Experimental windows ambient rebase master branch #1816
Merged
istio-testing merged 106 commits into istio:experimental-windows-ambient from Mar 30, 2026
Conversation
…1564) Signed-off-by: ilrudie <ian.rudie@solo.io>
* Allow dynamic configuration of thread count
* fix flakes
* don't send to empty address
* add test
…io#1576) Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* tls: add PQC compliance policy
  Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
* Add global lazy variable PQC_ENABLED
  Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
* Add unused_imports and dead_code to PQC_ENABLED declaration
  Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
---------
Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
* initial idea for improved resolution
  Signed-off-by: ilrudie <ian.rudie@solo.io>
* handle preferred service namespace; unit testing
  Signed-off-by: Ian Rudie <ian.rudie@solo.io>
---------
Signed-off-by: ilrudie <ian.rudie@solo.io>
Signed-off-by: Ian Rudie <ian.rudie@solo.io>
…io#1565)
* Multinetwork/Support remote networks for services with waypoints
  Currently `build_request` when it sees a service with a waypoint resolves the waypoint backend and routes request there using regular HBONE. In multi network scenario though the waypoint may have workload on a remote network and to reach it we have to go through E/W gateway and use double HBONE. This change enables handling of services with waypoint on a remote network.
  Some of the assumptions that were used when I prepared this change:
  1. We assume uniformity of configuration (e.g., if service X in local cluster has a waypoint, then service X in remote network also has a waypoint, if waypoint is service addressable, then it's using service to address waypoint both locally and on remote network)
  2. Split-horizon representation of waypoint workloads, just like with any regular workloads and services (e.g., in the local cluster instead of an actual waypoint workload pointing to a pod on another network we will have a "proxy" representation that just has network gateway).
  Both of those can be handled by the controlplane (e.g., controlplane can generate split-horizon workloads and when configuration is non-uniform, just filter out remote configs for remote networks), though we don't yet have a complete implementation.
  Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
* Return an error instead of panicking
  Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
* Update comments in src/proxy/outbound.rs
  Co-authored-by: Ian Rudie <ilrudie@gmail.com>
* Update comments in src/proxy/outbound.rs
  Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
* Add a debug assert to provide a bit more context to the error in tests
  Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
* Fix formatting
  Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
* Added a few debug logs to be able to trace when a workload on a remote network is picked
  Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
---------
Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
Co-authored-by: Ian Rudie <ilrudie@gmail.com>
* increasing limit for open files
* suggestion from PR
* adding comment
* Update src/main.rs
  Co-authored-by: Daniel Hawton <daniel@hawton.org>
---------
Co-authored-by: Daniel Hawton <daniel@hawton.org>
* Buffer h2 streams
* Tests
* naming
* Review simplify code
* adopt rcgen 14
  Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* fmt
  Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* fmt fuzz
  Signed-off-by: Ian Rudie <ian.rudie@solo.io>
---------
Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* fix build.rs
  Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* clippy
  Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* remove swap
  Signed-off-by: Ian Rudie <ian.rudie@solo.io>
---------
Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* Update rust version and dependencies
* fix mismatch
* drop criterion ver
* bump
* prioritize canonical services on inbound
* delete MatchReason
* fix itertools thing
* continue not return
* drop continue for into_iter
* as deref
* gencheck
* dry-run no allow policies match
  Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* authpol logging macro + env var to allow info log level if desired
  Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* move macro to better location
  Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* clean up
  Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* update tests
  Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* fmt
  Signed-off-by: Ian Rudie <ian.rudie@solo.io>
---------
Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* proxy: handle peer_addr() failure gracefully instead of panicking
Replace .expect("must receive peer addr") with proper error handling in
outbound and socks5 proxy paths. A client can send RST immediately after
the TCP handshake completes, causing getpeername(2) to return ENOTCONN on
the already-queued socket. The previous .expect() converted this transient
OS-level error into a panic that killed the Tokio task.
- outbound: match on peer_addr(), log debug and return early on error
- socks5/handle_socks_connection: same pattern
- socks5/negotiate_socks_connection: use ? operator (From<io::Error> for
SocksError already exists)
Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* i socket: avoid panic in orig_dst_addr diagnostic log
peer_addr() and local_addr() inside the warn!() in orig_dst_addr() were
called with .unwrap(), which could panic if the socket became unavailable
before the log statement was reached. Replace with .map(...).unwrap_or_else()
so the warning logs "N.A." instead of crashing when the address cannot be
retrieved.
Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
---------
Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
Bumps the cargo group with 2 updates in the / directory: [bytes](https://github.com/tokio-rs/bytes) and [time](https://github.com/time-rs/time).
Bumps the cargo group with 4 updates in the /fuzz directory: [bytes](https://github.com/tokio-rs/bytes), [tracing-subscriber](https://github.com/tokio-rs/tracing), [time](https://github.com/time-rs/time) and [crossbeam-channel](https://github.com/crossbeam-rs/crossbeam).

