This is an automated email from the ASF dual-hosted git repository.
zhongxjian pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/dubbo-kubernetes.git
The following commit(s) were added to refs/heads/master by this push:
new 6d26799a Update security api and delete istio mark (#847)
6d26799a is described below
commit 6d26799a8837fb4af70e19e9db73427bdd1e1ce8
Author: mfordjody <[email protected]>
AuthorDate: Thu Jan 15 17:26:33 2026 +0800
Update security api and delete istio mark (#847)
---
dubbod/planet/pkg/bootstrap/config_controller.go | 108 +-----------
dubbod/planet/pkg/bootstrap/dubbo_ca.go | 46 +-----
dubbod/planet/pkg/model/service.go | 2 -
dubbod/planet/pkg/networking/grpcgen/cds.go | 6 +-
dubbod/planet/pkg/networking/grpcgen/grpcgen.go | 1 -
dubbod/planet/pkg/networking/grpcgen/lds.go | 7 +-
.../serviceregistry/kube/controller/controller.go | 16 +-
.../kube/controller/endpoint_builder.go | 26 +--
.../kube/controller/endpointslice.go | 4 -
dubbod/planet/pkg/status/manager.go | 2 +-
dubbod/planet/pkg/status/resource.go | 2 +-
dubbod/planet/pkg/xds/cds.go | 2 +-
dubbod/planet/pkg/xds/eds.go | 6 +-
.../planet/pkg/xds/endpoints/endpoint_builder.go | 2 +-
dubbod/planet/pkg/xds/xdsgen.go | 1 -
dubbod/security/{pkg => }/cmd/constants.go | 0
.../nodeagent/caclient/providers/aegis/client.go | 8 +-
dubbod/security/pkg/pki/ca/ca.go | 2 +-
dubbod/security/tools/generate_cert/main.go | 181 ---------------------
dubbod/security/tools/generate_csr/main.go | 71 --------
go.mod | 1 -
go.sum | 4 -
operator/pkg/component/component.go | 2 -
pkg/adsc/adsc.go | 6 +-
pkg/config/model.go | 77 +--------
pkg/config/schema/kubeclient/resources.go | 4 -
pkg/config/visibility/visibility.go | 2 +-
pkg/dubbo-agent/agent.go | 10 +-
pkg/dubbo-agent/xds_proxy.go | 19 ---
pkg/features/security.go | 1 -
pkg/filewatcher/filewatcher.go | 2 -
pkg/kube/inject/inject.go | 4 +-
pkg/kube/kclient/delayed.go | 2 -
pkg/kube/krt/informer.go | 2 -
pkg/log/deduplicator.go | 32 +---
pkg/log/formatter.go | 12 +-
pkg/log/klog_formatter.go | 6 -
pkg/uds/listener.go | 2 +-
tools/annotations_prep/main.go | 4 +-
39 files changed, 42 insertions(+), 643 deletions(-)
diff --git a/dubbod/planet/pkg/bootstrap/config_controller.go
b/dubbod/planet/pkg/bootstrap/config_controller.go
index 2764962f..1e13ff6d 100644
--- a/dubbod/planet/pkg/bootstrap/config_controller.go
+++ b/dubbod/planet/pkg/bootstrap/config_controller.go
@@ -18,35 +18,28 @@ package bootstrap
import (
"context"
- "crypto/tls"
- "crypto/x509"
"encoding/json"
- "encoding/pem"
"fmt"
configaggregate
"github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/config/aggregate"
-
"github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/config/kube/gateway"
- "github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/features"
- "github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/leaderelection"
-
"github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/leaderelection/k8sleaderelection/k8sresourcelock"
- "github.com/apache/dubbo-kubernetes/pkg/config/schema/gvr"
- "k8s.io/apimachinery/pkg/api/errors"
- "net/url"
- "strings"
-
- "github.com/apache/dubbo-kubernetes/api/networking/v1alpha3"
"github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/config/kube/crdclient"
"github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/config/kube/file"
+
"github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/config/kube/gateway"
"github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/config/memory"
dubboCredentials
"github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/credentials"
"github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/credentials/kube"
+ "github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/features"
+ "github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/leaderelection"
+
"github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/leaderelection/k8sleaderelection/k8sresourcelock"
"github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/model"
"github.com/apache/dubbo-kubernetes/pkg/adsc"
"github.com/apache/dubbo-kubernetes/pkg/config/schema/collections"
+ "github.com/apache/dubbo-kubernetes/pkg/config/schema/gvr"
"github.com/apache/dubbo-kubernetes/pkg/log"
"google.golang.org/grpc"
- "google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"
+ "k8s.io/apimachinery/pkg/api/errors"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "net/url"
)
type ConfigSourceAddressScheme string
@@ -276,93 +269,6 @@ func (s *Server) initConfigController(args *PlanetArgs)
error {
return nil
}
-// verifyCert verifies given cert against TLS settings like SANs and CRL.
-func (s *Server) verifyCert(certs [][]byte, tlsSettings
*v1alpha3.ClientTLSSettings) error {
- if len(certs) == 0 {
- return fmt.Errorf("no certificates provided")
- }
- cert, err := x509.ParseCertificate(certs[0])
- if err != nil {
- return fmt.Errorf("failed to parse certificate: %w", err)
- }
-
- if len(tlsSettings.SubjectAltNames) > 0 {
- sanMatchFound := false
- for _, san := range cert.DNSNames {
- if sanMatchFound {
- break
- }
- for _, name := range tlsSettings.SubjectAltNames {
- if san == name {
- sanMatchFound = true
- break
- }
- }
- }
- if !sanMatchFound {
- return fmt.Errorf("no matching SAN found")
- }
- }
-
- if len(tlsSettings.CaCrl) > 0 {
- crlData := []byte(strings.TrimSpace(tlsSettings.CaCrl))
- block, _ := pem.Decode(crlData)
- if block != nil {
- crlData = block.Bytes
- }
- crl, err := x509.ParseRevocationList(crlData)
- if err != nil {
- return fmt.Errorf("failed to parse CRL: %w", err)
- }
- for _, revokedCert := range crl.RevokedCertificateEntries {
- if cert.SerialNumber.Cmp(revokedCert.SerialNumber) == 0
{
- return fmt.Errorf("certificate is revoked")
- }
- }
- }
-
- return nil
-}
-
-// getTransportCredentials attempts to create credentials.TransportCredentials
from ClientTLSSettings in mesh config
-// Implemented only for SIMPLE_TLS mode
-// TODO:
-//
-// Implement for MUTUAL_TLS/DUBBO_MUTUAL_TLS modes
-func (s *Server) getTransportCredentials(args *PlanetArgs, tlsSettings
*v1alpha3.ClientTLSSettings) (credentials.TransportCredentials, error) {
- // TODO ValidateTLS
-
- switch tlsSettings.GetMode() {
- case v1alpha3.ClientTLSSettings_SIMPLE:
- if len(tlsSettings.GetCredentialName()) > 0 {
- rootCert, err :=
s.getRootCertFromSecret(tlsSettings.GetCredentialName(), args.Namespace)
- if err != nil {
- return nil, err
- }
- tlsSettings.CaCertificates = string(rootCert.Cert)
- tlsSettings.CaCrl = string(rootCert.CRL)
- }
- if tlsSettings.GetInsecureSkipVerify().GetValue() ||
len(tlsSettings.GetCaCertificates()) == 0 {
- return credentials.NewTLS(&tls.Config{
- ServerName: tlsSettings.GetSni(),
- }), nil
- }
- certPool := x509.NewCertPool()
- if
!certPool.AppendCertsFromPEM([]byte(tlsSettings.GetCaCertificates())) {
- return nil, fmt.Errorf("failed to add ca certificate
from configSource.tlsSettings to pool")
- }
- return credentials.NewTLS(&tls.Config{
- ServerName: tlsSettings.GetSni(),
- RootCAs: certPool,
- VerifyPeerCertificate: func(rawCerts [][]byte,
verifiedChains [][]*x509.Certificate) error {
- return s.verifyCert(rawCerts, tlsSettings)
- },
- }), nil
- default:
- return insecure.NewCredentials(), nil
- }
-}
-
// getRootCertFromSecret fetches a map of keys and values from a secret with
name in namespace
func (s *Server) getRootCertFromSecret(name, namespace string)
(*dubboCredentials.CertInfo, error) {
secret, err :=
s.kubeClient.Kube().CoreV1().Secrets(namespace).Get(context.Background(), name,
v1.GetOptions{})
diff --git a/dubbod/planet/pkg/bootstrap/dubbo_ca.go
b/dubbod/planet/pkg/bootstrap/dubbo_ca.go
index 39d47f6c..687bc945 100644
--- a/dubbod/planet/pkg/bootstrap/dubbo_ca.go
+++ b/dubbod/planet/pkg/bootstrap/dubbo_ca.go
@@ -19,16 +19,12 @@ package bootstrap
import (
"bytes"
"context"
- "encoding/json"
"fmt"
"github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/features"
- securityModel
"github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/security/model"
- "github.com/apache/dubbo-kubernetes/dubbod/security/pkg/cmd"
+ "github.com/apache/dubbo-kubernetes/dubbod/security/cmd"
"github.com/apache/dubbo-kubernetes/dubbod/security/pkg/pki/ca"
"github.com/apache/dubbo-kubernetes/dubbod/security/pkg/pki/ra"
caserver
"github.com/apache/dubbo-kubernetes/dubbod/security/pkg/server/ca"
-
"github.com/apache/dubbo-kubernetes/dubbod/security/pkg/server/ca/authenticate"
- "github.com/apache/dubbo-kubernetes/dubbod/security/pkg/util"
"github.com/apache/dubbo-kubernetes/pkg/config/constants"
"github.com/apache/dubbo-kubernetes/pkg/env"
"github.com/apache/dubbo-kubernetes/pkg/log"
@@ -39,7 +35,6 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"os"
"path"
- "strings"
"time"
)
@@ -108,24 +103,6 @@ func (s *Server) initCAServer(ca
caserver.CertificateAuthority, opts *caOptions)
}
func (s *Server) RunCA(grpc *grpc.Server) {
- iss := trustedIssuer.Get()
- aud := audience.Get()
-
- token, err := os.ReadFile(securityModel.ThirdPartyJwtPath)
- if err == nil {
- tok, err := detectAuthEnv(string(token))
- if err != nil {
- log.Warnf("Starting with invalid K8S JWT token: %v",
err)
- } else {
- if iss == "" {
- iss = tok.Iss
- }
- if len(tok.Aud) > 0 && len(aud) == 0 {
- aud = tok.Aud[0]
- }
- }
- }
-
s.caServer.Register(grpc)
log.Info("Dubbod CA has started")
@@ -351,27 +328,6 @@ func (s *Server) handleCACertsFileWatch() {
}
}
-func detectAuthEnv(jwt string) (*authenticate.JwtPayload, error) {
- jwtSplit := strings.Split(jwt, ".")
