make docs and examples use istioctl kube-inject#87
make docs and examples use istioctl kube-inject#87ayj merged 9 commits intoistio:masterfrom ayj:use-kube-inject
istioctl kube-inject#87Conversation
|
cc @sebastienvas, it looks like some of the functions in https://github.com/istio/istio/blob/master/tests/kubeUtils.sh need to be updated to use |
|
What do you think about embedding SHA into istioctl and then using that for default docker image tags? |
|
That could work. Downside is users would need to download the latest version of istioctl anytime we identify a new set of stable images vs. making it implicit via versions specified in istio/istio/kubernetes/istioctl-kube-inject or a proper docker tag. |
|
Does istioctl kube-inject support namespace for testing ? ie installing everything into one namespace and only listening on one namespace such that we can have multiple test running in one cluster that don t impact each other ? |
|
|
demos/apps/bookinfo/README.md
Outdated
|
|
||
| `istio-inject` is a wrapper function around `istioctl | ||
| kube-inject` which injects the istio runtime proxy into kubernetes | ||
| resources files. `istio-inject` and `istioctl kube-inject` are documented [here](https://github.com/istio/istio/blob/master/doc/istioctl.md#kube-inject). |
There was a problem hiding this comment.
better to use relative reference: ../../../doc/istioctl.md#kube-inject
demos/apps/bookinfo/README.md
Outdated
|
|
||
| ```bash | ||
| $ kubectl create -f bookinfo-istio.yaml | ||
| $ source ../../../kubernetes/istioctl-kube-inject.sh |
There was a problem hiding this comment.
Move this up before the previous step (cd) then it's only source ./kubernetes/istioctl-kube-inject.sh
demos/apps/bookinfo/README.md
Outdated
| resources files. `istio-inject` and `istioctl kube-inject` are documented [here](https://github.com/istio/istio/blob/master/doc/istioctl.md#kube-inject). | ||
|
|
||
| ```bash | ||
| $ isito-inject bookinfo-istio.yaml | kubectl apply -f - |
There was a problem hiding this comment.
I'm not sure maintaining and using this istio-inject script is worth it. Maybe it would be better to just provide the whole istioctl kube-inject ... command here instead. I think we can hardcode the hub (docker.io/istio) in the command and provide a simple grep/awk command to extract the correct tag from .../.../.../kubernetes/istio-install/istio-manager.yaml. People will just copy-paste whatever we put here anyway.
There was a problem hiding this comment.
I expect churn in the pod template we use, so we need to treat each SHA as incompatible with any other SHA. That's why I suggest we hardcode istioctl's SHA into docker image it uses by default. Once we have a stable alpha API, we can start putting alpha tag, and then switch to x.y.z versions.
|
I created a new PR to change The normal usage should look like this: kubectl create -f <(istioctl kube-inject -f bookinfo-istio.yaml)And using a new tag without updating to the latest istioctl version looks like this: kubectl create -f <(istioctl kube-inject -f bookinfo-istio.yaml -tag <new-tag>) |
|
This looks pretty good to me now. Couple of small issues:
|
|
@frankbu, re: point #2, user can confirm correct istioctl version with $ istioctl version | grep GitRevision
GitRevision: <known-good-sha>I'll update the docs with a specific revision once new istioctl binaries are uploaded. How is istioctl binary being released? It looks like @esnible uploaded the most recent set of binaries for win/osx/linux. |
|
@ayj: Isn't there more to it than just making sure that the istioctl version is a known good one? Doesn't the istioctl version that we use need to match the tags being used by the version of istio/kuernetes/istio-install/istio-manager.yaml that we are using when starting the istio runtime services? |
|
s/<known-good-sha>/<sha-that-corresponds-to-istio-manager-image> We can select a version of istioctol that corresponds to the image used into istio-manager.yaml. Ideally they would be the same once e2e acceptance test is automated, but for now we can select things manually, which I believe is what we've currently be doing anyway with the hardcoded injection method. |
|
@ayj I am planning to put istioctl binary in some istio-io bucket. And have them accessible from gcsweb. |
|
An extra line or two of --help for kube-inject with an example of piping to kubectl apply would be very helpful. Although the istioctl kube-inject output looks correct after piping to kubectl apply the |
frankbu
left a comment
There was a problem hiding this comment.
I'm still a little worried that people will often trip up because they're using the wrong isitioctl sha, but otherwise LGTM. Maybe in the doc we could suggest that the use the -tag flag and tell them the value can be found with a command something like this: awk '/image:/{print substr($2,25)}' istio-manager.yaml. Not sure if this is really an issue, but I guess we'll find out soon enough
|
re: annotation appearing twice, the same thing happens with the previous hardcoded yaml files. $ kubectl create -f hello-and-proxy.yaml
$ kubectl get deployment hello -o yaml | grep init-container
pod.alpha.kubernetes.io/init-containers: '[{"name":"iptables","image":"docker.io/istio/runtime:2017-03-17-22.11.25","resources":{},"imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["NET_ADMIN"]}}}]'
pod.beta.kubernetes.io/init-containers: '[{"name":"iptables","image":"docker.io/istio/runtime:2017-03-17-22.11.25","resources":{},"imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["NET_ADMIN"]}}}]'
|
kubernetes/README.md
Outdated
| ## Deploy your apps | ||
|
|
||
| NOTE: Kubernetes admission controller for transparent proxy is not | ||
| implementedyet . Use `istioctl kube-inject` to modify kubernetes |
There was a problem hiding this comment.
