Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: costinm The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Codecov Report
@@ Coverage Diff @@
## release-1.0 #6896 +/- ##
============================================
- Coverage 71% 71% -<1%
============================================
Files 360 369 +9
Lines 31273 31648 +375
============================================
+ Hits 22123 22374 +251
- Misses 8275 8377 +102
- Partials 875 897 +22
Continue to review full report at Codecov.
|
| - port: 8060 | ||
| targetPort: 8060 | ||
| name: tcp-citadel | ||
| {{- end }} |
There was a problem hiding this comment.
Do we need to overload the gateway for this ?
There was a problem hiding this comment.
Since this works only with ilb why not have a separate ilb gateway instead of overloading consumer facing ingress gateway? Also this is not the right place to add ports. It’s in values.yaml
There was a problem hiding this comment.
On the first question: somehow the gateway needs to listen on the port. We can add it in values.yaml, but it's harder for the user, we may have other boiler plage.
On the second: this is not based on ILB. We may add an ILB if anyone asks, but current solution is exposing mtls only and can be used on the regular gateway
Having a separate gateway is possible - that's why it's an option on the gateway, a user can add add more gateways and select to enable mesh expansion ports selectively.
|
|
||
| # If set to true, the pilot and citadel mtls ports will be exposed on the ingress gateway | ||
| meshExpansion: false | ||
|
|
There was a problem hiding this comment.
This is where you should be adding these ports. I suggest creating a separate ingress-gateway-with-mesh-expansion that has same ports as ingress plus additional ports. Same service name as well.
This gateway should be disabled by default. Then in docs, you simply need to tell people to override the existing ingress gateway service with the new service (no changes to running gateway), add new servers to the gateway spec and so on. This keeps it cleaner and incremental, without having to add these ports to the templated spec.
There was a problem hiding this comment.
Running 2 gateways is more expensive ( IP and LB cost ). Large users are likely to do that, but for dev and small developers we can't require that. The mesh expansion gateway is disabled by default (false). I am planning to add another ingress-gateway-ILB - this will get a separate internal IP - but since not everyone has access to ILBs the first priority is using a normal gateway.
Note that this change can be done without helm changes - it's using just standard API - but it just makes it easier for a user.
|
My intention is for users to be able to install mesh expansion without editing the values.yaml manually. |
| # If set to true, the pilot and citadel mtls and the plain text pilot ports | ||
| # will be exposed on an internal gateway | ||
| meshExpansionILB: false | ||
|
|
There was a problem hiding this comment.
Why not ? How else can user control if they add or not the gateway (and expose pilot/ca) ?
| name: tcp | ||
| nodePort: 31400 | ||
| # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect | ||
| # to pilot/citadel if global.meshExpansion settings are enabled. |
There was a problem hiding this comment.
Change comment to say that while ports are exposed by the service, routing will happen only after user adds gateway config and virtual service per tutorial.
This way we don’t need to tweak helm for ingress based mesh expansion. You can add or remove routing config to enable or disable mesh expansion.
| # to pilot/citadel if global.meshExpansion settings are enabled. | ||
| - port: 15011 | ||
| targetPort: 15011 | ||
| name: tcp-pilot-grcp-tls |
| name: meshexpansion-pilot | ||
| spec: | ||
| hosts: | ||
| - "pilot.istio-system" |
There was a problem hiding this comment.
istio-pilot.istio-system ?
I would also add more variants.. like istio-pilot.istio-system.svc.cluster.local
| name: meshexpansion-ilb-citadel | ||
| spec: | ||
| hosts: | ||
| - "citadel.istio-system" |
| name: meshexpansion-citadel | ||
| spec: | ||
| hosts: | ||
| - "citadel.istio-system" |
rshriram
left a comment
There was a problem hiding this comment.
wrong hostnames in virtual services
|
Oh - it doesn't seem to matter, interesting. Are the hostnames in port
matchers used for anything ?
…On Sun, Jul 8, 2018 at 3:30 PM Shriram Rajagopalan ***@***.***> wrote:
***@***.**** commented on this pull request.
wrong hostnames in virtual services
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#6896 (review)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAFI6l2yUy39NkHzJNn2s24nrvsbiq8gks5uEoftgaJpZM4VGER0>
.
|
|
There is no hostname stuff in the port match.. The authority match stuff goes into envoy's header match fields.. It doesn't get into the virtual host stuff. |
| apiVersion: networking.istio.io/v1alpha3 | ||
| kind: Gateway | ||
| metadata: | ||
| name: meshexpansion-ilb-gatewa |
Add an option for gateway to enable 2 additional ports. This must be set on a specific gateway - can be set for example on the ingress-gateway (to not waste an IP) or on a different one. ILB-type gateways
could do this - but separate PR.
In addition, a global option will enable the gateway and VirtualServices needed to connect to pilot and
citadel. The mesh expansion or multi-cluster must be setup with the IP of the ingress. For pilot, only mtls connections are exposed, for security reasons.
Along few cleanups and polish:
remote was out of sync with main config
if image has a "/", use it as a fully qualified name (as we do for the proxy annotation).
It is not clear what was the purpose of image - we don't publish other pilot/mixer/etc images under istio/istio, so having it as an option to be composed with base hub and tag doesn't make sense.
The image with / is currently enabled for grafana, pilot and initializer - each may require tweaking
(grafana is currently broken, but previous version works, initializer needs to be tweaked for tproxy testing)