istio
Donot merge DR with different exportTo
Please provide a description of this PR:
Previously we merge VirtualServices resides in a namespace even they exportTo different namespaces. This is not right, #52519 reported a inconsistency with this bug.
Now with this patch, it will check exportTo, not merge them until exportTo equals.
does the oldest resource heuristic take place first or does exportTo preempt it
I donot think they are correlated, definitely oldest take preference if the exportTo satisfy. If the oldest doesnot satifsy, then find the newer one
I think this is is still a breaking change and at minimum needs to be behind a compatibility version
No, this is not a breaking change. Unless i missed something
I think I would feel comfortable approving if this is behind a feature flag. As @howardjohn mentioned, we've had a lot of breakage in this area of the code lately, and I'm conscious of minimizing risk
@howardjohn The original issue is on 1.20. #48312 has fixed a case
With this pr feature enabled :
k exec -ti istiod-6fc7bb65bd-bmpt6 -n istio-system -- curl 127.0.0.1:8080/debug/sidecarz?proxyID=sleep |jq |grep dest -n30
1-{
2: "destinationRules": {
3- "httpbin.mesh.global": [
4- {
5- "exportTo": {
6- "default": {},
7- "test": {}
8- },
9- "from": [
10- {
11- "Namespace": "test",
12- "Name": "httpbin-dr"
13- }
14- ],
15- "rule": {
16- "type": {
With this feature disabled
k exec -ti istiod-84f5757589-vf5qf -n istio-system -- curl 127.0.0.1:8080/debug/sidecarz?proxyID=sleep |jq |grep dest -n30
1-{
2: "destinationRules": {
3- "httpbin.mesh.global": [
4- {
5- "exportTo": {
6- "default": {},
7- "test": {}
8- },
9- "from": [
10- {
11- "Namespace": "test",
12- "Name": "httpbin-dr"
13- },
14- {
15- "Namespace": "test",
16- "Name": "httpbin-ingress-dr"
17- }
18- ],
19- "rule": {
@howardjohn Can you run the latest code, and have a compare with different exportTo by looking up /debug/sidecarz