Proto commits in istio/ztunnel

These 46 commits are when the Protocol Buffers files have changed:

Commit:44605a6
Author:Istio Automation
Committer:GitHub

[release-1.30] add support for cidrs in ztunnel (#1848) * add CIDR support Signed-off-by: Ian Rudie <ian.rudie@solo.io> * fix up tests Signed-off-by: Ian Rudie <ian.rudie@solo.io> * make gen Signed-off-by: Ian Rudie <ian.rudie@solo.io> * improved testing for IPv6 and DS Signed-off-by: Ian Rudie <ian.rudie@solo.io> * benchmark vip matching Signed-off-by: Ian Rudie <ian.rudie@solo.io> * namespace-local services with less specific CIDR should be preferred over a more-specific CIDR from another namespace Signed-off-by: Ian Rudie <ian.rudie@solo.io> * replace complex inlined type with RankedMatch Signed-off-by: Ian Rudie <ian.rudie@solo.io> * in case you have conservative package managers (but, just use containers instead pls) Signed-off-by: Ian Rudie <ian.rudie@solo.io> --------- Signed-off-by: Ian Rudie <ian.rudie@solo.io> Co-authored-by: Ian Rudie <ian.rudie@solo.io>

The documentation is generated from this commit.

Commit:f617a40
Author:Ian Rudie
Committer:GitHub

add support for cidrs in ztunnel (#1839) * add CIDR support Signed-off-by: Ian Rudie <ian.rudie@solo.io> * fix up tests Signed-off-by: Ian Rudie <ian.rudie@solo.io> * make gen Signed-off-by: Ian Rudie <ian.rudie@solo.io> * improved testing for IPv6 and DS Signed-off-by: Ian Rudie <ian.rudie@solo.io> * benchmark vip matching Signed-off-by: Ian Rudie <ian.rudie@solo.io> * namespace-local services with less specific CIDR should be preferred over a more-specific CIDR from another namespace Signed-off-by: Ian Rudie <ian.rudie@solo.io> * replace complex inlined type with RankedMatch Signed-off-by: Ian Rudie <ian.rudie@solo.io> * in case you have conservative package managers (but, just use containers instead pls) Signed-off-by: Ian Rudie <ian.rudie@solo.io> --------- Signed-off-by: Ian Rudie <ian.rudie@solo.io>

The documentation is generated from this commit.

Commit:78788e7
Author:Ian Rudie
Committer:GitHub

add extensions to wds authorization (#1827) * add extensions to wds authorization Signed-off-by: Ian Rudie <ian.rudie@solo.io> * updates for test initialization with new fields Signed-off-by: Ian Rudie <ian.rudie@solo.io> --------- Signed-off-by: Ian Rudie <ian.rudie@solo.io>

