Update templates for initialzier and pilot external admission webhook#793
Update templates for initialzier and pilot external admission webhook#793istio-merge-robot merged 15 commits intoistio:masterfrom ayj:update-templates-for-initializer-and-pilot-admission-webhook
Conversation
1) Update RBAC templates for sidecar initialzier and pilot external admission webhook 2) Update istio-pilot template with external admission webook for config validation. Self-registration is gated on availability of secret with cert/key for signing requests. Secret is not created by default due to GKE 1.7.x bug which requires additional external IP. Workaround script is included for curious users to test but is not integrated in e2e tests. 3) Initializer deployment is in its own file. The expectation is that this file will be included in cluster-wide specific tests where the initializer will not interfere with other tests in a shared cluster. istio/old_pilot_repo#1153 (or equivalent) is required for sidecar configuration per-namespace. The following command can be temporarily used in cluster-wide specific tests to propogate sidecar configmap to app namespaces. kubectl -n <new-namespace> create cm istio --from-file=<(kubectl -n istio-system get cm istio -o jsonpath={.data}
| image: gcr.io/istio-testing/pilot:5acaa9e26e7d9b239cbc72da63f5f9a3dac5a54e | ||
| imagePullPolicy: IfNotPresent | ||
| args: ["discovery", "-v", "2"] | ||
| args: ["discovery", "-v", "2", "--admission-service", "istio-pilot-external"] |
There was a problem hiding this comment.
So this will be on even in non cluster-wide? Is it for validation?
There was a problem hiding this comment.
Yes. This shouldn't be a problem because the admission control service only self-registers when the dependent secret w/certs is created. That secret is not created by default due to GKE 1.7.x bug (see workaround script).
| - deployments | ||
| - statefulsets | ||
| - jobs | ||
| - daemonsets |
There was a problem hiding this comment.
Do we need other workloads?
There was a problem hiding this comment.
- Initializer doesn't support cronjob yet.
- replicatsets and replicationcontrollers had some issues with current initializer support that aren't resolved yet. Deployments are recommended instead of using replicasets or replicationctonrollers (see here)
- pod also did not work but isn't recommended on its own since some controllers will complain if the pod template spec in the deployment doesn't match the pod spec itself.
…-for-initializer-and-pilot-admission-webhook
|
Let's go with the plan we discussed in the meeting and close on this:
|
|
My only concern is with the name, sidecar initializer somehow makes me think it runs as a sidecar. I would call it simply istio-initializer. |
install/kubernetes/istio-auth.yaml
Outdated
| name: istio-sidecar-initializer-admin-role-binding-istio-system | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| name: istio-sidecar-initializer-service-account |
There was a problem hiding this comment.
Remove sidecar from the name
There was a problem hiding this comment.
The naming was derived from kelsey heightower's envoy-initializer, i.e. s/envoy/istio-sidecar. I can change it if its confusing, but I should start with istio/pilot first. Also, any chance istio will use other initializers?
There was a problem hiding this comment.
We never know what future holds in store, there may be other initializers. The name is still confusing. We call the proxy a side car proxy, so I expect a sidecar initializer to be a sidecar...
How about istio-proxy-initializer or istio-proxy-injector?
install/updateVersion.sh
Outdated
| cp $ISTIO $ISTIO_AUTH | ||
| sed -i=.bak "s/# authPolicy: MUTUAL_TLS/authPolicy: MUTUAL_TLS/" $ISTIO_AUTH | ||
|
|
||
| # TODO(andra/jason) - copy this into ${ISTIO_CLUSTER_WIDE} after initial cluster-wide test is verified. |
| name: http-discovery | ||
| - port: 8081 | ||
| name: http-apiserver | ||
| - port: 443 |
There was a problem hiding this comment.
Is this the only change needed to enable webhooks?
There was a problem hiding this comment.
No, users need to run install/kubernetes/external-admission-webhook-gke-1-7-x-workaround.sh. This concerts the istio-pilot service to type=LoadBalancer, generates certs, and plumbs them through to k8s secret. The secret creation triggers the admission webhook to self-register.
There was a problem hiding this comment.
We will need to document the extra step somewhere on istio.io.
…-admission-webhook
|
@ayj PR needs rebase |
|
/lgtm we can do the renaming in a separate commit, if you fix the conflicts and find a window to merge |
| metadata: | ||
| name: istio-sidecar-initializer | ||
| namespace: istio-system | ||
| annotations: |
There was a problem hiding this comment.
Do we really need the annotation here? We already defined the initializers as [], so seems here do not need the annotations.
initializers:
pending: []
| labels: | ||
| istio: sidecar-initializer | ||
| annotations: | ||
| sidecar.istio.io/inject: "false" |
|
This also fixed #636 |
…-for-initializer-and-pilot-admission-webhook
…bhook' of github.com:ayj/istio into update-templates-for-initializer-and-pilot-admission-webhook
|
/lgtm cancel //PR changed after LGTM, removing LGTM. @andraxylia @ayj |
The use of `sidecar` in the name of the initializer seems to be undesirable (see istio/istio#793 (comment)). Rename to simplify `istio-initializer` or `initializer` throughout.
