Change the installation files for cluster wide#860
Conversation
|
@andraxylia PR needs rebase |
| name = "kubernetes", | ||
| srcs = [ | ||
| "istio.yaml", | ||
| "istio-auth.yaml", |
There was a problem hiding this comment.
As mentioned over email I think we should keep a single file installing everything in 1 step (with auth)
| apiVersion: v1 | ||
| fieldPath: metadata.namespace | ||
| --- | ||
| --- No newline at end of file |
There was a problem hiding this comment.
make sure all files end properly with a newline (side note we need a linter for that, I keep repeating it in PR after PR)
There was a problem hiding this comment.
why is that? it actually creates ugly resulting concatenated files.
There was a problem hiding this comment.
@andraxylia no it's the only way to be able to concatenate 2 files properly actually
if you have file A
line1
line2
and file B
line3
if you cat A B and A doesn't have the last newline you'll get
line1
line2line3
which is usually not what you want
it's also a sane convention for a files of X lines to have exactly X newlines, not X-1 and most editors are set by default to, or can be set to, add the missing newlines for you
|
|
||
| content = []byte(strings.Replace(string(content), | ||
| `args: ["discovery", "-v", "2", "--admission-service", "istio-pilot-external"]`, | ||
| `args: ["discovery", "-v", "2", "--admission-service", "istio-pilot-external", "-a", "`+k.Namespace+`"]`, |
There was a problem hiding this comment.
this was almost ready to work with 2 namespaces in shared env
install/updateVersion.sh
Outdated
| cat $SRC/istio-namespace-ca.yaml.tmpl >> $ISTIO | ||
| cp $ISTIO $ISTIO_ONE_NAMESPACE | ||
| # restrict pilot controllers to a single namespace in the test file | ||
| sed -i=.bak "s|args: \[\"discovery\", \"-v\", \"2\"|args: \[\"discovery\", \"-v\", \"2\", \"-a\", \"${ISTIO_NAMESPACE}\"|" $ISTIO_ONE_NAMESPACE |
There was a problem hiding this comment.
it'd be nice to support in shared env 1 namespace for the app and 1 namespace for istio; but I guess we can change that later
| image: gcr.io/istio-testing/pilot:aca4710958367c0ac39e0a890cce599690680414 | ||
| imagePullPolicy: IfNotPresent | ||
| args: ["discovery", "-v", "2", "--admission-service", "istio-pilot-external"] | ||
| args: ["discovery", "-v", "2", "-a", "istio-system", "--admission-service", "istio-pilot-external"] |
There was a problem hiding this comment.
it's really weird to watch istio-system - this should be default or app-namespace no ?
(unless we move that file to be for testing only maybe)
There was a problem hiding this comment.
that file is mainly for testing.
If you want to use a different ns, do a sed istio-system.
There was a problem hiding this comment.
let's set it to something else to be replaced so it's not confusing
There was a problem hiding this comment.
we can generate a file with default, but then we cannot sed properly, default is used in many places.
maybe call it istio-sandbox or istio-app?
There was a problem hiding this comment.
that's not ok, because then the user would not be able to generate with the chosen name. Maybe in a separate commit.
There was a problem hiding this comment.
call it APPNAMESPACE or whatever makes it both easy to replace and clear it needs replacement
There was a problem hiding this comment.
I will think about it, but it is not a priority.
| @@ -1,3 +1,5 @@ | |||
| # GENERATED FILE. Use with Kubernetes 1.7+ | |||
There was a problem hiding this comment.
I think that the comments will be removed if I generate this file again? How about updating the README here a bit to reflect this?
There was a problem hiding this comment.
No, they will not be removed.
I will remove this file in a separate commit, it's no longer useful.
|
/retest |
|
/retest all |
| image: gcr.io/istio-testing/istio-ca:87901f278dd40e864b083409dfee9ca72e6a27e9 | ||
| imagePullPolicy: IfNotPresent | ||
| env: | ||
| - name: NAMESPACE |
There was a problem hiding this comment.
did that version somehow get accidentally deployed to the shared test cluster ?
(trying to understand how come we have errors in the bad CA sha PR that appear to be bleeding on other PRs)
There was a problem hiding this comment.
