Inspect API `/_rules` to include the list of outbounds

kumahq / kuma

🐻 The multi-zone service mesh for containers, Kubernetes and VMs. Built with Envoy. CNCF Sandbox Project.

https://kuma.io/install

Apache License 2.0

3.67k stars 333 forks source link

Inspect API `/_rules` to include the list of outbounds #11500

Open lobkovilya opened 1 month ago

lobkovilya commented 1 month ago

Description

Kuma GUI needs to create cross links to MS, MES, MMZS even when there are no specific rules for them.

We need to include the list of outbounds, like:

outbounds:
- name: demo-app-2955c88v9z48dww6.kuma-demo # core name
  envoy: default_demo-app_kuma-demo_west_msvc_5000
  resourceIdentifier:
    type: MeshService
    mesh: default
    displayName: demo-app
    namespace: kuma-demo
    zone: west
    sectionName: "5000"

and change toResourceRules[].resourceMeta to resourceIdentifier:

toResourceRules:
  - conf: {...}
    origins: [...]
    resourceIdentifier:
      type: MeshService
      mesh: default
      displayName: demo-app
      namespace: kuma-demo
      zone: west
      sectionName: "5000"

Matching between item in outbounds and item in toResourceRules should be done by using the resourceIdentifier.

The only place where we have name with hash is outbounds[].name and it only should be used for creating cross links (until Kuma API gets endpoints that accept resourceIdentifier).

lahabana commented 1 month ago

I like this! Couple of points:

What happens when one of the field is empty (.e.g: zone)?
If we put outbounds should we put inbounds too?

Does this only exist in the _rules api or it's part of a datastructure that's more internal and that we could use in the XDS config generation?

lahabana commented 1 month ago

I'm curious also if we could add in the future internal and external inbounds/outbounds

lobkovilya commented 1 month ago

What happens when one of the field is empty (.e.g: zone)?

Empty fields in ResourceIdentifier are meaningful, i.e. resources from global will have their zone empty, resources from universal will have their namespace empty.

If we put outbounds should we put inbounds too?

Yeah, I don't see why not, it's basically exactly the same format as outbounds, being able to make cross links to inbound's MeshService is useful as well.

Does this only exist in the _rules api or it's part of a datastructure that's more internal and that we could use in the XDS config generation?

We already have a list of outbounds in the Proxy struct, but we don't call dataplane_proxy_builder.go for _rules at this moment. Though we do it in other Inspect API endpoints.

I'm curious also if we could add in the future internal and external inbounds/outbounds

by internal you mean like envoy admin or prometheus listeners or what exactly?

johncowen commented 1 month ago

I'm guessing that if I have a list/map of outbounds (and in the future inbounds), then I no longer need to parse the envoy stats for the names of things. I can just look up the stats/values I need based on this list instead? Also means I don't need to filter out internal inbounds/outbounds etc etc.

We can obvs make any changes related to that ^ after 2.9