Experimental Support for ambient on Windows

[keithmattix]

Part of istio/istio#27893. Istio CNI piece is at istio/istio#55216

More information to follow in an upcoming IstioDay talk as well as a blog post, but in summary: we've made substantial progress towards support Istio on Windows, and we decided the time is right to share where we are with the community! After discussing with the rest of Istio TOC, we have agreed that a long-lived experimental branch is the best place for this code to live for now as we work towards productionizing it and getting CI set up.

What works

• in pod traffic redirection
• HBONE upgrade
• waypoint forwarding
• ZDS communication with ztunnel

What doesn't work

• DNS proxying (haven't tested, redirection in CNI isn't implemented)
• Communicating with istiod via DNS (windows host process pods can't resolve via kube-dns)
• Tests that rely on creating a netns programmatically (pre-WS2025, I don't think this is possible because of how compartments and namespaces work)
• Probably more stuff I'm forgetting

I'm opening this PR as a draft for folks to take a look and comment on the diff/approach before merging it into the experimental branch. Feel free to reach out with any questions or concerns. Welcome to Istio, Windows!

[istio-testing]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[istio-policy-bot]

😊 Welcome @keithmattix! This is either your first contribution to the Istio ztunnel repo, or it's been
a while since you've been here.

You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

[bleggett]

Why not make this an optional in WorkloadInfo?

[keithmattix]

Honestly I think it was in an earlier draft of this, but I can't remember why the shift. Agreed that an optional is much cleaner

[keithmattix]

Ah, I remember now, it was because I wanted to model it like the auxiliary data (i.e. the FD) from the unix domain socket communication. I don't really have any preference, and went ahead and just stuck it on workload_info

[howardjohn]

What happened to a "small 60 line change" 😛

Good stuff. Will take a look soon

[grnmeira]

Minor issue here where it doesn't print anything when powershell fails to execute the script (eg. because of permission policies).

       Ok(output) => {
            if output.status.success() {
                for line in String::from_utf8(output.stdout).unwrap().lines() {
                    // Each line looks like `istio.io/pkg/version.buildGitRevision=abc`
                    if let Some((key, value)) = line.split_once('=') {
                        let key = key.split('.').last().unwrap();
                        println!("cargo:rustc-env=ZTUNNEL_BUILD_{key}={value}");
                    } else {
                        println!("cargo:warning=invalid build output {line}");
                    }
                }
            } else {
                println!(
                    "cargo:warning=build info script failed (stderr): {}",
                    String::from_utf8(output.stderr)
                        .unwrap()
                        .replace("\r\n", "")
                );
            }
        }

[keithmattix]

not stale

[keithmattix]

Not stale

[grnmeira]

@howardjohn @craigbox @therealmitchconnors can we get the Ztunnel experimental branch in as well? Thank you!

[craigbox]

Doesn't look like it needs a docs maintainer.

[ilrudie]

didn't get time to dive in but approving onto the experimental branch