No, it has not. Just checked the cluster, there is nothing there.
|
/test e2e-suite-rbac-auth |
|
/test e2e-suite-rbac-no_auth |
|
/test e2e-suite-rbac-auth |
|
/test e2e-suite-rbac-no_auth |
|
can you update the summary and including adding a rationale for why have 2 files that could stay combined in 1 is an improvement Alternatively if a pr isn't ready maybe put WIP in the summary until it's ready |
|
Please provide a description for context. |
|
@andraxylia PR needs rebase |
install/kubernetes/istio-auth.yaml
Outdated
| data: | ||
| mesh: |- | ||
| # Uncomment the following line to enable mutual TLS between proxies | ||
| # Uncomment the following line to enable mutual encryption |
There was a problem hiding this comment.
leave it as mTLS or as "encryption" but not "mutual encryption" that's meaningless
There was a problem hiding this comment.
this should be left alone as mTLS. we don't support regular TLS which is also encryption.
install/kubernetes/istio-auth.yaml
Outdated
| # | ||
| # Along with discoveryRefreshDelay, this setting determines how | ||
| # frequently should Envoy fetch and update its internal configuration | ||
| # frequently should Envoy fetch and update its ntiernal configuration |
There was a problem hiding this comment.
spellcheck/typo (review diff)
| image: gcr.io/istio-testing/pilot:aca4710958367c0ac39e0a890cce599690680414 | ||
| imagePullPolicy: IfNotPresent | ||
| args: ["discovery", "-v", "2", "--admission-service", "istio-pilot-external"] | ||
| args: ["discovery", "-v", "2", "-a", "istio-system", "--admission-service", "istio-pilot-external"] |
|
/test istio-presubmit |
|
Addressed the comments, PTAL. |
| cat $SRC/istio-ns.yaml.tmpl >> $ISTIO | ||
| cat $SRC/istio-rbac-beta.yaml.tmpl >> $ISTIO | ||
| cat $SRC/istio-mixer.yaml.tmpl >> $ISTIO | ||
| cat $SRC/istio-config.yaml.tmpl >> $ISTIO |
There was a problem hiding this comment.
Do we also need to update those templates as well by adding the info of GENERATED FILE. Use with Kubernetes 1.7+, @andraxylia
There was a problem hiding this comment.
Not sure what you mean... the templates are not generated.
There was a problem hiding this comment.
thanks, got it, then seems this is missing for the $ISTIO_INITIALIZER?
| image: gcr.io/istio-testing/pilot:e32cdc4b77175ccc800231e4103ab2b0182ea25d | ||
| imagePullPolicy: IfNotPresent | ||
| args: ["discovery", "-v", "2", "--admission-service", "istio-pilot-external"] | ||
| args: ["discovery", "-v", "2", "-a", "istio-system", "--admission-service", "istio-pilot-external"] |
There was a problem hiding this comment.
it doesn't make sense to watch istio-system (3rd time)
| @@ -0,0 +1,66 @@ | |||
| apiVersion: v1 | |||
There was a problem hiding this comment.
what does the moving from pilot to this new file do ? (it is probably cleaner if that config isn't just about pilot - is it? - but it's not necessary for 0.2?)
There was a problem hiding this comment.
Yes, it's much cleaner.
| cat $SRC/istio-ns.yaml.tmpl >> $ISTIO | ||
| cat $SRC/istio-rbac-beta.yaml.tmpl >> $ISTIO | ||
| cat $SRC/istio-mixer.yaml.tmpl >> $ISTIO | ||
| cat $SRC/istio-config.yaml.tmpl >> $ISTIO |
|
@andraxylia PR needs rebase |
|
/retest |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: gyliu513, rshriram The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
Former-commit-id: 388289074b98e51f23ef07d8373634e9ee187594
* Change the installation files Former-commit-id: 1c04856
Former-commit-id: 49bde5caa5fb136cb3295f01882b1050408759c6
* Change the installation files Former-commit-id: 1c04856
* remove istioctl * remove remainder * fix template
* Change the installation files Former-commit-id: 1c04856
* OSSM-2378: Use Maistra proxy CentOS Stream 8 img (istio#713) * OSSM-2378: Use Maistra proxy CentOS Stream 8 img For integration tests. Based on (istio#609) * Build container images with docker Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Use maistra proxy and CentOS Stream 8 as a base image for proxyv2 Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Test VMs using CentOS Stream 8 Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Temporarily skip failing security tests Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Temporarily skip tests suite telemetry.prometheus.wasm Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * fix(tests): enables fixed integration tests Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Jacek Ewertowski <jewertow@redhat.com> * Use our proxy (istio#801) Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-5958: Remove wasm extensions (istio#937) * Do not rely on WASM extensions Since maistra/proxy#253 * Remove wasm extensions from EnvoyFilters Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Disable tests for WASM extensions Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove commented code Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> --------- Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Jonh Wendell <jwendell@redhat.com> * Disable failing tests Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix TestTrustDomainValidation - change expected TLS error to make it work with OpenSSL Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> --------- Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Bartosz Majsak <bartosz.majsak@gmail.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: Jonh Wendell <jwendell@redhat.com>
This is needed to switch to cluster-wide installation files for istio.yaml and istio-auth.yaml.
Installation flow will ask the user to:
The namespace restricted files used for testing on a shared cluster have been renamed to istio-one-namespace.yaml, respectively istio-one-namespace-auth.yaml.
Updated e2e tests to use the istio-one-namespace* files.
Fixes #146