- if len(jwtSplit) != 3 {
- return nil, fmt.Errorf("invalid JWT parts: %s", jwt)
- }
- payload := jwtSplit[1]
-
- payloadBytes, err := util.DecodeJwtPart(payload)
- if err != nil {
- return nil, fmt.Errorf("failed to decode jwt: %v", err.Error())
- }
-
- structuredPayload := &authenticate.JwtPayload{}
- err = json.Unmarshal(payloadBytes, &structuredPayload)
- if err != nil {
- return nil, fmt.Errorf("failed to unmarshal jwt: %v",
err.Error())
- }
-
- return structuredPayload, nil
-}
-
func handleEvent(s *Server) {
log.Info("Update Dubbod cacerts")
diff --git a/dubbod/planet/pkg/model/service.go
b/dubbod/planet/pkg/model/service.go
index 27e25a25..c020311b 100644
--- a/dubbod/planet/pkg/model/service.go
+++ b/dubbod/planet/pkg/model/service.go
@@ -29,7 +29,6 @@ import (
"github.com/apache/dubbo-kubernetes/pkg/config/protocol"
"github.com/apache/dubbo-kubernetes/pkg/config/visibility"
"github.com/apache/dubbo-kubernetes/pkg/maps"
- "github.com/apache/dubbo-kubernetes/pkg/network"
"github.com/apache/dubbo-kubernetes/pkg/slices"
"github.com/apache/dubbo-kubernetes/pkg/util/sets"
"github.com/google/go-cmp/cmp"
@@ -167,7 +166,6 @@ type DubboEndpoint struct {
LegacyClusterPortKey int
EndpointPort uint32
WorkloadName string
- Network network.ID
Namespace string
// Specifies the hostname of the Pod, empty for vm workload.
HostName string
diff --git a/dubbod/planet/pkg/networking/grpcgen/cds.go
b/dubbod/planet/pkg/networking/grpcgen/cds.go
index 4e0a2581..e7358910 100644
--- a/dubbod/planet/pkg/networking/grpcgen/cds.go
+++ b/dubbod/planet/pkg/networking/grpcgen/cds.go
@@ -246,7 +246,7 @@ func (b *clusterBuilder)
applyDestinationRule(defaultCluster *cluster.Cluster) (
recheckTLS = (tlsMode ==
networking.ClientTLSSettings_DUBBO_MUTUAL || tlsModeStr == "DUBBO_MUTUAL")
}
if hasTLS || recheckTLS {
- log.Infof("applyDestinationRule: applying TLS to
default cluster %s (DestinationRule has ISTIO_MUTUAL)", b.defaultClusterName)
+ log.Infof("applyDestinationRule: applying TLS to
default cluster %s (DestinationRule has DUBBO_MUTUAL)", b.defaultClusterName)
b.applyTLSForCluster(defaultCluster, nil)
} else {
log.Debugf("applyDestinationRule: skipping TLS for
default cluster %s (DestinationRule has no TrafficPolicy or TLS)",
b.defaultClusterName)
@@ -270,7 +270,7 @@ func (b *clusterBuilder)
applyDestinationRule(defaultCluster *cluster.Cluster) (
core.HealthStatus_DEGRADED,
},
}
- log.Infof("applyDestinationRule: applying TLS to newly
generated default cluster %s (DestinationRule has ISTIO_MUTUAL)",
b.defaultClusterName)
+ log.Infof("applyDestinationRule: applying TLS to newly
generated default cluster %s (DestinationRule has DUBBO_MUTUAL)",
b.defaultClusterName)
b.applyTLSForCluster(defaultCluster, nil)
return nil, defaultCluster // Return the newly generated
default cluster
}
@@ -327,7 +327,7 @@ func (b *clusterBuilder)
applyDestinationRule(defaultCluster *cluster.Cluster) (
}
// applyTLSForCluster attaches a gRPC-compatible TLS transport socket whenever
the
-// DestinationRule (or subset override) specifies ISTIO_MUTUAL/DUBBO_MUTUAL
mode.
+// DestinationRule (or subset override) specifies DUBBO_MUTUAL/DUBBO_MUTUAL
mode.
func (b *clusterBuilder) applyTLSForCluster(c *cluster.Cluster, subset
*networking.Subset) {
if c == nil || b.svc == nil {
return
diff --git a/dubbod/planet/pkg/networking/grpcgen/grpcgen.go
b/dubbod/planet/pkg/networking/grpcgen/grpcgen.go
index b1b13b2c..4d9d1bdc 100644
--- a/dubbod/planet/pkg/networking/grpcgen/grpcgen.go
+++ b/dubbod/planet/pkg/networking/grpcgen/grpcgen.go
@@ -53,7 +53,6 @@ func (g *GrpcConfigGenerator) Generate(proxy *model.Proxy, w
*model.WatchedResou
}
// buildCommonTLSContext creates a TLS context that matches gRPC xDS
expectations.
-// It is adapted from Istio's buildCommonTLSContext implementation, but kept
minimal:
// - Uses certificate provider "default" for workload certs and root CA
// - Does not configure explicit SAN matches (left to future hardening)
func buildCommonTLSContext() *tlsv3.CommonTlsContext {
diff --git a/dubbod/planet/pkg/networking/grpcgen/lds.go
b/dubbod/planet/pkg/networking/grpcgen/lds.go
index 5cdbe3c1..4278750c 100644
--- a/dubbod/planet/pkg/networking/grpcgen/lds.go
+++ b/dubbod/planet/pkg/networking/grpcgen/lds.go
@@ -203,10 +203,9 @@ func buildInboundListeners(node *model.Proxy, push
*model.PushContext, names []s
log.Debugf("buildInboundListeners: listener %s, service=%s,
isGatewayPod=%v, node.Type=%v, node.IsRouter()=%v",
name, si.Service.Attributes.Name, isGatewayPod,
node.Type, node.IsRouter())
- // - DestinationRule with ISTIO_MUTUAL only configures
CLIENT-SIDE (outbound) mTLS
+ // - DestinationRule with DUBBO_MUTUAL only configures
CLIENT-SIDE (outbound) mTLS
// - PeerAuthentication with STRICT configures SERVER-SIDE
(inbound) mTLS
// Both are REQUIRED for mTLS to work. Server-side mTLS should
ONLY be controlled by PeerAuthentication.
- // Reference:
https://istio.io/latest/blog/2021/proxyless-grpc/#enabling-mtls
mode := push.InboundMTLSModeForProxy(node, uint32(listenPort))
if mode == model.MTLSPermissive {
log.Warnf("buildInboundListeners: PERMISSIVE mTLS is
not supported for proxyless gRPC; defaulting to plaintext on listener %s", name)
@@ -518,7 +517,7 @@ func buildOutboundListeners(node *model.Proxy, push
*model.PushContext, filter l
routeName := clusterName
// For gRPC proxyless, outbound listeners MUST use
ApiListener with RDS
- // This is the correct pattern used by Istio for gRPC
xDS clients
+ // This is the correct pattern used by Dubbo for gRPC
xDS clients
// Using FilterChain with inline RouteConfig causes the
gRPC client to remain in IDLE state
hcm := &hcmv3.HttpConnectionManager{
CodecType: hcmv3.HttpConnectionManager_AUTO,
@@ -543,7 +542,7 @@ func buildOutboundListeners(node *model.Proxy, push
*model.PushContext, filter l
},
}
- // Build outbound listener with ApiListener (Istio
pattern)
+ // Build outbound listener with ApiListener
// gRPC xDS clients expect ApiListener for outbound,
not FilterChain
ll := &listener.Listener{
Name: fullListenerName,
diff --git a/dubbod/planet/pkg/serviceregistry/kube/controller/controller.go
b/dubbod/planet/pkg/serviceregistry/kube/controller/controller.go
index 6e393271..a208dc77 100644
--- a/dubbod/planet/pkg/serviceregistry/kube/controller/controller.go
+++ b/dubbod/planet/pkg/serviceregistry/kube/controller/controller.go
@@ -58,7 +58,6 @@ type controllerInterface interface {
var (
log = dubbolog.RegisterScope("controller",
"kube controller debugging")
- _ controllerInterface = &Controller{}
_ serviceregistry.Instance = &Controller{}
)
@@ -391,7 +390,7 @@ func (c *Controller) addOrUpdateService(pre, curr
*v1.Service, currConv *model.S
c.opts.XDSUpdater.ServiceUpdate(shard, string(currConv.Hostname), ns,
event)
// Note: Endpoint updates are handled separately by EndpointSlice
events, not here.
- // This matches Istio's behavior where service changes don't
immediately update endpoints.
+ // service changes don't immediately update endpoints.
// EndpointSlice events will trigger EDSUpdate (with logPushType=true)
which will properly
// log "Full push, new service" when a new endpoint shard is created.
@@ -546,16 +545,3 @@ func (c *Controller) servicesForNamespacedName(name
types.NamespacedName) []*mod
}
return nil
}
-
-func (c *Controller) Network(endpointIP string, labels labels.Instance)
network.ID {
- // 1. check the pod/workloadEntry label
- if nw := labels["topology.dubbo.apache.org/network"]; nw != "" {
- return network.ID(nw)
- }
- // 2. check the system namespace labels
- if nw := c.networkFromSystemNamespace(); nw != "" {
- return nw
- }
-
- return ""
-}
diff --git
a/dubbod/planet/pkg/serviceregistry/kube/controller/endpoint_builder.go
b/dubbod/planet/pkg/serviceregistry/kube/controller/endpoint_builder.go
index cc16b2d6..29f291dd 100644
--- a/dubbod/planet/pkg/serviceregistry/kube/controller/endpoint_builder.go
+++ b/dubbod/planet/pkg/serviceregistry/kube/controller/endpoint_builder.go
@@ -19,16 +19,12 @@ package controller
import (
"github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/model"
"github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/serviceregistry/kube"
- labelutil
"github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/serviceregistry/util/label"
"github.com/apache/dubbo-kubernetes/pkg/config/labels"
- "github.com/apache/dubbo-kubernetes/pkg/network"
v1 "k8s.io/api/core/v1"
)
type EndpointBuilder struct {
- controller controllerInterface
labels labels.Instance
- metaNetwork network.ID
serviceAccount string
workloadName string
namespace string
@@ -38,7 +34,7 @@ type EndpointBuilder struct {
}
func (c *Controller) NewEndpointBuilder(pod *v1.Pod) *EndpointBuilder {
- var sa, namespace, hostname, subdomain, ip, node string
+ var sa, namespace, hostname, subdomain, node string
var podLabels labels.Instance
if pod != nil {
sa = kube.SecureNamingSAN(pod, c.meshWatcher.Mesh())
@@ -54,7 +50,6 @@ func (c *Controller) NewEndpointBuilder(pod *v1.Pod)
*EndpointBuilder {
node = pod.Spec.NodeName
}
out := &EndpointBuilder{
- controller: c,
serviceAccount: sa,
namespace: namespace,
hostname: hostname,
@@ -62,8 +57,6 @@ func (c *Controller) NewEndpointBuilder(pod *v1.Pod)
*EndpointBuilder {
labels: podLabels,
nodeName: node,
}
- networkID := out.endpointNetwork(ip)
- out.labels = labelutil.AugmentLabels(podLabels, c.Cluster(), "", node,
networkID)
return out
}
@@ -79,20 +72,12 @@ func (b *EndpointBuilder) buildDubboEndpoint(
return nil
}
- // in case pod is not found when init EndpointBuilder.
- networkID := network.ID(b.labels["topology.dubbo.apache.org/network"])
- if networkID == "" {
- networkID = b.endpointNetwork(endpointAddress)
- b.labels["topology.dubbo.apache.org/network"] =
string(networkID)
- }
-
return &model.DubboEndpoint{
Labels: b.labels,
ServiceAccount: b.serviceAccount,
Addresses: []string{endpointAddress},
EndpointPort: uint32(endpointPort),
ServicePortName: svcPortName,
- Network: networkID,
Namespace: b.namespace,
HostName: b.hostname,
SubDomain: b.subDomain,
@@ -102,12 +87,3 @@ func (b *EndpointBuilder) buildDubboEndpoint(
NodeName: b.nodeName,
}
}
-
-func (b *EndpointBuilder) endpointNetwork(endpointIP string) network.ID {
- // If we're building the endpoint based on proxy meta, prefer the
injected ISTIO_META_NETWORK value.
- if b.metaNetwork != "" {
- return b.metaNetwork
- }
-
- return b.controller.Network(endpointIP, b.labels)
-}
diff --git a/dubbod/planet/pkg/serviceregistry/kube/controller/endpointslice.go
b/dubbod/planet/pkg/serviceregistry/kube/controller/endpointslice.go
index 65102397..1a58d3b3 100644
--- a/dubbod/planet/pkg/serviceregistry/kube/controller/endpointslice.go
+++ b/dubbod/planet/pkg/serviceregistry/kube/controller/endpointslice.go
@@ -378,10 +378,6 @@ func (esc *endpointSliceController)
updateEndpointCacheForSlice(hostName host.Na
log.Debugf("updateEndpointCacheForSlice:
creating endpoint for service %s (address=%s, servicePortNum=%d,
targetPortNum=%d, portName='%s', hostname=%s, kubeSvc=%v)",
svcNamespacedName.Name, a,
servicePortNum, targetPortNum, portName, hostName, kubeSvc != nil)
- // - EndpointSlice.Port.Port should be the
Service Port (not targetPort)
- // - But IstioEndpoint.EndpointPort should be
the targetPort (container port)
- // - ServicePortName should match
Service.Port.Name for filtering in BuildClusterLoadAssignment
- //
// We use targetPortNum as EndpointPort because
that's what the container actually listens on.
// The servicePortNum is used for matching in
BuildClusterLoadAssignment via portName.
//
diff --git a/dubbod/planet/pkg/status/manager.go
b/dubbod/planet/pkg/status/manager.go
index 82f86169..c95e47bb 100644
--- a/dubbod/planet/pkg/status/manager.go
+++ b/dubbod/planet/pkg/status/manager.go
@@ -77,7 +77,7 @@ func NewManager(store model.ConfigStore) *Manager {
func (m *Manager) Start(stop <-chan struct{}) {
scope.Info("Starting status manager")
- ctx := NewIstioContext(stop)
+ ctx := NewDubboContext(stop)
m.workers.Run(ctx)
}
diff --git a/dubbod/planet/pkg/status/resource.go
b/dubbod/planet/pkg/status/resource.go
index 1a2e9dec..3c445544 100644
--- a/dubbod/planet/pkg/status/resource.go
+++ b/dubbod/planet/pkg/status/resource.go
@@ -65,7 +65,7 @@ func GetStatusManipulator(in any) (out Manipulator) {
return &NopStatusManipulator{in}
}
-func NewIstioContext(stop <-chan struct{}) context.Context {
+func NewDubboContext(stop <-chan struct{}) context.Context {
ctx, cancel := context.WithCancel(context.Background())
go func() {
<-stop
diff --git a/dubbod/planet/pkg/xds/cds.go b/dubbod/planet/pkg/xds/cds.go
index 733f7319..cbcbee72 100644
--- a/dubbod/planet/pkg/xds/cds.go
+++ b/dubbod/planet/pkg/xds/cds.go
@@ -33,7 +33,7 @@ func cdsNeedsPush(req *model.PushRequest, proxy *model.Proxy)
(*model.PushReques
return req, res
}
- // with TLS configuration (ISTIO_MUTUAL), CDS must be pushed to update
cluster TransportSocket.
+ // with TLS configuration (DUBBO_MUTUAL), CDS must be pushed to update
cluster TransportSocket.