Commit:c409465
Author:zirain
Committer:GitHub

Experimental windows ambient rebase master branch (#1816) * remove git tag (#1559) * update how io errors are being generated to fix clippy issues (#1564) Signed-off-by: ilrudie <ian.rudie@solo.io> * Automator: update common-files@master in istio/ztunnel@master (#1563) * Automator: update common-files@master in istio/ztunnel@master (#1568) * Allow dynamic configuration of thread count (#1566) * Allow dynamic configuration of thread count * fix flakes * don't send to empty address (#1570) * don't send to empty address * add test * Automator: update common-files@master in istio/ztunnel@master (#1571) * Automator: update common-files@master in istio/ztunnel@master (#1572) * remove invalid test cases from parsing of ZTUNNEL_WORKER_THREADS (#1576) Signed-off-by: Ian Rudie <ian.rudie@solo.io> * Automator: update common-files@master in istio/ztunnel@master (#1577) * Automator: update common-files@master in istio/ztunnel@master (#1578) * tls: add PQC compliance policy (#1561) * tls: add PQC compliance policy Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> * Add global lazy variable PQC_ENABLED Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> * Add unused_imports and dead_code to PQC_ENABLED declaration Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> --------- Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> * Automator: update common-files@master in istio/ztunnel@master (#1582) * Improved Service Resolution (#1562) * initial idea for improved resolution Signed-off-by: ilrudie <ian.rudie@solo.io> * handle preferred service namespace; unit testing Signed-off-by: Ian Rudie <ian.rudie@solo.io> --------- Signed-off-by: ilrudie <ian.rudie@solo.io> Signed-off-by: Ian Rudie <ian.rudie@solo.io> * Automator: update common-files@master in istio/ztunnel@master (#1583) * Multinetwork/Support remote networks for services with waypoints (#1565) * Multinetwork/Support remote networks for services with waypoints Currently `build_request` when it sees a service with a waypoint resolves the waypoint backend and routes request there using regular HBONE. In multi network scenario though the waypoint may have workload on a remote network and to reach it we have to go through E/W gateway and use double HBONE. This change enables handling of services with waypoint on a remote network. Some of the assumptions that were used when I prepared this change: 1. We assume uniformity of configuration (e.g., if service X in local cluster has a waypoint, then service X in remote network also has a waypoint, if waypoint is service addressable, then it's using service to address waypoint both locally and on remote network) 2 Split-horizon representation of waypoint workloads, just like with any regular workloads and services (e.g., in the local cluster instead of an actual waypoint workload pointing to a pod on another network we will have a "proxy" representation that just has network gateway). Both of those can be in hanled by the controlplane (e.g., controlplane can generate split-horizon workloads and when configuration is non-uniform, just filter out remote configs for remote networks), though we don't yet have a complete implementation. Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com> * Return an error instead of panicking Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com> * Update comments in src/proxy/outbound.rs Co-authored-by: Ian Rudie <ilrudie@gmail.com> * Update comments in src/proxy/outbound.rs Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com> * Add a debug assert to provide a bit more context to the error in tests Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com> * Fix formatting Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com> * Added a few debug logs to be able to trace when a workload on a remote network is picked Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com> --------- Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com> Co-authored-by: Ian Rudie <ilrudie@gmail.com> * increasing limit for open files (#1586) * increasing limit for open files * suggestion from PR * adding comment * Update src/main.rs Co-authored-by: Daniel Hawton <daniel@hawton.org> --------- Co-authored-by: Daniel Hawton <daniel@hawton.org> * Buffer inner h2 streams (#1580) * Buffer h2 streams * Tests * naming * Review simplify code * Automator: update common-files@master in istio/ztunnel@master (#1589) * Automator: update common-files@master in istio/ztunnel@master (#1595) * Automator: update common-files@master in istio/ztunnel@master (#1596) * Automator: update common-files@master in istio/ztunnel@master (#1597) * Automator: update common-files@master in istio/ztunnel@master (#1598) * adopt rcgen 14 (#1599) * adopt rcgen 14 Signed-off-by: Ian Rudie <ian.rudie@solo.io> * fmt Signed-off-by: Ian Rudie <ian.rudie@solo.io> * fmt fuzz Signed-off-by: Ian Rudie <ian.rudie@solo.io> --------- Signed-off-by: Ian Rudie <ian.rudie@solo.io> * respect IPV6 setting for DNS server (#1601) * Automator: update common-files@master in istio/ztunnel@master (#1604) * chore - clippy cleanup (#1610) * fix build.rs Signed-off-by: Ian Rudie <ian.rudie@solo.io> * clippy Signed-off-by: Ian Rudie <ian.rudie@solo.io> * remove swap Signed-off-by: Ian Rudie <ian.rudie@solo.io> --------- Signed-off-by: Ian Rudie <ian.rudie@solo.io> * Automator: update common-files@master in istio/ztunnel@master (#1607) * Update rust version and dependencies (#1614) * Update rust version and dependencies * fix mismatch * drop criterion ver * bump * Automator: update common-files@master in istio/ztunnel@master (#1615) * Automator: update common-files@master in istio/ztunnel@master (#1618) * fix: upgrade pprof to version 0.15.0 to fix GHSA-2gh3-rmm4-6rq5/CVE-2025-53605. Creator of upstream patch to fix CVE issue: https://github.com/tikv/pprof-rs/commit/3d4e69631bb2103061b602da1146d0d8c3794e6c (#1606) Signed-off-by: Kyle Steere <kyle.steere@chainguard.dev> * Automator: update common-files@master in istio/ztunnel@master (#1619) * Automator: update common-files@master in istio/ztunnel@master (#1621) * Update ztunnel profiling doc (#1620) * Update ztunnel profiling doc * reset the numbers to 1 since markdown auto-renders them in order * Automator: update common-files@master in istio/ztunnel@master (#1622) * Add open file metrics (#1626) * Add open file metrics * Lint * use /dev/fd and subtract one from fd count * import ordering * Automator: update common-files@master in istio/ztunnel@master (#1628) * initial impl for passthrough services (#1627) * initial impl for passthrough services Signed-off-by: Ian Rudie <ian.rudie@solo.io> * make gen Signed-off-by: Ian Rudie <ian.rudie@solo.io> * tests Signed-off-by: Ian Rudie <ian.rudie@solo.io> --------- Signed-off-by: Ian Rudie <ian.rudie@solo.io> * Automator: update common-files@master in istio/ztunnel@master (#1635) * retain valid certs on fetch failures (#1567) * retain valid certs on fetch failures * better unit tests. - fetches now records