This issue aims to track small chunks of work to be done to progress ambient to beta.

Using this issue

Each list entry is intended to be a small task that can be picked up by anyone interested in contributing.
These individual entries can be converted into individual issues if they need broader tracking/conversation/etc.
If you are planning to work on an issue, add your name next to it to claim it (or convert to an issue and assign to yourself)

Contributing to Ambient follows the same procedures as contributing to master, but development occurs on https://github.com/istio/istio/commits/experimental-ambient.

Please feel free to add entries by editing this comment

Tasks

Test Infra

• Enable branch protection for experimental-ambient (https://github.com/istio/test-infra/blob/master/prow/config.yaml) (owner: @zirain)
• Disable release notes test in experimental-* branches in prow configuration (https://github.com/istio/test-infra/blob/master/prow/config/experimental/istio.yaml)
• Get ambient integration tests running. owner: @stevenctl

Installation

• Split ztunnel daemonset to its own chart (owner: @zirain)
• Tune various ztunnel configurations, including securityContext, rollout strategies, priorityClass, etc.
• Consider running ztunnel in kube-system, or at least make it possible to (to allow priorityClass usage)

Telemetry

• Support Telemetry API on waypoint/ztunnel
  • Logging (owner: @zirain ) ambient: support telemetry logging #41605
  • Tracing (owner: @zirain ) ambient: support telemetry tracing on waypoint #41656
  • Metrics

Certificates

Currently, ztunnel fetches certificates by using a mounted kubelet credential from the node, getting a pod's token using TokenRequest, then sending a standard request to the CA.

This has issues since kubelet credential is overly broad privileged and not portable. Additionally, the whole flow has a lot of complexity. Importing k8s libraries into ztunnel also leads to binary bloat.

Instead, we should use ztunnel's own credential to authenticate to the Istiod CA. Then, Istiod can perform the node-local check itself.

• Make Istiod CA allow this node-local check (owner: @howardjohn ) ambient: ca: Implement node authorization #41379
  • CA takes Lister for Pods as input
  • CA has a user facing config to opt-in specific service accounts to use node authentication. This should default to ztunnel's service account only.
  • On request, if the CSR is not for "self", check if it is in "node local" auth mode. If so, check all other pods on the same node and verify at least one is running as the SA
• Modify ztunnel to no longer use mount kubelet cert, and instead use its own token for all request. Can remove the TokenRequest deadcode. owner: @howardjohn
• Modify ztunnel templates to no longer mount kubelet cert. owner: @howardjohn
• Modify XDS generation to just encode the identity to request, not the identity+pod UID. owner: @howardjohn
• Ensure no more client-go dependencies in ztunnel to help with binary sizes

CNI

• CNI has been found to use high CPU/memory for small clusters. Investigate why. Likely fixed by Refactor ambient CNI informer #42012
• Decide on long term plan for redirection in ambient (owner: @yuval-k)

Rest of the details will likely depend on resolution to ^

Ztunnel

• Explore improved Envoy or Rust ztunnel implementation #40956

Rest of details will depend on resolution to ^. Once that is complete, this will be filled out

HBONE

• Implement HBONE for sidecars and gateways (owner: @howardjohn ) Initial HBONE for sidecars and ingress (for master) #41391
• Make HBONE as performant as traditional Istio mTLS

General

• Design how ztunnel (singleton) will interact with revisions
• Code cleanup - properly use informers, controllers, etc. At some point, much of the added code was doing direct reads instead of through listers, etc