Validate guides for 1.9 release

[b3a-dev]

• Managed k8s

  • EKS (@nathanjsweet )
  • GKE (@ti-mo ) docs: GKE - fix some indentation, specify bash code segments #13645
  • AKS (@twpayne ) docs/gettingstarted: Update AKS instructions #13632

• Self-managed

  • Quick-install (@rolinh )
  • w/ external etcd (@fristonio ) docs: fix minor issue in cilium support with external etcd gsg #13651
  • Azure Cloud (@jrajahalme ) docs: Add Azure troubleshooting tips #13714 keep in beta
  • Openshift (@michi-covalent ) doc: Update OpenShift GSG #13713

• Guides

  • Kubernetes without kube-proxy (@pchaigno ) docs: Updates kube-proxy-free getting started guide #13692
  • XDP on GKE (@gandro ) - Still not supported docs: NodePort XDP on GCP is not supported #13665
  • XDP on Azure (@tklauser ) Various fixes for NodePort XDP kube-proxy free guide #13674, docs: update NodePort XDP kube-proxy-free GSG for Azure AKS #13685
  • Clustermesh on GKE (@nathanjsweet / @aanm ) Documentation: cluster mesh guide for inter-regional deployments missing key details #13740
  • Transparent encryption (@kkourt ) transparent encryption: interface detection #13662 transparent encryption: setting nodEncryption=true results in nodes being unreachable #13663
  • Host Firewall (@qmonnet ) docs: improve Host Firewall GSG #13673
  • Bandwidth Manager (@jrfastab )
  • Local Redirect Policy (@nebril ) docs: Various LRP gsg fixups #13737 redirectpolicy: Check lrp type before restoring lrp service #13741
  • Istio guide (@nebril )
  • CNI chaining - Calico (@tklauser )

• Monitoring

  • Metrics/Grafana (@twpayne ) docs/gettingstarted: Fix minor issues in Metrics guide #13668
  • Troubleshooting with Hubble/HubbleRelay (@tklauser )
    • Only minor issues found: Fixes for troubleshooting guide re. Hubble/Hubble Relay #13644

• Other Orchestrators

  • Docker (@jibi ) docs: docker: update some command outputs #13695

[joestringer]

FYI I have disabled the "v1.9" branch docs for now in favor of the "v1.9.0-rc2" docs. Please follow the docs from here:

https://docs.cilium.io/en/v1.9.0-rc2/

EDIT: I updated the links in the guides above.

[ti-mo]

GKE instructions seem solid, everything works as expected. Addresses some nits in #13645.

(I can't update the issue description..)

[michi-covalent]

having trouble running openshift-install:

% ./openshift-install create install-config --dir "${CLUSTER_NAME}" --log-level debug
DEBUG OpenShift Installer 4.5.0-0.okd-2020-10-15-235428
DEBUG Built from commit 63200c80c431b8dbaa06c0cc13282d819bd7e5f8
DEBUG Fetching Install Config...
DEBUG Loading Install Config...
DEBUG   Loading SSH Key...
DEBUG   Loading Base Domain...
DEBUG     Loading Platform...
DEBUG   Loading Cluster Name...
DEBUG     Loading Base Domain...
DEBUG     Loading Platform...
DEBUG   Loading Pull Secret...
DEBUG   Loading Platform...
DEBUG   Fetching SSH Key...
DEBUG   Generating SSH Key...
? SSH Public Key /path/to/id_rsa.pub
DEBUG   Fetching Base Domain...
DEBUG     Fetching Platform...
DEBUG     Generating Platform...
? Platform gcp
INFO Credentials loaded from environment variable "GOOGLE_CREDENTIALS", file "/path/to/key.json"
? Region us-central1
DEBUG   Generating Base Domain...
FATAL failed to fetch Install Config: failed to fetch dependency of "Install Config": failed to generate asset "Base Domain": could not retrieve base domains: googleapi: Error 400: Invalid resource field value in the request., invalidParameter

• i found unable to use GCP without using a service account key openshift/installer#4232 from @errordeveloper , which kind of seems related, but not sure what the fix was.
• also https://docs.cilium.io/en/v1.9.0-rc2/gettingstarted/k8s-install-openshift-okd/#k8s-install-openshift-okd uses GOOGLE_APPLICATION_CREDENTIALS instead of GOOGLE_CREDENTIALS. are they both supposed to work?

[aditighag]

@nebril Please hold off on testing the Local Redirect Policy guide until #13543 is merged.

[nathanjsweet]

EKS is looking good. I had no issue.

[kkourt]

Some issues with transparent encryption:

Failure to autodetect interface

Using:

$ helm install cilium cilium/cilium --version 1.9.0-rc2 --namespace kube-system --set encryption.enabled=true --set encryption.nodeEncryption=false

Failed.

The problem seemed to be with cilium guess the interface wrong:

...
level=info msg="  --encrypt-interface='eth0'" subsys=daemon
...
level=warning msg="Device \"eth0\" does not exist." subsys=datapath-loader

There was no eth0 interface on the machine, and specifying the interface --set encryption.interface=ens4 seems to solve the issue.

The guide states the following:

If direct routing is being used, an additional argument can be used to identify
the network-facing interface. If no interface is specified, the default route
link is chosen by inspecting the routing tables.

Which might be interpreted so that it means that the interface can only be set when using direct routing.

An attempt to clarify this can be found in: #13660

Long term, we might want to improve the interface detection.

nodeEncryption=true does not seem to work

Specifying --set encryption.nodeEncryption=true results in k8s nodes being unreachable (e.g., unable to ping them, rendered unavailable). Not clear what is wrong in this case. No relevant errors/warnings in cilium logs.

Some info that might be useful:

kkourt@t1:~$ ip r
default via 10.172.0.1 dev ens4 proto dhcp src 10.172.15.198 metric 100 
10.0.0.0/24 via 10.0.0.26 dev cilium_host src 10.0.0.26 mtu 1333 
10.0.0.26 dev cilium_host scope link 
10.0.1.0/24 via 10.0.0.26 dev cilium_host src 10.0.0.26 mtu 1333 
10.172.0.1 dev ens4 proto dhcp scope link src 10.172.15.198 metric 100 
10.172.15.199 dev cilium_host proto eigrp mtu 1333 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
kkourt@t1:~$ ip route get 10.172.15.199
10.172.15.199 dev cilium_host src 10.172.15.198 uid 1001 
    cache mtu 1333 
kkourt@t1:~$ ping 10.172.15.199
PING 10.172.15.199 (10.172.15.199) 56(84) bytes of data.
^C
--- 10.172.15.199 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1036ms

[pchaigno]

@kkourt Could you open dedicated issues for:

There was no eth0 interface on the machine, and specifying the interface --set encryption.interface=ens4 seems to solve the issue.

and

Specifying --set encryption.nodeEncryption=true results in k8s nodes being unreachable (e.g., unable to ping them, rendered unavailable). Not clear what is wrong in this case. No relevant errors/warnings in cilium logs.

[kkourt]

@kkourt Could you open dedicated issues for:

Sure.

There was no eth0 interface on the machine, and specifying the interface --set encryption.interface=ens4 seems to solve the issue.

#13662

and

Specifying --set encryption.nodeEncryption=true results in k8s nodes being unreachable (e.g., unable to ping them, rendered unavailable). Not clear what is wrong in this case. No relevant errors/warnings in cilium logs.

#13663

[rolinh]

The quick install guide is fine. While validating it, I noticed that we sometimes refer to slack by using Slack channel, which leads to the glossary page when clicked (note: it's not really obvious that the element is clickable) and sometimes by providing a link with anchor to the help page. We should probably strive for more consistency.

[nebril]

Got some CRD and Ingress api version deprecation warnings when running ./cilium-istioctl manifest apply -y , looks like istio deployed correctly, but process exited with an error:

Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition (repeated 1 times)

Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress (repeated 1 times)

I think this is fine, but wanted to put this out there.

As a side note, minikube start uses docker backend by default, do we want to add virtualbox backend option to the docs? I had some issues with image downloads from within the docker node, not sure if that's just my setup though.

Small nitpick - "Copy All" button copies brackets with preceding backslash, which causes the script to fail - this happens on zsh only, not in bash, or when pasting into vim.

for service in ratings-v1 reviews-v2; do \
      kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/v1.9.0-rc2/examples/kubernetes-istio/bookinfo-${service}.yaml ; done

Last one is this error message an expected one at the end of step 5?

[2020-10-21 13:09:03,955] ERROR Error processing message, terminating consumer process:  (kafka.tools.ConsoleConsumer$)
org.apache.kafka.common.protocol.types.SchemaException: Error reading field 'responses': Error reading field 'partition_responses': Error reading field 'record_set': Bytes size -1 cannot be negative
        at org.apache.kafka.common.protocol.types.Schema.read(Schema.java:73)
        at org.apache.kafka.clients.NetworkClient.parseResponse(NetworkClient.java:380)
        at org.apache.kafka.clients.NetworkClient.handleCompletedReceives(NetworkClient.java:449)
        at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:269)
        at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:232)
        at org.apache.kafka.clients.consumer.KafkaConsumer.pollOnce(KafkaConsumer.java:1031)
        at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:979)
        at kafka.consumer.NewShinyConsumer.receive(BaseConsumer.scala:100)
        at kafka.tools.ConsoleConsumer$.process(ConsoleConsumer.scala:120)
        at kafka.tools.ConsoleConsumer$.run(ConsoleConsumer.scala:75)
        at kafka.tools.ConsoleConsumer$.main(ConsoleConsumer.scala:50)
        at kafka.tools.ConsoleConsumer.main(ConsoleConsumer.scala)

Overall, I think the guide works good.

[michi-covalent]

opened #13713 for some minor modifications for openshift gsg. well done @errordeveloper i don't know how you figured out all these steps 💯 🚀

[nathanjsweet]

I did a multi-regional deployment in GKE to test cluster-mesh. One of the things that I ran into is that I needed to turn "global access" on manually for the internal loadbalancers for etcd ala this guide. I filed this issue for us to fix it.