The use of `sidecar` in the name of the initializer seems to be undesirable (see istio/istio#793 (comment)). Rename to simplify `istio-initializer` or `initializer` throughout.
| template: | ||
| metadata: | ||
| annotations: | ||
| alpha.istio.io/sidecar: ignore |
There was a problem hiding this comment.
This is generated, can you remove from grafana.yaml.tmpl and re-run updateVersion.sh
There was a problem hiding this comment.
That should be the case already. Lines 20-21 show the result of the new annotation from the template.
There was a problem hiding this comment.
Nvm, it's good, somehow I had missed the .tmpl files.
| config: |- | ||
| policy: "enabled" | ||
| namespaces: [""] # everything, aka v1.NamepsaceAll, aka cluster-wide | ||
| initializerName: "sidecar.initializer.istio.io" |
There was a problem hiding this comment.
Do we keep sidecar here?
There was a problem hiding this comment.
That's up to. It requires another corresponding change in istio/pilot
…-admission-webhook
…-for-initializer-and-pilot-admission-webhook
…bhook' of github.com:ayj/istio into update-templates-for-initializer-and-pilot-admission-webhook
|
/retest all |
1 similar comment
|
/retest all |
|
/lgtm |
|
/lgtm cancel //PR changed after LGTM, removing LGTM. @andraxylia @ayj |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: andraxylia The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue |
The use of `sidecar` in the name of the initializer seems to be undesirable (see istio/istio#793 (comment)). Rename to simplify `istio-initializer` or `initializer` throughout.
…#793) Automatic merge from submit-queue Update templates for initialzier and pilot external admission webhook 1) Update RBAC templates for sidecar initialzier and pilot external admission webhook 2) Update istio-pilot template with external admission webook for config validation. Self-registration is gated on availability of secret with cert/key for signing requests. Secret is not created by default due to GKE 1.7.x bug which requires additional external IP. Workaround script is included for curious users to test but is not integrated in e2e tests. 3) Initializer deployment is in its own file. The expectation is that this file will be included in cluster-wide specific tests where the initializer will not interfere with other tests in a shared cluster. istio/old_pilot_repo#1153 (or equivalent) is required for sidecar configuration per-namespace. The following command an be temporarily used in cluster-wide specific tests to propogate sidecar configmap to app namespaces. kubectl -n <new-namespace> create cm istio \ --from-file=<(kubectl -n istio-system get cm istio -o jsonpath={.data} **Release note**: ```release-note NONE ``` Former-commit-id: c6bccb9
…istio#793) Automatic merge from submit-queue Update templates for initialzier and pilot external admission webhook 1) Update RBAC templates for sidecar initialzier and pilot external admission webhook 2) Update istio-pilot template with external admission webook for config validation. Self-registration is gated on availability of secret with cert/key for signing requests. Secret is not created by default due to GKE 1.7.x bug which requires additional external IP. Workaround script is included for curious users to test but is not integrated in e2e tests. 3) Initializer deployment is in its own file. The expectation is that this file will be included in cluster-wide specific tests where the initializer will not interfere with other tests in a shared cluster. istio/old_pilot_repo#1153 (or equivalent) is required for sidecar configuration per-namespace. The following command an be temporarily used in cluster-wide specific tests to propogate sidecar configmap to app namespaces. kubectl -n <new-namespace> create cm istio \ --from-file=<(kubectl -n istio-system get cm istio -o jsonpath={.data} **Release note**: ```release-note NONE ``` Former-commit-id: c6bccb9
…#793) Automatic merge from submit-queue Update templates for initialzier and pilot external admission webhook 1) Update RBAC templates for sidecar initialzier and pilot external admission webhook 2) Update istio-pilot template with external admission webook for config validation. Self-registration is gated on availability of secret with cert/key for signing requests. Secret is not created by default due to GKE 1.7.x bug which requires additional external IP. Workaround script is included for curious users to test but is not integrated in e2e tests. 3) Initializer deployment is in its own file. The expectation is that this file will be included in cluster-wide specific tests where the initializer will not interfere with other tests in a shared cluster. istio/old_pilot_repo#1153 (or equivalent) is required for sidecar configuration per-namespace. The following command an be temporarily used in cluster-wide specific tests to propogate sidecar configmap to app namespaces. kubectl -n <new-namespace> create cm istio \ --from-file=<(kubectl -n istio-system get cm istio -o jsonpath={.data} **Release note**: ```release-note NONE ``` Former-commit-id: c6bccb9
Update RBAC templates for sidecar initialzier and pilot external
admission webhook
Update istio-pilot template with external admission webook for
config validation. Self-registration is gated on availability of
secret with cert/key for signing requests. Secret is not created by
default due to GKE 1.7.x bug which requires additional external
IP. Workaround script is included for curious users to test but is not
integrated in e2e tests.
Initializer deployment is in its own file. The expectation is that
this file will be included in cluster-wide specific tests where the
initializer will not interfere with other tests in a shared cluster.
istio/old_pilot_repo#1153 (or equivalent) is required
for sidecar configuration per-namespace. The following command
an be temporarily used in cluster-wide specific tests to propogate
sidecar configmap to app namespaces.
Release note: