Proxy: Dedicated DaemonSet for Envoy Proxy #25076
Closed
mhofstetter wants to merge 17 commits into cilium:main from mhofstetter:pr/mhofstetter/envoy-daemonset
mhofstetter added the following labels on Apr 24, 2023:
area/proxy (Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers.)
release-note/major (This PR introduces major new functionality to Cilium.)
area/servicemesh (GH issues or PRs regarding servicemesh)
mhofstetter force-pushed the pr/mhofstetter/envoy-daemonset branch from 130fc1c to fe4844b (April 24, 2023 08:48)
This commit introduces the Dockerfile for building the Cilium Proxy image. For now, it builds on top of the runtime image and copies the proxy binary from github.com/cilium/proxy Docker Image. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
This commit adds the necessary Make targets to build the Cilium Proxy Docker image. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
This commit adds building the Cilium Proxy Docker Image to the GitHub Action. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Currently, the /var/run/cilium is used as state and runtime directory for various aspects. The Unix Sockets for the communication between Cilium Agent & Cilium Proxy (Envoy) (xDS, Admin, AccessLog) are created in this directory too. With the need of sharing the sockets between Agent & Proxy Pod via hostmount in the future, this commit moves the sockets into the directory /var/run/proxy. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Currently, the Cilium Proxy is started as standalone process embedded within the Cilium Agent Pod. During the transition towards having a dedicated DaemonSet for the Cilium Proxy, this commit introduces the possibility to configure whether the embedded proxy should be enabled or not via Cilium config property `proxy-embedded-enabled`. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
This commit refactors the initialization of the embedded Envoy Proxy instance by introducing an EnvoyAdminClient interface which encapsulates the communication with the Envoy Proxy instance - whether this is the embedded or standalone (DaemonSet) instance. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
mhofstetter force-pushed the pr/mhofstetter/envoy-daemonset branch from fe4844b to ee534fd (April 24, 2023 08:49)
This commit introduces the DaemonSet for the Cilium Proxy. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
With this commit, the Helm values for local kind environments are adapted to support the locally built proxy image. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
This commit adapts the change of the envoy unix socket location when dumping the Envoy config & metrics. Unix Sockets are now located within `/var/run/proxy`. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Currently, the metrics listener is added dynamically at runtime - mainly to prevent the embedded Envoy from not starting if the port is already used. In case of a dedicated Proxy DaemonSet, the metrics listener gets configured as static resource within the bootstrap config. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
With this commit, the Proxy DaemonSet uses the "/ready" from the Envoy admin interface for health probes (startup, live & ready). Therefore, it reuses the listener of the metrics listener - mainly to prevent the need for another port. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Currently, the Envoy version of the Cilium proxy gets checked at startup via the binary's version command. Due to extraction of the Cilium Proxy into its own DaemonSet, this commit retrieves the version via Envoy's admin interface. Therefore, version check happens after initializing the EnvoyAdminClient. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Currently, the embedded Envoy Proxy instance supports changing the log path from stdout to a file via cilium config property `envoy-log`. This commit introduces the Helm property `proxy.log.path` which configures the Cilium property and the Cilium DaemonSet start arguments. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Currently, the embedded Envoy Proxy instance hardcodes Envoy's application log format to an adapted form of the Cilium log format and switches to the default Envoy log format if a log path is defined. By having the Cilium Proxy in a dedicated DaemonSet, the default is the Envoy log format. In addition, this commit provides the possibility to configure the log format via Helm value `proxy.log.format`. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
This commit adapts Envoy's Log Level in the Proxy DaemonSet to use the debug & debug-verbose options from the Helm Chart.
* "debug.verbose" contains "envoy" -> trace
* "debug.enabled" & "debug.verbose" contains "flow" -> debug
* default -> info
Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
This commit refactors all aspects of the embedded Envoy proxy instance into a separate file `embedded_envoy.go` and separates it from other aspects like EnvoyAdminClient. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
mhofstetter force-pushed the pr/mhofstetter/envoy-daemonset branch 2 times, most recently from 488a4c9 to 853fae3 (April 24, 2023 08:56)
Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
mhofstetter force-pushed the pr/mhofstetter/envoy-daemonset branch from 853fae3 to 33ffea8 (April 24, 2023 08:57)
closed in favor of #25081
Currently, whenever L7 capabilities are required, the Cilium L7 Proxy (Envoy) gets executed as a separate process within the Cilium Agent k8s container.
This PR adds support for deploying Envoy independently as a separate K8s DaemonSet for availability, performance, and (potentially) security benefits.
Potential Benefits
Tasks
`quay.io/cilium/proxy`)
`/ready` endpoint as health endpoint for Cilium Proxy Pods
`Conformance Kind` for testing Cilium connectivity tests against cilium with proxy in DaemonSet
This PR tries to cover the relevant tasks to provide support for deploying Envoy in its own DaemonSet - without getting too big. The following tasks were out of scope.
Please review the individual commits! They are more or less aligned with above tasks.
Installation
For the time being, the default will still be the "embedded" envoy proxy. Therefore, Proxy as DaemonSet must be explicitly enabled via helm value `proxy.enabled=true`.
ℹ️ Adaptions (status, sysdump, install) in cilium/cilium-cli will follow soon
Release Note