Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bring Envoy from official release #10

Closed
jamsajones opened this issue Nov 28, 2018 · 16 comments
Closed

Bring Envoy from official release #10

jamsajones opened this issue Nov 28, 2018 · 16 comments
Assignees

Comments

@jamsajones
Copy link

@jamsajones jamsajones commented Nov 28, 2018

You should be able to use the offical release of Envoy.

@coultn coultn changed the title Bring Envoy from offical release Bring Envoy from official release Nov 29, 2018
@NoOrdInaryGuy

This comment has been minimized.

Copy link

@NoOrdInaryGuy NoOrdInaryGuy commented Dec 17, 2018

@jamsajones Out of interest, do you have any info about what modifications are in aws-appmesh-envoy:v1.8.0.2-beta versus the official Envoy release? (If this is something you can disclose).

@lavignes

This comment has been minimized.

Copy link

@lavignes lavignes commented Dec 17, 2018

@NoOrdInaryGuy
We're tracking the progress of up-streaming the main modifications in #38 and #39:

  • #38 An xDS authentication extension for using IAM credentials to connect to our envoy management service.
  • #39 An X-Ray tracer extension.
@NoOrdInaryGuy

This comment has been minimized.

Copy link

@NoOrdInaryGuy NoOrdInaryGuy commented Dec 17, 2018

Great, that's good to know - thanks for the info!

@CharlyF

This comment has been minimized.

Copy link

@CharlyF CharlyF commented Mar 14, 2019

👋 all, just out of curiosity - Would you have an ETA on this one ?
If I remember correctly, I was able to use the Datadog tracer from envoy a few months back using your custom image (I assume it backported this change envoyproxy/envoy#4699 among others).
Trying to make it work again, I am seeing:

[2019-03-14 01:04:43.372][1][info][config] source/server/configuration_impl.cc:95] loading tracing configuration
[2019-03-14 01:04:43.372][1][info][config] source/server/configuration_impl.cc:104]   loading tracing driver: envoy.tracers.datadog
[2019-03-14 01:04:43.372][1][critical][main] source/server/server.cc:80] error initializing configuration '/tmp/envoy.yaml': Didn't find a registered implementation for name: 'envoy.tracers.datadog'
[2019-03-14 01:04:43.372][1][debug][grpc] source/common/grpc/google_async_client_impl.cc:89] Client teardown, resetting streams

Which leads me to believe that the implementation is not available in this current image (v1.8.0.2-beta).
I think this along with some fixes was merged after 1.8.0 and included in the official 1.9.0, do you know if a new aws-envoy image will be build (prior to GA) with this feature (backported or just bumped to 1.9.0) ?
Best,
.C

@abby-fuller abby-fuller transferred this issue from aws/aws-app-mesh-examples Mar 27, 2019
@abby-fuller abby-fuller added this to Coming Soon in aws-app-mesh-roadmap Mar 27, 2019
@shubharao

This comment has been minimized.

Copy link

@shubharao shubharao commented May 11, 2019

@CharlyF We now support version v1.9.1.0. We do not yet have an ETA for upstreaming the changes we made (primarily for Sigv4 authentication of Envoy), but this is on our high priority item list

@tsykora-verimatrix

This comment has been minimized.

Copy link

@tsykora-verimatrix tsykora-verimatrix commented Sep 2, 2019

Is the v1.9.1.0 available outside us-west-2?

"Failed to enable App Mesh integration
Envoy container must use the official App Mesh Envoy image"

when I try to use:
111345817488.dkr.ecr.us-east-1.amazonaws.com/aws-appmesh-envoy:v1.9.1.0-prod

@lavignes

This comment has been minimized.

Copy link

@lavignes lavignes commented Sep 3, 2019

Hi @tsykora-verimatrix

We recommend that you use the latest Envoy image available, which is currently tagged as v1.11.1.1-prod: https://docs.aws.amazon.com/app-mesh/latest/userguide/envoy.html

It is available in all the App Mesh regions. Do you need to use v1.9.1.0 in particular?

@kamaldon

This comment has been minimized.

Copy link

@kamaldon kamaldon commented Sep 13, 2019

I am attempting to you use the version v1.11.1.1 specified in the documentation but I am getting the same error
Image: 111345817488.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-envoy:v1.11.1.1-prod
"Failed to enable App Mesh integration
Envoy container must use the official App Mesh Envoy image"

@tsykora-verimatrix

This comment has been minimized.

Copy link

@tsykora-verimatrix tsykora-verimatrix commented Sep 15, 2019

111345817488.dkr.ecr.us-east-1.amazonaws.com/aws-appmesh-envoy:v1.11.1.1-prod

Status reason CannotPullContainerError: Error response from daemon: pull access denied for 111345817488.dkr.ecr.us-east-1.amazonaws.com/aws-appmesh-envoy, repository does not exist or may require 'docker login'
1337

@lavignes doesn't work either

@bcelenza

This comment has been minimized.

