Add blog on inbound forwarding changes

[howardjohn]

This adds a new blog post to describe upcoming changes, and how users can detect and plan for the change

[istio-testing]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[frankbu]

What version of istioctl has these checks? Is it already in 1.9? If we post the blog before Istio 1.10 is released, you should mention what version they need to use to do the checking.

[howardjohn]

1.10 only unfortunately, and not easy to backport. Ill add a note

[rvennam]

istioctl experimental precheck right?

[linsun]

Q @howardjohn on the background and current behavior diagram, the application containers are 2 app containers? Are they really complete 2 different containers? Think of our samples like sleep or product page, it is just 1 app container.

[howardjohn]

Q @howardjohn on the background and current behavior diagram, the application containers are 2 app containers? Are they really complete 2 different containers? Think of our samples like sleep or product page, it is just 1 app container.

No, its supposed to be one app. Its just saying it can bind to one or both network interfaces. Maybe it would be more clear to have one blob that is the app

[linsun]

Suggested change

	Without action, these ports will no longer be accessible upon upgrade.
	**Without action, these ports will no longer be accessible upon upgrade.**

Suggest highlight this.

[linsun]

I think it makes sense to say if the error (since you are changing the msg from warning to error) has occurred, you must use revision based upgrade to thoroughly test your application continues to work with the new control plane.

[linsun]

Is the configuration for the port or defaultEndpoint field in sidecar resource? A simple example would be really helpful here.

Walking through a migration scenario, if I create the sidecar resource for my istio 1.10 cp, and also created my app with 1.10's data plane, would that sidecar resource break traffic for my app with 1.9's data plane? (Correct me if I am wrong, I think our sidecar resource is global for a ns regardless of which control plane revision?)

[howardjohn]

Is the configuration for the port or defaultEndpoint field in sidecar resource

Both are required fields

The steps would be:

• Create sidecar in 1.9. This is scoped to a workload. It has no impact.
• Upgrade to 1.10. Because of sidecar explicitly saying to connect to localhost, there is no change in behavior

[linsun]

Yea was trying to see if we could isolate the sidecar only for 1.10. I don't think we could. In that case, user should validate sidecar resource has no impact to the app (1.9 based) first before upgrading to 1.10.

Note: some of the stateful apps, we ask users to change certain configs to listen on localhost, probably a good time to revert that change after testing.

[howardjohn]

You can with istio.io/rev, but there is no real reason to. I already changed that in https://preliminary.istio.io/latest/about/faq#applications.

[linsun]

Q @howardjohn on the background and current behavior diagram, the application containers are 2 app containers? Are they really complete 2 different containers? Think of our samples like sleep or product page, it is just 1 app container.

No, its supposed to be one app. Its just saying it can bind to one or both network interfaces. Maybe it would be more clear to have one blob that is the app

Yes, I think it would.

[mandarjog]

@howardjohn the blog title is too vague.
“Upcoming changes ...”

We need to make it more about the specific topic about inbound networking and the fast that it is a breaking change.

[frankbu]

Suggested change

	title: "Upcoming changes to Istio networking In Istio 1.10"
	title: "Upcoming networking changes In Istio 1.10"

[frankbu]

Suggested change

	For example, to configure request to be sent to `localhost` for the `ratings` application:
	{{< text yaml >}}
	apiVersion: networking.istio.io/v1beta1
	kind: Sidecar
	metadata:
	name: ratings
	spec:
	workloadSelector:
	labels:
	app: ratings
	ingress:
	- port:
	number: 8080
	protocol: HTTP
	name: http
	defaultEndpoint: 127.0.0.1:8080
	{{< /text >}}
	For example, to configure request to be sent to `localhost` for the `ratings` application:
	{{< text yaml >}}
	apiVersion: networking.istio.io/v1beta1
	kind: Sidecar
	metadata:
	name: ratings
	spec:
	workloadSelector:
	labels:
	app: ratings
	ingress:
	- port:
	number: 8080
	protocol: HTTP
	name: http
	defaultEndpoint: 127.0.0.1:8080
	{{< /text >}}

[linsun]

Suggested change

	* Disable the change entirely with the `PILOT_ENABLE_INBOUND_PASSTHROUGH=false` environment variable in Istiod. This option will be removed in the future.
	* Disable the change entirely with the `PILOT_ENABLE_INBOUND_PASSTHROUGH=false` environment variable in Istiod to enable the same behavior as prior to Istio 1.10. This option will be removed in the future.

[linsun]

@howardjohn thank you - it is pretty clear to me!

[howardjohn]

@linsun @frankbu thanks, I applied your comments

[google-cla]

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.

[craigbox]

@frankbu please pay homage to Googlebot when you have a chance.

[google-cla]

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.

[howardjohn]

Does anyone mind if I make a post on #announcenents to get some extra eyes on this?

[frankbu]

/test doc.test.profile_default_istio.io

[ericvn]

/retest

[istio-testing]

In response to a cherrypick label: new pull request created: #9532