// Even if req.Full is false, we need to check if DestinationRule was
updated, as it affects cluster TLS config.
if req != nil && req.ConfigsUpdated != nil {
// Check if DestinationRule was updated - this requires CDS
push to update cluster TransportSocket
diff --git a/dubbod/planet/pkg/xds/eds.go b/dubbod/planet/pkg/xds/eds.go
index 25d122db..4be94e29 100644
--- a/dubbod/planet/pkg/xds/eds.go
+++ b/dubbod/planet/pkg/xds/eds.go
@@ -127,7 +127,6 @@ func (eds *EdsGenerator) buildEndpoints(proxy *model.Proxy,
req *model.PushReque
// For proxyless gRPC, we MUST always process all watched
clusters
// This ensures clients receive EDS updates even when endpoints
become available or unavailable
- // For non-proxyless (Istio behavior), we skip clusters that
are not in edsUpdatedServices for incremental pushes
if edsUpdatedServices != nil {
if _, ok := edsUpdatedServices[hostname]; !ok {
// Cluster was not in edsUpdatedServices
@@ -138,7 +137,7 @@ func (eds *EdsGenerator) buildEndpoints(proxy *model.Proxy,
req *model.PushReque
log.Debugf("buildEndpoints:
proxyless gRPC, processing cluster %s even though not in edsUpdatedServices
(hostname=%s)", clusterName, hostname)
serviceWasUpdated = true
} else {
- // For non-proxyless, skip if
not updated (Istio behavior)
+ // For non-proxyless, skip if
not updated
continue
}
}
@@ -254,7 +253,6 @@ func (eds *EdsGenerator) buildDeltaEndpoints(proxy
*model.Proxy, req *model.Push
// For proxyless gRPC, we MUST always process all watched
clusters
// This ensures clients receive EDS updates even when endpoints
become available or unavailable
- // For non-proxyless (Istio behavior), we skip clusters that
are not in edsUpdatedServices for incremental pushes
serviceWasUpdated := false
if len(edsUpdatedServices) > 0 {
if _, ok := edsUpdatedServices[hostname]; !ok {
@@ -265,7 +263,7 @@ func (eds *EdsGenerator) buildDeltaEndpoints(proxy
*model.Proxy, req *model.Push
log.Debugf("buildDeltaEndpoints:
proxyless gRPC, processing cluster %s even though not in edsUpdatedServices
(hostname=%s)", clusterName, hostname)
serviceWasUpdated = true
} else {
- // For non-proxyless, skip if not
updated (Istio behavior)
+ // For non-proxyless, skip if not
updated
continue
}
} else {
diff --git a/dubbod/planet/pkg/xds/endpoints/endpoint_builder.go
b/dubbod/planet/pkg/xds/endpoints/endpoint_builder.go
index 1c4e005a..b7d3bf89 100644
--- a/dubbod/planet/pkg/xds/endpoints/endpoint_builder.go
+++ b/dubbod/planet/pkg/xds/endpoints/endpoint_builder.go
@@ -190,7 +190,7 @@ func (b *EndpointBuilder)
BuildClusterLoadAssignment(endpointIndex *model.Endpoi
// AND we're not in a proxyless gRPC scenario. For
proxyless gRPC, always include endpoints.
// For non-proxyless (Envoy), we follow the service's
publishNotReadyAddresses setting.
// But since this is proxyless gRPC, we should always
include endpoints.
- // Actually, let's follow Istio's behavior: always
include endpoints, let the client decide.
+ // Actually, let's follow: always include endpoints,
let the client decide.
// The OverrideHostStatus in Cluster config will
control whether unhealthy endpoints can be used.
// Build LbEndpoint
diff --git a/dubbod/planet/pkg/xds/xdsgen.go b/dubbod/planet/pkg/xds/xdsgen.go
index 8be3277d..3cf57d24 100644
--- a/dubbod/planet/pkg/xds/xdsgen.go
+++ b/dubbod/planet/pkg/xds/xdsgen.go
@@ -338,7 +338,6 @@ func (s *DiscoveryServer) pushXds(con *Connection, w
*model.WatchedResource, req
switch {
case !req.Full:
default:
- // Log format matches Istio: "LDS: PUSH for node:xxx
resources:1 size:342B"
resourceNamesStr := ""
if len(res) > 0 {
if len(res) <= 10 {
diff --git a/dubbod/security/pkg/cmd/constants.go
b/dubbod/security/cmd/constants.go
similarity index 100%
rename from dubbod/security/pkg/cmd/constants.go
rename to dubbod/security/cmd/constants.go
diff --git a/dubbod/security/pkg/nodeagent/caclient/providers/aegis/client.go
b/dubbod/security/pkg/nodeagent/caclient/providers/aegis/client.go
index fb900725..7a19dfb9 100644
--- a/dubbod/security/pkg/nodeagent/caclient/providers/aegis/client.go
+++ b/dubbod/security/pkg/nodeagent/caclient/providers/aegis/client.go
@@ -44,7 +44,7 @@ type TLSOptions struct {
type AegisClient struct {
// It means enable tls connection to Citadel if this is not nil.
tlsOpts *TLSOptions
- client pb.IstioCertificateServiceClient
+ client pb.DubboCertificateServiceClient
conn *grpc.ClientConn
provider credentials.PerRPCCredentials
opts *security.Options
@@ -63,7 +63,7 @@ func NewAegisClient(opts *security.Options, tlsOpts
*TLSOptions) (*AegisClient,
return nil, fmt.Errorf("failed to connect to endpoint %s",
opts.CAEndpoint)
}
c.conn = conn
- c.client = pb.NewIstioCertificateServiceClient(conn)
+ c.client = pb.NewDubboCertificateServiceClient(conn)
return c, nil
}
@@ -75,7 +75,7 @@ func (c *AegisClient) CSRSign(csrPEM []byte,
certValidTTLInSec int64) (res []str
},
},
}
- req := &pb.IstioCertificateRequest{
+ req := &pb.DubboCertificateRequest{
Csr: string(csrPEM),
ValidityDuration: certValidTTLInSec,
Metadata: crMetaStruct,
@@ -153,7 +153,7 @@ func (c *AegisClient) reconnect() error {
return err
}
c.conn = conn
- c.client = pb.NewIstioCertificateServiceClient(conn)
+ c.client = pb.NewDubboCertificateServiceClient(conn)
aegisClientLog.Info("recreated connection")
return nil
}
diff --git a/dubbod/security/pkg/pki/ca/ca.go b/dubbod/security/pkg/pki/ca/ca.go
index e98b67a3..3989e4dc 100644
--- a/dubbod/security/pkg/pki/ca/ca.go
+++ b/dubbod/security/pkg/pki/ca/ca.go
@@ -22,10 +22,10 @@ import (
"crypto/x509"
"encoding/pem"
"fmt"
+ "github.com/apache/dubbo-kubernetes/dubbod/security/cmd"
"os"
"time"
- "github.com/apache/dubbo-kubernetes/dubbod/security/pkg/cmd"
caerror
"github.com/apache/dubbo-kubernetes/dubbod/security/pkg/pki/error"
"github.com/apache/dubbo-kubernetes/dubbod/security/pkg/pki/util"
certutil "github.com/apache/dubbo-kubernetes/dubbod/security/pkg/util"
diff --git a/dubbod/security/tools/generate_cert/main.go
b/dubbod/security/tools/generate_cert/main.go
deleted file mode 100644
index d2f762e5..00000000
--- a/dubbod/security/tools/generate_cert/main.go
+++ /dev/null
@@ -1,181 +0,0 @@
-//
-// Licensed to the Apache Software Foundation (ASF) under one or more
-// contributor license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright ownership.
-// The ASF licenses this file to You under the Apache License, Version 2.0
-// (the "License"); you may not use this file except in compliance with
-// the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Provide a tool to generate X.509 certificate with different options.
-
-package main
-
-import (
- "crypto"
- "crypto/x509"
- "encoding/json"
- "flag"
- "fmt"
- "log"
- "os"
- "os/exec"
- "time"
-
- k8s "k8s.io/api/core/v1"
-
- "github.com/apache/dubbo-kubernetes/dubbod/security/pkg/pki/ca"
- "github.com/apache/dubbo-kubernetes/dubbod/security/pkg/pki/util"
-)
-
-const (
- // Layout for parsing time
- timeLayout = "Jan 2 15:04:05 2006"
-
- // modes supported by this tool.
- selfSignedMode = "self-signed"
- signerMode = "signer"
- citadelMode = "citadel"
-)
-
-var (
- host = flag.String("host", "", "Comma-separated hostnames and
IPs to generate a certificate for.")
- validFrom = flag.String("start-date", "", "Creation date in format
of "+timeLayout)
- validFor = flag.Duration("duration", 10*365*24*time.Hour,
"Duration that certificate is valid for.")
- isCA = flag.Bool("ca", false, "Whether this cert should be a
Certificate Authority.")
- signerCertFile = flag.String("signer-cert", "", "Signer certificate
file (PEM encoded).")
- signerPrivFile = flag.String("signer-priv", "", "Signer private key
file (PEM encoded).")
- isClient = flag.Bool("client", false, "Whether this certificate
is for a client.")
- org = flag.String("organization", "Juju org", "Organization
for the cert.")
- outCert = flag.String("out-cert", "cert.pem", "Output
certificate file.")
- outPriv = flag.String("out-priv", "priv.pem", "Output private
key file.")
- keySize = flag.Int("key-size", 2048, "Size of the generated
private key")
- mode = flag.String("mode", selfSignedMode, "Supported mode:
self-signed, signer, citadel")
- // Enable this flag if istio mTLS is enabled and the service is running
as server side
- isServer = flag.Bool("server", false, "Whether this certificate is for
a server.")
