Add more checking for istio-remote.

[gyliu513]

Add more checking for istio-remote chart to see if the endpoints
and services are enabled for istio remote.

Fixed #6321

/cc @sdake @baodongli @tiswanso @john-a-joyce

[sdake]

seems like a little too much overloading. I believe @costinm had thought using the actual DNS name would result in a workable solution with virtual services + coredns in addition.

One thing that might work a little better is:

global.pilotEnabled: true
global.telemetryEnabled: true
global.tracingEnabled: false

and not overloading the variables.

[tiswanso]

I think a point is that having default values don't make sense anyway. The endpoint manifest won't validate with those defaults--the API demands an IP for the field.

[gyliu513]

@sdake adding a new parameter to control the endpoint is enabled or not seems to be complex, as I need to update two places if I want to enable pilotEndpoint, including both global.pilotEnabled and pilotEndpoint, but with this PR, we only need to update pilotEndpoint.

[john-a-joyce]

Is this a problem not defining a pilotEndpoint value? I am not a helm expert but it looks fishy since this is only defined in istio-remote

[john-a-joyce]

Ignore my comment got a bit of tutorial on how these values are used to build the charts

[tiswanso]

LGTM -- without a valid endpoint value for a service, the corresponding sections in the manifest don't make sense on the remote.

[tiswanso]

LGTM -- the *Endpoint settings MUST be IPs for the template and defaulting the value doesn't make sense. The lack of a setting for a specific service equates to not needing the istio-remote to contain a corresponding representation of selectorless service and endpoint manifests.

[baodongli]

should be .pilotEndpoint

[gyliu513]

Done

[codecov]

Codecov Report

Merging #6393 into master will increase coverage by 1%.
The diff coverage is n/a.

@@          Coverage Diff           @@
##           master   #6393   +/-   ##
======================================
+ Coverage      71%     71%   +1%     
======================================
  Files         354     354           
  Lines       30666   30743   +77     
======================================
+ Hits        21503   21602   +99     
+ Misses       8314    8289   -25     
- Partials      849     852    +3

Impacted Files	Coverage Δ
mixer/adapter/solarwinds/metrics_handler.go	70% <0%> (-13%)	⬇️
galley/pkg/server/server.go	90% <0%> (-5%)	⬇️
pilot/pkg/serviceregistry/kube/queue.go	86% <0%> (-3%)	⬇️
pilot/pkg/serviceregistry/kube/controller.go	66% <0%> (-2%)	⬇️
mixer/adapter/solarwinds/log_handler.go	58% <0%> (-2%)	⬇️
mixer/adapter/rbac/rbac.go	10% <0%> (-1%)	⬇️
mixer/adapter/bypass/bypass.go	62% <0%> (-1%)	⬇️
mixer/adapter/statsd/statsd.go	96% <0%> (-1%)	⬇️
mixer/pkg/attribute/mutableBag.go	89% <0%> (ø)	⬇️
mixer/adapter/list/list.go	100% <0%> (ø)	⬇️
... and 10 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a4df8f8...aaf7df6. Read the comment docs.

[sdake]

@tiswanso the endpoint does not need to be an IP, as long as it is resolvable via Kubernetes. resolution can happen via coredns. I think in the past @costinm had mentioned that coredns can be used to serve the purposes of providing DNS resolution with the kubernetai plugin.

@costinm can you weigh in - IIRC you had the strong desire to add these endpoint definitiions.

[sdake]

Added do-not-merge tag until Costin can weigh in.

[sbezverk]

@sdake I played with coredns and integration with kubernetes, it does work but a couple of points to consider:

1. You rely on a third party software component which may or may not exist in the cluster you install remote instio. (Maybe it would be safer to base design on almost ubiquitous kube-dns)
2. Even if you have coredns service as dns for the cluster, by default it will not be serving external requests as it does not get exposed to outside by default. (Many cluster admins would be concerned to expose internal services to outside)

[tiswanso]

@sdake -- The error I see is not a DNS resolution error. It's an immediate error on validating the endpoint kind--the error indicates that an IP is required.

Anyway, regardless... the whole point of the selectorless services and endpoints is to get a DNS entry. If a setup has multicluster coredns is setup, this will already be achieved and none of these selectorless services is required.

[sdake]

@sbezverk coredns is standard in kubernetes 1.11+.

[gyliu513]

@rshriram is also using CoreDNS for zero VPN multi-cloud solution, mainly using the CoreDNS to resolve service *.x.global to a dummy IP 1.1.1.1,

[tiswanso]

@sdake -- Could we not hold this up for analysis of a special case? It's a blocker for e2e multicluster pilot tests.

[john-a-joyce]

Why are we holding this up on DNS approach? The current charts are broken because the multicluster e2e tests will fail due to the way the helm charts are generated for the tests. Let's let this merge if everyone agrees that the code is sound. We can revamp the recommended install as a separate PR as the changes are more encompassing.

[gyliu513]

We may not need this after #6366 got merged.

[tiswanso]

@gyliu513 IMO, let's not wait on #6366. This is an easy change for now and not having this is a blocker for using the instructions in https://preliminary.istio.io/docs/setup/kubernetes/multicluster-install/.

[gyliu513]

/retest

[morvencao]

/lgtm

[istio-testing]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gyliu513, morvencao

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• install/OWNERS [gyliu513]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gyliu513]

/retest

[gyliu513]

/retest

[gyliu513]

/retest

[istio-testing]

@gyliu513: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
prow/istio-pilot-e2e.sh	450852d0cfc5cbb3c196c6e8d392fb8436137753	link	/test istio-pilot-e2e
prow/e2e-bookInfoTests.sh	450852d0cfc5cbb3c196c6e8d392fb8436137753	link	/test e2e-bookInfo
prow/istio-unit-tests.sh	aaf7df6	link	/test istio-unit-tests
prow/istio-presubmit.sh	aaf7df6	link	/test istio-presubmit

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[istio-testing]

@gyliu513: PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[gyliu513]

#6366 is merged