Skip to content

feat(outbound): Use the policy API for opaq routing #3306

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 21 commits into from
Nov 7, 2024
Merged

feat(outbound): Use the policy API for opaq routing #3306

merged 21 commits into from
Nov 7, 2024

Conversation

@zaharidichev
Copy link
Member

@zaharidichev zaharidichev commented Oct 29, 2024

This work (based on the early sketch seen here) changes the opaq routing stack to use not only profiles routing but to consider client policy responses as well. The way this is done is that we use the opaq:Routes type to express the routing information our stack contains. This type is geared towards the client-policy API. Whenever we need to use the profiles response, we simply translate its contents to a client-policy one.

Notable changes in this PR are:

  • we introduce an OpaqSidecar type that holds opaq::Routes objects which are routes that have been constructed from either profiles or policy response
  • during the construction of the OpaqSidecar we consider profiles responses only if there are extra targets in the response (in order to support TrafficSplit functionality). In any other case we prefer the policy response.

Signed-off-by: Zahari Dichev [email protected]

@zaharidichev zaharidichev mentioned this pull request Oct 29, 2024
Closed
olix0r
olix0r reviewed Oct 30, 2024
View reviewed changes
@zaharidichev
remove opaq:LogicalAddr (#3309)
b58c169 
Signed-off-by: Zahari Dichev <[email protected]>
@zaharidichev
use ServerAddr in place of Addr
00bf497 
Signed-off-by: Zahari Dichev <[email protected]>
@zaharidichev
nits
7831eac 
Signed-off-by: Zahari Dichev <[email protected]>
@olix0r olix0r self-assigned this Nov 4, 2024
olix0r
olix0r reviewed Nov 4, 2024
View reviewed changes
olix0r
olix0r reviewed Nov 4, 2024
View reviewed changes
olix0r
olix0r reviewed Nov 5, 2024
View reviewed changes
olix0r
olix0r reviewed Nov 5, 2024
View reviewed changes
olix0r and others added 2 commits November 5, 2024 09:34
@olix0r
feat(client-policy): only allow one opaq route (#3320)
a481143 
Because the opaq route mocks its selection logic, the first route returned by
the API will always be used. This means that all subsequent routes are
incoherent and cannot be selected.

There's no value in preserving incoherent states in the proxy, so it's
preferable to initially require that the control plane only returns one opaq
route.

This change removes some of the unused matching types and simplifies the opaq
router to only handle one route.
@zaharidichev
simplify logical
29f43b9 
Signed-off-by: Zahari Dichev <[email protected]>
@zaharidichev zaharidichev mentioned this pull request Nov 5, 2024
Merged
@zaharidichev zaharidichev changed the title policy: refactor opaq stack to use use client-policy policy: refactor opaq stack to use client-policy Nov 5, 2024
@olix0r olix0r marked this pull request as ready for review November 6, 2024 16:45
@olix0r olix0r requested a review from a team as a code owner November 6, 2024 16:45
olix0r
olix0r reviewed Nov 7, 2024
View reviewed changes
olix0r
olix0r approved these changes Nov 7, 2024
View reviewed changes
@olix0r olix0r changed the title policy: refactor opaq stack to use client-policy feat(outbound): Use the policy API for opaq routing Nov 7, 2024
olix0r added 2 commits November 7, 2024 19:44
@olix0r
chore(outbound): set "serviceprofile" route metadata
9a6a2d5 
When synthesizing outbound routes from a service profile, we need to set the
route metadata. We currently use the parent reference.

This change updates these route reference to use a 'serviceprofile' default
route to indicate that it is synthesized. In a followup change, we should
correct this to prefer serviceprofile metadata returned via the API.
@olix0r
feat(outbound): Use the policy API for opaq routing
02f2739 
The OutboundPolicy API is able to express configuration for opaq routing, but
the proxy only currently uses the ServiceProfile to configure routing. To
support configuring routing via the Gateway API's TCPRoute, we need to begin
using the OutboundPolicy API to configure opaq routing without breaking
existing configurations that use profiles.

With this change, the outbound proxy is updated so that route configurations are
required for the proxy to handle outbound opaq traffic. Route configurations may
be provided by:

* The Profile API, when it returns an Endpoint, so that the proxy synthesizes a
  route configuration that forwards traffic to the endpoint.
* The Profile API, when it returns a traffic split configuration, so that the
  proxy synthesizes a route configuration that forwards traffic over backend
  services.
* The OutboundPolicy API when it returns opaq routes.

When no routes are returned by the API, the proxy fails to route the
connections.

Follow up changes will enhance this functionality with metrics and improved
metadata.
@olix0r olix0r enabled auto-merge (squash) November 7, 2024 19:48
@olix0r olix0r merged commit 7eadac4 into main Nov 7, 2024
17 checks passed
@olix0r olix0r deleted the zd/opaq-client-policy-refactor branch November 7, 2024 19:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@olix0r olix0r olix0r approved these changes

Assignees

@olix0r olix0r

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@zaharidichev @olix0r