- ec = flag.String("ec-sig-alg", "", "Generate an elliptical curve
private key with the specified algorithm")
- curve = flag.String("curve", "P256", "Specify the elliptic curve to
use to generate an elliptical curve private key")
- sanFields = flag.String("san", "", "Subject Alternative Names")
-)
-
-func checkCmdLine() {
- flag.Parse()
-
- hasCert, hasPriv := len(*signerCertFile) != 0, len(*signerPrivFile) != 0
- switch *mode {
- case selfSignedMode:
- if hasCert || hasPriv {
- log.Fatalf("--mode=%v is incompatible with
--signer-cert or --signer-priv.", selfSignedMode)
- }
- case signerMode:
- if !hasCert || !hasPriv {
- log.Fatalf("Need --signer-cert and --signer-priv for
--mode=%v.", signerMode)
- }
- case citadelMode:
- if hasCert || hasPriv {
- log.Fatalf("--mode=%v is incompatible with
--signer-cert or --signer-priv.", citadelMode)
- }
- default:
- log.Fatalf("Unsupported mode %v", *mode)
- }
-}
-
-func saveCreds(certPem []byte, privPem []byte) {
- err := os.WriteFile(*outCert, certPem, 0o644)
- if err != nil {
- log.Fatalf("Could not write output certificate: %s.", err)
- }
-
- err = os.WriteFile(*outPriv, privPem, 0o600)
- if err != nil {
- log.Fatalf("Could not write output private key: %s.", err)
- }
-}
-
-func signCertFromCitadel() (*x509.Certificate, crypto.PrivateKey) {
- args := []string{"get", "secret", "-n", "istio-system", "Dubbo", "-o",
"json"}
- cmd := exec.Command("kubectl", args...)
- out, err := cmd.CombinedOutput()
- if err != nil {
- log.Fatalf("Command failed error: %v\n, output\n%v\n", err,
string(out))
- }
-
- var secret k8s.Secret
- err = json.Unmarshal(out, &secret)
- if err != nil {
- log.Fatalf("Unmarshal secret error: %v", err)
- }
- key, err := util.ParsePemEncodedKey(secret.Data[ca.CAPrivateKeyFile])
- if err != nil {
- log.Fatalf("Unrecognized key format from citadel %v", err)
- }
- cert, err := util.ParsePemEncodedCertificate(secret.Data[ca.CACertFile])
- if err != nil {
- log.Fatalf("Unrecognized cert format from citadel %v", err)
- }
- return cert, key
-}
-
-func main() {
- checkCmdLine()
-
- var signerCert *x509.Certificate
- var signerPriv crypto.PrivateKey
- var err error
- switch *mode {
- case selfSignedMode:
- case signerMode:
- signerCert, signerPriv, err =
util.LoadSignerCredsFromFiles(*signerCertFile, *signerPrivFile)
- if err != nil {
- log.Fatalf("Failed to load signer key cert from file:
%v\n", err)
- }
- case citadelMode:
- signerCert, signerPriv = signCertFromCitadel()
- default:
- log.Fatalf("Unsupported mode %v", *mode)
- }
-
- opts := util.CertOptions{
- Host: *host,
- NotBefore: getNotBefore(),
- TTL: *validFor,
- SignerCert: signerCert,
- SignerPriv: signerPriv,
- Org: *org,
- IsCA: *isCA,
- IsSelfSigned: *mode == selfSignedMode,
- IsClient: *isClient,
- RSAKeySize: *keySize,
- IsServer: *isServer,
- ECSigAlg: util.SupportedECSignatureAlgorithms(*ec),
- ECCCurve: util.SupportedEllipticCurves(*curve),
- DNSNames: *sanFields,
- }
- certPem, privPem, err := util.GenCertKeyFromOptions(opts)
- if err != nil {
- log.Fatalf("Failed to generate certificate: %v\n", err)
- }
-
- saveCreds(certPem, privPem)
- fmt.Printf("Certificate and private files successfully saved in %s and
%s\n", *outCert, *outPriv)
-}
-
-func getNotBefore() time.Time {
- if *validFrom == "" {
- return time.Now()
- }
-
- t, err := time.Parse(timeLayout, *validFrom)
- if err != nil {
- log.Fatalf("Failed to parse the '-start-from' option as a time
(error: %s)\n", err)
- }
-
- return t
-}
diff --git a/dubbod/security/tools/generate_csr/main.go
b/dubbod/security/tools/generate_csr/main.go
deleted file mode 100644
index d1f70f55..00000000
--- a/dubbod/security/tools/generate_csr/main.go
+++ /dev/null
@@ -1,71 +0,0 @@
-//
-// Licensed to the Apache Software Foundation (ASF) under one or more
-// contributor license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright ownership.
-// The ASF licenses this file to You under the Apache License, Version 2.0
-// (the "License"); you may not use this file except in compliance with
-// the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Provide a tool to generate X.509 CSR with different options.
-
-package main
-
-import (
- "flag"
- "fmt"
- "os"
-
- "github.com/apache/dubbo-kubernetes/dubbod/security/pkg/pki/util"
-
- dubbolog "github.com/apache/dubbo-kubernetes/pkg/log"
-)
-
-var log = dubbolog.RegisterScope("generatecsr", "generate csr debugging")
-
-var (
- host = flag.String("host", "", "Comma-separated hostnames and IPs to
generate a certificate for.")
- org = flag.String("organization", "Juju org", "Organization for the
cert.")
- outCsr = flag.String("out-csr", "csr.pem", "Output csr file.")
- outPriv = flag.String("out-priv", "priv.pem", "Output private key
file.")
- keySize = flag.Int("key-size", 2048, "Size of the generated private
key")
- ec = flag.String("ec-sig-alg", "", "Generate an elliptical curve
private key with the specified algorithm")
- curve = flag.String("curve", "P256", "Specify the elliptic curve to
use to generate an elliptical curve private key")
-)
-
-func saveCreds(csrPem []byte, privPem []byte) {
- err := os.WriteFile(*outCsr, csrPem, 0o644)
- if err != nil {
- log.Errorf("Could not write output certificate request: %s.",
err)
- }
-
- err = os.WriteFile(*outPriv, privPem, 0o600)
- if err != nil {
- log.Errorf("Could not write output private key: %s.", err)
- }
-}
-
-func main() {
- flag.Parse()
-
- csrPem, privPem, err := util.GenCSR(util.CertOptions{
- Host: *host,
- Org: *org,
- RSAKeySize: *keySize,
- ECSigAlg: util.SupportedECSignatureAlgorithms(*ec),
- ECCCurve: util.SupportedEllipticCurves(*curve),
- })
- if err != nil {
- log.Errorf("Failed to generate CSR: %s.", err)
- }
-
- saveCreds(csrPem, privPem)
- fmt.Printf("Certificate and private files successfully saved in %s and
%s\n", *outCsr, *outPriv)
-}
diff --git a/go.mod b/go.mod
index 8eef04fb..c20da82a 100644
--- a/go.mod
+++ b/go.mod
@@ -33,7 +33,6 @@ require (
github.com/chzyer/readline v1.5.1
github.com/containers/image/v5 v5.34.0
github.com/containers/storage v1.57.1
- github.com/coreos/go-oidc/v3 v3.15.0
github.com/docker/cli v28.3.3+incompatible
github.com/docker/docker v27.5.1+incompatible
github.com/docker/docker-credential-helpers v0.9.3
diff --git a/go.sum b/go.sum
index 7beaff04..ef273857 100644
--- a/go.sum
+++ b/go.sum
@@ -202,8 +202,6 @@ github.com/containers/image/v5 v5.34.0
h1:HPqQaDUsox/3mC1pbOyLAIQEp0JhQqiUZ+6JiF
github.com/containers/image/v5 v5.34.0/go.mod
h1:/WnvUSEfdqC/ahMRd4YJDBLrpYWkGl018rB77iB3FDo=
github.com/containers/storage v1.57.1
h1:hKPoFsuBcB3qTzBxa4IFpZMRzUuL5Xhv/BE44W0XHx8=
github.com/containers/storage v1.57.1/go.mod
h1:i/Hb4lu7YgFr9G0K6BMjqW0BLJO1sFsnWQwj2UoWCUM=
-github.com/coreos/go-oidc/v3 v3.15.0
h1:R6Oz8Z4bqWR7VFQ+sPSvZPQv4x8M+sJkDO5ojgwlyAg=
-github.com/coreos/go-oidc/v3 v3.15.0/go.mod
h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod
h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
github.com/creack/pty v1.1.17/go.mod
h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
@@ -896,8 +894,6 @@ helm.sh/helm/v3 v3.18.6
h1:S/2CqcYnNfLckkHLI0VgQbxgcDaU3N4A/46E3n9wSNY=
helm.sh/helm/v3 v3.18.6/go.mod h1:L/dXDR2r539oPlFP1PJqKAC1CUgqHJDLkxKpDGrWnyg=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod
h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod
h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-istio.io/api v1.27.1-0.20250820125923-f5a5d3a605a9
h1:gVTxnhYGJ1pY+iqcz/mrbPSpdkR9Z36srCz7TybrXGY=
-istio.io/api v1.27.1-0.20250820125923-f5a5d3a605a9/go.mod
h1:DTVGH6CLXj5W8FF9JUD3Tis78iRgT1WeuAnxfTz21Wg=
k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM=
k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk=
k8s.io/apiextensions-apiserver v0.34.1
h1:NNPBva8FNAPt1iSVwIE0FsdrVriRXMsaWFMqJbII2CI=
diff --git a/operator/pkg/component/component.go
b/operator/pkg/component/component.go
index 939a7777..6da301f9 100644
--- a/operator/pkg/component/component.go
+++ b/operator/pkg/component/component.go
@@ -24,8 +24,6 @@ import (
type Name string
-// DubboComponent names corresponding to the IstioOperator proto component
names.