failed attempts as well. - validate that valid certificate are retained across fetch attempts despite ca failures * minor tweaks as per review comments. * Automator: update common-files@master in istio/ztunnel@master (#1638) * Automator: update common-files@master in istio/ztunnel@master (#1639) * Automator: update common-files@master in istio/ztunnel@master (#1640) * admin: allow symbols in jemalloc pprof (#1636) Otherwise its pretty useless. Manually tested this makes heap profiles work * Set timeouts and keepalive (#1641) * set timeouts * Listener takes socket config * Make certificate DER fields public (#1646) * logs: disable spammy DNS logs (#1649) These logs are crazy, like 5 lines per DNS query. We turned them off but an update changed the log target. Not sure what backports we need * Automator: update common-files@master in istio/ztunnel@master (#1653) * Automator: update common-files@master in istio/ztunnel@master (#1654) * Automator: update common-files@master in istio/ztunnel@master (#1655) * fix small typo (#1647) Signed-off-by: Ian Rudie <ian.rudie@solo.io> * Bumps deps (#1623) * Bumps deps * fixup * fix * fmt * rfmt * fmt and 1.90 * their way * Automator: update common-files@master in istio/ztunnel@master (#1661) * Automator: update common-files@master in istio/ztunnel@master (#1670) * Bump cargo deps (#1669) * removing CNAME record answer for wildcards (#1664) * removing CNAME record answer for wildcards * removing unnused trace * fixing unit test * removing unused fild/type * make gen * metrics: fix accept header negotiation (#1681) Basically `get_all` does NOT unconditionally split a header that has been sent on 1 line by the client. This breaks kube-prometheus-stack * Automator: update common-files@master in istio/ztunnel@master (#1685) * Set socket options outside trace! (#1689) * Automator: update common-files@master in istio/ztunnel@master (#1696) * Set keepalives on outbound connections (#1688) * Set keepalives on outbound connections * mut * Update tonic/prost crates to 0.14.x (#1687) The only relevant breaking change is that `prost::Message` is no longer a supertrait of `fmt::Debug`, so that bound is added in the few places that need it. * Automator: update common-files@master in istio/ztunnel@master (#1700) * Fix clippy lint errors (#1701) * Fix clippy lint errors Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Ordering Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> --------- Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Automator: update common-files@master in istio/ztunnel@master (#1702) * Automator: update common-files@master in istio/ztunnel@master (#1705) * provide test to verify socket options set (#1690) * metrics: fix dns histogram (#1706) * canonical wds service (#1704) * initial impl Signed-off-by: Ian Rudie <ian.rudie@solo.io> * improvements to the impl Signed-off-by: Ian Rudie <ian.rudie@solo.io> * implement preferred service namespace handling Signed-off-by: Ian Rudie <ian.rudie@solo.io> * lints Signed-off-by: Ian Rudie <ian.rudie@solo.io> * unit for canonical service Signed-off-by: Ian Rudie <ian.rudie@solo.io> * cleanup old commented reference code Signed-off-by: Ian Rudie <ian.rudie@solo.io> * comment about canonical's purpose Signed-off-by: Ian Rudie <ian.rudie@solo.io> * add issue link for deprecation of preferred_service_namespace Signed-off-by: Ian Rudie <ian.rudie@solo.io> * unit to assert that namespace-local Service definitions are preferred over canonical Signed-off-by: Ian Rudie <ian.rudie@solo.io> --------- Signed-off-by: Ian Rudie <ian.rudie@solo.io> * dry run auth (#1659) * dry run auth * lint * Expose client config builder for workload TLS (#1710) Add WorkloadCertificate::client_config to build a rustls ClientConfig using the existing verifier and root store, so callers can customize SNI/ALPN without duplicating TLS config construction. Existing outbound behavior remains unchanged. * feat: implement crl support in ztunnel (#1660) * feat: implements ca-crl support in zTunnel Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> * chore: drains connection only for revoked cert Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> * feat: revokes affected inbound connections only Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> * chore: refactors crl watcher Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> * chore: rejects new connections only Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> * chore: clr validation only at the HBONE layer Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> * chore: use rustls-webpki for CRL validation Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> * chore: validates CRL using webpki instead of custom implementation. Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> * chore: addresses review comments Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> * chore: implements CRL validation entirely with webpki's verify_for_usage method. Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> * chore: reverts verify_for_usage Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> * chore: removes comment Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> * chore: address review comments Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> * chore: fixes lock Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> * chore: uses Option rather than extra var Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> * chore: addresses review comments Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> * chore: fixes merge conflict Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> --------- Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> * add support for TLSv1.2 (#1711) by setting `TLS12_ENABLED` to `true`, ztunnel will negotiate TLSv1.2 or 1.3. Fixes #1296 until we have FIPS-140-3 support in istiod. * Automator: update common-files@master in istio/ztunnel@master (#1716) * enhance ztunnel metrics (#1695) * enhance ztunnel metrics Signed-off-by: Lucas Copi <lucas.copi@solo.io> * make gen Signed-off-by: Lucas Copi <lucas.copi@solo.io> * change socket labels, review fixes Signed-off-by: Lucas Copi <lucas.copi@solo.io> * use gauge metric for socket tracking Signed-off-by: Lucas Copi <lucas.copi@solo.io> * expand connection falure checking Signed-off-by: Lucas Copi <lucas.copi@solo.io> * fix cargo issues Signed-off-by: Lucas Copi <lucas.copi@solo.io> * make gen Signed-off-by: Lucas Copi <lucas.copi@solo.io> * remove unneeded direction label Signed-off-by: Lucas Copi <lucas.copi@solo.io> * remove unused enum Signed-off-by: Lucas Copi <lucas.copi@solo.io> * downcast error for metrics Signed-off-by: Lucas Copi <lucas.copi@solo.io> --------- Signed-off-by: Lucas Copi <lucas.copi@solo.io> * Automator: update common-files@master in istio/ztunnel@master (#1721) * Change log level from info to debug for "response received" (#1723) * Embed test data files to enable running tests outside source tree (#1720) * Embed test data files to enable running tests outside source tree Several unit tests depend on external files via relative paths, causing failures when the test binary is executed from a different directory than the source tree (e.g. in CI environments that copy binaries to isolated locations). This change: - Embed test data files at compile time using `include_str!