Update istio-remote helm chart to support automatic sidecar injection

[Rigdon]

WIP, this needs further testing.
This removes the local Istio service endpoints in favor of addressing remote endpoints directly and provides a basic setup for the Citadel and SIdecar Injectors. I will update the README with instructions if we agree on this approach and it works for others.

[Rigdon]

@tiswanso I migrated our internal Helm chart into the istio-remote directory. This is pretty much exactly what I deployed and the sidecar injector just worked. As I mentioned in the working group meeting I was unable to get a full end to end test due to #6313 but that's unrelated to multi-cluster. We're going to create a couple clusters without custom domains and I'll keep working at testing this.

I removed the endpoint and service templates in favor of using the remote endpoints directly. I could see setting up ExternalName type services though if that were preferable.

[codecov]

Codecov Report

Merging #6366 into master will increase coverage by 1%.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master   #6366    +/-   ##
=======================================
+ Coverage      71%     71%    +1%     
=======================================
  Files         354     354            
  Lines       30666   30740    +74     
=======================================
+ Hits        21503   21619   +116     
+ Misses       8314    8274    -40     
+ Partials      849     847     -2

Impacted Files	Coverage Δ
mixer/adapter/rbac/controller.go	30% <0%> (-23%)	⬇️
...olarwinds/internal/papertrail/papertrail_logger.go	59% <0%> (-21%)	⬇️
istioctl/cmd/istioctl/authn.go	67% <0%> (-6%)	⬇️
galley/pkg/server/server.go	90% <0%> (-5%)	⬇️
mixer/adapter/bypass/util.go	3% <0%> (-3%)	⬇️
pilot/pkg/serviceregistry/kube/queue.go	86% <0%> (-3%)	⬇️
mixer/adapter/signalfx/metrics.go	41% <0%> (-2%)	⬇️
mixer/adapter/solarwinds/log_handler.go	58% <0%> (-2%)	⬇️
mixer/adapter/signalfx/signalfx.go	82% <0%> (-1%)	⬇️
mixer/adapter/list/list.go	100% <0%> (ø)	⬇️
... and 13 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a4df8f8...50f377f. Read the comment docs.

[Rigdon]

Fixes #6092
Fixes #6321

[gyliu513]

Does the two cluster can communicate with each other if using different root cert?

[sdake]

@gyliu513 this looks like a copy and paste from the main helm chart. I think that is fine for now.

[Rigdon]

yeah, what Steve said. The security and sidecar injector charts are exact copies of the subcharts in install/kubernetes/helm/istio

[gyliu513]

But my question is does mTLS works cross clusters for such case?

[tiswanso]

@gyliu513 -- AFAIK, yes, as long as each cluster's root cert was signed by the same CA.

[gyliu513]

Please add security as well.

[sdake]

@gyliu513 I prefer not to carry deltas in the istio-remote chart. The update model should be a simple copy and paste. that said, if you think security belongs as a keyword, might submit that to the main istio helm chart.

[tiswanso]

@sdake @Rigdon -- for duplicate files, wouldn't symlinks be better? Is everything under kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/ a dup of kubernetes/helm/istio/charts/sidecarInjectorWebhook/?

[Rigdon]

It is a straight copy/paste. I'd personally prefer to use helm dependency but that's not a pattern that is currently in use for the project. I could change it to symlinks if we think t's a better approach to avoid drift but I generally don't like them in git repos.

[tiswanso]

@sdake @gyliu513 --what do you guys think? IMO, relative path symlinks are ok and easier to review--explicitly ensuring "there's no change here".

EDIT: I'd prefer helm dependency as well but @sdake mentioned some practical problems. Not sure if we could/should focus on tackling those problems instead of borking up the organization of the charts, though.

[gyliu513]

+1 to symlinks.

[gyliu513]

I was a bit confused, seems here the rbac logic in your PR only handling the serviceAccount name?

Same issue for the local chart. @ymesika as you initiated the original PR for local chart, any comments for this?

[sdake]

I don't think its helpful to fix bugs in the main chart by reviewing istio-remote :) It may make more sense to just fix those problems independently and use a copy and paste as was done here (and was done in the past for citadel).

[gyliu513]

make sense.

[gyliu513]

Do we need to add permission for gateway, destinationrules, virtualservices?

[Rigdon]

No because those resources will only exist in the primary control plane cluster.

[tiswanso]

@gyliu513 - I confirm @Rigdon's answer

[gyliu513]

yes, we have only one control panel.

