More baggage support #1731
istio-testing merged 17 commits into istio:experimental-ambient-multicluster-telemetry from
Conversation
nit: can you submit this to the experimental-ambient-multicluster-telemetry branch instead of master?
@Stevenjin8: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
src/proxy/inbound.rs
Outdated
| // if from_gateway { | ||
| // connection_result_builder = | ||
| // connection_result_builder.with_derived_source(&derived_source); | ||
| // } |
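Review bot: the `if from_gateway { ... }` call to `with_derived_source(&derived_source)` is commented out rather than deleted, which leaves the reader guessing whether the derived source is still meant to be attached for gateway-originated traffic; either remove these four dead lines or wire them back in behind the real from_gateway decision (the commit list says that decision now comes from the inbound x-istio-origin-network header) so the inbound path has one explicit answer instead of a disabled one.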
| let mut local = self.locality.0.unwrap_or_default(); | ||
| local.destination_region = w.region.clone().into(); | ||
| local.destination_zone = w.zone.clone().into(); | ||
| self.locality = OptionallyEncode(Some(local)); |
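Review bot: `self.locality.0.unwrap_or_default()` followed by writes to only `destination_region` and `destination_zone` silently leaves the source half at its zero value whenever no source has been recorded yet, and nothing at this site says that one Locality carries both ends of the connection; add a doc comment on the field (and on with_destination / with_derived_destination / with_source) stating which half each builder method owns, so the merge intent is readable from the code and not only from the review thread.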
kinda confused if locality is the locality of server, client, or reporter
Locality encodes both source and destination locality. When you call with_destination or with_derived_destination you need to update the destination labels, keeping the source label as-is, and when you call with_source you need to update source fields, while keeping the destination fields as they were.
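An added example, not ztunnel's own code, illustrating the merge semantics described in the reply above: one Locality value carries both the source and the destination region/zone, and each builder method rewrites only its own half, so the result is the same whichever side is filled in first. The names used here (Locality, OptionallyEncode, Workload, ConnectionResultBuilder, with_source, with_destination) are assumptions modelled on the snippet in the review, not the project's API, and the clobbering variant exists only to show what goes wrong when a builder rebuilds the whole struct instead of merging into it.

```rust
// Added example, not code from istio/ztunnel. Type and method names are
// assumptions modelled on the review snippet; the telemetry labels are
// constructed sample data.

#[derive(Clone, Debug, Default, PartialEq)]
pub struct Locality {
    pub source_region: String,
    pub source_zone: String,
    pub destination_region: String,
    pub destination_zone: String,
}

/// Wrapper that lets the locality stay absent (nothing encoded in telemetry)
/// until at least one side is known. Hypothetical, mirrors `OptionallyEncode`
/// in the review snippet.
#[derive(Clone, Debug, Default, PartialEq)]
pub struct OptionallyEncode(pub Option<Locality>);

/// Minimal stand-in for a workload record carrying locality labels (assumption).
pub struct Workload {
    pub region: String,
    pub zone: String,
}

#[derive(Default)]
pub struct ConnectionResultBuilder {
    pub locality: OptionallyEncode,
}

impl ConnectionResultBuilder {
    /// Fill in the destination half only; the source half survives untouched.
    pub fn with_destination(mut self, w: &Workload) -> Self {
        let mut local = self.locality.0.take().unwrap_or_default();
        local.destination_region = w.region.clone();
        local.destination_zone = w.zone.clone();
        self.locality = OptionallyEncode(Some(local));
        self
    }

    /// Fill in the source half only; the destination half survives untouched.
    pub fn with_source(mut self, w: &Workload) -> Self {
        let mut local = self.locality.0.take().unwrap_or_default();
        local.source_region = w.region.clone();
        local.source_zone = w.zone.clone();
        self.locality = OptionallyEncode(Some(local));
        self
    }

    /// The mistake the reviewer's question points at: rebuilding the whole
    /// Locality from the destination wipes any source labels already recorded.
    pub fn with_destination_clobbering(mut self, w: &Workload) -> Self {
        self.locality = OptionallyEncode(Some(Locality {
            destination_region: w.region.clone(),
            destination_zone: w.zone.clone(),
            ..Default::default()
        }));
        self
    }
}

/// Render the locality the way a telemetry label set would see it;
/// an unset locality yields no labels at all.
pub fn locality_labels(b: &ConnectionResultBuilder) -> Vec<(&'static str, String)> {
    match &b.locality.0 {
        None => Vec::new(),
        Some(l) => vec![
            ("source_region", l.source_region.clone()),
            ("source_zone", l.source_zone.clone()),
            ("destination_region", l.destination_region.clone()),
            ("destination_zone", l.destination_zone.clone()),
        ],
    }
}

fn main() {
    // Constructed sample workloads, not real cluster data.
    let src = Workload { region: "us-east".into(), zone: "us-east-1a".into() };
    let dst = Workload { region: "eu-west".into(), zone: "eu-west-1b".into() };
    let merged = ConnectionResultBuilder::default().with_source(&src).with_destination(&dst);
    let clobbered = ConnectionResultBuilder::default().with_source(&src).with_destination_clobbering(&dst);
    println!("merged:    {:?}", locality_labels(&merged));
    println!("clobbered: {:?}", locality_labels(&clobbered));
}
```

The order-independence check is the one worth keeping in a unit test: inbound and outbound code paths learn the two halves at different times, and a builder that only merges its own half is what keeps the reporter from emitting a destination with an empty source (or the reverse).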
@Stevenjin8 I think this should go into the experimental branch instead of master.
.devcontainer/devcontainer.json
Outdated
| { | ||
| "name": "istio build-tools", | ||
| "image": "gcr.io/istio-testing/build-tools:master-32187b891c5e9353c42b45ab386fb5afeb2f1c6b", | ||
| "image": "gcr.io/istio-testing/build-tools:master-116bd1273dfc5d27136461597f5ff54f535f416b", |
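Review bot: the image pin in .devcontainer/devcontainer.json is bumped from master-32187b891c5e... to master-116bd1273dfc..., which has nothing to do with baggage support; drop this hunk from the PR so the branch diff stays limited to the telemetry change and the tooling pin is not hand-edited alongside it.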
A rebase once #1728 lands will probably fix this and other unrelated changes.
Ah wait, actually, don't rebase since we're on the experimental branch. You can probably just drop these changes.
@Stevenjin8 can you add me, @grnmeira and @krinkinmu to codeowners for this branch so we can iterate faster? Also, we apparently don't have ztunnel tests on experimental branches.
1f3bbb0 to 1775cba
Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
…ource header Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
… from the gateway Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
… telemetry/baggage
1775cba to 37a9308
2740d4b into istio:experimental-ambient-multicluster-telemetry
* Add addtl codeowners for experimental (#1732) Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* More baggage support (#1731)
* baggage
* Use baggage for cross-cluster
* fix unit tests
* Fix namespaced tests. Remove extra code.
* cleanup a bit
* Initial plan
* Add x-origin-source header to inner CONNECT requests in double HBONE Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
* Add comment explaining single HBONE codepath and tests for x-origin-source header Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
* Rename header from x-origin-source to x-istio-origin-source Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
* Rename header to x-istio-origin-network and refocus test on double HBONE Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
* Add test back Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* Use inbound x-istio-origin-network to know whether traffic originates from the gateway Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* fmt Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* lint
* Codeowners
* Fix rebase
---------
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
Co-authored-by: Keith Mattix II <keithmattix@microsoft.com>
* Cargo fmt Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* Remove experimental codeowners Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* Address review comments (#1738)
* Address PR comments Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* Cargo fmt Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
---------
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
Co-authored-by: Steven Jin <sjinxuan@microsoft.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
Co-authored-by: Krinkin, Mike <mkrinkin@microsoft.com>
* remove git tag (#1559)
* update how io errors are being generated to fix clippy issues (#1564) Signed-off-by: ilrudie <ian.rudie@solo.io>
* Automator: update common-files@master in istio/ztunnel@master (#1563)
* Automator: update common-files@master in istio/ztunnel@master (#1568)
* Allow dynamic configuration of thread count (#1566)
* Allow dynamic configuration of thread count
* fix flakes
* don't send to empty address (#1570)
* don't send to empty address
* add test
* Automator: update common-files@master in istio/ztunnel@master (#1571)
* Automator: update common-files@master in istio/ztunnel@master (#1572)
* remove invalid test cases from parsing of ZTUNNEL_WORKER_THREADS (#1576) Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* Automator: update common-files@master in istio/ztunnel@master (#1577)
* Automator: update common-files@master in istio/ztunnel@master (#1578)
* tls: add PQC compliance policy (#1561)
* tls: add PQC compliance policy Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
* Add global lazy variable PQC_ENABLED Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
* Add unused_imports and dead_code to PQC_ENABLED declaration Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
---------
Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
* Automator: update common-files@master in istio/ztunnel@master (#1582)
* Improved Service Resolution (#1562)
* initial idea for improved resolution Signed-off-by: ilrudie <ian.rudie@solo.io>
* handle preferred service namespace; unit testing Signed-off-by: Ian Rudie <ian.rudie@solo.io>
---------
Signed-off-by: ilrudie <ian.rudie@solo.io>
Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* Automator: update common-files@master in istio/ztunnel@master (#1583)
* Multinetwork/Support remote networks for services with waypoints (#1565)
* Multinetwork/Support remote networks for services with waypoints
  Currently `build_request` when it sees a service with a waypoint resolves the waypoint backend and routes request there using regular HBONE. In multi network scenario though the waypoint may have workload on a remote network and to reach it we have to go through E/W gateway and use double HBONE. This change enables handling of services with waypoint on a remote network. Some of the assumptions that were used when I prepared this change:
  1. We assume uniformity of configuration (e.g., if service X in local cluster has a waypoint, then service X in remote network also has a waypoint, if waypoint is service addressable, then it's using service to address waypoint both locally and on remote network)
  2. Split-horizon representation of waypoint workloads, just like with any regular workloads and services (e.g., in the local cluster instead of an actual waypoint workload pointing to a pod on another network we will have a "proxy" representation that just has network gateway).
  Both of those can be handled by the controlplane (e.g., controlplane can generate split-horizon workloads and when configuration is non-uniform, just filter out remote configs for remote networks), though we don't yet have a complete implementation.
  Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
* Return an error instead of panicking Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
* Update comments in src/proxy/outbound.rs Co-authored-by: Ian Rudie <ilrudie@gmail.com>
* Update comments in src/proxy/outbound.rs Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
* Add a debug assert to provide a bit more context to the error in tests Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
* Fix formatting Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
* Added a few debug logs to be able to trace when a workload on a remote network is picked Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
---------
Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
Co-authored-by: Ian Rudie <ilrudie@gmail.com>
* increasing limit for open files (#1586)
* increasing limit for open files
* suggestion from PR
* adding comment
* Update src/main.rs Co-authored-by: Daniel Hawton <daniel@hawton.org>
---------
Co-authored-by: Daniel Hawton <daniel@hawton.org>
* Buffer inner h2 streams (#1580)
* Buffer h2 streams
* Tests
* naming
* Review simplify code
* Automator: update common-files@master in istio/ztunnel@master (#1589)
* Automator: update common-files@master in istio/ztunnel@master (#1595)
* Automator: update common-files@master in istio/ztunnel@master (#1596)
* Automator: update common-files@master in istio/ztunnel@master (#1597)
* Automator: update common-files@master in istio/ztunnel@master (#1598)
* adopt rcgen 14 (#1599)
* adopt rcgen 14 Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* fmt Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* fmt fuzz Signed-off-by: Ian Rudie <ian.rudie@solo.io>
---------
Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* respect IPV6 setting for DNS server (#1601)
* Automator: update common-files@master in istio/ztunnel@master (#1604)
* chore - clippy cleanup (#1610)
* fix build.rs Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* clippy Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* remove swap Signed-off-by: Ian Rudie <ian.rudie@solo.io>
---------
Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* Automator: update common-files@master in istio/ztunnel@master (#1607)
* Update rust version and dependencies (#1614)
* Update rust version and dependencies
* fix mismatch
* drop criterion ver
* bump
* Automator: update common-files@master in istio/ztunnel@master (#1615)
* Automator: update common-files@master in istio/ztunnel@master (#1618)
* fix: upgrade pprof to version 0.15.0 to fix GHSA-2gh3-rmm4-6rq5/CVE-2025-53605. Creator of upstream patch to fix CVE issue: tikv/pprof-rs@3d4e696 (#1606) Signed-off-by: Kyle Steere <kyle.steere@chainguard.dev>
* Automator: update common-files@master in istio/ztunnel@master (#1619)
* Automator: update common-files@master in istio/ztunnel@master (#1621)
* Update ztunnel profiling doc (#1620)
* Update ztunnel profiling doc
* reset the numbers to 1 since markdown auto-renders them in order
* Automator: update common-files@master in istio/ztunnel@master (#1622)
* Add open file metrics (#1626)
* Add open file metrics
* Lint
* use /dev/fd and subtract one from fd count
* import ordering
* Automator: update common-files@master in istio/ztunnel@master (#1628)
* initial impl for passthrough services (#1627)
* initial impl for passthrough services Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* make gen Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* tests Signed-off-by: Ian Rudie <ian.rudie@solo.io>
---------
Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* Automator: update common-files@master in istio/ztunnel@master (#1635)
* retain valid certs on fetch failures (#1567)
* retain valid certs on fetch failures
* better unit tests.
  - fetches now records failed attempts as well.
  - validate that valid certificates are retained across fetch attempts despite ca failures
* minor tweaks as per review comments.
* Automator: update common-files@master in istio/ztunnel@master (#1638)
* Automator: update common-files@master in istio/ztunnel@master (#1639)
* Automator: update common-files@master in istio/ztunnel@master (#1640)
* admin: allow symbols in jemalloc pprof (#1636) Otherwise it's pretty useless. Manually tested this makes heap profiles work
* Set timeouts and keepalive (#1641)
* set timeouts
* Listener takes socket config
* Make certificate DER fields public (#1646)
* logs: disable spammy DNS logs (#1649) These logs are crazy, like 5 lines per DNS query. We turned them off but an update changed the log target. Not sure what backports we need
* Automator: update common-files@master in istio/ztunnel@master (#1653)
* Automator: update common-files@master in istio/ztunnel@master (#1654)
* Automator: update common-files@master in istio/ztunnel@master (#1655)
* fix small typo (#1647) Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* Bumps deps (#1623)
* Bumps deps
* fixup
* fix
* fmt
* rfmt
* fmt and 1.90
* their way
* Automator: update common-files@master in istio/ztunnel@master (#1661)
* Automator: update common-files@master in istio/ztunnel@master (#1670)
* Bump cargo deps (#1669)
* removing CNAME record answer for wildcards (#1664)
* removing CNAME record answer for wildcards
* removing unused trace
* fixing unit test
* removing unused field/type
* make gen
* metrics: fix accept header negotiation (#1681) Basically `get_all` does NOT unconditionally split a header that has been sent on 1 line by the client. This breaks kube-prometheus-stack
* Automator: update common-files@master in istio/ztunnel@master (#1685)
* Set socket options outside trace! (#1689)
* Automator: update common-files@master in istio/ztunnel@master (#1696)
* Set keepalives on outbound connections (#1688)
* Set keepalives on outbound connections
* mut
* Update tonic/prost crates to 0.14.x (#1687) The only relevant breaking change is that `prost::Message` is no longer a supertrait of `fmt::Debug`, so that bound is added in the few places that need it.
* Automator: update common-files@master in istio/ztunnel@master (#1700)
* Fix clippy lint errors (#1701)
* Fix clippy lint errors Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* Ordering Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
---------
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* Automator: update common-files@master in istio/ztunnel@master (#1702)
* Automator: update common-files@master in istio/ztunnel@master (#1705)
* provide test to verify socket options set (#1690)
* metrics: fix dns histogram (#1706)
* canonical wds service (#1704)
* initial impl Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* improvements to the impl Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* implement preferred service namespace handling Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* lints Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* unit for canonical service Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* cleanup old commented reference code Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* comment about canonical's purpose Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* add issue link for deprecation of preferred_service_namespace Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* unit to assert that namespace-local Service definitions are preferred over canonical Signed-off-by: Ian Rudie <ian.rudie@solo.io>
---------
Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* dry run auth (#1659)
* dry run auth
* lint
* Expose client config builder for workload TLS (#1710) Add WorkloadCertificate::client_config to build a rustls ClientConfig using the existing verifier and root store, so callers can customize SNI/ALPN without duplicating TLS config construction. Existing outbound behavior remains unchanged.
* feat: implement crl support in ztunnel (#1660)
* feat: implements ca-crl support in zTunnel Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
* chore: drains connection only for revoked cert Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
* feat: revokes affected inbound connections only Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
* chore: refactors crl watcher Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
* chore: rejects new connections only Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
* chore: crl validation only at the HBONE layer Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
* chore: use rustls-webpki for CRL validation Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
* chore: validates CRL using webpki instead of custom implementation. Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
* chore: addresses review comments Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
* chore: implements CRL validation entirely with webpki's verify_for_usage method. Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
* chore: reverts verify_for_usage Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
* chore: removes comment Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
* chore: address review comments Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
* chore: fixes lock Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
* chore: uses Option rather than extra var Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
* chore: addresses review comments Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
* chore: fixes merge conflict Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
---------
Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
* add support for TLSv1.2 (#1711) by setting `TLS12_ENABLED` to `true`, ztunnel will negotiate TLSv1.2 or 1.3. Fixes #1296 until we have FIPS-140-3 support in istiod.
* Automator: update common-files@master in istio/ztunnel@master (#1716)
* enhance ztunnel metrics (#1695)
* enhance ztunnel metrics Signed-off-by: Lucas Copi <lucas.copi@solo.io>
* make gen Signed-off-by: Lucas Copi <lucas.copi@solo.io>
* change socket labels, review fixes Signed-off-by: Lucas Copi <lucas.copi@solo.io>
* use gauge metric for socket tracking Signed-off-by: Lucas Copi <lucas.copi@solo.io>
* expand connection failure checking Signed-off-by: Lucas Copi <lucas.copi@solo.io>
* fix cargo issues Signed-off-by: Lucas Copi <lucas.copi@solo.io>
* make gen Signed-off-by: Lucas Copi <lucas.copi@solo.io>
* remove unneeded direction label Signed-off-by: Lucas Copi <lucas.copi@solo.io>
* remove unused enum Signed-off-by: Lucas Copi <lucas.copi@solo.io>
* downcast error for metrics Signed-off-by: Lucas Copi <lucas.copi@solo.io>
---------
Signed-off-by: Lucas Copi <lucas.copi@solo.io>
* Automator: update common-files@master in istio/ztunnel@master (#1721)
* Change log level from info to debug for "response received" (#1723)
* Embed test data files to enable running tests outside source tree (#1720)
* Embed test data files to enable running tests outside source tree
  Several unit tests depend on external files via relative paths, causing failures when the test binary is executed from a different directory than the source tree (e.g. in CI environments that copy binaries to isolated locations). This change:
  - Embeds test data files at compile time using `include_str!`
  - Adds `temp_file_with_content()` helper function for tests requiring file paths
  - Uses `AuthSource::StaticToken` for CA client tests
  - Moves tempfile from dev-dependencies to optional dependency activated by the testing feature
  Affected tests:
  - config::tests::config_from_proxyconfig
  - identity::caclient::tests::{empty_chain, fetch_certificate, wrong_identity}
  - state::workload::tests::local_client
  Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* small change `make gen` Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
---------
Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* Automator: update common-files@master in istio/ztunnel@master (#1726)
* Add x forwarded network header (#1728)
* Initial plan
* Add x-origin-source header to inner CONNECT requests in double HBONE Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
* Add comment explaining single HBONE codepath and tests for x-origin-source header Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
* Rename header from x-origin-source to x-istio-origin-source Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
* Rename header to x-istio-origin-network and refocus test on double HBONE Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
* Add test back Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* Use inbound x-istio-origin-network to know whether traffic originates from the gateway Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* fmt Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* Actually check value of origin header Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* Cargo fmt Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* Remove incorrect TODO Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* Update src/proxy.rs Co-authored-by: Ian Rudie <ilrudie@gmail.com>
* Complete the rename Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* Find/replace was too ambitious Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* Fix inverted logic Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* fmt Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
---------
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
Co-authored-by: Ian Rudie <ilrudie@gmail.com>
* Automator: update common-files@master in istio/ztunnel@master (#1737)
* Ambient Multicluster Telemetry (#1734)
* Add addtl codeowners for experimental (#1732) Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* More baggage support (#1731)
* baggage
* Use baggage for cross-cluster
* fix unit tests
* Fix namespaced tests. Remove extra code.
* cleanup a bit
* Initial plan
* Add x-origin-source header to inner CONNECT requests in double HBONE Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
* Add comment explaining single HBONE codepath and tests for x-origin-source header Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
* Rename header from x-origin-source to x-istio-origin-source Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
* Rename header to x-istio-origin-network and refocus test on double HBONE Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
* Add test back Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* Use inbound x-istio-origin-network to know whether traffic originates from the gateway Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* fmt Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* lint
* Codeowners
* Fix rebase
---------
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
Co-authored-by: Keith Mattix II <keithmattix@microsoft.com>
* Cargo fmt Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* Remove experimental codeowners Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* Address review comments (#1738)
* Address PR comments Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* Cargo fmt Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
---------
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
Co-authored-by: Steven Jin <sjinxuan@microsoft.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
Co-authored-by: Krinkin, Mike <mkrinkin@microsoft.com>
* PQC: openssl crypto provider support (#1743)
* PQC: openssl crypto provider support ztunnel must be both compiled and run with openssl >= 3.5.0. Signed-off-by: Zuzana Miklankova <zmiklank@redhat.com>
* allow unusual byte groupings for openssl version detection Signed-off-by: Zuzana Miklankova <zmiklank@redhat.com>
* running 'make gen' Signed-off-by: Zuzana Miklankova <zmiklank@redhat.com>
---------
Signed-off-by: Zuzana Miklankova <zmiklank@redhat.com>
* Automator: update common-files@master in istio/ztunnel@master (#1750)
* Automator: update common-files@master in istio/ztunnel@master (#1758)
* prioritize canonical services on inbound (#1746)
* prioritize canonical services on inbound
* delete MatchReason
* fix itertools thing
* continue not return
* drop continue for into_iter
* as deref
* gencheck
* dry-run no allow policies match (#1745)
* dry-run no allow policies match Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* authpol logging macro + env var to allow info log level if desired Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* move macro to better location Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* clean up Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* update tests Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* fmt Signed-off-by: Ian Rudie <ian.rudie@solo.io>
---------
Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* Automator: update common-files@master in istio/ztunnel@master (#1763)
* handle peer_addr() failure gracefully (#1764)
* proxy: handle peer_addr() failure gracefully instead of panicking
  Replace .expect("must receive peer addr") with proper error handling in outbound and socks5 proxy paths. A client can send RST immediately after the TCP handshake completes, causing getpeername(2) to return ENOTCONN on the already-queued socket. The previous .expect() converted this transient OS-level error into a panic that killed the Tokio task.
  - outbound: match on peer_addr(), log debug and return early on error
  - socks5/handle_socks_connection: same pattern
  - socks5/negotiate_socks_connection: use ? operator (From<io::Error> for SocksError already exists)
  Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* i socket: avoid panic in orig_dst_addr diagnostic log
  peer_addr() and local_addr() inside the warn!() in orig_dst_addr() were called with .unwrap(), which could panic if the socket became unavailable before the log statement was reached. Replace with .map(...).unwrap_or_else() so the warning logs "N.A." instead of crashing when the address cannot be retrieved.
  Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
---------
Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* Automator: update common-files@master in istio/ztunnel@master (#1765)
* Automator: update common-files@master in istio/ztunnel@master (#1770)
* Bump the cargo group across 2 directories with 4 updates (#1771)
  Bumps the cargo group with 2 updates in the / directory: [bytes](https://github.com/tokio-rs/bytes) and [time](https://github.com/time-rs/time).
  Bumps the cargo group with 4 updates in the /fuzz directory: [bytes](https://github.com/tokio-rs/bytes), [tracing-subscriber](https://github.com/tokio-rs/tracing), [time](https://github.com/time-rs/time) and [crossbeam-channel](https://github.com/crossbeam-rs/crossbeam).
  Updates `bytes` from 1.11.0 to 1.11.1
  - [Release notes](https://github.com/tokio-rs/bytes/releases)
  - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md)
  - [Commits](tokio-rs/bytes@v1.11.0...v1.11.1)
  Updates `time` from 0.3.44 to 0.3.47
  - [Release notes](https://github.com/time-rs/time/releases)
  - [Changelog](https://github.com/time-rs/time/blob/main/CHANGELOG.md)
  - [Commits](time-rs/time@v0.3.44...v0.3.47)
  Updates `bytes` from 1.10.0 to 1.11.1
  - [Release notes](https://github.com/tokio-rs/bytes/releases)
  - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md)
  - [Commits](tokio-rs/bytes@v1.11.0...v1.11.1)
  Updates `tracing-subscriber` from 0.3.19 to 0.3.22
  - [Release notes](https://github.com/tokio-rs/tracing/releases)
  - [Commits](tokio-rs/tracing@tracing-subscriber-0.3.19...tracing-subscriber-0.3.22)
  Updates `time` from 0.3.37 to 0.3.47
  - [Release notes](https://github.com/time-rs/time/releases)
  - [Changelog](https://github.com/time-rs/time/blob/main/CHANGELOG.md)
  - [Commits](time-rs/time@v0.3.44...v0.3.47)
  Updates `crossbeam-channel` from 0.5.14 to 0.5.15
  - [Release notes](https://github.com/crossbeam-rs/crossbeam/releases)
  - [Changelog](https://github.com/crossbeam-rs/crossbeam/blob/master/CHANGELOG.md)
  - [Commits](crossbeam-rs/crossbeam@crossbeam-channel-0.5.14...crossbeam-channel-0.5.15)
  ---
  updated-dependencies:
  - dependency-name: bytes
    dependency-version: 1.11.1
    dependency-type: direct:production
    dependency-group: cargo
  - dependency-name: time
    dependency-version: 0.3.47
    dependency-type: direct:production
    dependency-group: cargo
  - dependency-name: bytes
    dependency-version: 1.11.1
    dependency-type: indirect
    dependency-group: cargo
  - dependency-name: tracing-subscriber
    dependency-version: 0.3.22
    dependency-type: indirect
    dependency-group: cargo
  - dependency-name: time
    dependency-version: 0.3.47
    dependency-type: indirect
    dependency-group: cargo
  - dependency-name: crossbeam-channel
    dependency-version: 0.5.15
    dependency-type: indirect
    dependency-group: cargo
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Automator: update common-files@master in istio/ztunnel@master (#1777)
* fix TLSv1.2 support by adding missing ciphersuites (#1779) It turns out that Istio's SPIFFE certs use ECDSA certificates, which only became a problem once I started testing against waypoint proxies. This adds the missing CipherSuites (which are still FIPS-compliant of course) to unblock Waypoint->ZTunnel communication.
* expand dependabot (#1778) Signed-off-by: Daniel Hawton <daniel.hawton@solo.io>
* Dont log error on broken pipe (#1784)
* Automator: update common-files@master in istio/ztunnel@master (#1788)
* Automator: update common-files@master in istio/ztunnel@master (#1792)
* Automator: update common-files@master in istio/ztunnel@master (#1799)
* Automator: update common-files@master in istio/ztunnel@master (#1800)
* Automator: update common-files@master in istio/ztunnel@master (#1802)
* Automator: update common-files@master in istio/ztunnel@master (#1810)
* identity: reload CA root cert channel on file change (#1775)
* RootCertManager: Add new CrlCertManager-like struct Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* caclient: rebuild channel when root cert changes
  Use the new RootCertManager to rebuild the TLS gRPC channel when a root cert change is noted. Need to add some fields to store the information to rebuild the channel.
  Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* small adaptations Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* Some unit tests Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* solve some compilation problems Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* delete is_dirty as it is not used Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* some clippy adjustments Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* adding some comments Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* addressing comments Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* log write lock wait time after TLS channel rebuild
  Add write_lock_wait_ms to the debug log emitted after a successful root cert hot-reload, so contention on the RwLock is observable in logs without requiring additional instrumentation.
  Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
---------
Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* update after merge master branch Signed-off-by: zirain <zirain2009@gmail.com>
---------
Signed-off-by: ilrudie <ian.rudie@solo.io>
Signed-off-by: Ian Rudie <ian.rudie@solo.io>
Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
Signed-off-by: Kyle Steere <kyle.steere@chainguard.dev>
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
Signed-off-by: nilekh <1626598+nilekhc@users.noreply.github.com>
Signed-off-by: Lucas Copi <lucas.copi@solo.io>
Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
Signed-off-by: Zuzana Miklankova <zmiklank@redhat.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Daniel Hawton <daniel.hawton@solo.io>
Signed-off-by: zirain <zirain2009@gmail.com>
Co-authored-by: Ian Rudie <ian.rudie@solo.io>
Co-authored-by: Istio Automation <istio-testing-bot@google.com>
Co-authored-by: John Howard <john.howard@solo.io> Co-authored-by: Steven Landow <steven@landow.dev> Co-authored-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com> Co-authored-by: Krinkin, Mike <krinkin.m.u@gmail.com> Co-authored-by: Ian Rudie <ilrudie@gmail.com> Co-authored-by: Gustavo Meira <grnmeira@users.noreply.github.com> Co-authored-by: Daniel Hawton <daniel@hawton.org> Co-authored-by: Steven Jin <sjinxuan@microsoft.com> Co-authored-by: Kyle Steere <kbsteere@users.noreply.github.com> Co-authored-by: Arka Bhattacharya <21124287+find-arka@users.noreply.github.com> Co-authored-by: deveshdama <87668846+deveshdama@users.noreply.github.com> Co-authored-by: Mantas Matelis <me@mantasmatelis.com> Co-authored-by: Tamir Duberstein <tamird@gmail.com> Co-authored-by: Keith Mattix II <keithmattix@microsoft.com> Co-authored-by: Mike Zappa <michael.zappa@gmail.com> Co-authored-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: lcopi <lucas.copi@solo.io> Co-authored-by: Ram Vennam <ram.vennam@solo.io> Co-authored-by: Jose Luis Ojosnegros <jojosneg@redhat.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com> Co-authored-by: Krinkin, Mike <mkrinkin@microsoft.com> Co-authored-by: Zuzana Miklánková <zmiklank@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Daniel Hawton <daniel.hawton@solo.io>
Depends on #1728.
Adds baggage header to HTTP CONNECT responses and uses them to populate metrics labels for cross-network communication.
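As an added illustration of the receiving side of that exchange (example code, not ztunnel's own), the Rust below parses a W3C Baggage header value taken from a CONNECT response and lifts the members the metrics path needs into a label struct; the baggage key names and the `PeerLabels` fields are assumptions for this example, not ztunnel's real ones. Because the header is supplied by the remote peer, malformed members are skipped rather than failing the parse.

```rust
// Added example, not ztunnel's own code: parse a W3C Baggage header value from an
// HTTP CONNECT response into peer labels for metrics. The baggage key names and
// the PeerLabels fields are assumptions for illustration, not ztunnel's real ones.
use std::collections::HashMap;

/// Labels derived from a cross-network peer's baggage (assumed field set).
#[derive(Debug, PartialEq)]
pub struct PeerLabels {
    pub cluster: Option<String>,
    pub namespace: Option<String>,
    pub workload: Option<String>,
}

/// Decode RFC 3986 %XX escapes; a malformed escape is kept literally.
fn percent_decode(s: &str) -> String {
    let b = s.as_bytes();
    let mut out = Vec::with_capacity(b.len());
    let mut i = 0;
    while i < b.len() {
        // s.get() returns None past the end or off a char boundary, so no panic.
        let esc = (b[i] == b'%').then(|| s.get(i + 1..i + 3)).flatten()
            .and_then(|h| u8::from_str_radix(h, 16).ok());
        match esc {
            Some(byte) => { out.push(byte); i += 3; }
            None => { out.push(b[i]); i += 1; }
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Split `k1=v1;prop,k2=v2` into a map. Members without '=' or with an empty key
/// are skipped and ';' properties dropped: the header comes from the network peer,
/// so one bad member must not fail the whole parse or panic the proxy.
pub fn parse_baggage(header: &str) -> HashMap<String, String> {
    header
        .split(',')
        .filter_map(|member| {
            let kv = member.split(';').next().unwrap_or("").trim();
            let (k, v) = kv.split_once('=')?;
            let k = k.trim();
            (!k.is_empty()).then(|| (k.to_string(), percent_decode(v.trim())))
        })
        .collect()
}

/// Lift the members the metrics labels need; unknown keys are ignored.
pub fn labels_from_baggage(header: &str) -> PeerLabels {
    let mut b = parse_baggage(header);
    PeerLabels {
        cluster: b.remove("k8s.cluster.name"),
        namespace: b.remove("k8s.namespace.name"),
        workload: b.remove("k8s.pod.name"),
    }
}
```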
Logs now look like this for the client:
and like this for the server ztunnel
Access logs now also use baggage header when crossing networks. Here it is for the client:
and for the server ztunnel