` - Adds `temp_file_with_content()` helper function for tests requiring file paths - Uses `AuthSource::StaticToken` for CA client tests - Moves tempfile from dev-dependencies to optional dependency activated by the testing feature Affected tests: - config::tests::config_from_proxyconfig - identity::caclient::tests::{empty_chain, fetch_certificate, wrong_identity} - state::workload::tests::local_client Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com> * small change `make gen` Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com> --------- Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com> * Automator: update common-files@master in istio/ztunnel@master (#1726) * Add x forwarded network header (#1728) * Initial plan * Add x-origin-source header to inner CONNECT requests in double HBONE Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com> * Add comment explaining single HBONE codepath and tests for x-origin-source header Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com> * Rename header from x-origin-source to x-istio-origin-source Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com> * Rename header to x-istio-origin-network and refocus test on double HBONE Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com> * Add test back Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Use inbound x-istio-origin-network to know whether traffic originates from the gateway Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * fmt Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Actually check value of origin header Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Cargo fmt Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Remove incorrect TODO Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Update src/proxy.rs Co-authored-by: Ian Rudie <ilrudie@gmail.com> * Complete the rename Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Find/replace was too ambitious Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Fix inverted logic Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * fmt Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> --------- Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com> Co-authored-by: Ian Rudie <ilrudie@gmail.com> * Automator: update common-files@master in istio/ztunnel@master (#1737) * Ambient Multicluster Telemetry (#1734) * Add addtl codeowners for experimental (#1732) Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * More baggage support (#1731) * baggage * Use baggage for cross-cluster * fix unit tests * Fix namespaced tests. Remove extra code. * cleanup a bit * Initial plan * Add x-origin-source header to inner CONNECT requests in double HBONE Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com> * Add comment explaining single HBONE codepath and tests for x-origin-source header Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com> * Rename header from x-origin-source to x-istio-origin-source Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com> * Rename header to x-istio-origin-network and refocus test on double HBONE Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com> * Add test back Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Use inbound x-istio-origin-network to know whether traffic originates from the gateway Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * fmt Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * lint * Codeowners * Fix rebase --------- Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com> Co-authored-by: Keith Mattix II <keithmattix@microsoft.com> * Cargo fmt Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Remove experimental codeowners Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Address review comments (#1738) * Address PR comments Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Cargo fmt Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> --------- Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> Co-authored-by: Steven Jin <sjinxuan@microsoft.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com> Co-authored-by: Krinkin, Mike <mkrinkin@microsoft.com> * PQC: openssl crypto provider support (#1743) * PQC: openssl crypto provider support ztunnel must be both compiled and ran with openssl >= 3.5.0. Signed-off-by: Zuzana Miklankova <zmiklank@redhat.com> * allow unusual byte groupings for openssl version detection Signed-off-by: Zuzana Miklankova <zmiklank@redhat.com> * running 'make gen' Signed-off-by: Zuzana Miklankova <zmiklank@redhat.com> --------- Signed-off-by: Zuzana Miklankova <zmiklank@redhat.com> * Automator: update common-files@master in istio/ztunnel@master (#1750) * Automator: update common-files@master in istio/ztunnel@master (#1758) * prioritize canonical services on inbound (#1746) * prioritize canonical services on inbound * delete MatchReason * fix itertools thing * continue not return * drop continue for into_iter * as deref * gencheck * dry-run no allow policies match (#1745) * dry-run no allow policies match Signed-off-by: Ian Rudie <ian.rudie@solo.io> * authpol logging macro + env var to allow info log level if desired Signed-off-by: Ian Rudie <ian.rudie@solo.io> * move macro to better location Signed-off-by: Ian Rudie <ian.rudie@solo.io> * clean up Signed-off-by: Ian Rudie <ian.rudie@solo.io> * update tests Signed-off-by: Ian Rudie <ian.rudie@solo.io> * fmt Signed-off-by: Ian Rudie <ian.rudie@solo.io> --------- Signed-off-by: Ian Rudie <ian.rudie@solo.io> * Automator: update common-files@master in istio/ztunnel@master (#1763) * handle peer_addr() failure gracefully (#1764) * proxy: handle peer_addr() failure gracefully instead of panicking Replace .expect("must receive peer addr") with proper error handling in outbound and socks5 proxy paths. A client can send RST immediately after the TCP handshake completes, causing getpeername(2) to return ENOTCONN on the already-queued socket. The previous .expect() converted this transient OS-level error into a panic that killed the Tokio task. - outbound: match on peer_addr(), log debug and return early on error - socks5/handle_socks_connection: same pattern - socks5/negotiate_socks_connection: use ? operator (From<io::Error> for SocksError already exists) Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com> * i socket: avoid panic in orig_dst_addr diagnostic log peer_addr() and local_addr() inside the warn!() in orig_dst_addr() were called with .unwrap(), which could panic if the socket became unavailable before the log statement was reached. Replace with .map(...).unwrap_or_else() so the warning logs "N.A." instead of crashing when the address cannot be retrieved. Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com> --------- Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com> * Automator: update common-files@master in istio/ztunnel@master (#1765) * Automator: update common-files@master in istio/ztunnel@master (#1770) * Bump the cargo group across 2 directories with 4 updates (#1771) Bumps the cargo group with 2 updates in the / directory: [bytes](https://github.com/tokio-rs/bytes) and [time](https://github.com/time-rs/time). Bumps the cargo group with 4 updates in the /fuzz directory: [bytes](https://github.com/tokio-rs/bytes), [tracing-subscriber](https://github.com/tokio-rs/tracing), [time](https://github.com/time-rs/time) and [crossbeam-channel](https://github.com/crossbeam-rs/crossbeam). Updates `bytes` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](https://github.com/tokio-rs/bytes/compare/v1.11.0...v1.11.1) Updates `time` from 0.3.44 to 0.3.47 - [Release notes](https://github.com/time-rs/time/releases) - [Changelog](https://github.com/time-rs/time/blob/main/CHANGELOG.md) - [Commits](https://github.com/time-rs/time/compare/v0.3.44...v0.3.47) Updates `bytes` from 1.10.0 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](https://github.com/tokio-rs/bytes/compare/v1.11.0...v1.11.1) Updates `tracing-subscriber` from 0.3.19 to 0.3.22 - [Release notes](https://github.com/tokio-rs/tracing/releases) - [Commits](https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.3.19...tracing-subscriber-0.3.22) Updates `time` from 0.3.37 to 0.3.47 - [Release notes](https://github.com/time-rs/time/releases) - [Changelog](https://github.com/time-rs/time/blob/main/CHANGELOG.md) - [Commits](https://github.com/time-rs/time/compare/v0.3.44...v0.3.47) Updates `crossbeam-channel` from 0.5.14 to 0.5.15 - [Release notes](https://github.com/crossbeam-rs/crossbeam/releases) - [Changelog](https://github.com/crossbeam-rs/crossbeam/blob/master/CHANGELOG.md) - [Commits](https://github.com/crossbeam-rs/crossbeam/compare/crossbeam-channel-0.5.14...crossbeam-channel-0.5.15) --- updated-dependencies: - dependency-name: bytes dependency-version: 1.11.1 dependency-type: direct:production dependency-group: cargo - dependency-name: time dependency-version: 0.3.47 dependency-type: direct:production dependency-group: cargo - dependency-name: bytes dependency-version: 1.11.1 dependency-type: indirect dependency-group: cargo - dependency-name: tracing-subscriber dependency-version: 0.3.22 dependency-type: indirect dependency-group: cargo - dependency-name: time dependency-version: 0.3.47 dependency-type: indirect dependency-group: cargo - dependency-name: crossbeam-channel dependency-version: 0.5.15 dependency-type: indirect dependency-group: cargo ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Automator: update common-files@master in istio/ztunnel@master (#1777) * fix TLSv1.2 support by adding missing ciphersuites (#1779) It turns out that Istio's SPIFFE certs use ECDSA certificates, which only became a problem once I started testing against waypoint proxies. This adds the missing CipherSuites (which are still FIPS-compliant of course) to unblock Waypoint->ZTunnel communication. * expand dependabot (#1778) Signed-off-by: Daniel Hawton <daniel.hawton@solo.io> * Dont log error on broken pipe (#1784) * Automator: update common-files@master in istio/ztunnel@master (#1788) * Automator: update common-files@master in istio/ztunnel@master (#1792) * Automator: update common-files@master in istio/ztunnel@master (#1799) * Automator: update common-files@master in istio/ztunnel@master (#1800) * Automator: update common-files@master in istio/ztunnel@master (#1802) * Automator: update common-files@master in istio/ztunnel@master (#1810) * identity: reload CA root cert channel on file change (#1775) * RootCertManager: Add new CrlCertManager-like struct Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com> * caclient: rebuild channel when root cert changes Use the new RootCertManager to rebuild the TLS gRPC channel when a root cert change is noted. Need to add some fields to store the information to rebuild the channel. Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com> * small adaptations Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com> * Some unit tests Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com> * solve some compilation problems Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com> * delete is_dirty as it is not used Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com> * some clippy adjustments Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com> * adding some comments Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com> * addressing comments Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com> * log write lock wait time after TLS channel rebuild Add write_lock_wait_ms to the debug log emitted after a successful root cert hot-reload, so contention on the RwLock is observable in logs without requiring additional instrumentation. Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com> --------- Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com> * update after merge master branch Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: ilrudie <ian.rudie@solo.io> Signed-off-by: Ian Rudie <ian.rudie@solo.io> Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com> Signed-off-by: Kyle Steere <kyle.steere@chainguard.dev> Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com> Signed-off-by: Lucas Copi <lucas.copi@solo.io> Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com> Signed-off-by: Zuzana Miklankova <zmiklank@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Daniel Hawton <daniel.hawton@solo.io> Signed-off-by: zirain <zirain2009@gmail.com> Co-authored-by: Ian Rudie <ian.rudie@solo.io> Co-authored-by: Istio Automation <istio-testing-bot@google.com> Co-authored-by: John Howard <john.howard@solo.io> Co-authored-by: Steven Landow <steven@landow.dev> Co-authored-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> Co-authored-by: Krinkin, Mike <krinkin.m.u@gmail.com> Co-authored-by: Ian Rudie <ilrudie@gmail.com> Co-authored-by: Gustavo Meira <grnmeira@users.noreply.github.com> Co-authored-by: Daniel Hawton <daniel@hawton.org> Co-authored-by: Steven Jin <sjinxuan@microsoft.com> Co-authored-by: Kyle Steere <kbsteere@users.noreply.github.com> Co-authored-by: Arka Bhattacharya <21124287+find-arka@users.noreply.github.com> Co-authored-by: deveshdama <87668846+deveshdama@users.noreply.github.com> Co-authored-by: Mantas Matelis <me@mantasmatelis.com> Co-authored-by: Tamir Duberstein <tamird@gmail.com> Co-authored-by: Keith Mattix II <keithmattix@microsoft.com> Co-authored-by: Mike Zappa <michael.zappa@gmail.com> Co-authored-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: lcopi <lucas.copi@solo.io> Co-authored-by: Ram Vennam <ram.vennam@solo.io> Co-authored-by: Jose Luis Ojosnegros <jojosneg@redhat.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com> Co-authored-by: Krinkin, Mike <mkrinkin@microsoft.com> Co-authored-by: Zuzana Miklánková <zmiklank@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Daniel Hawton <daniel.hawton@solo.io>