[gyliu513]

namespace also needed here

[Rigdon]

This is from the main chart as well. If the namespace is required it should be in{{ .Values.global.proxy.envoyStatsd.host }}

[gyliu513]

main chart has a bug and has been fixed at #6349

[gyliu513]

Please add namespace back for this, as master already fixed this.

[gyliu513]

If removing this, then how to let the local istio connect to remote istio?

BTW: I also created a PR to add more checking for this at #6393

[sdake]

agreed, I don't understand how this works properly. @Rigdon could you expand on how one deploys Istio in this setup?

[Rigdon]

The proxy containers in the remote cluster will use the remote endpoints directly as this is written. We could add some ExternalName services so that they are referencing local service names but I couldn't think of any immediate value in that.

[Rigdon]

I can go ahead and update the README with details if we think this is generally the right direction.

[sdake]

The README.md should not exist - it was removed once and replaced with a link to istio.io. No sense updating README.md, although istio.io will need any updates that are relevant to changes made in the charts.

[Rigdon]

👍

[tiswanso]

@sdake @Rigdon @gyliu513 -- does removing this mandate using auto-sidecar injection? (or pretty much mandate it?)

With the selectorless service + endpoint setup on the remote, we're able to make the manual injection workflow use the exact same kube-inject output for apps as if they were deployed on the cluster with the Istio control-plane. IMO, this is fairly nice.

However, I think a similar workflow could still work with this change if the istioctl kube-inject is run against a remote cluster with the --meshConfigMapName (or maybe --injectConfigMapName) option pointing to the istio configmap in this change. I hope to get time to play with that scenario.

[Rigdon]

Yeah I guess I was hoping (I haven't been using manual injection at all) that istioctl kube-inject would honor the meshConfig in the target cluster. If that's not the case then adding the ExternalName type service may be a better option.

[gyliu513]

thanks all, I think this is good to remove this as long as we can make sure manual injection works. @sdake @tiswanso @Rigdon

[sdake]

@Rigdon @tiswanso I think the outstanding question that needs answered prior to merging this PR is whether or not manual injection works with it. All of the e2e tests for multicluster depend on manual injection, and while i'm not opposed to changing those to automatic injection, we don't want to break the test cases with this merge.

Further we do need manual injection to work - atleast for 1.0 and until automatic injection has less tread on the tires.

Cheers
-steve

[sdake]

namespace objects do not work properly in helm. Please remove this section.

[Rigdon]

👍

[sdake]

values.yaml is a special file in that it exports an API to the user. As such, it should have as minimum a footprint as is necessary to get the job done. This has a bunch of unrelated stuff in it - would need to be trimmed prior to merge.

[Rigdon]

I'll go through and review the variables again. I removed all of the sections related to Istio components that won't be installed on the remote clusters.

[sdake]

Kubernetes applications won't work in this model unless there is some magic I don't understand. Currently we specify the pilotendpoint so that the sidecars inside kubernetes can find pilot and receive the mesh calculation.

Could you add more detail as to how the deployment works in this situation?

[Rigdon]

I use remotePilotAddress as the discoveryAddress here in the mesh config (along with the other remoteX addresses. The proxy sidecars will then use those adresses instead of local default service names.

[sdake]

Sounds like an improvement. Mind I test prior to merge? cc @baodongli @tiswanso

[Rigdon]

Please!

[sdake]

@Rigdon are you using proyv1, or v2? v1 is deprecated, and IIUC will disappear in the 1.0 release. We should be marching towards that model if possible.

[Rigdon]

The default in both charts now is the proxyv2 image, though as @tiswanso pointed out the sidecars are still configured by default to use the old http ports rather than the newer grpc ports. I tried to keep as much the same as possible between the two charts.

[tiswanso]

@sdake -- I think we want to fix this in the main charts ASAP. From your slack msg, I'm guessing you're looking at it. Do you know if we have an issue already for tracking the latest xDS config stuff the helm charts?

@baodongli ^^

[Rigdon]

@sdake I removed the namespace and any variables in the values.yaml that aren't used by the security and injector subcharts

[tiswanso]

This service account isn't created in any chart that I can see. Did you add a new file to create this service account but it didn't get added to changeset?

I see now: istio-remote/templates/serviceaccount.yaml has the wrong service-account name

[tiswanso]

you want istio-control-plane-service-account instead of istio-multi

[Rigdon]

I changed it the other way. Kept the istio-multi SA name to match the docs you'd written and fixed the role binding instead.

[tiswanso]

We need to fix this section for envoyv1 xDS v. envoyv2 xDS (grpc). ports 15005 and 15007 are the envoy v1 (legacy) pilot endpoints. The envoy v2 (grpc) endpoints are 15010 and 15011.

