Add helm flags to control the app probe rewrite beahvior.#10344
Add helm flags to control the app probe rewrite beahvior.#10344istio-testing merged 10 commits intoistio:release-1.1from
Conversation
…s check. (istio#9266) * WIP injector change to modify istio-proxy. * move out to app_probe.go * Iterating sidecartmpl to find the statusPort. * use the same name for ready path. * Get rewrite work, almost. * Some clean up on test and check one container criteria. * fix the injected test file. * Add inject test for readiness probe itself. * Add missing added test file. * fix helm test. * fix lint. * update header based finding the port. * return to previous injected file status. * fixing TestIntoResource test. * sed fixing all remaining injecting files. * handling named port. * fixing merginge failure. * remove the debug print. * lint fixing. * Apply the suggestions for finding statusPort arg. * Address comments, regex support more port value format. * add app_probe_test.go * add more test. * merge fix the test.
istioctl/cmd/istioctl/kubeinject.go
Outdated
| if sidecarTemplate, err = inject.GenerateTemplateFromParams(&inject.Params{ | ||
| InitImage: inject.InitImageName(hub, tag, debugMode), | ||
| ProxyImage: inject.ProxyImageName(hub, tag, debugMode), | ||
| RewriteAppHTTPProbe: false, |
pilot/pkg/kube/inject/webhook.go
Outdated
| } | ||
| } | ||
|
|
||
| // TODO: plumbing wh.sidecarConfig.RewriteHTTPPRobe to the injectionData. |
There was a problem hiding this comment.
nit: add your github handle in the TODO
| data: | ||
| config: |- | ||
| policy: {{ .Values.global.proxy.autoInject }} | ||
| rewriteAppHTTPProbe: {{ .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe }} |
There was a problem hiding this comment.
Confused - why ?
Typically we use pod annotations to allow user to opt in/out of a specific feature.
| # | ||
| sidecarInjectorWebhook: | ||
| enabled: true | ||
| rewriteAppHTTPProbe: false |
There was a problem hiding this comment.
Once again - after reverting please add comments explaining what it does. Nobody can understand - rewrite how, when to set, why, etc. Don't assume all users are familiar with the your implementation details and goals.
| injectCmd.PersistentFlags().BoolVar(&enableCoreDump, "coreDump", | ||
| true, "Enable/Disable core dumps in injected Envoy sidecar (--coreDump=true affects "+ | ||
| "all pods in a node and should only be used the cluster admin)") | ||
| injectCmd.PersistentFlags().BoolVar(&rewriteAppHTTPProbe, "rewriteAppProbe", false, "Whether injector "+ |
There was a problem hiding this comment.
If it's a flag - why do you need it on the config map ?
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: incfly, mandarjog, nmittler The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
This PR is causing e2e-simple to fail when run with auto-sidecar injection. Seems like the new helm chart param The istio-cni release-1.1 nightly is failing due to it. |
costinm
left a comment
There was a problem hiding this comment.
Please revert - it seems to break stuff, the 'rewriteAppHTTPProbe is in different places ( under confg in istio-remote, under template in istio/templates.
| { | ||
| name: "one-container", | ||
| sidecar: &SidecarInjectionSpec{ | ||
| RewriteAppHTTPProbe: true, |
There was a problem hiding this comment.
This doesn't make any sense - why would this be part of the spec, next to containers ?
costinm
left a comment
There was a problem hiding this comment.
As I mentioned in other PRs, having a global setting without a way to gradually rollout and test is extremely dangerous and should be avoided. We should certainly not set global options unless a feature
is extensively tested ( including by production users with real workloads, like @Stono )
Please add an annotation, so users can turn on for testing and off if they run into troubles for specific workloads.
|
|
To add info on what I've seen with this change... I think this has introduced a delta (at least for e2e-simple) for the e2e test framework run with sidecar injection enabled v. the default with istioctl kube-inject. I don't see how the e2e-simple would pass without the rewriteAppHTTPProbe=true so, I'm suspecting that the e2e test is running with it set for the istioctl kube-inject case. IMO, that delta in behavior is really bad and should be fixed by either changing the default for the flag or by having the makefile set it all the time for the e2e tests. |
|
I filed bug #10557. Let's move AI(s) over there. |
|
@incfly -- I think pilot/pkg/kube/inject/app_probe.go L51-53 is what changed the default behavior--at least compared to master. I'm not familiar with what was happening for the liveness probes prior to the existence of app_probe.go. |
|
kube-inject is not an option - many users use automatic sidecar injector, and it is what we recommend. Please use a pod annotation - so users can opt in and out per pod, like we do with many other features ( including mixer, policy, etc). There is not use case for having this as (only) a global setting. |
…tio#10344)" This reverts commit f265b86.
For #9150
istioctl kube-injectand auto injection has slightly different code path. The existing override changes only happen on istioctl level..Values.global.sidecarInjectorWebhook.rewriteAppHTTPProbecontrols the sidecar injection template's optionrewriteAppHTTPProbe. During injection, we'll then consult this flag to determine whether spec will be rewritten.