From 357baaf9cf3378ef9f442db1713570ea1d20a299 Mon Sep 17 00:00:00 2001 
From: Zsolt Varga Date: Sun, 30 Jun 2019 23:55:20 +0200 Subject: [PATCH 1/8] Istio 1.2.2 support --- README.md | 2 +- config/README.md | 18 +- config/base/crds/istio_v1beta1_istio.yaml | 37 +- .../base/crds/istio_v1beta1_remoteistio.yaml | 29 + config/base/manager/manager.yaml | 2 +- config/samples/istio_v1beta1_istio.yaml | 18 +- config/samples/istio_v1beta1_istio_cni.yaml | 2 +- .../samples/istio_v1beta1_istio_cni_gke.yaml | 2 +- .../istio_v1beta1_istio_meshexpansion.yaml | 2 +- .../samples/istio_v1beta1_istio_minimal.yaml | 2 +- .../istio_v1beta1_istio_multimesh.yaml | 2 +- .../istio_v1beta1_istio_nodeaffinities.yaml | 18 +- .../samples/istio_v1beta1_istio_sds_auth.yaml | 6 +- docs/federation/gateway/README.md | 2 +- .../samples/istio-multicluster-cr.yaml | 2 +- docs/federation/multimesh/README.md | 4 +- .../multimesh/istio-multimesh-cr.yaml | 2 +- docs/roadmap.md | 3 +- pkg/apis/istio/v1beta1/defaults.go | 15 +- pkg/apis/istio/v1beta1/istio_types.go | 37 +- pkg/apis/istio/v1beta1/istio_types_test.go | 2 +- .../istio/v1beta1/zz_generated.deepcopy.go | 20 + pkg/crds/crds.go | 37 +- pkg/resources/citadel/deployment.go | 36 +- pkg/resources/common/configmap.go | 2 +- pkg/resources/galley/configmap.go | 11 +- pkg/resources/galley/deployment.go | 2 +- pkg/resources/gateways/deployment.go | 23 +- pkg/resources/gateways/gateways.go | 1 + pkg/resources/mixer/deployment.go | 140 +++-- pkg/resources/mixer/kubernetes.go | 37 +- pkg/resources/mixer/logging.go | 168 +++--- pkg/resources/mixer/monitoring.go | 154 +++--- pkg/resources/nodeagent/daemonset.go | 5 +- pkg/resources/pilot/deployment.go | 176 +++--- pkg/resources/sidecarinjector/configmap.go | 518 +++++++++++------- pkg/resources/sidecarinjector/deployment.go | 5 + pkg/resources/sidecarinjector/pdb.go | 40 ++ .../sidecarinjector/sidecarinjector.go | 4 +- pkg/resources/sidecarinjector/webhook.go | 21 +- 40 files changed, 1021 insertions(+), 586 deletions(-) create mode 100644 pkg/resources/sidecarinjector/pdb.go 
diff --git a/README.md b/README.md index f2d2759cc..365b02e72 100644 --- a/README.md +++ b/README.md @@ -56,7 +56,7 @@ If you are willing to kickstart your Istio experience using Pipeline, check out ## Installation -The operator (`release-1.1` branch) installs the 1.1.9 version of Istio, and can run on Minikube v0.33.1+ and Kubernetes 1.10.0+. +The operator (`release-1.2` branch) installs the 1.2.2 version of Istio, and can run on Minikube v0.33.1+ and Kubernetes 1.10.0+. As a pre-requisite it needs a Kubernetes cluster (you can create one using [Pipeline](https://github.com/banzaicloud/pipeline)). diff --git a/config/README.md b/config/README.md index 55ede3a33..de01750f5 100644 --- a/config/README.md +++ b/config/README.md 
@@ -6,28 +6,28 @@ Firstly, you'll need to install the necessary crds and namespace with the follow ``` bases: - - github.com/banzaicloud/istio-operator/config?ref=release-1.1 + - github.com/banzaicloud/istio-operator/config?ref=release-1.2 ``` - + Secondly, you can install the operator with multiple possible configurations with the use of overlays (choose one option). - + - `basic`: installs the clusterrole, clusterrolebinding and statefulset for the operator - + ``` bases: - - github.com/banzaicloud/istio-operator/config/overlays/basic?ref=release-1.1 + - github.com/banzaicloud/istio-operator/config/overlays/basic?ref=release-1.2 ``` - `auth-proxy-enabled`: besides the basic configs, installs the auth proxy resources as well - + ``` bases: - - github.com/banzaicloud/istio-operator/config/overlays/auth-proxy-enabled?ref=release-1.1 + - github.com/banzaicloud/istio-operator/config/overlays/auth-proxy-enabled?ref=release-1.2 ``` - `prometheus-scpraping-enabled`: besides the basic configs, enables Prometheus scraping for the manager pod - + ``` bases: - - github.com/banzaicloud/istio-operator/config/overlays/prometheus-scpraping-enabled?ref=release-1.1 + - github.com/banzaicloud/istio-operator/config/overlays/prometheus-scpraping-enabled?ref=release-1.2 ``` diff --git a/config/base/crds/istio_v1beta1_istio.yaml b/config/base/crds/istio_v1beta1_istio.yaml index 95e48b936..5ea13ce40 100644 --- a/config/base/crds/istio_v1beta1_istio.yaml +++ b/config/base/crds/istio_v1beta1_istio.yaml @@ -61,6 +61,8 @@ spec: type: string enabled: type: boolean + healthCheck: + type: boolean image: type: string nodeSelector: @@ -283,6 +285,10 @@ spec: minReplicas: format: int32 type: integer + multiClusterSupport: + description: Turn it on if you use mixer that supports multi cluster + telemetry + type: boolean nodeSelector: type: object replicaCount: 
@@ -367,12 +373,35 @@ spec: proxy: description: Proxy configuration options properties: + componentLogLevel: + description: Per Component log level for proxy, applies to gateways + and sidecars. If a component level is not set, then the "LogLevel" + will be used. If left empty, "misc:error" is used. + type: string + dnsRefreshRate: + description: Configure the DNS refresh rate for Envoy cluster of + type STRICT_DNS This must be given it terms of seconds. For example, + 300s is valid but 5m is invalid. + pattern: ^[0-9]{1,5}s$ + type: string enableCoreDump: description: If set, newly injected sidecars will have core dumps enabled. type: boolean image: type: string + logLevel: + description: 'Log level for proxy, applies to gateways and sidecars. + If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off' + enum: + - trace + - debug + - info + - warning + - error + - critical + - "off" + type: string privileged: description: If set to true, istio-proxy container will have privileged securityContext @@ -391,6 +420,8 @@ spec: will be distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates properties: + customTokenDirectory: + type: string enabled: description: If set to true, mTLS certificates for the sidecars will be distributed through the SecretDiscoveryService instead @@ -423,6 +454,10 @@ spec: autoInjectionPolicyEnabled: description: This controls the 'policy' in the sidecar injector type: boolean + enableNamespacesByDefault: + description: This controls whether the webhook looks for namespaces + for injection enabled or disabled + type: boolean enabled: type: boolean image: @@ -533,7 +568,7 @@ spec: type: boolean version: description: Contains the intended Istio version - pattern: ^1.1 + pattern: ^1.2 type: string watchAdapterCRDs: description: Whether or not to establish watches for adapter-specific 
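Review bot: The new `pattern: ^1.2` on `version` leaves the dot unescaped and the expression open at the end, so the schema accepts values such as `1.22.0` or `1x2` that are not Istio 1.2 releases; `pattern: ^1\.2(\.[0-9]+)?$` pins the minor version this branch actually supports. In the earlier hunk on this line, `customTokenDirectory` is the only new `sds` property without a `description`, unlike its siblings; a one-line description of what the directory is used for would keep the generated docs consistent. If the same pattern lives in the Go-side CRD definition (pkg/crds/crds.go is in the diffstat but not visible here), it needs the same escaping.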
diff --git a/config/base/crds/istio_v1beta1_remoteistio.yaml b/config/base/crds/istio_v1beta1_remoteistio.yaml index 51cdc641b..b51a19cda 100644 --- a/config/base/crds/istio_v1beta1_remoteistio.yaml +++ b/config/base/crds/istio_v1beta1_remoteistio.yaml @@ -61,6 +61,8 @@ spec: type: string enabled: type: boolean + healthCheck: + type: boolean image: type: string nodeSelector: @@ -106,12 +108,35 @@ spec: proxy: description: Proxy configuration options properties: + componentLogLevel: + description: Per Component log level for proxy, applies to gateways + and sidecars. If a component level is not set, then the "LogLevel" + will be used. If left empty, "misc:error" is used. + type: string + dnsRefreshRate: + description: Configure the DNS refresh rate for Envoy cluster of + type STRICT_DNS This must be given it terms of seconds. For example, + 300s is valid but 5m is invalid. + pattern: ^[0-9]{1,5}s$ + type: string enableCoreDump: description: If set, newly injected sidecars will have core dumps enabled. type: boolean image: type: string + logLevel: + description: 'Log level for proxy, applies to gateways and sidecars. + If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off' + enum: + - trace + - debug + - info + - warning + - error + - critical + - "off" + type: string privileged: description: If set to true, istio-proxy container will have privileged securityContext @@ -133,6 +158,10 @@ spec: autoInjectionPolicyEnabled: description: This controls the 'policy' in the sidecar injector type: boolean + enableNamespacesByDefault: + description: This controls whether the webhook looks for namespaces + for injection enabled or disabled + type: boolean enabled: type: boolean image: diff --git a/config/base/manager/manager.yaml b/config/base/manager/manager.yaml index 769d27698..3d0374116 100644 --- a/config/base/manager/manager.yaml +++ b/config/base/manager/manager.yaml 
@@ -36,7 +36,7 @@ spec: containers: - command: - /manager - image: banzaicloud/istio-operator:latest-1.1 + image: banzaicloud/istio-operator:latest-1.2 imagePullPolicy: Always name: manager env: diff --git a/config/samples/istio_v1beta1_istio.yaml b/config/samples/istio_v1beta1_istio.yaml index cbfb3d0a3..e6afe8fe7 100644 --- a/config/samples/istio_v1beta1_istio.yaml +++ b/config/samples/istio_v1beta1_istio.yaml @@ -5,7 +5,7 @@ metadata: controller-tools.k8s.io: "1.0" name: istio-sample spec: - version: "1.1.9" + version: "1.2.2" mtls: false includeIPRanges: "*" excludeIPRanges: "" @@ -19,7 +19,7 @@ spec: enabled: false pilot: enabled: true - image: "docker.io/istio/pilot:1.1.9" + image: "docker.io/istio/pilot:1.2.2" replicaCount: 1 minReplicas: 1 maxReplicas: 5 @@ -30,10 +30,10 @@ spec: memory: 2048Mi citadel: enabled: true - image: "docker.io/istio/citadel:1.1.9" + image: "docker.io/istio/citadel:1.2.2" galley: enabled: true - image: "docker.io/istio/galley:1.1.9" + image: "docker.io/istio/galley:1.2.2" replicaCount: 1 gateways: enabled: true @@ -96,13 +96,13 @@ spec: enabled: false mixer: enabled: true - image: "docker.io/istio/mixer:1.1.9" + image: "docker.io/istio/mixer:1.2.2" replicaCount: 1 minReplicas: 1 maxReplicas: 5 sidecarInjector: enabled: true - image: "docker.io/istio/sidecar_injector:1.1.9" + image: "docker.io/istio/sidecar_injector:1.2.2" replicaCount: 1 rewriteAppHTTPProbe: true autoInjectionPolicyEnabled: true @@ -116,9 +116,9 @@ spec: memory: 50Mi nodeAgent: enabled: false - image: "docker.io/istio/node-agent-k8s:1.1.9" + image: "docker.io/istio/node-agent-k8s:1.2.2" proxy: - image: "docker.io/istio/proxyv2:1.1.9" + image: "docker.io/istio/proxyv2:1.2.2" enableCoreDump: false resources: requests: @@ -128,7 +128,7 @@ spec: cpu: 2000m memory: 1024Mi proxyInit: - image: "docker.io/istio/proxy_init:1.1.9" + image: "docker.io/istio/proxy_init:1.2.2" defaultPodDisruptionBudget: enabled: true outboundTrafficPolicy: 
diff --git a/config/samples/istio_v1beta1_istio_cni.yaml b/config/samples/istio_v1beta1_istio_cni.yaml index b46df5517..3f9820094 100644 --- a/config/samples/istio_v1beta1_istio_cni.yaml +++ b/config/samples/istio_v1beta1_istio_cni.yaml @@ -5,7 +5,7 @@ metadata: controller-tools.k8s.io: "1.0" name: istio-sample spec: - version: "1.1.9" + version: "1.2.2" mtls: false autoInjectionNamespaces: - "default" diff --git a/config/samples/istio_v1beta1_istio_cni_gke.yaml b/config/samples/istio_v1beta1_istio_cni_gke.yaml index b8f3ce8f4..2a0fd3348 100644 --- a/config/samples/istio_v1beta1_istio_cni_gke.yaml +++ b/config/samples/istio_v1beta1_istio_cni_gke.yaml @@ -5,7 +5,7 @@ metadata: controller-tools.k8s.io: "1.0" name: istio-sample spec: - version: "1.1.9" + version: "1.2.2" mtls: false autoInjectionNamespaces: - "default" diff --git a/config/samples/istio_v1beta1_istio_meshexpansion.yaml b/config/samples/istio_v1beta1_istio_meshexpansion.yaml index 1bb931569..b932bf6f7 100644 --- a/config/samples/istio_v1beta1_istio_meshexpansion.yaml +++ b/config/samples/istio_v1beta1_istio_meshexpansion.yaml @@ -5,7 +5,7 @@ metadata: controller-tools.k8s.io: "1.0" name: istio-sample spec: - version: "1.1.9" + version: "1.2.2" autoInjectionNamespaces: - "default" useMCP: true diff --git a/config/samples/istio_v1beta1_istio_minimal.yaml b/config/samples/istio_v1beta1_istio_minimal.yaml index 096a7e02a..99810a523 100644 --- a/config/samples/istio_v1beta1_istio_minimal.yaml +++ b/config/samples/istio_v1beta1_istio_minimal.yaml @@ -7,7 +7,7 @@ metadata: controller-tools.k8s.io: "1.0" name: istio-sample spec: - version: "1.1.9" + version: "1.2.2" mtls: false autoInjectionNamespaces: - "default" diff --git a/config/samples/istio_v1beta1_istio_multimesh.yaml b/config/samples/istio_v1beta1_istio_multimesh.yaml index efdd689b0..48210c5dd 100644 --- a/config/samples/istio_v1beta1_istio_multimesh.yaml +++ b/config/samples/istio_v1beta1_istio_multimesh.yaml 
@@ -5,7 +5,7 @@ metadata: controller-tools.k8s.io: "1.0" name: multimesh spec: - version: "1.1.9" + version: "1.2.2" autoInjectionNamespaces: - "default" useMCP: true diff --git a/config/samples/istio_v1beta1_istio_nodeaffinities.yaml b/config/samples/istio_v1beta1_istio_nodeaffinities.yaml index 65c00c37c..6eabf4f5a 100644 --- a/config/samples/istio_v1beta1_istio_nodeaffinities.yaml +++ b/config/samples/istio_v1beta1_istio_nodeaffinities.yaml @@ -5,7 +5,7 @@ metadata: controller-tools.k8s.io: "1.0" name: istio-sample spec: - version: "1.1.9" + version: "1.2.2" mtls: false includeIPRanges: "*" excludeIPRanges: "" @@ -16,7 +16,7 @@ spec: enabled: false pilot: enabled: true - image: "docker.io/istio/pilot:1.1.9" + image: "docker.io/istio/pilot:1.2.2" replicaCount: 1 minReplicas: 1 maxReplicas: 5 @@ -30,10 +30,10 @@ spec: tolerationSeconds: 6000 citadel: enabled: true - image: "docker.io/istio/citadel:1.1.9" + image: "docker.io/istio/citadel:1.2.2" galley: enabled: true - image: "docker.io/istio/galley:1.1.9" + image: "docker.io/istio/galley:1.2.2" replicaCount: 1 gateways: enabled: true @@ -89,24 +89,24 @@ spec: enabled: false mixer: enabled: true - image: "docker.io/istio/mixer:1.1.9" + image: "docker.io/istio/mixer:1.2.2" replicaCount: 1 minReplicas: 1 maxReplicas: 5 sidecarInjector: enabled: true - image: "docker.io/istio/sidecar_injector:1.1.9" + image: "docker.io/istio/sidecar_injector:1.2.2" replicaCount: 1 rewriteAppHTTPProbe: true autoInjectionPolicyEnabled: true nodeAgent: enabled: false - image: "docker.io/istio/node-agent-k8s:1.1.9" + image: "docker.io/istio/node-agent-k8s:1.2.2" proxy: - image: "docker.io/istio/proxyv2:1.1.9" + image: "docker.io/istio/proxyv2:1.2.2" enableCoreDump: false proxyInit: - image: "docker.io/istio/proxy_init:1.1.9" + image: "docker.io/istio/proxy_init:1.2.2" defaultPodDisruptionBudget: enabled: true outboundTrafficPolicy: 
diff --git a/config/samples/istio_v1beta1_istio_sds_auth.yaml b/config/samples/istio_v1beta1_istio_sds_auth.yaml index ebdc34783..a49a56b32 100644 --- a/config/samples/istio_v1beta1_istio_sds_auth.yaml +++ b/config/samples/istio_v1beta1_istio_sds_auth.yaml @@ -5,7 +5,7 @@ metadata: controller-tools.k8s.io: "1.0" name: istio-sample spec: - version: "1.1.9" + version: "1.2.2" mtls: true autoInjectionNamespaces: - "default" @@ -20,7 +20,7 @@ spec: enabled: true sds: enabled: true - image: "docker.io/istio/node-agent-k8s:1.1.9" + image: "docker.io/istio/node-agent-k8s:1.2.2" resources: requests: cpu: 100m @@ -30,4 +30,4 @@ spec: memory: 1024Mi nodeAgent: enabled: true - image: "docker.io/istio/node-agent-k8s:1.1.9" + image: "docker.io/istio/node-agent-k8s:1.2.2" diff --git a/docs/federation/gateway/README.md b/docs/federation/gateway/README.md index 2717e85be..493e0da83 100644 --- a/docs/federation/gateway/README.md +++ b/docs/federation/gateway/README.md @@ -15,7 +15,7 @@ For demo purposes, create 3 clusters, a single node [Banzai Cloud PKE](https://b ```bash ❯ git clone https://github.com/banzaicloud/istio-operator.git ❯ cd istio-operator -❯ git checkout release-1.1 +❯ git checkout release-1.2 ``` [Pipeline platform](https://beta.banzaicloud.io/) is the easiest way to setup that environment using our [CLI tool](https://banzaicloud.com/blog/cli-ux/) ([install](https://github.com/banzaicloud/banzai-cli#installation)) for [Pipeline](https:/github.com/banzaicloud/pipeline), simply called `banzai`. diff --git a/docs/federation/gateway/samples/istio-multicluster-cr.yaml b/docs/federation/gateway/samples/istio-multicluster-cr.yaml index fe67fe23e..07738fb40 100644 --- a/docs/federation/gateway/samples/istio-multicluster-cr.yaml +++ b/docs/federation/gateway/samples/istio-multicluster-cr.yaml @@ -3,7 +3,7 @@ kind: Istio metadata: name: gateway-multicluster spec: - version: "1.1.9" + version: "1.2.2" autoInjectionNamespaces: - "default" mtls: true 
diff --git a/docs/federation/multimesh/README.md b/docs/federation/multimesh/README.md index b7bf0cc02..e4e83103c 100644 --- a/docs/federation/multimesh/README.md +++ b/docs/federation/multimesh/README.md @@ -15,7 +15,7 @@ For demonstrative purposes, create 2 clusters, a 2 node [Banzai Cloud PKE](https ```bash ❯ git clone https://github.com/banzaicloud/istio-operator.git ❯ cd istio-operator -❯ git checkout release-1.1 +❯ git checkout release-1.2 ``` ## Create the clusters on the Banzai Cloud Pipeline platform @@ -193,7 +193,7 @@ In order to allow access to `echo` running on the GKE cluster, we need to create For DNS resolution for services under the `*.global` domain, you need to assign these services an IP address. In this example we’ll use IPs in 127.255.0.0/16. Application traffic for these IPs will be captured by the sidecar and routed to the appropriate remote service. -> Each service (in the .global DNS domain) must have a unique IP within the cluster, but they are not need to be routable. +> Each service (in the .global DNS domain) must have a unique IP within the cluster, but they are not need to be routable. ```bash ❯ kubectl apply --context=$CTX_PKE -n default -f - < Date: Thu, 4 Jul 2019 14:13:51 +0200 Subject: [PATCH 2/8] Add workload cert ttl support to Citadel --- config/base/crds/istio_v1beta1_istio.yaml | 15 +++++++++++++ .../base/crds/istio_v1beta1_remoteistio.yaml | 15 +++++++++++++ pkg/apis/istio/v1beta1/istio_types.go | 21 ++++++++++++------- pkg/resources/citadel/deployment.go | 14 +++++++++++++ 4 files changed, 57 insertions(+), 8 deletions(-) diff --git a/config/base/crds/istio_v1beta1_istio.yaml b/config/base/crds/istio_v1beta1_istio.yaml index 5ea13ce40..9bb13b34e 100644 --- a/config/base/crds/istio_v1beta1_istio.yaml +++ b/config/base/crds/istio_v1beta1_istio.yaml 
@@ -62,9 +62,18 @@ spec: enabled: type: boolean healthCheck: + description: Enable health checking on the Citadel CSR signing API. + https://istio.io/docs/tasks/security/health-check/ type: boolean image: type: string + maxWorkloadCertTTL: + description: Citadel uses a flag max-workload-cert-ttl to control + the maximum lifetime for Istio certificates issued to workloads. + The default value is 90 days. If workload-cert-ttl on Citadel + or node agent is greater than max-workload-cert-ttl, Citadel will + fail issuing the certificate. + type: string nodeSelector: type: object resources: @@ -73,6 +82,12 @@ spec: items: type: object type: array + workloadCertTTL: + description: For the workloads running in Kubernetes, the lifetime + of their Istio certificates is controlled by the workload-cert-ttl + flag on Citadel. The default value is 90 days. This value should + be no greater than max-workload-cert-ttl of Citadel. + type: string type: object controlPlaneSecurityEnabled: description: ControlPlaneSecurityEnabled control plane services are diff --git a/config/base/crds/istio_v1beta1_remoteistio.yaml b/config/base/crds/istio_v1beta1_remoteistio.yaml index b51a19cda..98e168c36 100644 --- a/config/base/crds/istio_v1beta1_remoteistio.yaml +++ b/config/base/crds/istio_v1beta1_remoteistio.yaml @@ -62,9 +62,18 @@ spec: enabled: type: boolean healthCheck: + description: Enable health checking on the Citadel CSR signing API. + https://istio.io/docs/tasks/security/health-check/ type: boolean image: type: string + maxWorkloadCertTTL: + description: Citadel uses a flag max-workload-cert-ttl to control + the maximum lifetime for Istio certificates issued to workloads. + The default value is 90 days. If workload-cert-ttl on Citadel + or node agent is greater than max-workload-cert-ttl, Citadel will + fail issuing the certificate. + type: string nodeSelector: type: object resources: 
@@ -73,6 +82,12 @@ spec: items: type: object type: array + workloadCertTTL: + description: For the workloads running in Kubernetes, the lifetime + of their Istio certificates is controlled by the workload-cert-ttl + flag on Citadel. The default value is 90 days. This value should + be no greater than max-workload-cert-ttl of Citadel. + type: string type: object defaultResources: description: DefaultResources are applied for all Istio components by diff --git a/pkg/apis/istio/v1beta1/istio_types.go b/pkg/apis/istio/v1beta1/istio_types.go index 135dc1ea5..cdb39ee17 100644 --- a/pkg/apis/istio/v1beta1/istio_types.go +++ b/pkg/apis/istio/v1beta1/istio_types.go 
@@ -70,14 +70,19 @@ type PilotConfiguration struct { // CitadelConfiguration defines config options for Citadel type CitadelConfiguration struct { - Enabled *bool `json:"enabled,omitempty"` - Image string `json:"image,omitempty"` - CASecretName string `json:"caSecretName,omitempty"` - HealthCheck *bool `json:"healthCheck,omitempty"` - Resources *corev1.ResourceRequirements `json:"resources,omitempty"` - NodeSelector map[string]string `json:"nodeSelector,omitempty"` - Affinity *corev1.Affinity `json:"affinity,omitempty"` - Tolerations []corev1.Toleration `json:"tolerations,omitempty"` + Enabled *bool `json:"enabled,omitempty"` + Image string `json:"image,omitempty"` + CASecretName string `json:"caSecretName,omitempty"` + // Enable health checking on the Citadel CSR signing API. https://istio.io/docs/tasks/security/health-check/ + HealthCheck *bool `json:"healthCheck,omitempty"` + // For the workloads running in Kubernetes, the lifetime of their Istio certificates is controlled by the workload-cert-ttl flag on Citadel. The default value is 90 days. This value should be no greater than max-workload-cert-ttl of Citadel. + WorkloadCertTTL string `json:"workloadCertTTL,omitempty"` + // Citadel uses a flag max-workload-cert-ttl to control the maximum lifetime for Istio certificates issued to workloads. The default value is 90 days. If workload-cert-ttl on Citadel or node agent is greater than max-workload-cert-ttl, Citadel will fail issuing the certificate. + MaxWorkloadCertTTL string `json:"maxWorkloadCertTTL,omitempty"` + Resources *corev1.ResourceRequirements `json:"resources,omitempty"` + NodeSelector map[string]string `json:"nodeSelector,omitempty"` + Affinity *corev1.Affinity `json:"affinity,omitempty"` + Tolerations []corev1.Toleration `json:"tolerations,omitempty"` } // GalleyConfiguration defines config options for Galley diff --git a/pkg/resources/citadel/deployment.go b/pkg/resources/citadel/deployment.go index d6a73d083..7725d568a 100644 
--- a/pkg/resources/citadel/deployment.go +++ b/pkg/resources/citadel/deployment.go @@ -57,6 +57,20 @@ func (r *Reconciler) deployment() runtime.Object { ) } + if r.Config.Spec.Citadel.WorkloadCertTTL != "" { + args = append(args, + "--workload-cert-ttl", + r.Config.Spec.Citadel.WorkloadCertTTL, + ) + } + + if r.Config.Spec.Citadel.MaxWorkloadCertTTL != "" { + args = append(args, + "--max-workload-cert-ttl", + r.Config.Spec.Citadel.MaxWorkloadCertTTL, + ) + } + var citadelContainer = apiv1.Container{ Name: "citadel", Image: r.Config.Spec.Citadel.Image, From fcf98541bca1e0541b17a68cef43f633cc3f3511 Mon Sep 17 00:00:00 2001 From: Zsolt Varga Date: Thu, 4 Jul 2019 15:01:43 +0200 Subject: [PATCH 3/8] Add support for always/never inject labelselector sidecar option --- config/base/crds/istio_v1beta1_istio.yaml | 16 ++++++++++++++++ config/base/crds/istio_v1beta1_remoteistio.yaml | 16 ++++++++++++++++ pkg/apis/istio/v1beta1/istio_types.go | 17 +++++++++++++---- pkg/apis/istio/v1beta1/zz_generated.deepcopy.go | 15 +++++++++++++++ pkg/resources/sidecarinjector/configmap.go | 10 +++++++++- 5 files changed, 69 insertions(+), 5 deletions(-) diff --git a/config/base/crds/istio_v1beta1_istio.yaml b/config/base/crds/istio_v1beta1_istio.yaml index 9bb13b34e..0ff118e3e 100644 --- a/config/base/crds/istio_v1beta1_istio.yaml +++ b/config/base/crds/istio_v1beta1_istio.yaml @@ -466,6 +466,14 @@ spec: properties: affinity: type: object + alwaysInjectSelector: + description: 'AlwaysInjectSelector: Forces the injection on pods + whose labels match this selector. It''s an array of label selectors, + that will be OR''ed, meaning we will iterate over it and stop + at the first match' + items: + type: object + type: array autoInjectionPolicyEnabled: description: This controls the 'policy' in the sidecar injector type: boolean 
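Review bot: The two new `if` blocks pass `WorkloadCertTTL` and `MaxWorkloadCertTTL` to Citadel verbatim, and the matching CRD properties added in the two istio_v1beta1_*.yaml hunks of this patch are plain `type: string` with no `pattern`, unlike `dnsRefreshRate` in the first patch. If Citadel parses these flags as Go durations (they appear to be `time.Duration` flags, so `2160h` is valid but `90d` is not — confirm against the Citadel version in use), a malformed value only surfaces as a crash-looping citadel pod after reconcile, whereas a `time.ParseDuration` check in the reconciler or a CRD `pattern` would reject it at admission time. The type comment added in the previous hunk says workload-cert-ttl must not exceed max-workload-cert-ttl, so when both are set the reconciler could enforce that ordering, and the same comment could note that raising either value lengthens the time a compromised workload key remains valid. `deployment()` starts before this hunk and continues past it.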
@@ -510,6 +518,14 @@ spec: description: Logging level for CNI binary type: string type: object + neverInjectSelector: + description: 'NeverInjectSelector: Refuses the injection on pods + whose labels match this selector. It''s an array of label selectors, + that will be OR''ed, meaning we will iterate over it and stop + at the first match Takes precedence over AlwaysInjectSelector.' + items: + type: object + type: array nodeSelector: type: object replicaCount: diff --git a/config/base/crds/istio_v1beta1_remoteistio.yaml b/config/base/crds/istio_v1beta1_remoteistio.yaml index 98e168c36..ff7e3c1ac 100644 --- a/config/base/crds/istio_v1beta1_remoteistio.yaml +++ b/config/base/crds/istio_v1beta1_remoteistio.yaml @@ -170,6 +170,14 @@ spec: properties: affinity: type: object + alwaysInjectSelector: + description: 'AlwaysInjectSelector: Forces the injection on pods + whose labels match this selector. It''s an array of label selectors, + that will be OR''ed, meaning we will iterate over it and stop + at the first match' + items: + type: object + type: array autoInjectionPolicyEnabled: description: This controls the 'policy' in the sidecar injector type: boolean @@ -214,6 +222,14 @@ spec: description: Logging level for CNI binary type: string type: object + neverInjectSelector: + description: 'NeverInjectSelector: Refuses the injection on pods + whose labels match this selector. It''s an array of label selectors, + that will be OR''ed, meaning we will iterate over it and stop + at the first match Takes precedence over AlwaysInjectSelector.' + items: + type: object + type: array nodeSelector: type: object replicaCount: diff --git a/pkg/apis/istio/v1beta1/istio_types.go b/pkg/apis/istio/v1beta1/istio_types.go index cdb39ee17..166547d03 100644 --- a/pkg/apis/istio/v1beta1/istio_types.go +++ b/pkg/apis/istio/v1beta1/istio_types.go 
@@ -186,10 +186,19 @@ type SidecarInjectorConfiguration struct { // This controls the 'policy' in the sidecar injector AutoInjectionPolicyEnabled *bool `json:"autoInjectionPolicyEnabled,omitempty"` // This controls whether the webhook looks for namespaces for injection enabled or disabled - EnableNamespacesByDefault *bool `json:"enableNamespacesByDefault,omitempty"` - NodeSelector map[string]string `json:"nodeSelector,omitempty"` - Affinity *corev1.Affinity `json:"affinity,omitempty"` - Tolerations []corev1.Toleration `json:"tolerations,omitempty"` + EnableNamespacesByDefault *bool `json:"enableNamespacesByDefault,omitempty"` + // NeverInjectSelector: Refuses the injection on pods whose labels match this selector. + // It's an array of label selectors, that will be OR'ed, meaning we will iterate + // over it and stop at the first match + // Takes precedence over AlwaysInjectSelector. + NeverInjectSelector []metav1.LabelSelector `json:"neverInjectSelector,omitempty"` + // AlwaysInjectSelector: Forces the injection on pods whose labels match this selector. + // It's an array of label selectors, that will be OR'ed, meaning we will iterate + // over it and stop at the first match + AlwaysInjectSelector []metav1.LabelSelector `json:"alwaysInjectSelector,omitempty"` + NodeSelector map[string]string `json:"nodeSelector,omitempty"` + Affinity *corev1.Affinity `json:"affinity,omitempty"` + Tolerations []corev1.Toleration `json:"tolerations,omitempty"` } // NodeAgentConfiguration defines config options for NodeAgent diff --git a/pkg/apis/istio/v1beta1/zz_generated.deepcopy.go b/pkg/apis/istio/v1beta1/zz_generated.deepcopy.go index e7498be80..ac6ac7081 100644 --- a/pkg/apis/istio/v1beta1/zz_generated.deepcopy.go +++ b/pkg/apis/istio/v1beta1/zz_generated.deepcopy.go @@ -21,6 +21,7 @@ package v1beta1 import ( v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) 
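Review bot: The new doc comment on `NeverInjectSelector` runs two sentences together (`over it and stop at the first match` followed directly by `Takes precedence over AlwaysInjectSelector.`), and the generated CRD descriptions in the two istio_v1beta1_*.yaml hunks of this patch inherit the fused wording; ending the line with a period, `// over it and stop at the first match.`, fixes both once the CRDs are regenerated. Since a pod matched by `NeverInjectSelector` receives no sidecar and therefore presumably sits outside the mesh's mTLS and authorization enforcement, the comment should say so, because a broad selector here is effectively a policy opt-out for every matching workload. The `SidecarInjectorConfiguration` struct begins before this hunk.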
@@ -997,6 +998,20 @@ func (in *SidecarInjectorConfiguration) DeepCopyInto(out *SidecarInjectorConfigu *out = new(bool) **out = **in } + if in.NeverInjectSelector != nil { + in, out := &in.NeverInjectSelector, &out.NeverInjectSelector + *out = make([]metav1.LabelSelector, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.AlwaysInjectSelector != nil { + in, out := &in.AlwaysInjectSelector, &out.AlwaysInjectSelector + *out = make([]metav1.LabelSelector, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } if in.NodeSelector != nil { in, out := &in.NodeSelector, &out.NodeSelector *out = make(map[string]string, len(*in)) diff --git a/pkg/resources/sidecarinjector/configmap.go b/pkg/resources/sidecarinjector/configmap.go index 40b3bd25c..1251db72d 100644 --- a/pkg/resources/sidecarinjector/configmap.go +++ b/pkg/resources/sidecarinjector/configmap.go @@ -104,10 +104,18 @@ func (r *Reconciler) siConfig() string { if util.PointerToBool(r.Config.Spec.SidecarInjector.AutoInjectionPolicyEnabled) { autoInjection = "enabled" } - siConfig := map[string]string{ + siConfig := map[string]interface{}{ "policy": autoInjection, "template": r.templateConfig(), } + + if len(r.Config.Spec.SidecarInjector.AlwaysInjectSelector) > 0 { + siConfig["alwaysInjectSelector"] = r.Config.Spec.SidecarInjector.AlwaysInjectSelector + } + if len(r.Config.Spec.SidecarInjector.NeverInjectSelector) > 0 { + siConfig["neverInjectSelector"] = r.Config.Spec.SidecarInjector.NeverInjectSelector + } + marshaledConfig, _ := yaml.Marshal(siConfig) // this is a static config, so we don't have to deal with errors return string(marshaledConfig) From 6f8cf97fcd2102ff11c77c911b8daa8c8680379b Mon Sep 17 00:00:00 2001 From: Zsolt Varga Date: Fri, 5 Jul 2019 02:31:12 +0200 Subject: [PATCH 4/8] Fix ComponentLogLevel default value --- pkg/apis/istio/v1beta1/defaults.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
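Review bot: `yaml.Marshal(siConfig)` in the configmap.go hunk still discards its error under the comment `this is a static config, so we don't have to deal with errors`, but after this change the map carries user-supplied `[]metav1.LabelSelector` values, so the config is no longer static; the comment should go and the error deserves at least a log line, or `siConfig` should return `(string, error)` so the caller can fail the reconcile. Whether the selectors come out in the shape the injector expects depends on which yaml package is imported: a JSON-tag-aware marshaller (sigs.k8s.io/yaml or ghodss/yaml) emits `matchLabels`/`matchExpressions`, while gopkg.in/yaml.v2 would emit lowercased Go field names such as `matchlabels`, and the injector would then silently ignore the selectors — worth confirming against the import block, which is outside this hunk. `siConfig` begins before this hunk and its closing brace is past it.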
diff --git a/pkg/apis/istio/v1beta1/defaults.go b/pkg/apis/istio/v1beta1/defaults.go index 24fe5c77e..5f48402f6 100644 --- a/pkg/apis/istio/v1beta1/defaults.go +++ b/pkg/apis/istio/v1beta1/defaults.go @@ -276,7 +276,7 @@ func SetDefaults(config *Istio) { config.Spec.ProxyInit.Image = defaultProxyInitImage } if config.Spec.Proxy.ComponentLogLevel == "" { - config.Spec.Proxy.ComponentLogLevel = "default:error" + config.Spec.Proxy.ComponentLogLevel = "misc:error" } if config.Spec.Proxy.LogLevel == "" { config.Spec.Proxy.LogLevel = "warning" From 304dd02c97f213aeaccef8a29cfe04578b551372 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A1szl=C3=B3=20Bence=20Nagy?= Date: Mon, 8 Jul 2019 12:43:12 +0200 Subject: [PATCH 5/8] Update upgrade docs --- docs/upgrade.md | 200 +++++++++--------------------------------------- 1 file changed, 37 insertions(+), 163 deletions(-) diff --git a/docs/upgrade.md b/docs/upgrade.md index 6f4726316..29ce1c96e 100644 --- a/docs/upgrade.md +++ b/docs/upgrade.md 
@@ -4,10 +4,10 @@ The steps are listed in this doc to perform an Istio version upgrade with the op ## Istio Control Plane Upgrade -Let us suppose that we have a [Kubernetes](https://kubernetes.io/) cluster with Istio 1.0.7, and we would like to upgrade our Istio components to Istio version 1.1.9. Here are the steps we need to perform to accomplish this with the operator: +Let us suppose that we have a [Kubernetes](https://kubernetes.io/) cluster with Istio 1.1.11, and we would like to upgrade our Istio components to Istio version 1.2.2. Here are the steps we need to perform to accomplish this with the operator: -1. Deploy a version of the operator which supports Istio 1.1.x -2. Apply a [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) using Istio 1.1.9 components +1. Deploy a version of the operator which supports Istio 1.2.x +2. Apply a [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) using Istio 1.2.2 components What happens is that once the operator discerns that the Custom Resource it's watching has changed, it reconciles all Istio-related components in order to perform a control plane upgrade. 
@@ -20,14 +20,14 @@ What happens is that once the operator discerns that the Custom Resource it's wa - Minikube v0.33.1+ or Kubernetes 1.10.0+ - `KUBECONFIG` set to an existing Kubernetes cluster -If you already have Istio 1.0.x installed on your cluster you can skip the next section and can jump right to [Deploy sample BookInfo application](#deploy-sample-bookinfo-application). +If you already have Istio 1.1.x installed on your cluster you can skip the next section and can jump right to [Deploy sample BookInfo application](#deploy-sample-bookinfo-application). -#### Install Istio 1.0.7 +#### Install Istio 1.1.11 -We install Istio with our operator, so first we need to check out the `release-1.0` branch of our operator (this branch supports Istio versions before 1.1.0): +We install Istio with our operator, so first we need to check out the `release-1.1` branch of our operator (this branch supports Istio versions before 1.2.0): ```bash $ git clone git@github.com:banzaicloud/istio-operator.git -$ git checkout release-1.0 +$ git checkout release-1.1 ``` **Install Istio Operator with make** 
@@ -46,16 +46,16 @@ Alternatively, if you just can't let go of Helm completely, you can deploy the o ```bash $ helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com -$ helm install --name=istio-operator --namespace=istio-system --set-string operator.image.tag=0.0.11 banzaicloud-stable/istio-operator +$ helm install --name=istio-operator --namespace=istio-system --set-string operator.image.tag=0.1.21 banzaicloud-stable/istio-operator ``` -*Note: As of now, the `0.0.11` tag is the latest version of our operator to support Istio versions 1.0.x.* +*Note: As of now, the `0.1.21` tag is the latest version of our operator to support Istio versions 1.1.x.* **Apply the Custom Resource** Once you've applied the Custom Resource to your cluster, the operator will start reconciling all of Istio's components. -There are some sample Custom Resource configurations in the `config/samples` folder. To deploy Istio 1.0.7 with its default configuration options, use the following command: +There are some sample Custom Resource configurations in the `config/samples` folder. To deploy Istio 1.1.11 with its default configuration options, use the following command: ```bash $ kubectl apply -n istio-system -f config/samples/istio_v1beta1_istio.yaml 
@@ -77,75 +77,24 @@ istio-sidecar-injector-596f8dddbb-gvzk9 1/1 Running 0 1m istio-telemetry-7cbf75c5cf-wk4v8 2/2 Running 0 1m ``` -The `Istio` Custom Resource is showing `Available` in its status field and the Istio components are using `1.0.7` images : +The `Istio` Custom Resource is showing `Available` in its status field and the Istio components are using `1.1.11` images : ```bash -$ kubectl describe istio -n istio-system istio -Name: istio-sample -Namespace: istio-system -Labels: controller-tools.k8s.io=1.0 -Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"istio.banzaicloud.io/v1beta1","kind":"Istio","metadata":{"annotations":{},"labels":{"controller-tools.k8s.io":"1.0"},"name":"istio-sampl... -API Version: istio.banzaicloud.io/v1beta1 -Kind: Istio -Metadata: - Creation Timestamp: 2019-03-31T10:07:22Z - Finalizers: - istio-operator.finializer.banzaicloud.io - Generation: 2 - Resource Version: 13101 - Self Link: /apis/istio.banzaicloud.io/v1beta1/namespaces/istio-system/istios/istio-sample - UID: c6a095da-539c-11e9-9080-42010a9a0136 -Spec: - Auto Injection Namespaces: - default - Citadel: - Image: istio/citadel:1.0.7 - Replica Count: 1 - Galley: - Image: istio/galley:1.0.7 - Replica Count: 1 - Gateways: - Egress: - Max Replicas: 5 - Min Replicas: 1 - Replica Count: 1 - Ingress: - Max Replicas: 5 - Min Replicas: 1 - Replica Count: 1 - Include IP Ranges: * - Mixer: - Image: istio/mixer:1.0.7 - Max Replicas: 5 - Min Replicas: 1 - Replica Count: 1 - Mtls: false - Pilot: - Image: istio/pilot:1.0.7 - Max Replicas: 5 - Min Replicas: 1 - Replica Count: 1 - Trace Sampling: 1 - Proxy: - Image: istio/proxyv2:1.0.7 - Sidecar Injector: - Image: istio/sidecar_injector:1.0.7 - Replica Count: 1 - Tracing: - Zipkin: - Address: zipkin.jaeger-system:9411 -Status: - Error Message: - Status: Available -Events: +$ kubectl describe istio -n istio-system istio -o yaml | grep "image:" + image: docker.io/istio/citadel:1.1.11 + image: 
docker.io/istio/galley:1.1.11 + image: docker.io/istio-mixer:1.1.11 + image: docker.io/istio-pilot:1.1.11 + image: docker.io/istio/proxyv2:1.1.11 + image: docker.io/istio/sidecar_injector:1.1.11 ``` #### Deploy sample BookInfo application -Let's make sure that Istio 1.0.7 is properly installed with Istio's BookInfo application: +Let's make sure that Istio 1.1.11 is properly installed with Istio's BookInfo application: ```bash -$ kubectl -n default apply -f https://raw.githubusercontent.com/istio/istio/release-1.0/samples/bookinfo/platform/kube/bookinfo.yaml +$ kubectl -n default apply -f https://raw.githubusercontent.com/istio/istio/release-1.1/samples/bookinfo/platform/kube/bookinfo.yaml service "details" created deployment.extensions "details-v1" created service "ratings" created @@ -157,7 +106,7 @@ deployment.extensions "reviews-v3" created service "productpage" created deployment.extensions "productpage-v1" created -$ kubectl -n default apply -f https://raw.githubusercontent.com/istio/istio/release-1.0/samples/bookinfo/networking/bookinfo-gateway.yaml +$ kubectl -n default apply -f https://raw.githubusercontent.com/istio/istio/release-1.1/samples/bookinfo/networking/bookinfo-gateway.yaml gateway.networking.istio.io "bookinfo-gateway" created virtualservice.networking.istio.io "bookinfo" created ``` 
@@ -169,12 +118,12 @@ $ INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jso $ open http://$INGRESS_HOST/productpage ``` -#### Install Istio 1.1.9 +#### Install Istio 1.2.2 -To install Istio 1.1.9, first we need to check out the `release-1.1` branch of our operator (this branch supports the Istio 1.1.x versions): +To install Istio 1.2.2, first we need to check out the `release-1.2` branch of our operator (this branch supports the Istio 1.2.x versions): ```bash $ git clone git@github.com:banzaicloud/istio-operator.git -$ git checkout release-1.1 +$ git checkout release-1.2 ``` > If you installed Istio operator with `make` in the previous section go to to `Install Istio Operator with make`, if you installed it with `helm` go to `Install Istio Operator with helm`. If you haven't installed Istio operator so far you can choose whichever install option you like. 
@@ -194,16 +143,16 @@ Alternatively, you can deploy the operator using a [Helm chart](https://github.c ```bash $ helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com -$ helm upgrade istio-operator --install --namespace=istio-system --set-string operator.image.tag=0.1.19 banzaicloud-stable/istio-operator +$ helm upgrade istio-operator --install --namespace=istio-system --set-string operator.image.tag=0.2.0 banzaicloud-stable/istio-operator ``` -*Note: As of now, the `0.1.19` tag is the latest version of our operator to support Istio versions 1.1.x.* +*Note: As of now, the `0.2.0` tag is the latest version of our operator to support Istio versions 1.2.x.* **Apply the new Custom Resource** -> If you've installed Istio 1.0.7 or earlier with the Istio operator, and if you check the logs of the operator pod at this point, you will see the following error message: `intended Istio version is unsupported by this version of the operator`. We need to update the Istio Custom Resource with Istio 1.1's components for the operator to be reconciled with the Istio control plane. +> If you've installed Istio 1.1.11 or earlier with the Istio operator, and if you check the logs of the operator pod at this point, you will see the following error message: `intended Istio version is unsupported by this version of the operator`. We need to update the Istio Custom Resource with Istio 1.2's components for the operator to be reconciled with the Istio control plane. -To deploy Istio 1.1.9 with its default configuration options, use the following command: +To deploy Istio 1.2.2 with its default configuration options, use the following command: ```bash $ kubectl apply -n istio-system -f config/samples/istio_v1beta1_istio.yaml 
@@ -225,94 +174,19 @@ istio-sidecar-injector-66cd99d8c8-bp4j7 1/1 Running 0 7m istio-telemetry-7b667c5fbb-2lfdc 2/2 Running 0 7m ``` -The `Istio` Custom Resource is showing `Available` in its status field, and the Istio components are now using `1.1.9` images: +The `Istio` Custom Resource is showing `Available` in its status field, and the Istio components are now using `1.2.2` images: ```bash -$ kubectl describe istio -n istio-system istio -Name: istio-sample -Namespace: istio-system -Labels: controller-tools.k8s.io=1.0 -Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"istio.banzaicloud.io/v1beta1","kind":"Istio","metadata":{"annotations":{},"labels":{"controller-tools.k8s.io":"1.0"},"name":"istio-sampl... -API Version: istio.banzaicloud.io/v1beta1 -Kind: Istio -Metadata: - Creation Timestamp: 2019-03-31T10:07:22Z - Finalizers: - istio-operator.finializer.banzaicloud.io - Generation: 3 - Resource Version: 21904 - Self Link: /apis/istio.banzaicloud.io/v1beta1/namespaces/istio-system/istios/istio-sample - UID: c6a095da-539c-11e9-9080-42010a9a0136 -Spec: - Auto Injection Namespaces: - default - Citadel: - Image: docker.io/istio/citadel:1.1.9 - Replica Count: 1 - Control Plane Security Enabled: false - Default Pod Disruption Budget: - Enabled: true - Exclude IP Ranges: - Galley: - Image: docker.io/istio/galley:1.1.9 - Replica Count: 1 - Gateways: - Egress: - Max Replicas: 5 - Min Replicas: 1 - Replica Count: 1 - Service Annotations: - Service Labels: - Service Type: ClusterIP - Ingress: - Max Replicas: 5 - Min Replicas: 1 - Replica Count: 1 - Service Annotations: - Service Labels: - Service Type: LoadBalancer - K8s ingress: - Enabled: false - Include IP Ranges: * - Mixer: - Image: docker.io/istio/mixer:1.1.9 - Max Replicas: 5 - Min Replicas: 1 - Replica Count: 1 - Mtls: false - Node Agent: - Enabled: false - Image: docker.io/istio/node-agent-k8s:1.1.9 - Outbound Traffic Policy: - Mode: ALLOW_ANY - Pilot: - Image: docker.io/istio/pilot:1.1.9 
- Max Replicas: 5 - Min Replicas: 1 - Replica Count: 1 - Trace Sampling: 1 - Proxy: - Enable Core Dump: false - Image: docker.io/istio/proxyv2:1.1.9 - Proxy Init: - Image: docker.io/istio/proxy_init:1.1.9 - Sds: - Enabled: false - Sidecar Injector: - Image: docker.io/istio/sidecar_injector:1.1.9 - Replica Count: 1 - Rewrite App HTTP Probe: true - Tracing: - Zipkin: - Address: zipkin.istio-system:9411 - Version: 1.1.9 -Status: - Error Message: - Status: Available -Events: +$ kubectl describe istio -n istio-system istio -o yaml | grep "image:" + image: docker.io/istio/citadel:1.2.2 + image: docker.io/istio/galley:1.2.2 + image: docker.io/istio-mixer:1.2.2 + image: docker.io/istio-pilot:1.2.2 + image: docker.io/istio/proxyv2:1.2.2 + image: docker.io/istio/sidecar_injector:1.2.2 ``` -At this point, your Istio control plane is upgraded to Istio 1.1.9 and your BookInfo application should still be available at: +At this point, your Istio control plane is upgraded to Istio 1.2.2 and your BookInfo application should still be available at: ```bash $ open http://$INGRESS_HOST/productpage ``` From 5761fbda55a5ae1c64c63cddbda74c8db1022837 Mon Sep 17 00:00:00 2001 From: Varga Zsolt Date: Thu, 11 Jul 2019 15:46:39 +0200 Subject: [PATCH 6/8] Add Locality Load Balancing support (#258) * Add Locality Load Balancing support --- config/base/crds/istio_v1beta1_istio.yaml | 45 ++++++++++ config/samples/istio_v1beta1_istio.yaml | 12 +++ pkg/apis/istio/v1beta1/istio_types.go | 51 +++++++++++ .../istio/v1beta1/zz_generated.deepcopy.go | 87 +++++++++++++++++++ pkg/resources/common/configmap.go | 20 ++++- pkg/resources/pilot/deployment.go | 7 ++ 6 files changed, 221 insertions(+), 1 deletion(-) diff --git a/config/base/crds/istio_v1beta1_istio.yaml b/config/base/crds/istio_v1beta1_istio.yaml index 0ff118e3e..c884214df 100644 --- a/config/base/crds/istio_v1beta1_istio.yaml +++ b/config/base/crds/istio_v1beta1_istio.yaml 
@@ -280,6 +280,51 @@ spec: type: object type: array type: object + localityLB: + description: Locality based load balancing distribution or failover + settings. + properties: + distribute: + description: 'Optional: only one of distribute or failover can be + set. Explicitly specify loadbalancing weight across different + zones and geographical locations. Refer to [Locality weighted + load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing/locality_weight) + If empty, the locality weight is set according to the endpoints + number within it.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. 'region/zone'. + type: string + to: + description: Map of upstream localities to traffic distribution + weights. The sum of all weights should be == 100. Any locality + not assigned a weight will receive no traffic. + type: object + type: object + type: array + enabled: + description: If set to true, locality based load balancing will + be enabled + type: boolean + failover: + description: 'Optional: only failover or distribute can be set. + Explicitly specify the region traffic will land on when endpoints + in local region becomes unhealthy. Should be used together with + OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection + specified, this will not take effect.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will fail over + to when endpoints in the 'from' region becomes unhealthy. + type: string + type: object + type: array + type: object meshExpansion: description: If set to true, the pilot and citadel mtls will be exposed on the ingress gateway also the remote istios will be connected through diff --git a/config/samples/istio_v1beta1_istio.yaml b/config/samples/istio_v1beta1_istio.yaml index e6afe8fe7..b0b384654 100644 --- a/config/samples/istio_v1beta1_istio.yaml 
+++ b/config/samples/istio_v1beta1_istio.yaml
@@ -145,3 +145,15 @@ spec:
 accessToken:
 secure: true
 cacertPath: /etc/lightstep/cacert.pem
+ localityLB:
+ enabled: false
+ # distribute:
+ # - from: "us-central1/*"
+ # to:
+ # "us-central1/*": 80
+ # "us-central2/*": 20
+ # failover:
+ # - from: us-east
+ # to: eu-west
+ # - from: us-west
+ # to: us-east
diff --git a/pkg/apis/istio/v1beta1/istio_types.go b/pkg/apis/istio/v1beta1/istio_types.go
index 166547d03..3622c7e2d 100644
--- a/pkg/apis/istio/v1beta1/istio_types.go
+++ b/pkg/apis/istio/v1beta1/istio_types.go
@@ -305,6 +305,54 @@ type IstioCoreDNS struct {
 Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
 }
+// Describes how traffic originating in the 'from' zone is
+// distributed over a set of 'to' zones. Syntax for specifying a zone is
+// {region}/{zone} and terminal wildcards are allowed on any
+// segment of the specification. Examples:
+// * - matches all localities
+// us-west/* - all zones and sub-zones within the us-west region
+type LocalityLBDistributeConfiguration struct {
+ // Originating locality, '/' separated, e.g. 'region/zone'.
+ From string `json:"from,omitempty"`
+ // Map of upstream localities to traffic distribution weights. The sum of
+ // all weights should be == 100. Any locality not assigned a weight will
+ // receive no traffic.
+ To map[string]uint32 `json:"to,omitempty"`
+}
+
+// Specify the traffic failover policy across regions. Since zone
+// failover is supported by default this only needs to be specified for
+// regions when the operator needs to constrain traffic failover so that
+// the default behavior of failing over to any endpoint globally does not
+// apply. This is useful when failing over traffic across regions would not
+// improve service health or may need to be restricted for other reasons
+// like regulatory controls.
+type LocalityLBFailoverConfiguration struct {
+ // Originating region.
+ From string `json:"from,omitempty"`
+ // Destination region the traffic will fail over to when endpoints in
+ // the 'from' region becomes unhealthy.
+ To string `json:"to,omitempty"`
+}
+
+// Locality-weighted load balancing allows administrators to control the
+// distribution of traffic to endpoints based on the localities of where the
+// traffic originates and where it will terminate.
+type LocalityLBConfiguration struct {
+ // If set to true, locality based load balancing will be enabled
+ Enabled *bool `json:"enabled,omitempty"`
+ // Optional: only one of distribute or failover can be set.
+ // Explicitly specify loadbalancing weight across different zones and geographical locations. + // Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing/locality_weight) + // If empty, the locality weight is set according to the endpoints number within it. + Distribute []*LocalityLBDistributeConfiguration `json:"distribute,omitempty"` + // Optional: only failover or distribute can be set. + // Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. + // Should be used together with OutlierDetection to detect unhealthy endpoints. + // Note: if no OutlierDetection specified, this will not take effect. + Failover []*LocalityLBFailoverConfiguration `json:"failover,omitempty"` +} + // IstioSpec defines the desired state of Istio type IstioSpec struct { // Contains the intended Istio version @@ -397,6 +445,9 @@ type IstioSpec struct { // Istio CoreDNS provides DNS resolution for services in multi mesh setups IstioCoreDNS IstioCoreDNS `json:"istioCoreDNS,omitempty"` + // Locality based load balancing distribution or failover settings. + LocalityLB *LocalityLBConfiguration `json:"localityLB,omitempty"` + networkName string meshNetworks *MeshNetworks } diff --git a/pkg/apis/istio/v1beta1/zz_generated.deepcopy.go b/pkg/apis/istio/v1beta1/zz_generated.deepcopy.go index ac6ac7081..ab8736bd0 100644 --- a/pkg/apis/istio/v1beta1/zz_generated.deepcopy.go +++ b/pkg/apis/istio/v1beta1/zz_generated.deepcopy.go @@ -456,6 +456,11 @@ func (in *IstioSpec) DeepCopyInto(out *IstioSpec) { **out = **in } in.IstioCoreDNS.DeepCopyInto(&out.IstioCoreDNS) + if in.LocalityLB != nil { + in, out := &in.LocalityLB, &out.LocalityLB + *out = new(LocalityLBConfiguration) + (*in).DeepCopyInto(*out) + } if in.meshNetworks != nil { in, out := &in.meshNetworks, &out.meshNetworks *out = new(MeshNetworks) 
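Review bot: Nothing enforces the contract the comments state for `To`: the weights are plain `uint32`, so a value of `800` or a map whose weights sum to 37 is accepted by the API server (the CRD hunk in this series declares `to` as a bare `type: object` with no `additionalProperties`) and forwarded to Pilot unchanged, and what Pilot or Envoy does with such a locality table is not visible here. If the CRD is generated from these types, `to` needs a bounded value schema (`additionalProperties: {type: integer, minimum: 0, maximum: 100}`), and the sum-to-100 rule and the distribute/failover exclusivity stated on `LocalityLBConfiguration` need a validation step in the operator that rejects the CR instead of guessing. Separately, the three type comments do not start with the type name as Go doc convention expects, e.g. `// LocalityLBDistributeConfiguration describes how traffic originating in the 'from' zone is` and likewise for the other two. The `LocalityLBConfiguration` struct continues into the next line of the hunk.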
@@ -532,6 +537,88 @@ func (in *LightstepConfiguration) DeepCopy() *LightstepConfiguration { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *LocalityLBConfiguration) DeepCopyInto(out *LocalityLBConfiguration) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } + if in.Distribute != nil { + in, out := &in.Distribute, &out.Distribute + *out = make([]*LocalityLBDistributeConfiguration, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(LocalityLBDistributeConfiguration) + (*in).DeepCopyInto(*out) + } + } + } + if in.Failover != nil { + in, out := &in.Failover, &out.Failover + *out = make([]*LocalityLBFailoverConfiguration, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(LocalityLBFailoverConfiguration) + **out = **in + } + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalityLBConfiguration. +func (in *LocalityLBConfiguration) DeepCopy() *LocalityLBConfiguration { + if in == nil { + return nil + } + out := new(LocalityLBConfiguration) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *LocalityLBDistributeConfiguration) DeepCopyInto(out *LocalityLBDistributeConfiguration) { + *out = *in + if in.To != nil { + in, out := &in.To, &out.To + *out = make(map[string]uint32, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalityLBDistributeConfiguration. 
+func (in *LocalityLBDistributeConfiguration) DeepCopy() *LocalityLBDistributeConfiguration { + if in == nil { + return nil + } + out := new(LocalityLBDistributeConfiguration) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *LocalityLBFailoverConfiguration) DeepCopyInto(out *LocalityLBFailoverConfiguration) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalityLBFailoverConfiguration. +func (in *LocalityLBFailoverConfiguration) DeepCopy() *LocalityLBFailoverConfiguration { + if in == nil { + return nil + } + out := new(LocalityLBFailoverConfiguration) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MeshNetwork) DeepCopyInto(out *MeshNetwork) { *out = *in diff --git a/pkg/resources/common/configmap.go b/pkg/resources/common/configmap.go index 9a0a3c105..4f438a43d 100644 --- a/pkg/resources/common/configmap.go +++ b/pkg/resources/common/configmap.go @@ -104,7 +104,7 @@ func (r *Reconciler) meshConfig() string { "defaultConfig": defaultConfig, "rootNamespace": "istio-system", "connectTimeout": "10s", - "localityLbSetting": nil, + "localityLbSetting": r.getLocalityLBConfiguration(), } if util.PointerToBool(r.Config.Spec.UseMCP) { 
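Review bot: `localityLbSetting` is now the CR struct marshaled straight into the mesh config, so its wire shape depends on which `yaml` package this file imports, which the hunk does not show: a ghodss-style marshaler honours the `json:"…,omitempty"` tags and drops the nil `Enabled`, whereas a go-yaml marshaler ignores them and would emit `enabled: null` under `localityLbSetting`, a key Istio's MeshConfig does not define. The nil return also lands in `map[string]interface{}` as a typed-nil `*LocalityLBConfiguration` rather than the untyped `nil` it replaces; both marshal as `null`, but the value no longer compares equal to `nil` if anything inspects the map before marshaling. A unit test asserting that the rendered mesh config for an enabled CR contains only `distribute`/`failover` (no `enabled` key) and still reads `localityLbSetting: null` when disabled would pin both. meshConfig continues outside the hunk.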
@@ -117,6 +117,24 @@ func (r *Reconciler) meshConfig() string {
 return string(marshaledConfig)
 }
+func (r *Reconciler) getLocalityLBConfiguration() *istiov1beta1.LocalityLBConfiguration {
+ var localityLbConfiguration *istiov1beta1.LocalityLBConfiguration
+
+ if r.Config.Spec.LocalityLB == nil || !util.PointerToBool(r.Config.Spec.LocalityLB.Enabled) {
+ return localityLbConfiguration
+ }
+
+ if r.Config.Spec.LocalityLB != nil {
+ localityLbConfiguration = r.Config.Spec.LocalityLB.DeepCopy()
+ localityLbConfiguration.Enabled = nil
+ if localityLbConfiguration.Distribute != nil && localityLbConfiguration.Failover != nil {
+ localityLbConfiguration.Failover = nil
+ }
+ }
+
+ return localityLbConfiguration
+}
+
 func (r *Reconciler) meshNetworks() string {
 marshaledConfig, _ := yaml.Marshal(r.Config.Spec.GetMeshNetworks())
 return string(marshaledConfig)
diff --git a/pkg/resources/pilot/deployment.go b/pkg/resources/pilot/deployment.go
index 91defc554..60de39bc8 100644
--- a/pkg/resources/pilot/deployment.go
+++ b/pkg/resources/pilot/deployment.go
@@ -143,6 +143,13 @@ func (r *Reconciler) containers() []apiv1.Container {
 TerminationMessagePolicy: apiv1.TerminationMessageReadFile,
 }
+ if r.Config.Spec.LocalityLB != nil && util.PointerToBool(r.Config.Spec.LocalityLB.Enabled) {
+ discoveryContainer.Env = append(discoveryContainer.Env, apiv1.EnvVar{
+ Name: "PILOT_ENABLE_LOCALITY_LOAD_BALANCING",
+ Value: "1",
+ })
+ }
+
 containers := []apiv1.Container{
 discoveryContainer,
 }
From 715908fb74adf6807dba1f0206ce9f006cf32408 Mon Sep 17 00:00:00 2001
From: Zsolt Varga
Date: Thu, 11 Jul 2019 15:54:39 +0200
Subject: [PATCH 7/8] fix dns search domains configuration
---
 pkg/resources/sidecarinjector/configmap.go | 33 +++++++++-------------
 1 file changed, 13 insertions(+), 20 deletions(-)
diff --git a/pkg/resources/sidecarinjector/configmap.go b/pkg/resources/sidecarinjector/configmap.go
index 1251db72d..aa87cb623 100644
--- a/pkg/resources/sidecarinjector/configmap.go
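Review bot: The mutual-exclusion branch in `getLocalityLBConfiguration` silently discards a user-supplied failover policy, and it keys on `!= nil` rather than on length, so a CR with `distribute: []` and a real `failover` list loses its failover constraints with no signal at all; the type's own comment presents failover as a tool for regulatory restriction, so dropping it quietly means traffic may fail over to regions the operator meant to exclude. Test emptiness and surface the conflict: `if len(localityLbConfiguration.Distribute) > 0 && len(localityLbConfiguration.Failover) > 0 {`, then log or record the conflict on the Istio CR status before clearing `Failover`, or better, reject such a CR during validation. The second `if r.Config.Spec.LocalityLB != nil` is always true after the early return above it and can go, leaving a deep copy plus the two adjustments.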
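Review bot: The predicate `r.Config.Spec.LocalityLB != nil && util.PointerToBool(r.Config.Spec.LocalityLB.Enabled)` is now spelled out here and, in negated form, in `getLocalityLBConfiguration` in pkg/resources/common/configmap.go; if the two drift, Pilot gets `PILOT_ENABLE_LOCALITY_LOAD_BALANCING=1` without a `localityLbSetting` in the mesh config, or the reverse. Define it once, e.g. a `LocalityLBEnabled() bool` helper on `IstioSpec` or in `util` returning that expression, and call it from both places. containers() continues outside the hunk.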
+++ b/pkg/resources/sidecarinjector/configmap.go
@@ -40,19 +40,24 @@ func (r *Reconciler) configMap() runtime.Object {
 }
 func (r *Reconciler) getValues() string {
+ podDNSSearchNamespaces := make([]string, 0)
+ if util.PointerToBool(r.Config.Spec.MultiMesh) {
+ podDNSSearchNamespaces = append(podDNSSearchNamespaces, []string{
+ "global",
+ "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global",
+ }...)
+ return ""
+ }
+
 values := map[string]interface{}{
 "sidecarInjectorWebhook": map[string]interface{}{
 "rewriteAppHTTPProbe": r.Config.Spec.SidecarInjector.RewriteAppHTTPProbe,
 },
 "global": map[string]interface{}{
- "trustDomain": "cluster.local",
- "imagePullPolicy": r.Config.Spec.ImagePullPolicy,
- "network": r.Config.Spec.GetNetworkName(),
- "podDNSSearchNamespaces": []string{
- "global",
- "total",
- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global",
- },
+ "trustDomain": "cluster.local",
+ "imagePullPolicy": r.Config.Spec.ImagePullPolicy,
+ "network": r.Config.Spec.GetNetworkName(),
+ "podDNSSearchNamespaces": podDNSSearchNamespaces,
 "proxy_init": map[string]interface{}{
 "image": r.Config.Spec.ProxyInit.Image,
 },
@@ -122,18 +127,6 @@ func (r *Reconciler) siConfig() string {
 }
-func (r *Reconciler) dnsConfig() string {
- if !util.PointerToBool(r.Config.Spec.MultiMesh) {
- return ""
- }
- return `
-dnsConfig:
- searches:
- - global
- - "{{ valueOrDefault .DeploymentMeta.Namespace "default" }}.global"
-`
-}
-
 func (r *Reconciler) templateConfig() string {
 return `rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }}
 {{- if .Values.global.podDNSSearchNamespaces }}
From 42ac9f4170de185e8196c8e3def56d6904e65194 Mon Sep 17 00:00:00 2001
From: Zsolt Varga
Date: Thu, 11 Jul 2019 15:54:59 +0200
Subject: [PATCH 8/8] fix multi cluster metrics instance cr
---
 pkg/resources/mixer/kubernetes.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
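Review bot: The multi-mesh branch ends with `return ""`, so whenever `spec.multiMesh` is true `getValues` returns an empty values document: the `podDNSSearchNamespaces` slice it just built is never read, and `trustDomain`, `imagePullPolicy`, `network`, `proxy_init.image` and everything else in the map are dropped with it, which presumably leaves the injector template without its `.Values` in exactly the configuration this commit sets out to fix. The line reads as a leftover of the deleted `dnsConfig()` in the second hunk, which returned `""` for the non-multi-mesh case. Remove the `return ""` so the branch only populates the slice, and add a test that renders the values with `multiMesh: true` and asserts both search domains and the `global` keys are present. Whether a pod then comes up with no sidecar or a broken one depends on the webhook failure policy, which is outside this hunk, as is the rest of getValues.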
diff --git a/pkg/resources/mixer/kubernetes.go b/pkg/resources/mixer/kubernetes.go
index 355a18065..da6dd03c7 100644
--- a/pkg/resources/mixer/kubernetes.go
+++ b/pkg/resources/mixer/kubernetes.go
@@ -59,7 +59,7 @@ func (r *Reconciler) attributesKubernetes() *k8sutil.DynamicObject {
 "destination_uid": `destination.uid | ""`,
 "destination_port": `destination.port | 0`,
 },
- "attributeBindings": map[string]interface{}{
+ "attributeBindings": map[string]string{
 "source.ip": `$out.source_pod_ip | ip("0.0.0.0")`,
 "source.uid": `$out.source_pod_uid | "unknown"`,
 "source.labels": `$out.source_labels | emptyStringMap()`,
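Review bot: The only change is the map's value type, and neither the hunk nor the commit message says what that corrects for the multi-cluster metrics instance; presumably the dynamic object's apply or compare path treats `map[string]interface{}` and `map[string]string` differently, but a reader cannot tell, and the next refactor is likely to revert it for consistency with the sibling map closed by the `},` context line above, whose type is not visible here. A one-line comment on the changed line, e.g. `// keep as map[string]string: <what broke with interface{}>`, or a sentence in the commit body would preserve the reason. attributesKubernetes continues outside the hunk.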