Istio
- Canonical Observability
| Channel | Revision | Published | Runs on |
|---|---|---|---|
| latest/edge | 23 | 17 Apr 2025 |
juju deploy istio-k8s --channel edge
Deploy universal operators easily with Juju, the Universal Operator Lifecycle Manager.
Platform:
22.04
-
- Last updated
- Revision Library version 0.2
"""istio_ingress_config.
This library implements endpoint wrappers for the istio-ingress-config interface.
Currently, it facilitates the exchange of external authorizer configuration details such as the service name, port and a provider identifier.
Usage:
Requirer (istio k8s charm):
class FooCharm(CharmBase):
def __init__(self, framework):
super().__init__(framework)
self.ingress_config = IngressConfigRequirer(self.model.relations, self.app, "istio-ingress-config")
self.framework.observe(self.on["istio-ingress-config"].relation_changed, self._on_ingress_config_changed)
self.framework.observe(self.on["istio-ingress-config"].relation_broken, self._on_ingress_config_changed)
def _on_ingress_config_changed(self, event):
# Publish a unique ext_authz_provider_name for each connected ingress provider.
for relation in self.ingress_config.relations:
if self.ingress_config.is_provider_ready(relation):
ext_authz_info = self.ingress_config.get_provider_ext_authz_info(relation)
unique_name = generate_provider_name(relation.app.name, ext_authz_info) # type: ignore
self.ingress_config.publish_ext_authz_provider_name(relation, unique_name)
def generate_provider_name(
ingress_app_name: str, ext_authz_info: ProviderIngressConfigData
) -> str:
data = f"{ext_authz_info.ext_authz_service_name}:{ext_authz_info.ext_authz_port}"
stable_hash = hashlib.sha256(data.encode("utf-8")).hexdigest()
return f"ext_authz-{ingress_app_name}-{stable_hash}"
...
Provider (istio ingress charm):
class FooCharm(CharmBase):
def __init__(self, framework):
super().__init__(framework)
self.ingress_config = IngressConfigProvider(self.model.relations, self.app, "istio-ingress-config")
self.framework.observe(self.on.leader_elected, self.publish_config)
self.framework.observe(self.on["istio-ingress-config"].relation_joined, self.publish_config)
self.framework.observe(self.on.some_event, self.publish_config)
def publish_config(self, event):
# Publish the ext_authz service details to our databag.
self.ingress_config.publish(ext_authz_service_name="my-ext_authz-service", ext_authz_port="8080")
# Later, fetch the ext_authz provider name generated by the requirer:
if self.ingress_config.is_requirer_ready():
provider_name = self.ingress_config.get_ext_authz_provider_name()
# Do something with provider_name
...
"""
import logging
from typing import List, Optional
from ops import Application, Relation, RelationMapping
from pydantic import BaseModel, Field, field_validator
# The unique Charmhub library identifier, never change it
LIBID = "12331b5ac41547e087edd7ac993176ed"
# Increment this major API version when introducing breaking changes
LIBAPI = 0
# Increment this PATCH version before using `charmcraft publish-lib` or reset
# to 0 if you are raising the major API version
LIBPATCH = 2
DEFAULT_RELATION_NAME = "istio-ingress-config"
PYDEPS = ["pydantic>=2"]
FAKE_EXT_AUTHZ_SERVICE_NAME = "fake_host"
FAKE_EXT_AUTHZ_PORT = "5432"
log = logging.getLogger(__name__)
class ProviderIngressConfigData(BaseModel):
"""Data model for the provider side of the relation.
Holds the external authorizer service name and port information.
"""
ext_authz_service_name: Optional[str] = Field(
default=None,
description="The external authorizer service name provided by the ingress charm.",
)
ext_authz_port: Optional[str] = Field(
default=None, description="The port on which the external authorizer service is exposed."
)
@field_validator("ext_authz_port")
@classmethod
def validate_ext_authz_port(cls, port: Optional[str]) -> Optional[str]:
"""Ensure port is convertible to int."""
if port is None:
return port
try:
int(port)
except ValueError:
raise ValueError(f"ext_authz_port must be convertible to an integer, got {port!r}")
return port
class RequirerIngressConfigData(BaseModel):
"""Data model for the requirer side of the relation.
Holds the generated external authorizer provider name and the ingress charm's application name.
"""
ext_authz_provider_name: Optional[str] = Field(
default=None,
description="The generated external authorizer provider name.",
)
class IngressConfigProvider:
"""Provider side wrapper for the istio-ingress-config relation.
The provider (ingress charm) publishes its external authorizer service name and port and
can fetch the generated external authorizer provider name from the requirer's databag.
"""
def __init__(
self,
relation_mapping: RelationMapping,
app: Application,
relation_name: str = DEFAULT_RELATION_NAME,
) -> None:
"""Initialize the IngressConfigProvider.