Insert a space between implemented and yet.
- update istioctl binaries to latest - update acceptance test to use kube-inject - fix typo in README.md
|
Jenkins job istio/presubmit passed |
|
Review status: 0 of 22 files reviewed at latest revision, 4 unresolved discussions. demos/apps/bookinfo/README.md, line 59 at r1 (raw file): Previously, frankbu (Frank Budinsky) wrote…
Done. demos/apps/bookinfo/README.md, line 64 at r1 (raw file): Previously, frankbu (Frank Budinsky) wrote…
Done. demos/apps/bookinfo/README.md, line 67 at r1 (raw file): Previously, kyessenov (Kuat) wrote…
Done. kubernetes/README.md, line 41 at r3 (raw file): Previously, andraxylia (Andra Cismaru) wrote…
Done. Comments from Reviewable |
|
Jenkins job istio/presubmit passed |
|
Pre-submit is now passing with @frankbu 's comment about mismatched istioctl is noted, so perhaps we wait and see if its a problem and react accordingly? Other than that I think all comments have been addressed. If not, please let me know. |
|
@ayj: fine with me to merge. I'd like to update the README.md to show both before and after (istio-inject) diagrams of the bookinfo components, but if you merge this PR, I can do that as a separate PR afterwords. |
* double to protobuf.Duration * remove markdown file * clarify timeunit granularity * fix field names * splitting into smaller protos * add examples for retries * addressing comments * removing api visibility fields
Update CircleCI badge to new repo url
Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io>
* add ut for util. * fix lint. * add more fields. * apply comments.
…oxy-image Steps for creating custom proxyv2 image
* Strip # part in URL by default and offer a flag to opt-out (#76) * Strip # part in URL by default and offer flag for opt-out. * Small fix. * Small fix. * release 1.10: use case-insensitive match for host field in authz (#74) Same as https://github.com/istio-private/istio/pull/69 Signed-off-by: Yangmin Zhu <ymzhu@google.com> * Update the proxy SHA (#78) * Strip # part in URL by default and offer flag for opt-out. * Small fix. * Small fix. * Update proxy SHA. * Fix a test. * Update Proxy SHA (#79) * add test for request with # character (#84) * Update the base image for 1.10 (#87) * Update istio.deps Co-authored-by: Oliver Liu <yonggangl@google.com> Co-authored-by: Yangmin Zhu <ymzhu@google.com>
* metadata: add initial support for workload metadata discovery
This CL adds initial support for a discovery service for an ambient workload
metadata filter. The service works over ECDS (in ADS) and is meant to be
used with an Ambient Listener filter to provide workload metadata for
all workloads being proxied by an Ambient uProxy.
At the moment, the schema for Workload Metadata resources is placed in this repo and will need
to be duplicated (once OK'd) into the proxy repo.
I have tested this with an `istiod` in a test cluster, as follows:
test.sh:
```
toJson () {
python3 -c '
import sys, yaml, json
yml = list(y for y in yaml.safe_load_all(sys.stdin) if y)
if len(yml) == 1: yml = yml[0]
json.dump(yml, sys.stdout, indent=4)
'
}
token=$(echo '{"kind":"TokenRequest","apiVersion":"authentication.k8s.io/v1","spec":{"audiences":["istio-ca"], "expirationSeconds":2592000}}' | kubectl create --raw /api/v1/namespaces/default/serviceaccounts/httpbin/token -f - | jq -j '.status.token')
request=$(cat request.yaml | toJson)
echo "${request}" | grpcurl -d @ -insecure -rpc-header "authorization: Bearer $token" localhost:15012 envoy.service.discovery.v3.AggregatedDiscoveryService/StreamAggregatedResources
```
request.yaml
```
node:
id: sidecar~10.100.5.4~httpbin-74fb669cc6-4bjbc.default~default.svc.cluster.local
metadata:
CONFIG_NAMESPACE: istio-system
typeUrl: type.googleapis.com/envoy.config.core.v3.TypedExtensionConfig
resourceNames:
- ambient.workload_metadata
```
This results in the following response:
```
{
"versionInfo": "2022-05-26T18:31:08Z/2",
"resources": [