Commit:21a13f5
Author:zirain
Committer:zirain

Merge branch 'master' into experimental-windows-ambient

Commit:44a8ae2
Author:Steven Jin
Committer:GitHub

dry run auth (#1659) * dry run auth * lint

Commit:34a82f7
Author:Ian Rudie
Committer:GitHub

canonical wds service (#1704) * initial impl Signed-off-by: Ian Rudie <ian.rudie@solo.io> * improvements to the impl Signed-off-by: Ian Rudie <ian.rudie@solo.io> * implement preferred service namespace handling Signed-off-by: Ian Rudie <ian.rudie@solo.io> * lints Signed-off-by: Ian Rudie <ian.rudie@solo.io> * unit for canonical service Signed-off-by: Ian Rudie <ian.rudie@solo.io> * cleanup old commented reference code Signed-off-by: Ian Rudie <ian.rudie@solo.io> * comment about canonical's purpose Signed-off-by: Ian Rudie <ian.rudie@solo.io> * add issue link for deprecation of preferred_service_namespace Signed-off-by: Ian Rudie <ian.rudie@solo.io> * unit to assert that namespace-local Service definitions are preferred over canonical Signed-off-by: Ian Rudie <ian.rudie@solo.io> --------- Signed-off-by: Ian Rudie <ian.rudie@solo.io>

Commit:9050c4f
Author:Ian Rudie
Committer:GitHub

initial impl for passthrough services (#1627) * initial impl for passthrough services Signed-off-by: Ian Rudie <ian.rudie@solo.io> * make gen Signed-off-by: Ian Rudie <ian.rudie@solo.io> * tests Signed-off-by: Ian Rudie <ian.rudie@solo.io> --------- Signed-off-by: Ian Rudie <ian.rudie@solo.io>

Commit:604d90d
Author:Keith Mattix II
Committer:GitHub

Experimental Support for ambient on Windows (#1461) * Get a complete build Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Update workloadmanager and remove UnixStream; use TcpStream * Deal with lack of DNS Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Complete e2e HBONE and passthrough! Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Fixup Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Add windows image building instructions Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Fix compilation Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Update build.rs Co-authored-by: Gustavo Meira <grnmeira@users.noreply.github.com> --------- Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> Co-authored-by: Jeremy L. Morris <jeremylevanmorris@gmail.com> Co-authored-by: Gustavo Meira <grnmeira@users.noreply.github.com>

Commit:9e3c8cf
Author:John Howard
Committer:GitHub

wds: implement capacity (#1472) Ztunnel side impl of https://github.com/istio/istio/pull/55284

Commit:00b7410
Author:John Howard
Committer:GitHub

Resync proto with istio/istio (#1434) This fell out of date

Commit:eda6461
Author:John Howard
Committer:GitHub

authorization: implement new serviceAccounts field (#1402)

Commit:c23771b
Author:Keith Mattix II
Committer:Keith Mattix II

Get to a working build again Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

Commit:4a5300c
Author:Jeremy L. Morris

merge in Keith's stash and deal with merge conflicts

Commit:9803ea4
Author:Jeremy L. Morris

ran cargo fmt and updated workloadmanager and related references

Commit:5ecaea9
Author:keithmattix

Stash Signed-off-by: keithmattix <keithmattix@microsoft.com>

Commit:cb56b5b
Author:John Howard
Committer:GitHub

Add support for `publishNotReadyAddresses` (#1231) * Add support for `publishNotReadyAddresses` * rename

Commit:6d58d57
Author:John Howard
Committer:GitHub

Add support for hostnetwork pods (#1216) This goes along with https://github.com/istio/istio/pull/52191. Most of the change is in Istiod, the only real change here is to stop indexing the workload address if it is a host network pod. In terms of user facing behavior, this means that if I call a host-network pod directly (NOT via service), then it will not associate with the workload. If this were to happen, we would effectively be associating it with an arbitrary host network pod on the same node; there is no way to distinguish these. In practice, hostnetwork pods cannot be HBONE, so this ensures that we consistently get "unknown" as the telemetry info rather then a random pod. This is encoded in the new test. There is additional misc trace level logging improvements that helped me debug/develop this.

Commit:8458d66
Author:John Howard
Committer:GitHub

Support ip_families field in service (#1161) * Support ip_families field in service * Move to service level

Commit:e2bcfbe
Author:John Howard
Committer:GitHub

Drop unused field in WDS (#1159) This is cleanup from an earlier change on Istio side. This is deadcode. workload.proto changes are copy+paste from Istio

Commit:2d2ad04
Author:Istio Automation
Committer:GitHub

Don't use trust_domain in zds (#1091) Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io> Co-authored-by: Benjamin Leggett <benjamin.leggett@solo.io>

Commit:4ff9897
Author:Ben Leggett
Committer:GitHub

Don't use trust_domain in zds (#1088) Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

Commit:f918a76
Author:John Howard
Committer:GitHub

Implement locality aware load balancing (#868) * Implement locality aware load balancing Fixes https://github.com/istio/ztunnel/issues/862 * Update docs * Add tests and pick better names * fixes

Commit:e570cd8
Author:Steven Landow
Committer:GitHub

proxy protocol for sandwich (#850) * PROXY protocol sandwich * move app tunnel to GatewayAddress * Revert "move app tunnel to GatewayAddress" This reverts commit 24184d0bac4c38366a38edc9f152ace890da2f10. * fix fuzz lockfile * fix test

Commit:2907fd3
Author:Yuval Kohavi
Committer:GitHub

proxy: validate ZDS provided workload service account when asserting rbac (#777) * proxy: assert rbac using workload uid instead of destination ip * pr feedback: - match workload properties after fetching by network addr - cleanup data structures * introduce ProxyRbacContext for assert_rbac, so we can use it with the new connection manager. * make fix * cleanup * add tests

Commit:bcdce3f
Author:Jeremy L. Morris
Committer:GitHub

Add waypoint to Service proto definition in WDS (#823)

Commit:bc68182
Author:Yuval Kohavi
Committer:GitHub

inpod redirection mode (#747) * inpod * make fix * git apply <(curl ...) * typo * pr comments * make gen * remove NoSnapshotPresent * due to how iptables redirect works, we need to configure the dns address (so we can set it to 127.0.0.1) * improve log msg * make gen * 1 bit for inpod mark. accept mark from env * send hello message * Apply suggestions from code review Co-authored-by: John Howard <howardjohn@google.com> * remote mocks * make non-mocked tests not run if not root * protocol.rs: - remove workload_processor_helpers sub module - remove the need for iovs_buf; Code restructured so that buffer var is not borrowed * fix clippy notes * make gen * git apply * pr comments: - move admin handler from metrics - feed metrics to inpod instead of registry - remove inpod prefix from metrics - change mark to 1337 * be explicit about what's a uid vs String * pr comments: - better error message when mark fails - minor clean-ups * - change mark in redirect script for namespaced tests - fix tests * remove pub from inpod * allow for SO_REUSEPORT note that SO_REUSEPORT only work if both old and new ztunnel have the same uid * Change log level on stream end in src/inpod/workloadmanager.rs Co-authored-by: John Howard <howardjohn@google.com> * tests for port re-use --------- Co-authored-by: John Howard <howardjohn@google.com>

Commit:a1c799e
Author:j2gg0s
Committer:GitHub

Fix typos in doc/comment by https://github.com/crate-ci/typos (#748)

Commit:1eddf6a
Author:Keith Mattix II
Committer:GitHub

Add oneway tls port to waypoint (#692) * Add port for hbone single TLS Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Remove optional proto Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Add default fields Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Make gen Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> --------- Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

Commit:5940467
Author:Keith Mattix II
Committer:Keith Mattix II

Remove optional proto Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

Commit:647b57a
Author:Keith Mattix II
Committer:GitHub

Add port for hbone single TLS (#682) * Add port for hbone single TLS Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Use port 15003 for single TLS Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> --------- Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

Commit:539ff43
Author:Kevin Dorosh
Committer:GitHub

Implement on-demand hostname for Workloads (#612) * WIP implement hostname Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> WIP testing to see what it would take to get something working Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> Begin dns resolution WIP Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Refactor UID as key for endpoints in service Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Add back removed per-pod hostname code Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Implement repeated polling in async DNS Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Cargo clippy Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Use util to get system forwarder Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Improve clarity of different hostname fields on workload Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Allow custom nameservers for system fordwarder Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Make gen Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Remove async_hostname; just reuse hostname on the workload Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Move load_balance() to DemandProxyState and make async in prep for on-demand impl Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Messy POC: on-demand DNS initiated on request path Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * No need for delay in direct test now since we have on demand DNS Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * WIP: begin to filter DNS polling based on recent requests received Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * WIP: ensure we only call load_balance() once per outgoing request Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * WIP: make a second request to smoke check cache hits are working (they are) Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * WIP: flatten some of task context logic, and don't blow away last_queried time from poller Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * PR still WIP: add metrics for on-demand DNS cache hits and misses Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * PR still WIP: begin using resolver instead of forwarder Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * PR still WIP: optimize to only poll if we recevied another request during DNS TTL Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * PR still WIP: remove polling DNS optimization until initial PR is approved Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * PR still WIP: ipv6 support Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * PR still WIP: flatten some code Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * PR comments Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Refresh once per 30s if we have no dns records Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * More accurate comment Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * More accurate comment Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * More accurate comment Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * More accurate comment Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * PR comment; remove unneeded clone Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * PR comment; set_gateway_address does not need to be a method Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * PR comment; only call set_gateway_address once for waypoints Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * PR comments; move dns cfg/opts to DemandProxyState, rename some things Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Add endpoints, even for workloads that don't have an address Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * No reason to return join handle since we aren't joining several handles Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Flatten extra await Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> --------- Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io>

Commit:bc65fea
Author:Nathan Mittler
Committer:GitHub

Remove unused vip field (#583) This field was removed by https://github.com/istio/istio/pull/45764 and https://github.com/istio/ztunnel/pull/572. The control plane is no longer sending it and the field has been removed from the proto.

Commit:ea748c6
Author:Nathan Mittler
Committer:GitHub

Update API for headless services (#572) Preferring service keys rather than VIPs for referencing services from workload. Also, change requirements to allow both addresses and hostnames for addressing a headless service.

