Experimental ambient

api/v1alpha1/istiocontrolplane.gen.json

@@ -2312,6 +2312,11 @@
           },
           "sidecarInjector": {
             "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.SidecarInjectorConfiguration"
+          },
+          "ambientTopology": {
+            "description": "ambientTopology deploys and configures an ambient topology",
+            "type": "boolean",
+            "nullable": true
           }
         }
       },

api/v1alpha1/istiocontrolplane.pb.html

@@ -295,6 +295,17 @@ <h2 id="IstioControlPlaneSpec">IstioControlPlaneSpec</h2>
 <td>
 <p>Standalone sidecar injector configuration.</p>
 
+</td>
+<td>
+No
+</td>
+</tr>
+<tr id="IstioControlPlaneSpec-ambientTopology">
+<td><code>ambientTopology</code></td>
+<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></code></td>
+<td>
+<p>ambientTopology deploys and configures an ambient topology</p>
+
 </td>
 <td>
 No

api/v1alpha1/istiocontrolplane.proto

@@ -122,6 +122,8 @@ message IstioControlPlaneSpec {
     string networkName = 23;
     // Standalone sidecar injector configuration.
     SidecarInjectorConfiguration sidecarInjector = 24;
+    // ambientTopology deploys and configures an ambient topology
+    google.protobuf.BoolValue ambientTopology = 25;
 }
 
 enum ModeType {

build/fixup_structs/main.go

@@ -76,7 +76,7 @@ var (
 	regexJSONTagIllegal = regexp.MustCompile(`json\:"_`)
 )
 
-//nolint: gocognit
+// nolint: gocognit
 func main() {
 	var filePath string
 

config/crd/bases/istio-operator-crds.gen.yaml

@@ -54,6 +54,9 @@ spec:
           properties:
             spec:
               properties:
+                ambientTopology:
+                  nullable: true
+                  type: boolean
                 caAddress:
                   type: string
                 caProvider:
@@ -9184,6 +9187,9 @@ spec:
           properties:
             spec:
               properties:
+                ambientTopology:
+                  nullable: true
+                  type: boolean
                 caAddress:
                   type: string
                 caProvider:

config/manager/kustomization.yaml

@@ -5,3 +5,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: ghcr.io/banzaicloud/istio-operator
+  newTag: v2.16.0

controllers/istiocontrolplane_controller.go

@@ -1,6 +1,5 @@
 /*
 Copyright 2021 Cisco Systems, Inc. and/or its affiliates.
-
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
@@ -64,6 +63,7 @@ import (
 	"github.com/banzaicloud/istio-operator/v2/internal/components/meshexpansion"
 	"github.com/banzaicloud/istio-operator/v2/internal/components/resourcesyncrule"
 	"github.com/banzaicloud/istio-operator/v2/internal/components/sidecarinjector"
+	"github.com/banzaicloud/istio-operator/v2/internal/components/ztunnel"
 	"github.com/banzaicloud/istio-operator/v2/internal/models"
 	"github.com/banzaicloud/istio-operator/v2/internal/util"
 	"github.com/banzaicloud/istio-operator/v2/pkg/k8sutil"
@@ -289,6 +289,12 @@ func (r *IstioControlPlaneReconciler) reconcile(ctx context.Context, icp *servic
 	}
 	componentReconcilers = append(componentReconcilers, cniReconciler)
 
+	ztunnelReconciler, err := NewComponentReconciler(r, ztunnel.NewChartReconciler, r.Log.WithName("ztunnel"))
+	if err != nil {
+		return ctrl.Result{}, err
+	}
+	componentReconcilers = append(componentReconcilers, ztunnelReconciler)
+
 	meshExpansionReconciler, err := NewComponentReconciler(r, meshexpansion.NewChartReconciler, r.Log.WithName("meshexpansion"))
 	if err != nil {
 		return ctrl.Result{}, err

deploy/charts/istio-operator/crds/istio-operator-crds.gen.yaml

@@ -54,6 +54,9 @@ spec:
           properties:
             spec:
               properties:
+                ambientTopology:
+                  nullable: true
+                  type: boolean
                 caAddress:
                   type: string
                 caProvider:
@@ -9184,6 +9187,9 @@ spec:
           properties:
             spec:
               properties:
+                ambientTopology:
+                  nullable: true
+                  type: boolean
                 caAddress:
                   type: string
                 caProvider:

docs/ambient/ambient.md

@@ -0,0 +1,52 @@
+# Ambient topology with the istio-operator
+This guide will walk through the process of configuring an ambient topology
+with this repo's istio-operator similar to what is described in the upstream 
+documentation [Istio documentation](https://preliminary.istio.io/latest/docs/ops/ambient/getting-started/)
+Most of the steps in this guide just reference the upstream guide.
+
+## Setup:
+
+### Create a multinode cluster 
+### Build and Install the Istio Operator:
+1. Pull the branch with teh ambient changes
+2. Build the image 
+```
+make docker-build
+```
+3. Deploy the Operator
+```
+make deploy
+```
+4. Apply ambient `IstioControlPlane` Custom Resource to the `istio-system` namespace:
+```
+kubectl -n=istio-system apply -f docs/ambient/icp-ambient.yaml
+```
+### Install the bookinfo application:
+Follow the same steps as the upstream guide.
+#### Label the namespace
+Follow the same steps as the upstream guide.
+#### Test connection using the ingress gateway on the ACTIVE-1 cluster:
+Follow the same steps as the upstream guide.
+
+## Debugging 
+Ambient replace the envoy proxy with a purpose built Rust proxy so debugging is quite different.  Here are some commands and links:
+```
+istioctl pc workload ztunnel-8cvt2.istio-system
+```
+```
+kubectl exec -it ztunnel-xn2tl -n istio-system curl localhost:15000/config_dump 
+```
+```
+kubectl exec -it ztunnel-xn2tl -n istio-system curl localhost:15020/metrics
+```
+Link to Istio blog [Ztunnel debug](https://istio.io/latest/blog/2023/rust-based-ztunnel/)
+
+Note:
+With ambient it is not uncommon to think everything is working because communication is happening entirely within Kubernetes networking with no traffic being 
+redirected to the ztunnels pods or handled by Istio at all.   
+
+## Issues
+There seem to be some race conditions as traffic is not always blocked
+appropriately by the L4 authorization policy.  This commonly
+occurs on the initial install.  Deleting the bookinfo application
+and re-installing fixes the issue. 

docs/ambient/icp-ambient.yaml

@@ -0,0 +1,127 @@
+# A sample ICP that can be used to test ambient with the
+# istio-operator.  Search for Ambient to see key parameters
+apiVersion: servicemesh.cisco.com/v1alpha1
+kind: IstioControlPlane
+metadata:
+  name: icp-v116x-sample
+  namespace: istio-system
+spec:
+  version: 1.16.1
+  mode: ACTIVE
+  meshID: mesh1
+  networkName: network1
+  logging:
+    level: "default:info"
+  mountMtlsCerts: false
+  meshExpansion:
+    enabled: false
+  istiod:
+    deployment:
+      replicas:
+        min: 1
+        max: 5
+        count: 1
+      resources:
+        requests:
+          cpu: 500m
+          memory: 2048Mi
+      nodeSelector: {}
+      affinity: {}
+      tolerations: []
+      podMetadata:
+        labels: {}
+        annotations: {ambient.istio.io/redirection: disabled}
+      securityContext: {}
+    enableAnalysis: false
+    enableStatus: false
+    externalIstiod:
+      enabled: false
+    traceSampling: 1.0
+    enableProtocolSniffingOutbound: true
+    enableProtocolSniffingInbound: true
+    certProvider: ISTIOD
+    spiffe:
+      operatorEndpoints:
+        enabled: false
+  proxy:
+    privileged: false
+    enableCoreDump: false
+    logLevel: "WARNING"
+    componentLogLevel: "misc:error"
+    clusterDomain: "cluster.local"
+    holdApplicationUntilProxyStarts: false
+    lifecycle: {}
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 2000m
+        memory: 1024Mi
+    includeIPRanges: "*"
+    excludeIPRanges: ""
+    excludeInboundPorts: ""
+    excludeOutboundPorts: ""
+  proxyInit:
+    cni:
+      enabled: true
+      daemonset:
+    resources:
+      limits:
+        cpu: 2000m
+        memory: 1024Mi
+      requests:
+        cpu: 10m
+        memory: 10Mi
+  telemetryV2:
+    enabled: true
+  # Ambient notes - Setting this to true is primary trigger
+  # Important that the correct istio service name is passed
+  # to ztunnel pod - may require manual override.
+  ambientTopology: true
+  sds:
+    tokenAudience: "istio-ca"
+  proxyWasm:
+    enabled: false
+  watchOneNamespace: false
+  caAddress: ""
+  distribution: "official"
+  containerImageConfiguration:
+    # Ambient notes - need to use images that include ambient support
+    hub: docker.io/istio
+    tag: 1.18.0-alpha.0
+    imagePullPolicy: IfNotPresent
+  httpProxyEnvs:
+    httpProxy: ""
+    httpsProxy: ""
+    noProxy: ""
+  meshConfig:
+    proxyListenPort: 15001
+    connectTimeout: 10s
+    protocolDetectionTimeout: 5s
+    ingressClass: istio
+    ingressService: imgw-sample
+    ingressControllerMode: STRICT
+    ingressSelector: imgw-sample
+    enableTracing: false
+    accessLogFile: /dev/stdout
+    accessLogFormat: ""
+    accessLogEncoding: TEXT
+    enableEnvoyAccessLogService: false
+    disableEnvoyListenerLog: false
+    defaultConfig:
+      configPath: ./etc/istio/proxy
+      binaryPath: /usr/local/bin/envoy
+      serviceCluster: istio-proxy
+      drainDuration: 45s
+      parentShutdownDuration: 60s
+      proxyAdminPort: 15000
+      controlPlaneAuthPolicy: MUTUAL_TLS
+      concurrency: 2
+    outboundTrafficPolicy:
+      mode: ALLOW_ANY
+    enableAutoMtls: true
+    trustDomain: cluster.local
+    trustDomainAliases: []
+    rootNamespace: istio-system
+    dnsRefreshRate: 5s

go.mod

@@ -41,6 +41,7 @@ require (
 	github.com/Masterminds/semver/v3 v3.1.1
 	github.com/hexops/gotextdiff v1.0.3
 	github.com/iancoleman/strcase v0.2.0
+	google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03
 	google.golang.org/protobuf v1.28.0
 	gotest.tools/v3 v3.0.3
 )
@@ -167,7 +168,6 @@ require (
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03 // indirect
 	google.golang.org/grpc v1.47.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect

internal/assets/assets.go

@@ -56,6 +56,11 @@ var (
 	//go:embed manifests/resource-sync-rule/templates/_helpers.tpl
 	resourceSyncRule embed.FS
 	ResourceSyncRule = GetSubFS(resourceSyncRule, "manifests/resource-sync-rule")
+
+	//go:embed manifests/ztunnel
+	//go:embed manifests/ztunnel/templates/_helpers.tpl
+	ztunnelChart embed.FS
+	ZtunnelChart = GetSubFS(ztunnelChart, "manifests/ztunnel")
 )
 
 func GetSubFS(fsys fs.FS, dir string) (subFS fs.FS) {

internal/assets/manifests/istio-cni/templates/clusterrole.yaml

@@ -14,6 +14,8 @@ rules:
   - nodes
   verbs:
   - get
+  - list
+  - watch
 ---
 {{- if .Values.cni.repair.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1

internal/assets/manifests/istio-cni/templates/configmap-cni.yaml

@@ -22,6 +22,7 @@ data:
           "type": "istio-cni",
           "log_level": {{ quote .Values.cni.logLevel }},
           "log_uds_address": "__LOG_UDS_ADDRESS__",
+          {{if .Values.cni.ambient.enabled}}"ambient_enabled": true,{{end}}
           "kubernetes": {
               "kubeconfig": "__KUBECONFIG_FILEPATH__",
               "cni_bin_dir": {{ .Values.cni.cniBinDir | default $defaultBinDir | quote }},