-// These must be the same since they are used for struct traversal.
const (
BaseComponentName Name = "Base"
NacosRegisterComponentName Name = "Nacos"
diff --git a/pkg/adsc/adsc.go b/pkg/adsc/adsc.go
index efb53294..f60a2e17 100644
--- a/pkg/adsc/adsc.go
+++ b/pkg/adsc/adsc.go
@@ -115,7 +115,6 @@ type ADSC struct {
Mesh *v1alpha1.MeshGlobalConfig
- // Retrieved configurations can be stored using the common istio model
interface.
Store model.ConfigStore
cfg *ADSConfig
// sendNodeMeta is set to true if the connection is new - and we need
to send node meta.,
@@ -348,7 +347,7 @@ func (a *ADSC) WaitClear() {
// HasSynced returns true if configs have synced
// MCP support removed - it's a legacy protocol replaced by APIGenerator
func (a *ADSC) HasSynced() bool {
- // MCP was replaced by APIGenerator in Istio, not needed for proxyless
mesh
+ // MCP was replaced by APIGenerator, not needed for proxyless mesh
return true
}
@@ -379,8 +378,6 @@ func (a *ADSC) ack(msg *discovery.DiscoveryResponse) {
var resources []string
if strings.HasPrefix(msg.TypeUrl, v3.DebugType) {
- // If the response is for istio.io/debug or istio.io/debug/*,
- // skip to send ACK.
return
}
@@ -404,7 +401,6 @@ func (a *ADSC) ack(msg *discovery.DiscoveryResponse) {
})
}
-
func (a *ADSC) handleRecv() {
// We connected, so reset the backoff
if a.cfg.BackoffPolicy != nil {
diff --git a/pkg/config/model.go b/pkg/config/model.go
index 9bb40b5c..0a66ebfa 100644
--- a/pkg/config/model.go
+++ b/pkg/config/model.go
@@ -28,21 +28,16 @@ import (
gogojsonpb "github.com/gogo/protobuf/jsonpb" // nolint: depguard
gogoproto "github.com/gogo/protobuf/proto" // nolint: depguard
- gogotypes "github.com/gogo/protobuf/types" // nolint: depguard
"google.golang.org/protobuf/proto"
"google.golang.org/protobuf/reflect/protoreflect"
- "google.golang.org/protobuf/types/known/anypb"
- "google.golang.org/protobuf/types/known/structpb"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
kubetypes "k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/yaml"
- "github.com/apache/dubbo-kubernetes/dubbod/planet/pkg/util/protoconv"
"github.com/apache/dubbo-kubernetes/pkg/cluster"
"github.com/apache/dubbo-kubernetes/pkg/maps"
"github.com/apache/dubbo-kubernetes/pkg/util/gogoprotomarshal"
- "github.com/apache/dubbo-kubernetes/pkg/util/protomarshal"
"github.com/apache/dubbo-kubernetes/pkg/util/sets"
)
@@ -165,37 +160,6 @@ func ObjectInRevision(o *Config, rev string) bool {
// * Able to marshal/unmarshal using json
type Spec any
-func ToProto(s Spec) (*anypb.Any, error) {
- // golang protobuf. Use protoreflect.ProtoMessage to distinguish from
gogo
- // golang/protobuf 1.4+ will have this interface. Older golang/protobuf
are gogo compatible
- // but also not used by Istio at all.
- if pb, ok := s.(protoreflect.ProtoMessage); ok {
- return protoconv.MessageToAnyWithError(pb)
- }
-
- // gogo protobuf
- if pb, ok := s.(gogoproto.Message); ok {
- gogoany, err := gogotypes.MarshalAny(pb)
- if err != nil {
- return nil, err
- }
- return &anypb.Any{
- TypeUrl: gogoany.TypeUrl,
- Value: gogoany.Value,
- }, nil
- }
-
- js, err := json.Marshal(s)
- if err != nil {
- return nil, err
- }
- pbs := &structpb.Struct{}
- if err := protomarshal.Unmarshal(js, pbs); err != nil {
- return nil, err
- }
- return protoconv.MessageToAnyWithError(pbs)
-}
-
func ToMap(s Spec) (map[string]any, error) {
js, err := ToJSON(s)
if err != nil {
@@ -236,16 +200,6 @@ func toJSON(s Spec, pretty bool) ([]byte, error) {
indent = " "
}
- // golang protobuf. Use protoreflect.ProtoMessage to distinguish from
gogo
- // golang/protobuf 1.4+ will have this interface. Older golang/protobuf
are gogo compatible
- // but also not used by Istio at all.
- if _, ok := s.(protoreflect.ProtoMessage); ok {
- if pb, ok := s.(proto.Message); ok {
- b, err := protomarshal.MarshalIndent(pb, indent)
- return b, err
- }
- }
-
b := &bytes.Buffer{}
// gogo protobuf
if pb, ok := s.(gogoproto.Message); ok {
@@ -271,16 +225,6 @@ func ApplyYAML(s Spec, yml string) error {
}
func ApplyJSONStrict(s Spec, js string) error {
- // golang protobuf. Use protoreflect.ProtoMessage to distinguish from
gogo
- // golang/protobuf 1.4+ will have this interface. Older golang/protobuf
are gogo compatible
- // but also not used by Istio at all.
- if _, ok := s.(protoreflect.ProtoMessage); ok {
- if pb, ok := s.(proto.Message); ok {
- err := protomarshal.ApplyJSONStrict(js, pb)
- return err
- }
- }
-
// gogo protobuf
if pb, ok := s.(gogoproto.Message); ok {
err := gogoprotomarshal.ApplyJSONStrict(js, pb)
@@ -293,16 +237,6 @@ func ApplyJSONStrict(s Spec, js string) error {
}
func ApplyJSON(s Spec, js string) error {
- // golang protobuf. Use protoreflect.ProtoMessage to distinguish from
gogo
- // golang/protobuf 1.4+ will have this interface. Older golang/protobuf
are gogo compatible
- // but also not used by Istio at all.
- if _, ok := s.(protoreflect.ProtoMessage); ok {
- if pb, ok := s.(proto.Message); ok {
- err := protomarshal.ApplyJSON(js, pb)
- return err
- }
- }
-
// gogo protobuf
if pb, ok := s.(gogoproto.Message); ok {
err := gogoprotomarshal.ApplyJSON(js, pb)
@@ -321,22 +255,13 @@ func DeepCopy(s any) any {
return dc.DeepCopyInterface()
}
- // golang protobuf. Use protoreflect.ProtoMessage to distinguish from
gogo
- // golang/protobuf 1.4+ will have this interface. Older golang/protobuf
are gogo compatible
- // but also not used by Istio at all.
- if _, ok := s.(protoreflect.ProtoMessage); ok {
- if pb, ok := s.(proto.Message); ok {
- return protomarshal.Clone(pb)
- }
- }
-
// gogo protobuf
if pb, ok := s.(gogoproto.Message); ok {
return gogoproto.Clone(pb)
}
// If we don't have a deep copy method, we will have to do some
reflection magic. Its not ideal,
- // but all Istio types have an efficient deep copy.
+ // but all Dubbo types have an efficient deep copy.