[Rigdon]

yeah... I noticed that. Didn't want to deviate from the main chart though.

[tiswanso]

Cool... good point. Not sure if there's an issue already for this.

[gyliu513]

There is an issue here #6452

[gyliu513]

But my question is does mTLS works cross clusters for such case?

[gyliu513]

+1 to symlinks.

[gyliu513]

make sense.

[gyliu513]

yes, we have only one control panel.

[gyliu513]

main chart has a bug and has been fixed at #6349

[gyliu513]

There is an issue here #6452

[gyliu513]

Should not here be remote statsd?

[Rigdon]

the existing statsd configuration in values.yaml is adequate. the statsd collector could be local or remote and either is supported by the current configuration options.

[gyliu513]

So how does the metrics be send to local control panel prometheus if using local statsd?

[gyliu513]

thanks all, I think this is good to remove this as long as we can make sure manual injection works. @sdake @tiswanso @Rigdon

[tiswanso]

@Rigdon -- hey, would you mind if we move the service-account stuff out into another PR to maybe get it in faster? I might end up needing it to cleanup the multicluster e2e tests.

[Rigdon]

the existing statsd configuration in values.yaml is adequate. the statsd collector could be local or remote and either is supported by the current configuration options.

[Rigdon]

symlink

[Rigdon]

symlink

[Rigdon]

@sdake @tiswanso @gyliu513

I updated this with all of the additional feedback. The big things being the switch to symlinks for the security and injector charts and I updated the readme to point at the preliminary docs page.

I'll also pull the service account parts into a separate PR so that we can get them merged for Tim. I'll leave them here for now too in case this gets merged quickly and fix the conflict Monday if not.

hey, would you mind if we move the service-account stuff out into another PR to maybe get it in faster? I might end up needing it to cleanup the multicluster e2e tests.

[gyliu513]

@Rigdon can you rebase, the overall PR looks good, hope this can be merged soon.

[Rigdon]

The commands that appear to be failing in both the lint and e2e-galley tests are working fine in Helm version 2.8.2.

e2e-galley

# test
$ helm template --namespace=istio-system install/kubernetes/helm/istio-remote
Error: error reading charts/security: read /go/src/istio.io/istio/install/kubernetes/helm/istio-remote/charts/security: is a directory

#local 
$ helm template --namespace=istio-system install/kubernetes/helm/istio-remote > /dev/null
$ echo $?
0

Lint

# test
$ helm lint ./install/kubernetes/helm/istio ./install/kubernetes/helm/istio-remote
==> Linting ./install/kubernetes/helm/istio
Lint OK

==> Linting ./install/kubernetes/helm/istio-remote
[ERROR] templates/: error reading charts/security: read /go/src/istio.io/istio/install/kubernetes/helm/istio-remote/charts/security: is a directory


# local 
$ helm lint ./install/kubernetes/helm/istio ./install/kubernetes/helm/istio-remote
==> Linting ./install/kubernetes/helm/istio
Lint OK

==> Linting ./install/kubernetes/helm/istio-remote
Lint OK

2 chart(s) linted, no failures

It looks like an issue with the symlinks.

[Rigdon]

As I mentioned above it works with the version of Helm I'm using. I expect that it's that the istio project is using an older version of Helm or the symlinks aren't being cloned correctly. I agree with @sdake that we should move on without the symlinks for now. Hopefully we can just use helm dependency in the near future.

…

On Mon, Jun 25, 2018, 7:54 PM Guang Ya Liu ***@***.***> wrote: @Rigdon <https://github.com/Rigdon> it is weird that the symlinks failed, if this is the case, I think we may need to open an issue in helm community and have some discussion there? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#6366 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABcyuNRzA43jcTb2F0iBmqVXKIxj9CGOks5uAXg5gaJpZM4UsYlZ> .

[gyliu513]

/lgtm

[gyliu513]

@Rigdon can you rebase so that I can do some test for this PR?

[gyliu513]

@Rigdon please note that we do not need .Values.global.rbacEnabled anymore,, as RBAC will always enabled, checkout here #6657 for detail.

/cc @sdake

[gyliu513]

I want to test it locally, but after the istio.yaml file is generated by make generate_yaml, the deployments cannot get images to deploy.

This seems because the CI was not passed, so the image was not created.

[gyliu513]

Those are not needed anymore #6657

[tiswanso]

missing {{ end }} for {{- if $.Values.cleanUpOldCA }}

[gyliu513]

/retest

[sdake]

/lgtm

Nice work Ryan!

[istio-testing]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gyliu513, Rigdon, sdake

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• install/OWNERS [gyliu513,sdake]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment