Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Istio user agent to kube-client used in istioctl and other binaries #33120

Merged
merged 15 commits into from
Jun 10, 2021
Merged

Add Istio user agent to kube-client used in istioctl and other binaries #33120

merged 15 commits into from
Jun 10, 2021

Conversation

mandarjog
Copy link
Contributor

@mandarjog mandarjog commented May 26, 2021
edited
Loading

Add istio-user-agent string to api server calls from istio for auditability.

resolves #28231

  1. Use pkg/version to generation version string for user-agent.
  2. Consolidate multiple paths to build a kubeclient.
  3. Add klog support for client-go. The standard -v=x option cannot be used because we use it elsewhere. istioctl renames the option, and makes it a long form option with --vklog.

--

Following is output with --vkog=9. This flag was also added as part of this PR. shows -H "User-Agent: istioctl/1.11-dev"

jog@dev3:~/go/src/istio.io/istio$ ./out/linux_amd64/istioctl version -vklog=9
I0608 07:11:00.050509  250705 loader.go:372] Config loaded from file:  /home/mjog/.kube/config
I0608 07:11:00.051002  250705 loader.go:372] Config loaded from file:  /home/mjog/.kube/config
I0608 07:11:00.052499  250705 round_trippers.go:435] curl -k -v -XGET  -H "Accept: application/json, */*" -H "User-Agent: istioctl/1.11-dev" 'https://34.67.144.238/api/v1/namespaces/istio-system/pods?fieldSelector=status.phase%3DRunning&labelSelector=app%3Distiod&timeout=10m0s'
I0608 07:11:00.180675  250705 round_trippers.go:454] GET https://34.67.144.238/api/v1/namespaces/istio-system/pods?fieldSelector=status.phase%3DRunning&labelSelector=app%3Distiod&timeout=10m0s 200 OK in 128 milliseconds
I0608 07:11:00.180739  250705 round_trippers.go:460] Response Headers:
I0608 07:11:00.180774  250705 round_trippers.go:463]     Cache-Control: no-cache, private
I0608 07:11:00.180805  250705 round_trippers.go:463]     Content-Type: application/json
I0608 07:11:00.180834  250705 round_trippers.go:463]     Date: Tue, 08 Jun 2021 07:11:00 GMT
I0608 07:11:00.180838  250705 round_trippers.go:463]     Audit-Id: 1c8eebbc-0860-4ac0-8f9e-278b54c8bd8c
I0608 07:11:00.213594  250705 request.go:1123] Response Body {...}

@mandarjog mandarjog requested review from richardwxn and ostromart May 26, 2021 15:51
@mandarjog mandarjog requested review from a team as code owners May 26, 2021 15:51
@istio-testing istio-testing added the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label May 26, 2021
@google-cla google-cla bot added the cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. label May 26, 2021
@istio-testing istio-testing added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label May 26, 2021
howardjohn
howardjohn reviewed May 26, 2021
View reviewed changes
Copy link
Member

@howardjohn howardjohn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good

operator/cmd/mesh/upgrade.go
@@ -443,7 +444,7 @@ type ExecClient interface {

// NewClient is the constructor for the client wrapper
func NewClient(kubeconfig, configContext string) (*Client, error) {
config, err := defaultRestConfig(kubeconfig, configContext)
config, err := kube.DefaultRestConfig(kubeconfig, configContext)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems simpler change but should it be in another PR?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh nevermind, i see we are setting user agent at a very low level

@istio-testing istio-testing added the needs-rebase Indicates a PR needs to be rebased before being merged label Jun 8, 2021
@istio-testing istio-testing removed the needs-rebase Indicates a PR needs to be rebased before being merged label Jun 8, 2021
@mandarjog mandarjog changed the title WIP: Istio user agent Add Istio user agent to kube-client used in istioctl and other binaries Jun 8, 2021
@istio-testing istio-testing removed the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Jun 8, 2021
@mandarjog
Copy link
Contributor Author

/test gencheck_istio

howardjohn
howardjohn reviewed Jun 9, 2021
View reviewed changes
Copy link
Member

@howardjohn howardjohn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM except comments on the vklog stuff. I think its awesome but may need some tweaks

istioctl/cmd/istioctl/main.go Outdated
// EnableKlogWithCobra enables klog to work with cobra / pflags.
// k8s libraries like client-go use klog.
func EnableKlogWithCobra() {
klog.InitFlags(nil)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does passing nil (which then uses goflag.CommandLine) cause any issues here in help messages, etc? Should we create a dedicated FlagSet for this so it doesn't unexpectedly leak out?

istioctl/cmd/istioctl/main.go Outdated
Usage: gf.Usage + ". Like -v flag. ex: --vklog=9",
}))

klog.SetLogger(nil)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I understand the situation correctly:

Today we can enable "debug" logs from klog with --log_output_level=klog:debug. This uses our logging system (json, stackdriver, etc). But it uses the default klog verbosity level which is not 9.

This pr allows setting the klog verbosity, but it doesn't use our logging system. I think if you remove this line it will allow --vklog to work, but it also requires --log_output_level=klog:debug. It seems preferable to use our logging system, but maybe we can improve the UX

I feel like this is something that is generally useful outside of istioctl - I have often wanted this in istiod. Maybe we should make it so it can be configured as part of istio/pkg? Not sure the UX we want here though (new flag, --log_output_level=klog:debug for most cases and env var to tune -v level, etc).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, once we have it in istioctl, we will add it to add binaries.
In a previous version of the PR I had enabled it by mistake on istiod and is spews logs, but it is very useful.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we at least remove klog.SetLogger(nil) so it uses our logging system?

howardjohn
howardjohn approved these changes Jun 10, 2021
View reviewed changes
istioctl/cmd/istioctl/main.go Outdated
Usage: gf.Usage + ". Like -v flag. ex: --vklog=9",
}))

klog.SetLogger(nil)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we at least remove klog.SetLogger(nil) so it uses our logging system?

@mandarjog mandarjog requested a review from a team as a code owner June 10, 2021 06:46
@mandarjog
Copy link
Contributor Author

mandarjog commented Jun 10, 2021
edited
Loading

@howardjohn I removed a bunch of code and now setting --vklog will correctly adjust the loglevel for klog so the user does not need to provide additional --log_output_level=klog:debug.
I will move all this into istio.io/pkg soon.

@mandarjog
Copy link
Contributor Author

@esnible @therealmitchconnors for UX.

@mandarjog
Copy link
Contributor Author

/test integ-security-multicluster-tests_istio

@istio-testing istio-testing merged commit 177cd70 into istio:master Jun 10, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@howardjohn howardjohn howardjohn approved these changes

@esnible esnible esnible approved these changes

@richardwxn richardwxn Awaiting requested review from richardwxn

@ostromart ostromart Awaiting requested review from ostromart

@costinm costinm Awaiting requested review from costinm costinm is a code owner

@linsun linsun Awaiting requested review from linsun linsun is a code owner

@nmittler nmittler Awaiting requested review from nmittler

Assignees
No one assigned
Labels
cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Istio binaries should set kubeclient UserAgent with version
4 participants
@mandarjog @howardjohn @esnible @istio-testing