js, err := json.Marshal(s)
if err != nil {
return nil
diff --git a/pkg/config/schema/kubeclient/resources.go
b/pkg/config/schema/kubeclient/resources.go
index 80860ab1..2051b9ab 100644
--- a/pkg/config/schema/kubeclient/resources.go
+++ b/pkg/config/schema/kubeclient/resources.go
@@ -230,8 +230,6 @@ func getInformerFiltered(c ClientGetter, opts
ktypes.InformerOptions, g schema.G
return
c.Kube().AdmissionregistrationV1().ValidatingWebhookConfigurations().Watch(context.Background(),
options)
}
case gvr.VirtualService:
- // VirtualService uses networking.dubbo.apache.org API group,
not networking.istio.io
- // Use Dynamic client to access it
gvr := schema.GroupVersionResource{
Group: "networking.dubbo.apache.org",
Version: "v1",
@@ -244,8 +242,6 @@ func getInformerFiltered(c ClientGetter, opts
ktypes.InformerOptions, g schema.G
return
c.Dynamic().Resource(gvr).Namespace(opts.Namespace).Watch(context.Background(),
options)
}
case gvr.DestinationRule:
- // DestinationRule uses networking.dubbo.apache.org API group,
not networking.istio.io
- // Use Dynamic client to access it
gvr := schema.GroupVersionResource{
Group: "networking.dubbo.apache.org",
Version: "v1alpha3",
diff --git a/pkg/config/visibility/visibility.go
b/pkg/config/visibility/visibility.go
index 3422155a..49c11b67 100644
--- a/pkg/config/visibility/visibility.go
+++ b/pkg/config/visibility/visibility.go
@@ -35,7 +35,7 @@ func (v Instance) Validate() (errs error) {
case Private, Public:
return nil
case None:
- return fmt.Errorf("exportTo ~ (none) is not allowed for Istio
configuration objects")
+ return fmt.Errorf("exportTo ~ (none) is not allowed for Dubbo
configuration objects")
default:
if !labels.IsDNS1123Label(string(v)) {
return fmt.Errorf("only .,*, or a valid DNS 1123 label
is allowed as exportTo entry")
diff --git a/pkg/dubbo-agent/agent.go b/pkg/dubbo-agent/agent.go
index 2f0aa550..0e4e7d33 100644
--- a/pkg/dubbo-agent/agent.go
+++ b/pkg/dubbo-agent/agent.go
@@ -63,7 +63,7 @@ const (
MetadataClientRootCert = "DUBBO_META_TLS_CLIENT_ROOT_CERT"
)
-type SDSServiceFactory = func(_ *security.Options, _ security.SecretManager, _
*mesh.PrivateKeyProvider) SDSService
+type SDSServiceFactory = func(_ *security.Options, _ security.SecretManager)
SDSService
type SDSService interface {
OnSecretUpdate(resourceName string)
@@ -112,7 +112,7 @@ type AgentOptions struct {
DubbodSAN string
DownstreamGrpcOptions []grpc.ServerOption
ProxyType model.NodeType
- SDSFactory func(options *security.Options,
workloadSecretCache security.SecretManager, pkpConf *mesh.PrivateKeyProvider)
SDSService
+ SDSFactory func(options *security.Options,
workloadSecretCache security.SecretManager) SDSService
}
func NewAgent(proxyConfig *mesh.ProxyConfig, agentOpts *AgentOptions, sopts
*security.Options) *Agent {
@@ -398,8 +398,7 @@ func (a *Agent) initSdsServer(ctx context.Context) error {
return fmt.Errorf("failed to start workload secret manager %v",
err)
}
- pkpConf := a.proxyConfig.GetPrivateKeyProvider()
- a.sdsServer = a.cfg.SDSFactory(a.secOpts, a.secretCache, pkpConf)
+ a.sdsServer = a.cfg.SDSFactory(a.secOpts, a.secretCache)
return a.registerSecretHandler(ctx)
}
@@ -421,8 +420,7 @@ func (a *Agent) rebuildSDSWithNewCAClient() {
return
}
a.secretCache = sc
- pkpConf := a.proxyConfig.GetPrivateKeyProvider()
- a.sdsServer = a.cfg.SDSFactory(a.secOpts, a.secretCache, pkpConf)
+ a.sdsServer = a.cfg.SDSFactory(a.secOpts, a.secretCache)
if err := a.registerSecretHandler(context.Background()); err != nil {
log.Errorf("failed to refresh workload certificates after CA
rebuild: %v", err)
} else {
diff --git a/pkg/dubbo-agent/xds_proxy.go b/pkg/dubbo-agent/xds_proxy.go
index d98844d4..c3f8cdda 100644
--- a/pkg/dubbo-agent/xds_proxy.go
+++ b/pkg/dubbo-agent/xds_proxy.go
@@ -26,8 +26,6 @@ import (
"sync"
"time"
- "github.com/apache/dubbo-kubernetes/dubbod/security/pkg/pki/util"
-
"github.com/apache/dubbo-kubernetes/pkg/log"
meshv1alpha1 "github.com/apache/dubbo-kubernetes/api/mesh/v1alpha1"
@@ -146,23 +144,6 @@ func initXdsProxy(ia *Agent) (*XdsProxy, error) {
return nil, fmt.Errorf("failed to init dubbod dial options:
%v", err)
}
- if ia.cfg.EnableDynamicProxyConfig && ia.secretCache != nil {
- proxy.handlers[model.ProxyConfigType] = func(resp *anypb.Any)
error {
- pc := &meshv1alpha1.ProxyConfig{}
- if err := resp.UnmarshalTo(pc); err != nil {
- proxyLog.Errorf("failed to unmarshal proxy
config: %v", err)
- return err
- }
- caCerts := pc.GetCaCertificatesPem()
- proxyLog.Infof("received new certificates to add to
mesh trust domain: %v", caCerts)
- trustBundle := []byte{}
- for _, cert := range caCerts {
- trustBundle = util.AppendCertByte(trustBundle,
[]byte(cert))
- }
- return
ia.secretCache.UpdateConfigTrustBundle(trustBundle)
- }
- }
-
// Initialize Pixiu converter for router mode (Gateway Pods)
if ia.cfg.ProxyType == model.Router {
proxy.pixiuConverter = pixiu.NewConfigConverter()
diff --git a/pkg/features/security.go b/pkg/features/security.go
index 899e564c..b914ae66 100644
--- a/pkg/features/security.go
+++ b/pkg/features/security.go
@@ -28,7 +28,6 @@ const (
PQC = "pqc"
)
-// Define common security feature flags shared among the Istio components.
var (
CompliancePolicy = env.Register("COMPLIANCE_POLICY", "",
`If set, applies policy-specific restrictions over all existing
TLS
diff --git a/pkg/filewatcher/filewatcher.go b/pkg/filewatcher/filewatcher.go
index 38f329a9..8aea86ba 100644
--- a/pkg/filewatcher/filewatcher.go
+++ b/pkg/filewatcher/filewatcher.go
@@ -13,8 +13,6 @@
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
-// Portions of this file are derived from the Istio project:
-// https://github.com/istio/istio/blob/master/pkg/filewatcher/filewatcher.go
package filewatcher
diff --git a/pkg/kube/inject/inject.go b/pkg/kube/inject/inject.go
index b538ba59..7ce1a5f0 100644
--- a/pkg/kube/inject/inject.go
+++ b/pkg/kube/inject/inject.go
@@ -141,7 +141,7 @@ func RunTemplate(params InjectionParameters) (mergedPod
*corev1.Pod, templatePod
}
mergedPod, err = applyOverlayYAML(mergedPod, bbuf.Bytes())
if err != nil {
- return nil, nil, fmt.Errorf("failed parsing generated
injected YAML (check Istio sidecar injector configuration): %v", err)
+ return nil, nil, fmt.Errorf("failed parsing generated
injected YAML: %v", err)
}
}
@@ -190,8 +190,6 @@ func knownTemplates(t Templates) []string {
return keys
}
-// getProxyImage extracts the proxy image from values map, following Istio's
pattern.
-// It checks common paths: global.proxy.image, global.proxyImage, and falls
back to default.
