A few enhancements to istio-proxy-cfg.py

[baodongli]

Made a few enhancements:

• pilot_url doesn't have to be provided, but can be found out from the cluster
• cache_stats can be queried. This is useful to find out who are talking to pilot for xds
• podname can be a prefix of a pod's name
• clarify the help strings.

Although I think podname as name.namespace.ip or name.namespace is not necessary, I kept them in.

[istio-merge-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
We suggest the following additional approver: rshriram

Assign the PR to them by writing /assign @rshriram in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these OWNERS Files:

• bin/OWNERS

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[mandarjog]

We should continue separating yaml files by source(pilot or proxy). It is easy to diff 2 separate files.

[baodongli]

I agree. I was thinking about that while working on it, but hesitating on what command arguments should be used to achieve that. Before this PR, --pilot_url is used to indicate pilot vs proxy. Now that pilot_url is not required, and there are three types of output: pilot, proxy, cache_stats, need a way to write them in different files. Is it ok to define the output argument as --output [DIR]? That way, three files will be written in the directory. Do you have any suggestions or preference? Do you think it's necessary for user to indicate the type of output in the command line?

[mandarjog]

Yes output dir sounds good

[baodongli]

/test circleci

[baodongli]

/test istio-pilot-e2e

[baodongli]

@mandarjog updated per comments. let me know any further comments. thanks

[rshriram]

nit: its json.. there is no YAML for v1

[baodongli]

I changed the suffix to be json.

[baodongli]

@mandarjog let me know how to move this forward. thanks.

[codecov]

Codecov Report

Merging #3235 into master will decrease coverage by 1%.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master   #3235    +/-   ##
=======================================
- Coverage      76%     76%   -<1%     
=======================================
  Files         297     297            
  Lines       26725   27213   +488     
=======================================
+ Hits        20254   20536   +282     
- Misses       5203    5359   +156     
- Partials     1268    1318    +50

Impacted Files	Coverage Δ
mixer/adapter/noop/noop.go	67% <0%> (-17%)	⬇️
mixer/adapter/stackdriver/stackdriver.go	58% <0%> (-12%)	⬇️
pilot/pkg/config/monitor/monitor.go	69% <0%> (-5%)	⬇️
pilot/pkg/kube/inject/webhook.go	77% <0%> (-4%)	⬇️
mixer/adapter/circonus/circonus.go	67% <0%> (-1%)	⬇️
mixer/adapter/rbac/rbac.go	10% <0%> (-1%)	⬇️
mixer/template/sample/template.gen.go	55% <0%> (ø)	⬇️
pkg/cache/lruCache.go	100% <0%> (ø)	⬆️
mixer/adapter/dogstatsd/dogstatsd.go	100% <0%> (ø)	⬆️
pilot/pkg/model/controller.go	100% <0%> (ø)	⬆️
... and 9 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 007c793...e4fd766. Read the comment docs.

[mandarjog]

Running it directly gets me this error

mjog-macbookpro:tmp mjog$ ./istio-proxy-cfg.py -h
usage: istio-proxy-cfg.py [-h] [--pilot_url PILOT_URL] [--output OUTPUT]
                          [--cache_stats] [--clear_cache_stats]
                          podname

Fetch routes from Envoy or Pilot for a given pod

positional arguments:
  podname               podname must be either name.namespace.podip or
                        name.namespace or any string that is a pod's label or
                        a prefix of a pod's name. ingress, mixer, istio-ca,
                        product-page all work

