From 212a77c2fd76255db49569d1efa12b4c075466a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= Date: Sun, 9 Jun 2024 06:31:58 -0600 Subject: [PATCH] Prevent the PassthroughCluster for clients/workloads in the service mesh (#3711) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Prevent the PassthroughCluster for clients in the service mesh The KServe Ingress VirtualServices are created with configurations targeting only the Gateways. Although this works, the omission of the Istio sidecars has the following downsides for workloads that belong to the Istio mesh: * Requests to InferenceServices will be treated as going to external services (i.e. not part of the mesh), because the sidecars are unaware of the routing rules. * In consequence, the requests will be handled as with any external (non-mesh) workload: the ingress gateway will first receive the request and will forward it to itself doing the URL rewrite to the relevant -predictor, -explainer or -transformer hostname. Such forwarding can be avoided (for mesh-workloads) and the rewrite can be performed by the sidecars with the right VirtualService configuration. This is adding the missing configurations in the KServe-created VirtualService, so that Istio sidecars are aware of the KServe services/hostnames and do the rewrite in the sidecar, rather than delaying/deferring the rewrite to the Gateway. For workloads that belong to the mesh, slightly better performance may be seen (given one request forwarding is saved) and better observability from Istio may also be possible. Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> --- pkg/constants/constants.go | 1 + .../inferenceservice/controller_test.go | 3 +- .../reconcilers/ingress/ingress_reconciler.go | 3 +- .../ingress/ingress_reconciler_test.go | 32 +++++++++---------- 4 files changed, 21 insertions(+), 18 deletions(-) 
diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
index 1e3b15aacf5..390ac4088bb 100644
--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
@@ -231,6 +231,7 @@ const (

 var (
 LocalGatewayHost = "knative-local-gateway.istio-system.svc." + network.GetClusterDomainName()
+ IstioMeshGateway = "mesh"
 )

 // InferenceService Component enums
diff --git a/pkg/controller/v1beta1/inferenceservice/controller_test.go b/pkg/controller/v1beta1/inferenceservice/controller_test.go
index 4ea3ec6f370..b9aa13ada41 100644
--- a/pkg/controller/v1beta1/inferenceservice/controller_test.go
+++ b/pkg/controller/v1beta1/inferenceservice/controller_test.go
@@ -316,6 +316,7 @@ var _ = Describe("v1beta1 inference service controller", func() {
 Spec: istiov1beta1.VirtualService{
 Gateways: []string{
 constants.KnativeLocalGateway,
+ constants.IstioMeshGateway,
 constants.KnativeIngressGateway,
 },
 Hosts: []string{
@@ -326,7 +327,7 @@ var _ = Describe("v1beta1 inference service controller", func() {
 {
 Match: []*istiov1beta1.HTTPMatchRequest{
 {
- Gateways: []string{constants.KnativeLocalGateway},
+ Gateways: []string{constants.KnativeLocalGateway, constants.IstioMeshGateway},
 Authority: &istiov1beta1.StringMatch{
 MatchType: &istiov1beta1.StringMatch_Regex{
 Regex: constants.HostRegExp(network.GetServiceHostname(serviceKey.Name, serviceKey.Namespace)),
diff --git a/pkg/controller/v1beta1/inferenceservice/reconcilers/ingress/ingress_reconciler.go b/pkg/controller/v1beta1/inferenceservice/reconcilers/ingress/ingress_reconciler.go
index 61306da9dba..ae1a9aa3ce4 100644
--- a/pkg/controller/v1beta1/inferenceservice/reconcilers/ingress/ingress_reconciler.go
+++ b/pkg/controller/v1beta1/inferenceservice/reconcilers/ingress/ingress_reconciler.go
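Review bot: `IstioMeshGateway` is added to the `var (` block beside `LocalGatewayHost`, which makes it a mutable exported package variable even though, unlike `LocalGatewayHost`, its value does not depend on a function call. The reconciler in this commit writes the value into the gateway list of every generated VirtualService, so an accidental reassignment anywhere in the program would silently change routing for all InferenceServices. Declaring it as a constant with a doc comment avoids that, e.g. `// IstioMeshGateway is Istio's reserved gateway name that binds a VirtualService to the mesh sidecars.` above `const IstioMeshGateway = "mesh"`. The surrounding declaration blocks start and end outside the hunk.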
@@ -289,7 +289,7 @@ func createHTTPMatchRequest(prefix, targetHost, internalHost string, additionalH
 Regex: constants.HostRegExp(internalHost),
 },
 },
- Gateways: []string{config.LocalGateway},
+ Gateways: []string{config.LocalGateway, constants.IstioMeshGateway},
 },
 }
 if !isInternal {
@@ -431,6 +431,7 @@ func createIngress(isvc *v1beta1.InferenceService, useDefault bool, config *v1be

 gateways := []string{
 config.LocalGateway,
+ constants.IstioMeshGateway,
 }
 if !isInternal {
 hosts = append(hosts, serviceHost)
diff --git a/pkg/controller/v1beta1/inferenceservice/reconcilers/ingress/ingress_reconciler_test.go b/pkg/controller/v1beta1/inferenceservice/reconcilers/ingress/ingress_reconciler_test.go
index 7334a4698d6..ce64a2b89be 100644
--- a/pkg/controller/v1beta1/inferenceservice/reconcilers/ingress/ingress_reconciler_test.go
+++ b/pkg/controller/v1beta1/inferenceservice/reconcilers/ingress/ingress_reconciler_test.go
@@ -57,7 +57,7 @@ func TestCreateVirtualService(t *testing.T) {
 Regex: constants.HostRegExp(network.GetServiceHostname(serviceName, namespace)),
 },
 },
- Gateways: []string{constants.KnativeLocalGateway},
+ Gateways: []string{constants.KnativeLocalGateway, constants.IstioMeshGateway},
 },
 {
 Authority: &istiov1beta1.StringMatch{
@@ -132,7 +132,7 @@ func TestCreateVirtualService(t *testing.T) {
 ObjectMeta: metav1.ObjectMeta{Name: serviceName, Namespace: namespace, Annotations: annotations, Labels: labels},
 Spec: istiov1beta1.VirtualService{
 Hosts: []string{serviceInternalHostName, serviceHostName},
- Gateways: []string{constants.KnativeLocalGateway, constants.KnativeIngressGateway},
+ Gateways: []string{constants.KnativeLocalGateway, constants.IstioMeshGateway, constants.KnativeIngressGateway},
 Http: []*istiov1beta1.HTTPRoute{
 {
 Match: predictorRouteMatch,
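Review bot: The internal-host match in `createHTTPMatchRequest` now carries `constants.IstioMeshGateway`, so mesh clients are routed by their own sidecar and, as the commit message states, skip the gateway hop. Any AuthorizationPolicy, RequestAuthentication, rate limit or access log that an operator attached only to the local gateway workload would no longer see this traffic (inferred; no gateway policy is visible in the diff). A why-comment on the changed line would make the consequence explicit, e.g. `// mesh: sidecars route straight to the component service and bypass the local gateway; authn/authz must be enforced on the destination workload.` The function body begins and ends outside the hunk.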
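Review bot: In `createIngress`, `constants.IstioMeshGateway` joins the top-level `gateways` unconditionally, while `hosts` also receives `serviceHost` when `!isInternal` (and, per the updated test expectations, additional domains such as `my-domain.com`). The only match the commit tags with `mesh` is the internal-host authority regex, so the VirtualService is now bound on sidecars for external hostnames that no mesh-scoped route matches, and those hostnames apply in every namespace the VirtualService is exported to; how Istio resolves such requests is not shown here and should be confirmed. I would document the intent next to the slice, e.g. `// mesh binds this VirtualService to sidecars; only the internal-host match is mesh-scoped, external hosts stay gateway-only.`, and add a test case for a mesh client addressing the external host. The function continues outside the hunk.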
@@ -187,7 +187,7 @@ func TestCreateVirtualService(t *testing.T) {
 ObjectMeta: metav1.ObjectMeta{Name: serviceName, Namespace: namespace, Annotations: annotations, Labels: labels},
 Spec: istiov1beta1.VirtualService{
 Hosts: []string{serviceInternalHostName},
- Gateways: []string{constants.KnativeLocalGateway},
+ Gateways: []string{constants.KnativeLocalGateway, constants.IstioMeshGateway},
 Http: []*istiov1beta1.HTTPRoute{
 {
 Match: []*istiov1beta1.HTTPMatchRequest{
@@ -197,7 +197,7 @@ func TestCreateVirtualService(t *testing.T) {
 Regex: constants.HostRegExp(network.GetServiceHostname(serviceName, namespace)),
 },
 },
- Gateways: []string{constants.KnativeLocalGateway},
+ Gateways: []string{constants.KnativeLocalGateway, constants.IstioMeshGateway},
 },
 },
 Route: []*istiov1beta1.HTTPRouteDestination{
@@ -295,7 +295,7 @@ func TestCreateVirtualService(t *testing.T) {
 ObjectMeta: metav1.ObjectMeta{Name: serviceName, Namespace: namespace, Annotations: annotations, Labels: labels},
 Spec: istiov1beta1.VirtualService{
 Hosts: []string{serviceInternalHostName, serviceHostName},
- Gateways: []string{constants.KnativeLocalGateway, constants.KnativeIngressGateway},
+ Gateways: []string{constants.KnativeLocalGateway, constants.IstioMeshGateway, constants.KnativeIngressGateway},
 Http: []*istiov1beta1.HTTPRoute{
 {
 Match: predictorRouteMatch,
@@ -367,7 +367,7 @@ func TestCreateVirtualService(t *testing.T) {
 ObjectMeta: metav1.ObjectMeta{Name: serviceName, Namespace: namespace, Annotations: annotations, Labels: labels},
 Spec: istiov1beta1.VirtualService{
 Hosts: []string{serviceInternalHostName, serviceHostName},
- Gateways: []string{constants.KnativeLocalGateway, constants.KnativeIngressGateway},
+ Gateways: []string{constants.KnativeLocalGateway, constants.IstioMeshGateway, constants.KnativeIngressGateway},
 Http: []*istiov1beta1.HTTPRoute{
 {
 Match: predictorRouteMatch,
@@ -466,7 +466,7 @@ func TestCreateVirtualService(t *testing.T) {
 ObjectMeta: metav1.ObjectMeta{Name: serviceName, Namespace: namespace, Annotations: annotations, Labels: labels},
 Spec: istiov1beta1.VirtualService{
 Hosts: []string{serviceInternalHostName, serviceHostName},
- Gateways: []string{constants.KnativeLocalGateway, constants.KnativeIngressGateway},
+ Gateways: []string{constants.KnativeLocalGateway, constants.IstioMeshGateway, constants.KnativeIngressGateway},
 Http: []*istiov1beta1.HTTPRoute{
 {
 Match: []*istiov1beta1.HTTPMatchRequest{
@@ -481,7 +481,7 @@ func TestCreateVirtualService(t *testing.T) {
 Regex: constants.HostRegExp(network.GetServiceHostname(serviceName, namespace)),
 },
 },
- Gateways: []string{constants.KnativeLocalGateway},
+ Gateways: []string{constants.KnativeLocalGateway, constants.IstioMeshGateway},
 },
 {
 Uri: &istiov1beta1.StringMatch{
@@ -567,7 +567,7 @@ func TestCreateVirtualService(t *testing.T) {
 ObjectMeta: metav1.ObjectMeta{Name: serviceName, Namespace: namespace, Annotations: annotations, Labels: labels},
 Spec: istiov1beta1.VirtualService{
 Hosts: []string{serviceInternalHostName, serviceHostName, "my-domain.com"},
- Gateways: []string{constants.KnativeLocalGateway, constants.KnativeIngressGateway},
+ Gateways: []string{constants.KnativeLocalGateway, constants.IstioMeshGateway, constants.KnativeIngressGateway},
 Http: []*istiov1beta1.HTTPRoute{
 {
 Match: []*istiov1beta1.HTTPMatchRequest{
@@ -577,7 +577,7 @@ func TestCreateVirtualService(t *testing.T) {
 Regex: constants.HostRegExp(network.GetServiceHostname(serviceName, namespace)),
 },
 },
- Gateways: []string{constants.KnativeLocalGateway},
+ Gateways: []string{constants.KnativeLocalGateway, constants.IstioMeshGateway},
 },
 {
 Authority: &istiov1beta1.StringMatch{
@@ -689,7 +689,7 @@ func TestCreateVirtualService(t *testing.T) { Spec: istiov1beta1.VirtualService{ Hosts: []string{serviceInternalHostName, serviceHostName, "my-domain.com", "my-model.test.my-additional-domain.com", "my-model.test.my-second-additional-domain.com"}, - Gateways: []string{constants.KnativeLocalGateway, constants.KnativeIngressGateway}, + Gateways: []string{constants.KnativeLocalGateway, constants.IstioMeshGateway, constants.KnativeIngressGateway}, Http: []*istiov1beta1.HTTPRoute{ { Match: []*istiov1beta1.HTTPMatchRequest{ @@ -699,7 +699,7 @@ func TestCreateVirtualService(t *testing.T) { Regex: constants.HostRegExp(network.GetServiceHostname(serviceName, namespace)), }, }, - Gateways: []string{constants.KnativeLocalGateway}, + Gateways: []string{constants.KnativeLocalGateway, constants.IstioMeshGateway}, }, { Authority: &istiov1beta1.StringMatch{ @@ -820,7 +820,7 @@ func TestCreateVirtualService(t *testing.T) { ObjectMeta: metav1.ObjectMeta{Name: serviceName, Namespace: namespace, Annotations: annotations, Labels: labels}, Spec: istiov1beta1.VirtualService{ Hosts: []string{serviceInternalHostName, serviceHostName}, - Gateways: []string{constants.KnativeLocalGateway, constants.KnativeIngressGateway}, + Gateways: []string{constants.KnativeLocalGateway, constants.IstioMeshGateway, constants.KnativeIngressGateway}, Http: []*istiov1beta1.HTTPRoute{ { Match: predictorRouteMatch, @@ -891,7 +891,7 @@ func TestCreateVirtualService(t *testing.T) { ObjectMeta: metav1.ObjectMeta{Name: serviceName, Namespace: namespace, Annotations: annotations, Labels: labels}, Spec: istiov1beta1.VirtualService{ Hosts: []string{serviceInternalHostName, serviceHostName}, - Gateways: []string{constants.KnativeLocalGateway, constants.KnativeIngressGateway}, + Gateways: []string{constants.KnativeLocalGateway, constants.IstioMeshGateway, constants.KnativeIngressGateway}, Http: []*istiov1beta1.HTTPRoute{ { Match: predictorRouteMatch, 
@@ -1089,7 +1089,7 @@ func TestCreateVirtualService(t *testing.T) {
 }},
 Spec: istiov1beta1.VirtualService{
 Hosts: []string{serviceInternalHostName},
- Gateways: []string{constants.KnativeLocalGateway},
+ Gateways: []string{constants.KnativeLocalGateway, constants.IstioMeshGateway},
 Http: []*istiov1beta1.HTTPRoute{
 {
 Match: []*istiov1beta1.HTTPMatchRequest{
@@ -1099,7 +1099,7 @@ func TestCreateVirtualService(t *testing.T) {
 Regex: constants.HostRegExp(network.GetServiceHostname(serviceName, namespace)),
 },
 },
- Gateways: []string{constants.KnativeLocalGateway},
+ Gateways: []string{constants.KnativeLocalGateway, constants.IstioMeshGateway},
 },
 },
 Route: []*istiov1beta1.HTTPRouteDestination{