Copy link
Contributor

@bcelenza bcelenza commented Sep 15, 2019

@tsykora-verimatrix Just to confirm:

  1. Your ECS task is running in us-east-1 as well?
  2. You have given the ECS task permissions to pull images from ECR? (see these docs)

I ran a quick test to ensure that the ECR repository was open for pulling from all accounts:

$(aws ecr --region us-east-1 get-login --no-include-email --registry-ids 111345817488)

docker pull 111345817488.dkr.ecr.us-east-1.amazonaws.com/aws-appmesh-envoy:v1.11.1.1-prod

v1.11.1.1-prod: Pulling from aws-appmesh-envoy
72d97abdfae3: Already exists 
083db2dc1aa4: Pull complete 
0ea0eef1b868: Pull complete 
97858b908079: Pull complete 
cb999a5ecfd0: Pull complete 
753534a07b32: Pull complete 
Digest: sha256:afea680c7ea35fd886be0c8599beb8d9285c2d62732480cd19a9ecda65291c13
Status: Downloaded newer image for 111345817488.dkr.ecr.us-east-1.amazonaws.com/aws-appmesh-envoy:v1.11.1.1-prod

To be very sure your account can pull, you could try to run the commands above.

@bcelenza

This comment has been minimized.

Copy link
Contributor

@bcelenza bcelenza commented Sep 15, 2019

@kamaldon I was able to reproduce your issue on the ECS console, which is where I assume you are seeing it?

Update: I'm not actually able to reproduce this. I had personally forgotten to click the Apply button on the App Mesh integration. Is it possible you've run into the same thing?

@kamaldon

This comment has been minimized.

Copy link

@kamaldon kamaldon commented Sep 15, 2019

@bcelenza My original attempt was trying to configure it through the "Configure via JSON" option which caused the failure. I tried inputting version 1.11.1 into the "Envoy Image" text field and I also clicked the Apply button and there are no errors, and I can even create the new revision but it doesn't actually update the docker image. The new task definition revision still has the 1.9.0 version.

For some reason the Apply button keeps defaulting it back to 1.9.0.

@tsykora-verimatrix

This comment has been minimized.

Copy link

@tsykora-verimatrix tsykora-verimatrix commented Sep 16, 2019

@tsykora-verimatrix Just to confirm:

1. Your ECS task is running in us-east-1 as well?

2. You have given the ECS task permissions to pull images from ECR? (see [these docs](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_ECS.html))

I ran a quick test to ensure that the ECR repository was open for pulling from all accounts:

$(aws ecr --region us-east-1 get-login --no-include-email --registry-ids 111345817488)

docker pull 111345817488.dkr.ecr.us-east-1.amazonaws.com/aws-appmesh-envoy:v1.11.1.1-prod

v1.11.1.1-prod: Pulling from aws-appmesh-envoy
72d97abdfae3: Already exists 
083db2dc1aa4: Pull complete 
0ea0eef1b868: Pull complete 
97858b908079: Pull complete 
cb999a5ecfd0: Pull complete 
753534a07b32: Pull complete 
Digest: sha256:afea680c7ea35fd886be0c8599beb8d9285c2d62732480cd19a9ecda65291c13
Status: Downloaded newer image for 111345817488.dkr.ecr.us-east-1.amazonaws.com/aws-appmesh-envoy:v1.11.1.1-prod

To be very sure your account can pull, you could try to run the commands above.

thank you, indeed my IamTaskExecRole (automatically generated by CDK) was limited to my service container only, after extending it for envoy container the Fargate service I created was able to pull the envoy container.

So Envoy is now running as side-car container with my application.

Last missing piece of the puzzle is the missing Proxy/ initContainer functionality without which I can't really pass any traffic to AppMesh service. (I'm not using AWS console, instead I use CDK).

@bcelenza

This comment has been minimized.

Copy link
Contributor

@bcelenza bcelenza commented Sep 16, 2019

@kamaldon Yup, I'm able to reproduce that issue (Apply still sets as 1.9.0). Working on getting this resolved. Thanks for the clarification!

@bcelenza

This comment has been minimized.

Copy link
Contributor

@bcelenza bcelenza commented Sep 17, 2019

@tsykora-verimatrix Looks like you've already found it, but support for proxyConfiguration in the CDK is logged as aws/aws-cdk#3977.

@jamsajones

This comment has been minimized.

Copy link
Author

@jamsajones jamsajones commented Sep 30, 2019

We are done with the work required to allow App Mesh to work with Envoy upstream. Officially App Mesh auth via SigV4 will be available when milestone 1.12.0 completes (see: envoyproxy/envoy#8042). Outstanding work is X-Ray related and I am closing this issue in favor of #21 and #95.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
8 participants
You can’t perform that action at this time.