func getProxyImage(values map[string]any, defaultImage string) string {
if values == nil {
return defaultImage
diff --git a/pkg/kube/kclient/delayed.go b/pkg/kube/kclient/delayed.go
index 37f29b70..cdac3b24 100644
--- a/pkg/kube/kclient/delayed.go
+++ b/pkg/kube/kclient/delayed.go
@@ -90,8 +90,6 @@ func (s *delayedClient[T]) set(inf Informer[T]) {
s.hm.Lock()
defer s.hm.Unlock()
for _, h := range s.handlers {
- // h is a delayedHandler which embeds
ResourceEventHandler, so we can pass it directly
- // This matches Istio's implementation
reg := inf.AddEventHandler(h)
h.hasSynced.hasSynced.Store(ptr.Of(reg.HasSynced))
}
diff --git a/pkg/kube/krt/informer.go b/pkg/kube/krt/informer.go
index 7288424e..5063636f 100644
--- a/pkg/kube/krt/informer.go
+++ b/pkg/kube/krt/informer.go
@@ -164,8 +164,6 @@ func (i *informer[I]) Register(f func(o Event[I]))
HandlerRegistration {
func (i *informer[I]) RegisterBatch(f func(o []Event[I]), runExistingState
bool) HandlerRegistration {
synced := i.inf.AddEventHandler(informerEventHandler[I](func(o
Event[I], initialSync bool) {
- // Only process events if runExistingState is true OR this is
not an initial sync event
- // This matches Istio's behavior: runExistingState=false means
skip initial sync events
if runExistingState || !initialSync {
// Log all events to help diagnose missing events
var nameStr, nsStr string
diff --git a/pkg/log/deduplicator.go b/pkg/log/deduplicator.go
index 987a7460..731fbe8f 100644
--- a/pkg/log/deduplicator.go
+++ b/pkg/log/deduplicator.go
@@ -22,26 +22,23 @@ import (
"time"
)
-// LogKey represents a unique key for deduplication
type LogKey struct {
Scope string
Level string
Message string
}
-// DedupEntry represents a log entry with deduplication info
type DedupEntry struct {
FirstSeen time.Time
LastSeen time.Time
Count int64
}
-// Deduplicator prevents duplicate log messages from flooding the output
type Deduplicator struct {
entries map[LogKey]*DedupEntry
mu sync.RWMutex
- window time.Duration // time window for deduplication
- maxCount int64 // max count before forcing output
+ window time.Duration
+ maxCount int64
enabled bool
cleanupTicker *time.Ticker
stopCleanup chan bool
@@ -52,13 +49,10 @@ var (
dedupOnce sync.Once
)
-// DefaultDeduplicationWindow is the default time window for deduplication
const DefaultDeduplicationWindow = 5 * time.Second
-// DefaultMaxDeduplicationCount is the default max count before forcing output
const DefaultMaxDeduplicationCount = 100
-// GetDeduplicator returns the global deduplicator instance
func GetDeduplicator() *Deduplicator {
dedupOnce.Do(func() {
globalDeduplicator =
NewDeduplicator(DefaultDeduplicationWindow, DefaultMaxDeduplicationCount)
@@ -66,7 +60,6 @@ func GetDeduplicator() *Deduplicator {
return globalDeduplicator
}
-// NewDeduplicator creates a new deduplicator
func NewDeduplicator(window time.Duration, maxCount int64) *Deduplicator {
d := &Deduplicator{
entries: make(map[LogKey]*DedupEntry),
@@ -76,15 +69,12 @@ func NewDeduplicator(window time.Duration, maxCount int64)
*Deduplicator {
stopCleanup: make(chan bool),
}
- // Start cleanup goroutine
d.cleanupTicker = time.NewTicker(window * 2)
go d.cleanup()
return d
}
-// ShouldLog checks if a log should be output and updates the deduplication
state
-// Returns (shouldLog, count, summaryMessage)
func (d *Deduplicator) ShouldLog(key LogKey) (bool, int64, string) {
if !d.enabled {
return true, 1, ""
@@ -97,7 +87,6 @@ func (d *Deduplicator) ShouldLog(key LogKey) (bool, int64,
string) {
entry, exists := d.entries[key]
if !exists {
- // First time seeing this log
d.entries[key] = &DedupEntry{
FirstSeen: now,
LastSeen: now,
@@ -106,16 +95,11 @@ func (d *Deduplicator) ShouldLog(key LogKey) (bool, int64,
string) {
return true, 1, ""
}
- // Update entry
entry.Count++
entry.LastSeen = now
- // Check if we should output
timeSinceFirst := now.Sub(entry.FirstSeen)
- // Force output if:
- // 1. Time window has passed
- // 2. Count exceeds max
if timeSinceFirst >= d.window || entry.Count >= d.maxCount {
count := entry.Count
delete(d.entries, key)
@@ -127,34 +111,28 @@ func (d *Deduplicator) ShouldLog(key LogKey) (bool,
int64, string) {
return true, 1, ""
}
- // Suppress duplicate log
return false, entry.Count, ""
}
-// Enable enables deduplication
func (d *Deduplicator) Enable() {
d.mu.Lock()
defer d.mu.Unlock()
d.enabled = true
}
-// Disable disables deduplication
func (d *Deduplicator) Disable() {
d.mu.Lock()
defer d.mu.Unlock()
d.enabled = false
- // Clear entries when disabled
d.entries = make(map[LogKey]*DedupEntry)
}
-// IsEnabled returns whether deduplication is enabled
func (d *Deduplicator) IsEnabled() bool {
d.mu.RLock()
defer d.mu.RUnlock()
return d.enabled
}
-// SetWindow sets the deduplication time window
func (d *Deduplicator) SetWindow(window time.Duration) {
d.mu.Lock()
defer d.mu.Unlock()
@@ -165,14 +143,12 @@ func (d *Deduplicator) SetWindow(window time.Duration) {
d.cleanupTicker = time.NewTicker(window * 2)
}
-// SetMaxCount sets the maximum count before forcing output
func (d *Deduplicator) SetMaxCount(maxCount int64) {
d.mu.Lock()
defer d.mu.Unlock()
d.maxCount = maxCount
}
-// cleanup periodically removes old entries
func (d *Deduplicator) cleanup() {
for {
select {
@@ -180,7 +156,6 @@ func (d *Deduplicator) cleanup() {
d.mu.Lock()
now := time.Now()
for key, entry := range d.entries {
- // Remove entries that are older than 2x the
window
if now.Sub(entry.LastSeen) > d.window*2 {
delete(d.entries, key)
}
@@ -192,7 +167,6 @@ func (d *Deduplicator) cleanup() {
}
}
-// Stop stops the cleanup goroutine
func (d *Deduplicator) Stop() {
if d.cleanupTicker != nil {
d.cleanupTicker.Stop()
@@ -200,14 +174,12 @@ func (d *Deduplicator) Stop() {
close(d.stopCleanup)
}
-// Clear clears all deduplication entries
func (d *Deduplicator) Clear() {
d.mu.Lock()
defer d.mu.Unlock()
d.entries = make(map[LogKey]*DedupEntry)
}
-// Stats returns deduplication statistics
func (d *Deduplicator) Stats() map[LogKey]int64 {
d.mu.RLock()
defer d.mu.RUnlock()
diff --git a/pkg/log/formatter.go b/pkg/log/formatter.go
index 15a35c27..d298ecbf 100644
--- a/pkg/log/formatter.go
+++ b/pkg/log/formatter.go
@@ -33,12 +33,10 @@ type LogEntry struct {
Original string
}
-// Formatter formats log entries in Istio style
type Formatter struct {
patterns []*LogPattern
}
-// LogPattern represents a pattern for recognizing different log formats
type LogPattern struct {
Name string
Pattern *regexp.Regexp
@@ -58,12 +56,9 @@ func GetFormatter() *Formatter {
return defaultFormatter
}
-// NewFormatter creates a new formatter with built-in patterns
func NewFormatter() *Formatter {
f := &Formatter{
patterns: []*LogPattern{
- // Klog pattern: I0926 16:53:33.461184 1
controller.go:123] message
- // or: I0926 16:53:33.461184 1 controller.go:123]
successfully acquired lease istio-system/istio-namespace-controller-election
{
Name: "klog",
Pattern: regexp.MustCompile(`^([IWEF])(\d{4}
\d{2}:\d{2}:\d{2}\.\d+)\s+\d+\s+[^\s]+\]\s+(.+)$`),
@@ -71,7 +66,7 @@ func NewFormatter() *Formatter {
if len(matches) < 4 {
return nil
}
- level := klogLevelToIstio(matches[1])
+ level := klogLevelToDubbo(matches[1])
timestamp :=
parseKlogTimestamp(matches[2])
message := matches[3]
return &LogEntry{
@@ -189,8 +184,6 @@ func NewFormatter() *Formatter {
return f
}
-// Format formats a log line in Istio style
-// Removes any trailing newlines to prevent blank lines
func (f *Formatter) Format(line string) string {
line = strings.TrimSpace(line)
if line == "" {
@@ -240,8 +233,7 @@ func (f *Formatter) formatEntry(entry *LogEntry) string {
)
}
-// klogLevelToIstio converts klog level to Istio level
-func klogLevelToIstio(klogLevel string) string {
+func klogLevelToDubbo(klogLevel string) string {
switch klogLevel {
case "I":
return "info"
diff --git a/pkg/log/klog_formatter.go b/pkg/log/klog_formatter.go
index 317dc684..ada3708c 100644
--- a/pkg/log/klog_formatter.go
+++ b/pkg/log/klog_formatter.go
@@ -30,11 +30,7 @@ import (
type LogFormat int
const (
- // FormatKlog uses klog-style format (Istio default)
- // Format: I1107 07:53:52.789817 3352004 server.go:652] message
FormatKlog LogFormat = iota
- // FormatStandard uses standard format
- // Format: 2025-11-07T07:53:52.787717694Z info default message
FormatStandard
)
@@ -62,8 +58,6 @@ func GetLogFormat() LogFormat {
return logFormat
}
-// formatKlogLine formats a log line in klog style (Istio format)
-// Format: I1107 07:53:52.789817 3352004 server.go:652] message
func formatKlogLine(level Level, scope, message string, skip int) string {
now := time.Now()
diff --git a/pkg/uds/listener.go b/pkg/uds/listener.go
index 4fc07d5b..278930fb 100644
--- a/pkg/uds/listener.go
+++ b/pkg/uds/listener.go
@@ -44,7 +44,7 @@ func NewListener(path string) (net.Listener, error) {
return nil, fmt.Errorf("failed to listen on unix socket %q:
%v", path, err)
}
- // Update file permission so that istio-proxy has permission to access
it.
+ // Update file permission so that dubbo-proxy has permission to access
it.
if _, err := os.Stat(path); err != nil {
return nil, fmt.Errorf("uds file %q doesn't exist", path)
}
diff --git a/tools/annotations_prep/main.go b/tools/annotations_prep/main.go
index d3726e92..a3643275 100644
--- a/tools/annotations_prep/main.go
+++ b/tools/annotations_prep/main.go
@@ -350,8 +350,8 @@ func generateVariableName(v Variable) string {
// First, process the namespace portion ...
- // Strip .istio.io from the namespace portion of the annotation name.
- ns = strings.TrimSuffix(ns, ".istio.io")
+ // Strip .dubbo.apache.org from the namespace portion of the annotation
name.
+ ns = strings.TrimSuffix(ns, ".dubbo.apache.org")
// Separate the words by spaces and capitalize each word.
ns = strings.ReplaceAll(ns, ".", " ")
