Skip to content

Enable the config validation webhook in istiod (3 of 3)#19985

Merged
istio-testing merged 22 commits intoistio:masterfrom
ayj:0002-webhook-validation-pilot-use-new-controller-server
Jan 18, 2020
Merged

Enable the config validation webhook in istiod (3 of 3)#19985
istio-testing merged 22 commits intoistio:masterfrom
ayj:0002-webhook-validation-pilot-use-new-controller-server

Conversation

@ayj
Copy link
Copy Markdown
Contributor

@ayj ayj commented Jan 8, 2020
edited
Loading

Part 3 of 3 in a set of changes to unify webhook validation.

This PR enables Pilot to provide config validation in the absence of Galley. It includes the following changes:

  • Pilot now starts the webhook validation server and optionally the corresponding controller for config reconciliation.
  • The injection and validation webhook handlers are now served by the same https server.
  • The validatingwebhookconfiguration was made more concise and renamed to not be component specific.

@ayj ayj requested a review from a team January 8, 2020 01:14
@ayj ayj requested review from a team as code owners January 8, 2020 01:14
@istio-testing istio-testing added the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Jan 8, 2020
@googlebot googlebot added the cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. label Jan 8, 2020
@istio-testing istio-testing added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Jan 8, 2020
@ayj ayj changed the title WIP - Make pilot use the new webhook controller and server packages (3 of 3) (NOT READY FOR REVIEW) - Make pilot use the new webhook controller and server packages (3 of 3) Jan 8, 2020
@istio-testing istio-testing removed the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Jan 8, 2020
@ayj
Copy link
Copy Markdown
Contributor Author

ayj commented Jan 8, 2020

This PR is not ready for review yet. I misclicked when switching to a draft PR.

@ayj ayj force-pushed the 0002-webhook-validation-pilot-use-new-controller-server branch from 261acc8 to 1c2437c Compare January 13, 2020 22:40
@ayj ayj requested a review from a team as a code owner January 13, 2020 22:40
@istio-testing istio-testing added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jan 13, 2020
howardjohn
howardjohn reviewed Jan 13, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@howardjohn howardjohn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm overall, just nitpicks and the PR says WIP so not pressing approve yet

@ayj ayj force-pushed the 0002-webhook-validation-pilot-use-new-controller-server branch from 1c2437c to ae85c15 Compare January 14, 2020 01:36
@ayj ayj requested a review from a team as a code owner January 14, 2020 01:36
@istio-testing istio-testing added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 14, 2020
howardjohn
howardjohn reviewed Jan 15, 2020
View reviewed changes
howardjohn
howardjohn reviewed Jan 15, 2020
View reviewed changes
@ayj ayj requested a review from a team January 16, 2020 20:09
@ayj ayj requested review from a team as code owners January 16, 2020 20:09
@istio-testing istio-testing added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jan 16, 2020
@googlebot
Copy link
Copy Markdown
Collaborator

googlebot commented Jan 16, 2020

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.

howardjohn
howardjohn reviewed Jan 17, 2020
View reviewed changes
@istio-testing istio-testing added the needs-rebase Indicates a PR needs to be rebased before being merged label Jan 18, 2020
@ayj
Merge branch 'master' of https://github.com/istio/istio into 0002-web…
81dad6a 
…hook-validation-pilot-use-new-controller-server
@istio-testing istio-testing removed the needs-rebase Indicates a PR needs to be rebased before being merged label Jan 18, 2020
@ayj ayj mentioned this pull request Jan 18, 2020
Merged
howardjohn
howardjohn reviewed Jan 18, 2020
View reviewed changes
pkg/test/framework/components/istio/config.go Outdated
}

func (c *Config) IsIstiodEnabled() bool {
return c.Values["global.istiod.enabled"] == "true"
Copy link
Copy Markdown
Member

@howardjohn howardjohn Jan 18, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return c.Values["global.istiod.enabled"] == "true"
if c.Operator {
return c.Values["global.istiod.enabled"] != "true"
}
return false

Values only contains overrides, so we have to rely on the fact that istiod is default on operator and is never set for helm.

howardjohn
howardjohn reviewed Jan 18, 2020
View reviewed changes
tests/integration/galley/webhook/webhook_test.go Outdated
ctx.NewSubTest("key/cert reload").
Run(func(t framework.TestContext) {
addr, done := startGalleyPortForwarderOrFail(t, env, istioNs)
if i.Settings().IsIstiodEnabled() {
Copy link
Copy Markdown
Member

@howardjohn howardjohn Jan 18, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if i.Settings().IsIstiodEnabled() {
cfg := i.Settings()
if cfg.IsIstiodEnabled() {

@istio-testing istio-testing added the needs-rebase Indicates a PR needs to be rebased before being merged label Jan 18, 2020
@istio-testing istio-testing removed the needs-rebase Indicates a PR needs to be rebased before being merged label Jan 18, 2020
@howardjohn
Copy link
Copy Markdown
Member

howardjohn commented Jan 18, 2020

looks like this is passing now except gencheck, but if not I copied this down and made a couple tiny tweaks and it seemed to work if it helps #20292

@ayj
Copy link
Copy Markdown
Contributor Author

ayj commented Jan 18, 2020

Thanks @howardjohn. One-line change to fix a bracket indentation. Now to re-run all of the tests again.

incfly
incfly reviewed Jan 18, 2020
View reviewed changes
tests/integration/security/webhook/webhook_test.go
NewTest(t).
Run(func(ctx framework.TestContext) {
cfg := inst.Settings()
if cfg.IsIstiodEnabled() {
Copy link
Copy Markdown

@incfly incfly Jan 18, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lei-tang fyi.

Copy link
Copy Markdown
Contributor

@lei-tang lei-tang Jan 18, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When istiod is enabled, users are unable to manage webhooks through operator?

Copy link
Copy Markdown
Contributor Author

@ayj ayj Jan 18, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is only temporary. We need to update operator/istioctl to skip the k8s secret check with istiod.

incfly
incfly approved these changes Jan 18, 2020
View reviewed changes
Copy link
Copy Markdown

@incfly incfly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

approval modulo on

  • for code freeze
  • the issue should be resolved and having webhook test enabled with istiod. (Given we want all these thing in 1.5)

@istio-testing istio-testing merged commit 20cac5b into istio:master Jan 18, 2020
@ayj ayj deleted the 0002-webhook-validation-pilot-use-new-controller-server branch January 18, 2020 21:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@howardjohn howardjohn howardjohn approved these changes

@lei-tang lei-tang lei-tang left review comments

@costinm costinm Awaiting requested review from costinm

@linsun linsun Awaiting requested review from linsun

@rshriram rshriram Awaiting requested review from rshriram

+2 more reviewers

@incfly incfly incfly approved these changes

@sushicw sushicw sushicw approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@myidpt myidpt

@incfly incfly

@JimmyCYJ JimmyCYJ

Labels

cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

9 participants

@ayj @googlebot @howardjohn @incfly @lei-tang @sushicw @myidpt @istio-testing @JimmyCYJ