ingress: Support NodePort for dedicated Ingress #22974

Merged on Jan 24, 2023 (1 commit)


@sayboras sayboras commented Jan 9, 2023

Description

This commit is to support NodePort service in dedicated mode. Shared service NodePort can be configured via helm as per #22583.

Relates: #22583
Signed-off-by: Tam Mach <tam.mach@cilium.io>

Testing

Testing was done locally as per below

# Basic ingress for the Istio bookinfo demo application, which can be found at:
# https://raw.githubusercontent.com/istio/istio/release-1.11/samples/bookinfo/platform/kube/bookinfo.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: basic-ingress
  namespace: default
  annotations:
    io.cilium.ingress/service-type: "NodePort"
    io.cilium.ingress/insecure-node-port: "30000"
    io.cilium.ingress/secure-node-port: "30001"
    io.cilium.ingress/loadbalancer-mode: "dedicated"
spec:
  ingressClassName: cilium
  rules:
  - http:
      paths:
      - backend:
          service:
            name: details
            port:
              number: 9080
        path: /details
        pathType: Prefix
      - backend:
          service:
            name: productpage
            port:
              number: 9080
        path: /
        pathType: Prefix

Sending traffic to NodePort service

$ kgsvc       
NAME                           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
cilium-ingress-basic-ingress   NodePort    10.106.157.226   <none>        80:30000/TCP,443:30001/TCP   3s
details                        ClusterIP   10.96.85.227     <none>        9080/TCP                     26m
kubernetes                     ClusterIP   10.96.0.1        <none>        443/TCP                      35m
productpage                    ClusterIP   10.104.152.26    <none>        9080/TCP                     26m
ratings                        ClusterIP   10.105.230.48    <none>        9080/TCP                     26m
reviews                        ClusterIP   10.102.73.248    <none>        9080/TCP                     26m

$ curl http://192.168.49.2:30000/details/1
{"id":1,"author":"William Shakespeare","year":1595,"type":"paperback","pages":200,"publisher":"PublisherA","language":"English","ISBN-10":"1234567890","ISBN-13":"123-1234567890"}

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 9, 2023
@sayboras sayboras added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label Jan 9, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 9, 2023
@sayboras sayboras added area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. area/servicemesh GH issues or PRs regarding servicemesh labels Jan 9, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 9, 2023
@sayboras sayboras added the needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch label Jan 9, 2023
@sayboras sayboras marked this pull request as ready for review January 9, 2023 06:55
@sayboras sayboras requested review from a team as code owners January 9, 2023 06:55
sayboras commented Jan 9, 2023

/test

Job 'Cilium-PR-K8s-1.25-kernel-4.19' failed:

Test Name

K8sAgentChaosTest Connectivity demo application Endpoint can still connect while Cilium is not running

Failure Output

FAIL: Endpoints are not ready after timeout

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.25-kernel-4.19 so I can create one.

Job 'Cilium-PR-K8s-1.16-kernel-4.9' failed:

Test Name

K8sKafkaPolicyTest Kafka Policy Tests KafkaPolicies

Failure Output

FAIL: Found 1 io.cilium/app=operator logs matching list of errors that must be investigated:

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.16-kernel-4.9 so I can create one.

@sayboras sayboras added the release-blocker/1.13 This issue will prevent the release of the next version of Cilium. label Jan 9, 2023
@qmonnet qmonnet left a comment

Looks good as far as I can tell

operator/pkg/model/model.go (outdated review thread, resolved)
@joestringer

@sayboras Why was release-blocker/1.13 added to this feature PR? We closed the window for new features about a month ago.

@sayboras

> Why was release-blocker/1.13 added to this feature PR? We closed the window for new features about a month ago.

We partially added this feature in #22583, hence I think we can just wrap it off for NodePort support.

@joestringer joestringer left a comment

Looking back over the PR, it looks like just adding parsing for a couple of extra service annotations and adding some minor translation code for that, and hence it fleshes out the remaining pieces of a brand new feature (i.e. no risk of breaking existing features). I'm not a big fan of sneaking PRs in this late during the cycle, but the PR does look innocent enough 😇

How do we test this and know it works? Is it just ensuring that when certain objects are ingested into operator/pkg/model/ingress, they are properly translated? Do we need some sort of dataplane / integration testing?

@sahid sahid left a comment

Thank you Tam, looks good, just one suggestion, but I may not have noticed a check that is already present.

sayboras commented Jan 17, 2023

/test

Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed:

Test Name

K8sUpdates Tests upgrade and downgrade from a Cilium stable image to master

Failure Output

FAIL: cannot import l7 policy: /home/jenkins/workspace/Cilium-PR-K8s-1.24-kernel-5.4/src/github.com/cilium/cilium/test/k8s/manifests/l7-policy.yaml

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.24-kernel-5.4 so I can create one.

@youngnick youngnick left a comment

The change itself LGTM, but I agree with Joe that it would be worth adding some extra tests:

  • an e2e test that tests what happens when there's a mistake with the config (from the other comment). We should lock in the "you get an LB service instead" behavior with a test of some sort, so that if someone "fixes" that, we'll know.
  • Some unit testing of the GetAnnotation functions would also be nice.
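
A sketch of the kind of unit check discussed in this review, added here as an illustration and not taken from the Cilium code base or from any participant in this thread. The annotation keys come from the manifest in the PR description; `serviceSpec`, `nodePort` and `resolveService` are hypothetical names, and the rules that an unrecognized service type falls back to LoadBalancer and that an unparsable port is left unset are assumptions about the behavior.

```go
package main

import (
	"fmt"
	"strconv"
)

// Annotation keys taken from the manifest in the PR description.
const (
	serviceTypeKey  = "io.cilium.ingress/service-type"
	insecurePortKey = "io.cilium.ingress/insecure-node-port"
	securePortKey   = "io.cilium.ingress/secure-node-port"
)

// serviceSpec is a hypothetical result type, not a Cilium type.
type serviceSpec struct {
	Type                     string
	InsecurePort, SecurePort *int32
}

// nodePort returns nil when the annotation is absent or not a valid port
// number (assumption: the port is then left for Kubernetes to allocate).
func nodePort(ann map[string]string, key string) *int32 {
	n, err := strconv.ParseUint(ann[key], 10, 16)
	if err != nil || n == 0 {
		return nil
	}
	p := int32(n)
	return &p
}

// resolveService maps annotations to a Service shape. Any service-type other
// than the exact string "NodePort" yields a LoadBalancer (assumed fallback),
// and the node port annotations are then ignored.
func resolveService(ann map[string]string) serviceSpec {
	if ann[serviceTypeKey] != "NodePort" {
		return serviceSpec{Type: "LoadBalancer"}
	}
	return serviceSpec{"NodePort", nodePort(ann, insecurePortKey), nodePort(ann, securePortKey)}
}

func main() {
	// Constructed inputs: the PR's annotations, then a misspelled service type.
	good := map[string]string{serviceTypeKey: "NodePort", insecurePortKey: "30000", securePortKey: "30001"}
	typo := map[string]string{serviceTypeKey: "Nodeport", insecurePortKey: "30000"}
	g, b := resolveService(good), resolveService(typo)
	fmt.Println(g.Type, *g.InsecurePort, *g.SecurePort)
	fmt.Println(b.Type, b.InsecurePort == nil)
}
```

Pinning the fallback case in a test makes a later change to it visible, since it decides whether a misconfigured Ingress ends up behind a LoadBalancer or a NodePort Service.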

sayboras commented Jan 18, 2023

/mlh new-flake Cilium-PR-K8s-1.24-kernel-5.4

👍 created #23150

@joestringer

/test-1.24-5.4

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 18, 2023
@christarazi christarazi added dont-merge/bad-bot To prevent MLH from marking ready-to-merge. and removed ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Jan 18, 2023
@sayboras sayboras removed the release-blocker/1.13 This issue will prevent the release of the next version of Cilium. label Jan 19, 2023
@sayboras sayboras marked this pull request as draft January 19, 2023 20:28
@sayboras sayboras removed the dont-merge/bad-bot To prevent MLH from marking ready-to-merge. label Jan 23, 2023
@sayboras

I have addressed the lack of testing for this change, mainly unit tests on individual phases (e.g. annotations, ingestion, and translation).

The lack of control plane tests will be tracked in #23234

@sayboras sayboras marked this pull request as ready for review January 23, 2023 04:33
@sayboras

/test

@sayboras sayboras added the release-blocker/1.13 This issue will prevent the release of the next version of Cilium. label Jan 23, 2023
@sayboras

/test

This commit is to support NodePort service in dedicated mode. Shared
service NodePort can be configured via helm as per cilium#22583.

Relates: cilium#22583
Signed-off-by: Tam Mach <tam.mach@cilium.io>
@sayboras

/test

@aanm aanm merged commit dc70484 into cilium:master Jan 24, 2023
@sayboras sayboras deleted the tam/ingress-nodeport branch January 24, 2023 11:06
@sayboras sayboras mentioned this pull request Jan 24, 2023
@sayboras sayboras added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Jan 24, 2023
@aanm aanm added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Jan 24, 2023