Args:
relation_mapping: The charm's RelationMapping (typically self.model.relations).
app: This application (the ingress charm).
model_name: This application juju model (the ingress charm).
relation_name: The name of the relation.
"""
self._charm_relation_mapping = relation_mapping
self._app = app
self._relation_name = relation_name
@property
def relations(self) -> List[Relation]:
"""Return the relation instances for the monitored relation."""
return self._charm_relation_mapping.get(self._relation_name, [])
def publish(
self, ext_authz_service_name: Optional[str] = None, ext_authz_port: Optional[str] = None
):
"""Publish external authorizer configuration data to all related applications.
Args:
ext_authz_service_name: The external authorizer service name.
ext_authz_port: The port number for the external authorizer service.
"""
data = ProviderIngressConfigData(
ext_authz_service_name=ext_authz_service_name,
ext_authz_port=ext_authz_port,
).model_dump(mode="json", by_alias=True, exclude_defaults=True, round_trip=True)
for relation in self.relations:
databag = relation.data[self._app]
databag.update(data)
log.debug("Published provider data: %s to relation: %s", data, relation)
def clear(self) -> None:
"""Clear the local application databag."""
# Workaround for https://github.com/juju/juju/issues/19474:
# TODO: switch the below to databag.clear() when issue is fixed
# We cannot clear a databag in cross-model relations, so we publish a fake config instead.
self.publish(
ext_authz_service_name=FAKE_EXT_AUTHZ_SERVICE_NAME,
ext_authz_port=FAKE_EXT_AUTHZ_PORT,
)
def get_ext_authz_provider_name(self) -> Optional[str]:
"""Fetch the external authorizer provider name generated by the requirer for this provider.
Returns:
The generated external authorizer provider name if available, else None.
"""
if not self.relations:
return None
relation = self.relations[0]
raw_data = getattr(relation, "data", {}).get(relation.app, {})
if not raw_data:
return None
try:
return RequirerIngressConfigData.model_validate(raw_data).ext_authz_provider_name
except Exception as e:
log.debug("Failed to validate requirer data: %s", e)
return None
def is_ready(self) -> bool:
"""Guard to check if the generated external authorizer provider name is present.
Returns:
True if the external authorizer provider name has been published by the requirer.
"""
return self.get_ext_authz_provider_name() is not None
class IngressConfigRequirer:
"""Requirer side wrapper for the istio-ingress-config relation.
The requirer generates and publishes a unique external authorizer provider name
for a connected ingress charm. It can also check that the provider has published
its required external authorizer service configuration.
"""
def __init__(
self,
relation_mapping: RelationMapping,
app: Application,
relation_name: str = DEFAULT_RELATION_NAME,
) -> None:
"""Initialize the IngressConfigRequirer.
Args:
relation_mapping: The charm's RelationMapping (typically self.model.relations).
app: This application.
relation_name: The name of the relation.
"""
self._charm_relation_mapping = relation_mapping
self._app = app
self._relation_name = relation_name
@property
def relations(self) -> List[Relation]:
"""Return the relation instances for the monitored relation."""
return self._charm_relation_mapping.get(self._relation_name, [])
def publish_ext_authz_provider_name(self, relation: Relation, unique_name: str) -> None:
"""Publish a unique external authorizer provider name and ingress provider name for a connected ingress charm.
The provided unique_name is stored as the ext_authz_provider_name, and the ingress charm's
application name is stored as ingress_provider_name.
Args:
relation: A specific relation instance.
unique_name: The unique external authorizer provider name to publish.
"""
data = RequirerIngressConfigData(
ext_authz_provider_name=unique_name,
).model_dump(mode="json", by_alias=True, exclude_defaults=True, round_trip=True)
relation.data[self._app].update(data)
log.debug("Published requirer data: %s", data)
def get_provider_ext_authz_info(
self, relation: Relation
) -> Optional[ProviderIngressConfigData]:
"""Retrieve the entire provider app databag for the given relation.
This method retrieves the data that the provider (ingress charm) has published,
validates it using the ProviderIngressConfigData model, and returns the model instance.
Args:
relation: A specific relation instance.
Returns:
An instance of ProviderIngressConfigData if available and valid, else None.
"""
raw_data = getattr(relation, "data", {}).get(relation.app, {})
if not raw_data:
return None
try:
return ProviderIngressConfigData.model_validate(raw_data)
except Exception as e:
log.debug("Failed to validate provider data: %s", e)
return None
def is_fake_authz_config(self, relation: Relation) -> bool:
"""Check if the provider has published a fake external authorization configuration.
Returns:
True if any of the provider relations contains fake authz configuration, else False.