{"@type":"type.googleapis.com/istio.telemetry.wmds.v1.WorkloadMetadataResources","nodeId":"httpbin-74fb669cc6-4bjbc.default","workloadMetadataResources":[{"ipAddresses":["10.100.5.3"],"instanceName":"envoy-als-6798d7c98d-wmtjs","namespaceName":"logs","containers":["envoy-als"],"workloadName":"envoy-als","canonicalName":"envoy-als","canonicalRevision":"latest"},{"ipAddresses":["10.100.5.4"],"instanceName":"httpbin-74fb669cc6-4bjbc","namespaceName":"default","containers":["httpbin","istio-proxy"],"workloadName":"httpbin","canonicalName":"httpbin","canonicalRevision":"v1"},{"ipAddresses":["10.100.5.6"],"instanceName":"httpbin-74fb669cc6-dphf7","namespaceName":"test","containers":["httpbin"],"workloadName":"httpbin","canonicalName":"httpbin","canonicalRevision":"v1"},{"ipAddresses":["10.100.5.2"],"instanceName":"konnectivity-agent-7c84c6c889-rs6q4","namespaceName":"kube-system","containers":["konnectivity-agent"],"workloadName":"konnectivity-agent","canonicalName":"konnectivity-agent","canonicalRevision":"latest"},{"ipAddresses":["10.138.0.62"],"instanceName":"fluentbit-gke-vknzq","namespaceName":"kube-system","containers":["fluentbit","fluentbit-gke"],"workloadName":"fluentbit-gke-vknzq","workloadType":"KUBERNETES_POD","canonicalName":"fluentbit-gke-vknzq","canonicalRevision":"latest"},{"ipAddresses":["10.138.0.62"],"instanceName":"netd-tpms7","namespaceName":"kube-system","containers":["netd"],"workloadName":"netd-tpms7","workloadType":"KUBERNETES_POD","canonicalName":"netd-tpms7","canonicalRevision":"latest"},{"ipAddresses":["10.138.0.62"],"instanceName":"gke-metrics-agent-h9fqj","namespaceName":"kube-system","containers":["gke-metrics-agent"],"workloadName":"gke-metrics-agent-h9fqj","workloadType":"KUBERNETES_POD","canonicalName":"gke-metrics-agent-h9fqj","canonicalRevision":"latest"},{"ipAddresses":["10.138.0.62"],"instanceName":"pdcsi-node-vrjrs","namespaceName":"kube-system","containers":["csi-driver-registrar","gce-pd-driver"],"workloadName":"pdcsi-node-vrjrs","workloadType":"KUBERNETES_POD","canonicalName":"pdcsi-node-vrjrs","canonicalRevision":"latest"},{"ipAddresses":["10.138.0.62"],"instanceName":"gke-metadata-server-59n4x","namespaceName":"kube-system","containers":["gke-metadata-server"],"workloadName":"gke-metadata-server-59n4x","workloadType":"KUBERNETES_POD","canonicalName":"gke-metadata-server-59n4x","canonicalRevision":"latest"},{"ipAddresses":["10.138.0.62"],"instanceName":"kube-proxy-gke-istiocon-test-1-default-pool-194742d5-zayf","namespaceName":"kube-system","containers":["kube-proxy"],"workloadName":"kube-proxy-gke-istiocon-test-1-default-pool-194742d5-zayf","workloadType":"KUBERNETES_POD","canonicalName":"kube-proxy-gke-istiocon-test-1-default-pool-194742d5-zayf","canonicalRevision":"latest"}]}
],
"typeUrl": "type.googleapis.com/envoy.config.core.v3.TypedExtensionConfig",
"nonce": "geI+YS+L9yI=ae402003-f0ac-4b9f-9044-5929a3f7379a",
"controlPlane": {
"identifier": "{\"Component\":\"istiod\",\"ID\":\"istiod-76856bc897-wfqfm\",\"Info\":{\"version\":\"1.15-dev\",\"revision\":\"328d68d3a601fd923e86fdd3e8a8c311def52a0c-dirty\",\"golang_version\":\"go1.17.2\",\"status\":\"Modified\",\"tag\":\"\"}}"
}
}
```
In the future, we will probably want to refactor the ECDS handling code and also maybe move ECDS to a proper separate service endpointto avoid polluting the other proxy configurations. There are several TODOs throughout the existing code that serve as indications of aareas that will need to be improved once we have a proper filter defined in the proxy.
* address review comments
* gofumpt
* more gofumpt
Added support for specifying the port number to use for the node port for the Jaeger query service
…ase-1.22-merge_upstream_istio_release_1_22-b34c6a22 Automator: merge upstream changes to openshift-service-mesh/istio@release-1.22
I verified that demos/apps/bookinfo/README.md works with the
istioctl kube-injectmethod. But I would be happy if anyone else wants to verify in their own setup before its merged.I wasn't able to get doc/getting-started working, but it doesn't seem to work in my setup with unmodified changes after #86.
I'm not super happy about the need for
istio-injectwrapper function but the alternative usingistioctl kube-injectisn't great either, e.g.istioctl kube-inject \ --initImage= hub=docker.io/istio/init:2017-03-22-17.30.06 \ --runtimeImage= hub=docker.io/istio/runtime:2017-03-22-17.30.06 -f <file> | kubectl apply -f -We could this if/when we introduce a
stabletag in which case we can updatekube injectto use that by default and then usage would look like the following:This change is