-registry-type"
+
+const RegistryNameLabelKey = "higress-registry-name"

Diff for: istio/istio

@@ -53,6 +53,7 @@ import (
 	extlisterv1 "github.com/alibaba/higress/client/pkg/listers/extensions/v1alpha1"
 	netlisterv1 "github.com/alibaba/higress/client/pkg/listers/networking/v1"
 	"github.com/alibaba/higress/pkg/cert"
+	higressconst "github.com/alibaba/higress/pkg/config/constants"
 	"github.com/alibaba/higress/pkg/ingress/kube/annotations"
 	"github.com/alibaba/higress/pkg/ingress/kube/common"
 	"github.com/alibaba/higress/pkg/ingress/kube/configmap"
@@ -628,8 +629,8 @@ func (m *IngressConfig) convertServiceEntry([]common.WrapperConfig) []config.Con
 	if m.RegistryReconciler == nil {
 		return nil
 	}
-	serviceEntries := m.RegistryReconciler.GetAllServiceEntryWrapper()
-	IngressLog.Infof("Found http2rpc serviceEntries %s", serviceEntries)
+	serviceEntries := m.RegistryReconciler.GetAllServiceWrapper()
+	IngressLog.Infof("Found mcp serviceEntries %v", serviceEntries)
 	out := make([]config.Config, 0, len(serviceEntries))
 	for _, se := range serviceEntries {
 		out = append(out, config.Config{
@@ -638,6 +639,10 @@ func (m *IngressConfig) convertServiceEntry([]common.WrapperConfig) []config.Con
 				Name:              se.ServiceEntry.Hosts[0],
 				Namespace:         "mcp",
 				CreationTimestamp: se.GetCreateTime(),
+				Labels: map[string]string{
+					higressconst.RegistryTypeLabelKey: se.RegistryType,
+					higressconst.RegistryNameLabelKey: se.RegistryName,
+				},
 			},
 			Spec: se.ServiceEntry,
 		})
@@ -703,6 +708,32 @@ func (m *IngressConfig) convertDestinationRule(configs []common.WrapperConfig) [
 		destinationRules[serviceName] = dr
 	}
 
+	if m.RegistryReconciler != nil {
+		drws := m.RegistryReconciler.GetAllDestinationRuleWrapper()
+		IngressLog.Infof("Found mcp destinationRules: %v", drws)
+		for _, destinationRuleWrapper := range drws {
+			serviceName := destinationRuleWrapper.ServiceKey.ServiceFQDN
+			dr, exist := destinationRules[serviceName]
+			if !exist {
+				destinationRules[serviceName] = destinationRuleWrapper
+			} else if dr.DestinationRule.TrafficPolicy != nil {
+				portTrafficPolicy := destinationRuleWrapper.DestinationRule.TrafficPolicy.PortLevelSettings[0]
+				portUpdated := false
+				for _, portTrafficPolicy := range dr.DestinationRule.TrafficPolicy.PortLevelSettings {
+					if portTrafficPolicy.Port.Number == portTrafficPolicy.Port.Number {
+						portTrafficPolicy.Tls = portTrafficPolicy.Tls
+						portUpdated = true
+						break
+					}
+				}
+				if portUpdated {
+					continue
+				}
+				dr.DestinationRule.TrafficPolicy.PortLevelSettings = append(dr.DestinationRule.TrafficPolicy.PortLevelSettings, portTrafficPolicy)
+			}
+		}
+	}
+
 	out := make([]config.Config, 0, len(destinationRules))
 	for _, dr := range destinationRules {
 		sort.SliceStable(dr.DestinationRule.TrafficPolicy.PortLevelSettings, func(i, j int) bool {
@@ -727,6 +758,7 @@ func (m *IngressConfig) convertDestinationRule(configs []common.WrapperConfig) [
 			Spec: dr.DestinationRule,
 		})
 	}
+
 	return out
 }
 
@@ -1034,16 +1066,27 @@ func (m *IngressConfig) AddOrUpdateMcpBridge(clusterNamespacedName util.ClusterN
 	}
 	if m.RegistryReconciler == nil {
 		m.RegistryReconciler = reconcile.NewReconciler(func() {
-			metadata := config.Meta{
+			seMetadata := config.Meta{
 				Name:             "mcpbridge-serviceentry",
 				Namespace:        m.namespace,
 				GroupVersionKind: gvk.ServiceEntry,
 				// Set this label so that we do not compare configs and just push.
 				Labels: map[string]string{constants.AlwaysPushLabel: "true"},
 			}
+			drMetadata := config.Meta{
+				Name:             "mcpbridge-destinationrule",
+				Namespace:        m.namespace,
+				GroupVersionKind: gvk.DestinationRule,
+				// Set this label so that we do not compare configs and just push.
+				Labels: map[string]string{constants.AlwaysPushLabel: "true"},
+			}
 			for _, f := range m.serviceEntryHandlers {
 				IngressLog.Debug("McpBridge triggerd serviceEntry update")
-				f(config.Config{Meta: metadata}, config.Config{Meta: metadata}, istiomodel.EventUpdate)
+				f(config.Config{Meta: seMetadata}, config.Config{Meta: seMetadata}, istiomodel.EventUpdate)
+			}
+			for _, f := range m.destinationRuleHandlers {
+				IngressLog.Debug("McpBridge triggerd destinationRule update")
+				f(config.Config{Meta: drMetadata}, config.Config{Meta: drMetadata}, istiomodel.EventUpdate)
 			}
 		}, m.localKubeClient, m.namespace)
 	}
@@ -1489,7 +1532,7 @@ func constructBasicAuthEnvoyFilter(rules *common.BasicAuthRules, namespace strin
 	}, nil
 }
 
-func QueryByName(serviceEntries []*memory.ServiceEntryWrapper, serviceName string) (*memory.ServiceEntryWrapper, error) {
+func QueryByName(serviceEntries []*memory.ServiceWrapper, serviceName string) (*memory.ServiceWrapper, error) {
 	IngressLog.Infof("Found http2rpc serviceEntries %s", serviceEntries)
 	for _, se := range serviceEntries {
 		if se.ServiceName == serviceName {
@@ -1499,7 +1542,7 @@ func QueryByName(serviceEntries []*memory.ServiceEntryWrapper, serviceName strin
 	return nil, fmt.Errorf("can't find ServiceEntry by serviceName:%v", serviceName)
 }
 
-func QueryRpcServiceVersion(serviceEntry *memory.ServiceEntryWrapper, serviceName string) (string, error) {
+func QueryRpcServiceVersion(serviceEntry *memory.ServiceWrapper, serviceName string) (string, error) {
 	IngressLog.Infof("Found http2rpc serviceEntry %s", serviceEntry)
 	IngressLog.Infof("Found http2rpc ServiceEntry %s", serviceEntry.ServiceEntry)
 	IngressLog.Infof("Found http2rpc WorkloadSelector %s", serviceEntry.ServiceEntry.WorkloadSelector)

Diff for: pkg/common/protocol.go

@@ -52,6 +52,15 @@ type WrapperGateway struct {
 	Host          string
 }
 
+func CreateMcpServiceKey(host string, portNumber int32) ServiceKey {
+	return ServiceKey{
+		Namespace:   "mcp",
+		Name:        host,
+		ServiceFQDN: host,
+		Port:        portNumber,
+	}
+}
+
 func (w *WrapperGateway) IsHTTPS() bool {
 	if w.Gateway == nil || len(w.Gateway.Servers) == 0 {
 		return false

Diff for: pkg/config/constants/constants.go

@@ -920,12 +920,7 @@ func (c *controller) storeBackendTrafficPolicy(wrapper *common.WrapperConfig, ba
 	if common.ValidateBackendResource(backend.Resource) && wrapper.AnnotationsConfig.Destination != nil {
 		for _, dest := range wrapper.AnnotationsConfig.Destination.McpDestination {
 			portNumber := dest.Destination.GetPort().GetNumber()
-			serviceKey := common.ServiceKey{
-				Namespace:   "mcp",
-				Name:        dest.Destination.Host,
-				Port:        int32(portNumber),
-				ServiceFQDN: dest.Destination.Host,
-			}
+			serviceKey := common.CreateMcpServiceKey(dest.Destination.Host, int32(portNumber))
 			if _, exist := store[serviceKey]; !exist {
 				if serviceKey.Port != 0 {
 					store[serviceKey] = &common.WrapperTrafficPolicy{

Diff for: pkg/ingress/config/ingress_config.go

@@ -900,12 +900,7 @@ func (c *controller) storeBackendTrafficPolicy(wrapper *common.WrapperConfig, ba
 	if common.ValidateBackendResource(backend.Resource) && wrapper.AnnotationsConfig.Destination != nil {
 		for _, dest := range wrapper.AnnotationsConfig.Destination.McpDestination {
 			portNumber := dest.Destination.GetPort().GetNumber()
-			serviceKey := common.ServiceKey{
-				Namespace:   "mcp",
-				Name:        dest.Destination.Host,
-				Port:        int32(portNumber),
-				ServiceFQDN: dest.Destination.Host,
-			}
+			serviceKey := common.CreateMcpServiceKey(dest.Destination.Host, int32(portNumber))
 			if _, exist := store[serviceKey]; !exist {
 				if serviceKey.Port != 0 {
 					store[serviceKey] = &common.WrapperTrafficPolicy{

Diff for: pkg/ingress/kube/common/controller.go

@@ -64,7 +64,7 @@ func (c ServiceEntryGenerator) Generate(proxy *model.Proxy, w *model.WatchedReso
 			return serviceEntries[i].CreationTimestamp.Before(serviceEntries[j].CreationTimestamp)
 		})
 	}
-	return generate(proxy, serviceEntries, w, updates, false, false)
+	return generate(proxy, serviceEntries, w, updates, c.GeneratorOptions.KeepConfigLabels, c.GeneratorOptions.KeepConfigAnnotations)
 }
 
 func (c ServiceEntryGenerator) GenerateDeltas(proxy *model.Proxy, updates *model.PushRequest,
@@ -82,7 +82,7 @@ type VirtualServiceGenerator struct {
 func (c VirtualServiceGenerator) Generate(proxy *model.Proxy, w *model.WatchedResource,
 	updates *model.PushRequest) (model.Resources, model.XdsLogDetails, error) {
 	virtualServices := c.Environment.List(gvk.VirtualService, model.NamespaceAll)
-	return generate(proxy, virtualServices, w, updates, false, false)
+	return generate(proxy, virtualServices, w, updates, c.GeneratorOptions.KeepConfigLabels, c.GeneratorOptions.KeepConfigAnnotations)
 }
 
 func (c VirtualServiceGenerator) GenerateDeltas(proxy *model.Proxy, updates *model.PushRequest,
@@ -100,7 +100,7 @@ type DestinationRuleGenerator struct {
 func (c DestinationRuleGenerator) Generate(proxy *model.Proxy, w *model.WatchedResource,
 	updates *model.PushRequest) (model.Resources, model.XdsLogDetails, error) {
 	rules := c.Environment.List(gvk.DestinationRule, model.NamespaceAll)
-	return generate(proxy, rules, w, updates, false, false)
+	return generate(proxy, rules, w, updates, c.GeneratorOptions.KeepConfigLabels, c.GeneratorOptions.KeepConfigAnnotations)
 }
 
 func (c DestinationRuleGenerator) GenerateDeltas(proxy *model.Proxy, updates *model.PushRequest,
@@ -118,7 +118,7 @@ type EnvoyFilterGenerator struct {
 func (c EnvoyFilterGenerator) Generate(proxy *model.Proxy, w *model.WatchedResource,
 	updates *model.PushRequest) (model.Resources, model.XdsLogDetails, error) {
 	filters := c.Environment.List(gvk.EnvoyFilter, model.NamespaceAll)
-	return generate(proxy, filters, w, updates, false, false)
+	return generate(proxy, filters, w, updates, c.GeneratorOptions.KeepConfigLabels, c.GeneratorOptions.KeepConfigAnnotations)
 }
 
 func (c EnvoyFilterGenerator) GenerateDeltas(proxy *model.Proxy, updates *model.PushRequest,
@@ -154,7 +154,7 @@ type WasmPluginGenerator struct {
 func (c WasmPluginGenerator) Generate(proxy *model.Proxy, w *model.WatchedResource,
 	updates *model.PushRequest) (model.Resources, model.XdsLogDetails, error) {
 	wasmPlugins := c.Environment.List(gvk.WasmPlugin, model.NamespaceAll)
-	return generate(proxy, wasmPlugins, w, updates, false, false)
+	return generate(proxy, wasmPlugins, w, updates, c.GeneratorOptions.KeepConfigLabels, c.GeneratorOptions.KeepConfigAnnotations)
 }
 
 func (c WasmPluginGenerator) GenerateDeltas(proxy *model.Proxy, push *model.PushContext, updates *model.PushRequest,