"""
# Workaround for https://github.com/juju/juju/issues/19474:
# TODO: remove this function entirely as it becomes redunant when issue is fixed
# We cannot clear a databag in cross-model relations, so we publish a fake config instead.
provider_info = self.get_provider_ext_authz_info(relation)
if provider_info is not None:
if (
provider_info.ext_authz_service_name == FAKE_EXT_AUTHZ_SERVICE_NAME
and provider_info.ext_authz_port == FAKE_EXT_AUTHZ_PORT
):
return True
return False
def is_ready(self, relation: Relation) -> bool:
"""Guard to check if the provider has published its external authorizer service configuration.
Args:
relation: A specific relation instance.
Returns:
True if both ext_authz_service_name and ext_authz_port are present in the provider's databag.
"""
provider_info = self.get_provider_ext_authz_info(relation)
if provider_info is None:
return False
return (
provider_info.ext_authz_service_name is not None
and provider_info.ext_authz_port is not None
)
def get_ext_authz_provider_name(self, relation: Relation) -> Optional[str]:
"""Retrieve the generated external authorizer provider name for the given provider.
Args:
relation: A specific relation instance.
Returns:
The external authorizer provider name if available, else None.
"""
raw_data = getattr(relation, "data", {}).get(self._app, {})
if not raw_data:
return None
try:
requirer_data = RequirerIngressConfigData.model_validate(raw_data)
return requirer_data.ext_authz_provider_name
except Exception as e:
log.debug("Failed to retrieve external authorizer provider name: %s", e)
return None
%27%20fill%3D%27%23E95420%27%3E%3Cpath%20d%3D%27m15.839%205.293-1.447-2.8a.136.136%200%200%200-.051-.055.144.144%200%200%200-.074-.02h-5.8a.143.143%200%200%200-.091.03.13.13%200%200%200-.034.17.138.138%200%200%200%20.072.06l7.251%202.8a.144.144%200%200%200%20.17-.054.13.13%200%200%200%20.007-.13l-.003-.001ZM11.839%204.945.073.223A.073.073%200%200%200%20.026.221a.07.07%200%200%200-.038.027.065.065%200%200%200%20.007.086l7.962%208.182a.069.069%200%200%200%20.049.022.072.072%200%200%200%20.047-.019l3.805-3.461a.066.066%200%200%200%20.02-.061.065.065%200%200%200-.014-.03.07.07%200%200%200-.028-.02l.003-.002ZM5.382%207.183a.071.071%200%200%200-.062-.022.07.07%200%200%200-.03.011.067.067%200%200%200-.023.025l-4.13%207.696a.065.065%200%200%200-.005.046.068.068%200%200%200%20.027.038.072.072%200%200%200%20.09-.006L7.13%209.18a.066.066%200%200%200%200-.087l-1.75-1.91Z%27%2F%3E%3C%2Fg%3E%3Cdefs%3E%3CclipPath%20id%3D%27a%27%3E%3Cpath%20fill%3D%27%23fff%27%20d%3D%27M0%200h15.83v15.21H0z%27%2F%3E%3C%2FclipPath%3E%3C%2Fdefs%3E%3C%2Fsvg%3E)
%27%20fill%3D%27%23E95420%27%3E%3Cpath%20d%3D%27M1.936%202.592c.668%200%201.21-.515%201.21-1.151S2.604.29%201.936.29C1.267.29.726.805.726%201.44c0%20.637.541%201.152%201.21%201.152ZM14.56.576H3.404a1.587%201.587%200%200%201%20.024%201.69l-.026.04h11.156a.56.56%200%200%200%20.386-.15.518.518%200%200%200%20.16-.369v-.692a.502.502%200%200%200-.16-.369.543.543%200%200%200-.386-.15ZM1.936%206.701c.668%200%201.21-.515%201.21-1.15%200-.637-.542-1.152-1.21-1.152-.669%200-1.21.515-1.21%201.151s.541%201.151%201.21%201.151ZM14.56%204.685H3.404a1.612%201.612%200%200%201%20.242%201.083c-.03.215-.105.421-.219.608l-.026.04h11.157a.56.56%200%200%200%20.386-.15.518.518%200%200%200%20.16-.37v-.692a.5.5%200%200%200-.16-.369.542.542%200%200%200-.386-.15ZM1.936%2010.81c.668%200%201.21-.515%201.21-1.15%200-.637-.542-1.152-1.21-1.152-.669%200-1.21.515-1.21%201.151s.541%201.151%201.21%201.151ZM14.56%208.795H3.404a1.611%201.611%200%200%201%20.243%201.082%201.581%201.581%200%200%201-.245.648h11.156a.559.559%200%200%200%20.386-.15.517.517%200%200%200%20.16-.37v-.692a.502.502%200%200%200-.16-.368.543.543%200%200%200-.386-.15ZM1.936%2014.92c.668%200%201.21-.515%201.21-1.15%200-.637-.542-1.152-1.21-1.152-.669%200-1.21.515-1.21%201.151s.541%201.151%201.21%201.151ZM14.56%2012.904H3.404a1.611%201.611%200%200%201%20.242%201.082%201.58%201.58%200%200%201-.219.608l-.026.04h11.157a.562.562%200%200%200%20.386-.15.517.517%200%200%200%20.16-.37v-.692a.5.5%200%200%200-.16-.369.543.543%200%200%200-.386-.15Z%27%2F%3E%3C%2Fg%3E%3Cdefs%3E%3CclipPath%20id%3D%27a%27%3E%3Cpath%20fill%3D%27%23fff%27%20d%3D%27M0%200h15.83v15.21H0z%27%2F%3E%3C%2FclipPath%3E%3C%2Fdefs%3E%3C%2Fsvg%3E)
%27%20fill%3D%27%23E95420%27%3E%3Cpath%20d%3D%27M9.618.272c-.634%200-1.243.243-1.691.674-.448.43-.7%201.015-.701%201.624v4.221a1.9%201.9%200%200%201%201.362%200v-4.22a.955.955%200%200%201%20.291-.72%201.067%201.067%200%200%201%201.479%200%20.955.955%200%200%201%20.29.719v.962h1.363V2.57c0-.61-.253-1.194-.702-1.625A2.445%202.445%200%200%200%209.618.272ZM9.017%208.433c0%20.21-.065.417-.187.593a1.102%201.102%200%200%201-.499.393c-.203.08-.426.102-.642.06a1.125%201.125%200%200%201-.568-.292%201.055%201.055%200%200%201-.304-.547%201.028%201.028%200%200%201%20.064-.616c.084-.195.226-.362.41-.479a1.143%201.143%200%200%201%201.401.133c.103.1.185.217.24.347.057.129.085.268.085.408ZM2.773%205.855c-.634.001-1.242.244-1.69.674C.633%206.96.381%207.545.38%208.154v4.082a1.901%201.901%200%200%201%201.363%200V8.154a.955.955%200%200%201%20.29-.719%201.067%201.067%200%200%201%201.479%200%20.955.955%200%200%201%20.29.719v.962h1.363v-.962c0-.61-.253-1.194-.702-1.625a2.444%202.444%200%200%200-1.69-.674ZM2.166%2013.878c0%20.21-.065.415-.186.59-.121.174-.294.31-.496.39-.202.08-.424.102-.638.06a1.119%201.119%200%200%201-.565-.29%201.049%201.049%200%200%201-.302-.543c-.043-.206-.02-.42.063-.614.084-.194.225-.36.407-.476a1.136%201.136%200%200%201%201.394.133%201.024%201.024%200%200%201%20.323.75Z%27%2F%3E%3Cpath%20d%3D%27M14.752%204.76a1.789%201.789%200%200%201-.681-.126v2.411a.972.972%200%200%201-.312.682c-.193.179-.45.28-.718.28-.268%200-.526-.101-.718-.28a.972.972%200%200%201-.312-.682V4.32h-1.363v2.726c0%20.61.252%201.195.7%201.626a2.443%202.443%200%200%200%201.692.673c.635%200%201.244-.242%201.692-.673.449-.431.7-1.016.7-1.626v-2.41a1.9%201.9%200%200%201-.68.125ZM15.858%202.822c.037.225%200%20.455-.107.658a1.1%201.1%200%200%201-.49.472%201.161%201.161%200%200%201-1.302-.198%201.04%201.04%200%200%201-.206-1.251%201.1%201.1%200%200%201%20.492-.47%201.161%201.161%200%200%201%201.299.199c.166.16.276.366.314.59ZM7.907%2010.2c-.233%200-.465-.042-.681-.126V12.6a.97.97%200%200%201-.302.7%201.05%201.05%200%200%201-.728.29%201.05%201.05%200%200%201-.728-.29.97.97%200%200%201-.302-.7V9.845H3.804V12.6c0%20.61.252%201.194.7%201.625a2.443%202.443%200%200%200%201.692.674c.634%200%201.243-.243%201.692-.674.448-.43.7-1.015.7-1.625v-2.526a1.887%201.887%200%200%201-.68.127Z%27%2F%3E%3C%2Fg%3E%3Cdefs%3E%3CclipPath%20id%3D%27a%27%3E%3Cpath%20fill%3D%27%23fff%27%20d%3D%27M0%200h15.83v15.21H0z%27%2F%3E%3C%2FclipPath%3E%3C%2Fdefs%3E%3C%2Fsvg%3E)