Commit:a3fd66a
Author:Kevin Dorosh
Committer:GitHub

Update `Workload` primary xds key to UID (#529) * Test repeated addresses on workload Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Move workloads to Arc Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Move workloads_by_uid to Arc Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Update UID api Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Update workload primary xds key to UID Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Load balance to all workload IPs randomly Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Don't unwrap error while collecting Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Add service builder to namespaced tests Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Don't include pod IP as suffix in example UIDs Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Update proto/workload.proto Co-authored-by: John Howard <howardjohn@google.com> --------- Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> Co-authored-by: John Howard <howardjohn@google.com>

Commit:e36680f
Author:Kevin Dorosh
Committer:GitHub

Ambient xds evolution (#486) * WIP * Finish ambient xds workload evolution based on https://docs.google.com/document/d/1V5wkeBHbLSLMzAMbwFlFZNHdZPyUEspG4lHbnB0UaCg/edit#heading=h.qpcs4a7wyicb Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Search for waypoint workload by service VIPs too Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Search all service endpoints for determining if we bypassed waypoint Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Cargo fmt /fuzz * Implement fetch_address() Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Implement find_waypoint() Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Fix misleading name for function that gets waypoint svc ip Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Better internal representation for GatewayAddress Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Implement TryFrom for GatewayAddress Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Simpler insert or create new map Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Minor refactor to XdsService -> Service Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Fix bug with stale staged endpoints cleanup Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * cargo clippy Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * First pass network address services Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Update to use network address as key for staged vips Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Update some proto comments Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * NetworkAddressKey is more generic, not just service secondary key Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * NetworkAddress for fetch Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * More to NetworkAddress Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Stop hard coding the network Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Update GatewayAddress to use network-prefixed keys for lookup Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Update workload field protocol to tunnel_protocol Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Update inbound cert provider to use configured network Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Clean up some formatting Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Stronger test assertion for load balancing Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Implement custom serde for NetworkAddress since it keys a map Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Clarify network assumptions on inbound requests Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Simplify check_waypoint function and return noisy error for unsupported feature Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Flatten indentation with more idiomatic code Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Rename internal representation of native_tunnel too Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Don't lock twice when we only need to once Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Remove some unnecessary clones when fetching by NetworkAddress Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Update some more comments with clarifying network assumptions Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Don't confuse myself, instead use better variable names Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Default network should be empty string Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Service can select workloads in other networks Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Check if request came from gateway before attempting lookup Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Don't specify values that match the default Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * DRY check_gateway Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Add UID to proto for workloads in remote networks with unknown IP Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Improve test coverage for config dump Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Update comment on services to be more complete Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Update api to reflect DNS resolution by ztunnel per workload Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Remove OpaqueEndpoint Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Update service primary xds key to namespace/hostname Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Use NetworkAddress for workload_to_vip Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Improve test coverage and fix endpoint propagation bug on service upsert Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Share more code so service endpoints is optional on local yaml test config Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Store services on the heap so mutations are shared across maps Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Dedup unneeded workload_to_vip insertions Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Better name for internal service maps so config dump is clearer Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Flatten functions so they are easier to read Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Ensure we clean up map indexing properly for services on upsert Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> * Fix test to ensure local config has unique svc hostnames Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io> --------- Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io>

Commit:8074321
Author:Ian Rudie
Committer:GitHub

sample changes to proto (#501) * sample changes to proto Signed-off-by: ilrudie <ian.rudie@solo.io> * add/updates comments in proto for clarity Signed-off-by: ilrudie <ian.rudie@solo.io> --------- Signed-off-by: ilrudie <ian.rudie@solo.io>

Commit:3aa10e6
Author:Yossi Mesika
Committer:GitHub

Get and use Cluster ID from the WDS (#439)

Commit:a4a66bc
Author:John Howard
Committer:GitHub

Add health status (#374) Replaces https://github.com/istio/istio/pull/43085

Commit:0e123ea
Author:John Howard
Committer:GitHub

Handle upstream proto renames (#324) * Handle upstream proto renames * fmt

Commit:65225bb
Author:Steven Landow
Committer:GitHub

parse proxy config (#294) * parse proxy config * status port * lint * and_then * wip * use yaml merging * cleanup err handling * more cleanup + test * abandon prost gen for proxyconfig * cleanup

Commit:f385be4
Author:John Howard
Committer:GitHub

implement L4 AuthorizationPolicy (#297) * Initial RBAC implementation This commit introduces the first iteration of L4 AuthorizationPolicy support. * Policies are read over XDS and converted to a new internal type. These are indexed by namespace * Inbound requests check against applicable policies and send 401 in the HBONE response when they fail to match * Current matching algorithm is fairly efficient (TODO: benchmarks), but not optimized (one could imagine a trie like implementation; today it is a linear search). * add tests * redundant clones

Commit:d652ecb
Author:John Howard
Committer:GitHub

xds: pass metadata, including NODE_NAME (#256)

Commit:f4cb475
Author:Zhonghu Xu
Committer:GitHub

Make waypoint_addresses vec (#147) * Update waypoint_addresses to Vec * Fix liny

Commit:40e9998
Author:John Howard
Committer:GitHub

Add support for reading from local file instead of XDS (#28) * Add support for reading from local file instead of XDS * Update for new Istiod proto * apply local comments

Commit:f8b91c9
Author:John Howard

Initial import of code