Updates `bytes` from 1.11.0 to 1.11.1
- [Release notes](https://github.com/tokio-rs/bytes/releases)
- [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md)
- [Commits](tokio-rs/bytes@v1.11.0...v1.11.1)

Updates `time` from 0.3.44 to 0.3.47
- [Release notes](https://github.com/time-rs/time/releases)
- [Changelog](https://github.com/time-rs/time/blob/main/CHANGELOG.md)
- [Commits](time-rs/time@v0.3.44...v0.3.47)

Updates `bytes` from 1.10.0 to 1.11.1
- [Release notes](https://github.com/tokio-rs/bytes/releases)
- [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md)
- [Commits](tokio-rs/bytes@v1.11.0...v1.11.1)

Updates `tracing-subscriber` from 0.3.19 to 0.3.22
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](tokio-rs/tracing@tracing-subscriber-0.3.19...tracing-subscriber-0.3.22)

Updates `time` from 0.3.37 to 0.3.47
- [Release notes](https://github.com/time-rs/time/releases)
- [Changelog](https://github.com/time-rs/time/blob/main/CHANGELOG.md)
- [Commits](time-rs/time@v0.3.44...v0.3.47)

Updates `crossbeam-channel` from 0.5.14 to 0.5.15
- [Release notes](https://github.com/crossbeam-rs/crossbeam/releases)
- [Changelog](https://github.com/crossbeam-rs/crossbeam/blob/master/CHANGELOG.md)
- [Commits](crossbeam-rs/crossbeam@crossbeam-channel-0.5.14...crossbeam-channel-0.5.15)

---
updated-dependencies:
- dependency-name: bytes
  dependency-version: 1.11.1
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: time
  dependency-version: 0.3.47
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: bytes
  dependency-version: 1.11.1
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: tracing-subscriber
  dependency-version: 0.3.22
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: time
  dependency-version: 0.3.47
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: crossbeam-channel
  dependency-version: 0.5.15
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
It turns out that Istio's SPIFFE certs use ECDSA certificates, which only became a problem once I started testing against waypoint proxies. This adds the missing CipherSuites (which are still FIPS-compliant of course) to unblock Waypoint->ZTunnel communication.
Signed-off-by: Daniel Hawton <daniel.hawton@solo.io>
* RootCertManager: Add new CrlCertManager-like struct
  Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* caclient: rebuild channel when root cert changes
  Use the new RootCertManager to rebuild the TLS gRPC channel when a root cert change is noted. Need to add some fields to store the information to rebuild the channel.
  Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* small adaptations
  Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* Some unit tests
  Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* solve some compilation problems
  Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* delete is_dirty as it is not used
  Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* some clippy adjustments
  Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* adding some comments
  Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* addressing comments
  Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
* log write lock wait time after TLS channel rebuild
  Add write_lock_wait_ms to the debug log emitted after a successful root cert hot-reload, so contention on the RwLock is observable in logs without requiring additional instrumentation.
  Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
---------
Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
Signed-off-by: zirain <zirain2009@gmail.com>
😊 Welcome @zirain! This is either your first contribution to the Istio ztunnel repo, or it's been You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines Thanks for contributing! Courtesy of your friendly welcome wagon.
keithmattix (Contributor) approved these changes on Mar 30, 2026 and left a comment:
Windows stuff is unchanged
merged commit c409465 into istio:experimental-windows-ambient
2 checks passed
I tested this manually on local, seems nothing was broken.
cc @keithmattix