optional arguments:
  -h, --help            show this help message and exit
  --pilot_url PILOT_URL
                        Often this is localhost:8080 or 15003 through a port-
                        forward. kubectl --namespace=istio-system port-forward
                        $(kubectl --namespace=istio-system get -l istio=pilot
                        pod -o=jsonpath='{.items[0].metadata.name}')
                        8080:8080. If not provided, attempt will be made to
                        find it out.
  --output OUTPUT       A directory where output files are saved. default is
                        the current directory
  --cache_stats         Fetch Pilot cache stats
  --clear_cache_stats   Clear Pilot cache stats
mjog-macbookpro:tmp mjog$ ./istio-proxy-cfg.py ingress
It seems that you are running outside the k8s cluster
Let's try to create a port-forward to access pilot
Enter local port number (default 8080, ctrl-C to abort): 8080
local port is 8080
Forwarding from 127.0.0.1:8080 -> 8080
Handling connection for 8080
Fetching from Pilot for pod istio-ingress-784f979b9b-jpdzv in istio-system namespace
http://localhost:8080/v1/listeners/istio-proxy/ingress~10.32.1.33~istio-ingress-784f979b9b-jpdzv.istio-system~istio-system.svc.cluster.local
Handling connection for 8080
http://localhost:8080/v1/routes/80/istio-proxy/ingress~10.32.1.33~istio-ingress-784f979b9b-jpdzv.istio-system~istio-system.svc.cluster.local
Handling connection for 8080
http://localhost:8080/v1/clusters/istio-proxy/ingress~10.32.1.33~istio-ingress-784f979b9b-jpdzv.istio-system~istio-system.svc.cluster.local
Handling connection for 8080
http://localhost:8080/v1/registration/grafana.istio-system.svc.cluster.local|http
Handling connection for 8080
http://localhost:8080/v1/registration/istio-pilot.istio-system.svc.cluster.local|http-discovery
Handling connection for 8080
http://localhost:8080/v1/registration/httpbin.default.svc.cluster.local|http
Handling connection for 8080
http://localhost:8080/v1/registration/echosrv2.istio.svc.cluster.local|http-echo
Handling connection for 8080
http://localhost:8080/v1/registration/prometheus.istio-system.svc.cluster.local|http-prometheus
Handling connection for 8080
http://localhost:8080/v1/registration/echosrv1.istio.svc.cluster.local|http-echo
Handling connection for 8080
http://localhost:8080/v1/registration/productpage.default.svc.cluster.local|http
Handling connection for 8080
Wrote  ./istio-ingress-784f979b9b-jpdzv/pilot_xds.json
Fetching from Envoy for pod istio-ingress-784f979b9b-jpdzv in istio-system namespace
kubectl -n istio-system exec -i -t istio-ingress-784f979b9b-jpdzv -c istio-ingress -- curl http://localhost:15000/routes
command terminated with exit code 126
Traceback (most recent call last):
  File "./istio-proxy-cfg.py", line 376, in <module>
    sys.exit(main(args))
  File "./istio-proxy-cfg.py", line 324, in main
    data = pr.routes()
  File "./istio-proxy-cfg.py", line 173, in routes
    return self.query("/routes")
  File "./istio-proxy-cfg.py", line 163, in query
    s = subprocess.check_output(cmd.split())
  File "/usr/local/Cellar/python/2.7.13/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 219, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '['kubectl', '-n', 'istio-system', 'exec', '-i', '-t', 'istio-ingress-784f979b9b-jpdzv', '-c', 'istio-ingress', '--', 'curl', 'http://localhost:15000/routes']' returned non-zero exit status 126

[mandarjog]

curl is not present on images, so we cannot assume it. Now that is runs unprompted, the error is an issue.

1. ask if user wants directly from envoy
2. If curl is not there, don't throw and error.
3. start a new curl container and use it to hit envoy in question. mtls needs to be solved.

[mandarjog]

Would be good to replace this

Let's try to create a port-forward to access pilot
Enter local port number (default 8080, ctrl-C to abort): 8080

with "using ${some random local port} for forwarding to pilot" And make it non interactive.

[baodongli]

About the curl error, I realized that port-forward can be used and curl can be invoked from the host rather than from inside the container. I'll restructure the code a bit so that both sidecar query and pilot query can use the same code. For local port, I'll use a random port from the range 50000 - 60000, and get rid of the read from user.

Let's use another PR for the mtls.

[baodongli]

/retest

[baodongli]

/retest

[istio-testing]

@baodongli: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
prow/istio-presubmit.sh	e4fd766	link	/test istio-presubmit

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.