istioctl manifest has many unnecessary destination rule just for the tls.DISABLE #18654

Closed
incfly opened this issue Nov 5, 2019 · 4 comments
Labels
area/environments/operator Issues related to Operator or installation area/environments

incfly commented Nov 5, 2019

Bug description

➜  istio.io git:(automtls) ✗ kubectl get destinationrules.networking.istio.io --all-namespaces                       
NAMESPACE      NAME                                 HOST                                             AGE
istio-system   api-server                           kubernetes.default.svc.cluster.local             17m
istio-system   default                              *.local                                          7m
istio-system   grafana                              grafana.istio-system                             17m
istio-system   istio-multicluster-destinationrule   *.global                                         17m
istio-system   istio-policy                         istio-policy.istio-system.svc.cluster.local      17m
istio-system   istio-telemetry                      istio-telemetry.istio-system.svc.cluster.local   17m
istio-system   prometheus-full                      prometheus.istio-system.svc.cluster.local        17m
istio-system   prometheys                           prometheus.istio-system                          17m

Many of them are just for setting the TLS, which I don't think is needed.

kubectl get destinationrules.networking.istio.io --all-namespaces -oyaml | grep mode
        {"apiVersion":"networking.istio.io/v1alpha3","kind":"DestinationRule","metadata":{"annotations":{},"labels":{"operator.istio.io/component":"Pilot","operator.istio.io/managed":"Reconcile","operator.istio.io/version":"1.4.0","release":"istio"},"name":"api-server","namespace":"istio-system"},"spec":{"host":"kubernetes.default.svc.cluster.local","trafficPolicy":{"tls":{"mode":"DISABLE"}}}}
        mode: DISABLE
        {"apiVersion":"networking.istio.io/v1alpha3","kind":"DestinationRule","metadata":{"annotations":{},"labels":{"operator.istio.io/component":"Pilot","operator.istio.io/managed":"Reconcile","operator.istio.io/version":"1.4.0","release":"istio"},"name":"default","namespace":"istio-system"},"spec":{"host":"*.local","trafficPolicy":{"tls":{"mode":"DISABLE"}}}}
        mode: DISABLE
        {"apiVersion":"networking.istio.io/v1alpha3","kind":"DestinationRule","metadata":{"annotations":{},"labels":{"operator.istio.io/component":"Grafana","operator.istio.io/managed":"Reconcile","operator.istio.io/version":"1.4.0"},"name":"grafana","namespace":"istio-system"},"spec":{"host":"grafana.istio-system","trafficPolicy":{"tls":{"mode":"DISABLE"}}}}
        mode: DISABLE
        {"apiVersion":"networking.istio.io/v1alpha3","kind":"DestinationRule","metadata":{"annotations":{},"labels":{"app":"istio-egressgateway","operator.istio.io/component":"EgressGateway","operator.istio.io/managed":"Reconcile","operator.istio.io/version":"1.4.0","release":"istio"},"name":"istio-multicluster-destinationrule","namespace":"istio-system"},"spec":{"host":"*.global","trafficPolicy":{"tls":{"mode":"ISTIO_MUTUAL"}}}}
        mode: ISTIO_MUTUAL
        {"apiVersion":"networking.istio.io/v1alpha3","kind":"DestinationRule","metadata":{"annotations":{},"labels":{"app":"istio-policy","operator.istio.io/component":"Policy","operator.istio.io/managed":"Reconcile","operator.istio.io/version":"1.4.0","release":"istio"},"name":"istio-policy","namespace":"istio-system"},"spec":{"host":"istio-policy.istio-system.svc.cluster.local","trafficPolicy":{"connectionPool":{"http":{"http2MaxRequests":10000,"maxRequestsPerConnection":10000}},"portLevelSettings":[{"port":{"number":15004},"tls":{"mode":"ISTIO_MUTUAL"}},{"port":{"number":9091},"tls":{"mode":"DISABLE"}}]}}}
          mode: ISTIO_MUTUAL
          mode: DISABLE
        {"apiVersion":"networking.istio.io/v1alpha3","kind":"DestinationRule","metadata":{"annotations":{},"labels":{"app":"istio-telemetry","operator.istio.io/component":"Telemetry","operator.istio.io/managed":"Reconcile","operator.istio.io/version":"1.4.0","release":"istio"},"name":"istio-telemetry","namespace":"istio-system"},"spec":{"host":"istio-telemetry.istio-system.svc.cluster.local","trafficPolicy":{"connectionPool":{"http":{"http2MaxRequests":10000,"maxRequestsPerConnection":10000}},"portLevelSettings":[{"port":{"number":15004},"tls":{"mode":"ISTIO_MUTUAL"}},{"port":{"number":9091},"tls":{"mode":"DISABLE"}}]}}}
          mode: ISTIO_MUTUAL
          mode: DISABLE
        {"apiVersion":"networking.istio.io/v1alpha3","kind":"DestinationRule","metadata":{"annotations":{},"labels":{"operator.istio.io/component":"Prometheus","operator.istio.io/managed":"Reconcile","operator.istio.io/version":"1.4.0"},"name":"prometheus-full","namespace":"istio-system"},"spec":{"host":"prometheus.istio-system.svc.cluster.local","trafficPolicy":{"tls":{"mode":"DISABLE"}}}}
        mode: DISABLE
        {"apiVersion":"networking.istio.io/v1alpha3","kind":"DestinationRule","metadata":{"annotations":{},"labels":{"operator.istio.io/component":"Prometheus","operator.istio.io/managed":"Reconcile","operator.istio.io/version":"1.4.0"},"name":"prometheys","namespace":"istio-system"},"spec":{"host":"prometheus.istio-system","trafficPolicy":{"tls":{"mode":"DISABLE"}}}}

I didn't see that in the previous demo profile and helm install; I haven't verified in 1.4.

[X] Installation

Expected behavior

Steps to reproduce the bug

Version (include the output of istioctl version --remote and kubectl version)

How was Istio installed?
istioctl manifest apply --set profile=demo
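
Added example (not part of the issue thread or of Istio's own code): `grep mode` over the YAML also matches the last-applied-configuration annotation and loses which rule, host and port each `DISABLE` belongs to, so this sketch walks the JSON from `kubectl get destinationrules.networking.istio.io --all-namespaces -o json` and reports each TLS-disabled setting, flagging wildcard hosts. The function name `tls_disabled` and the `SAMPLE` input are hypothetical; the sample is constructed from the names, hosts and modes quoted above.

```python
import json

# Constructed sample: a trimmed DestinationRule list in the shape returned by
# `kubectl get destinationrules.networking.istio.io --all-namespaces -o json`,
# using names, hosts and modes from the output quoted in the issue.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "istio-system", "name": "api-server"},
     "spec": {"host": "kubernetes.default.svc.cluster.local",
              "trafficPolicy": {"tls": {"mode": "DISABLE"}}}},
    {"metadata": {"namespace": "istio-system", "name": "default"},
     "spec": {"host": "*.local", "trafficPolicy": {"tls": {"mode": "DISABLE"}}}},
    {"metadata": {"namespace": "istio-system",
                  "name": "istio-multicluster-destinationrule"},
     "spec": {"host": "*.global",
              "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}},
    {"metadata": {"namespace": "istio-system", "name": "istio-policy"},
     "spec": {"host": "istio-policy.istio-system.svc.cluster.local",
              "trafficPolicy": {"portLevelSettings": [
                  {"port": {"number": 15004}, "tls": {"mode": "ISTIO_MUTUAL"}},
                  {"port": {"number": 9091}, "tls": {"mode": "DISABLE"}}]}}},
]})


def tls_disabled(dr_list_json):
    """Return (namespace, name, host, scope, wildcard_host) per DISABLE setting."""
    findings = []
    for item in json.loads(dr_list_json).get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        host = spec.get("host", "")
        policies = [("", spec.get("trafficPolicy") or {})]
        # Subsets can carry their own trafficPolicy that overrides the top level.
        for subset in spec.get("subsets") or []:
            policies.append((f"subset {subset.get('name', '?')}: ",
                             subset.get("trafficPolicy") or {}))
        for prefix, policy in policies:
            settings = [(prefix + "all ports", policy.get("tls"))]
            for pls in policy.get("portLevelSettings") or []:
                port = (pls.get("port") or {}).get("number")
                settings.append((f"{prefix}port {port}", pls.get("tls")))
            for where, tls in settings:
                if (tls or {}).get("mode") == "DISABLE":
                    findings.append((meta.get("namespace"), meta.get("name"),
                                     host, where, host.startswith("*")))
    return findings


if __name__ == "__main__":
    for finding in tls_disabled(SAMPLE):
        print(*finding, sep="\t")
```
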

incfly commented Nov 5, 2019

istio-1.4-alpha.4c58b3d2f32c715f2188f227774256e2f81d865b build.

@incfly incfly added area/environments/installer area/environments/operator Issues related to Operator or installation labels Nov 5, 2019
incfly commented Nov 5, 2019

I confirmed the old helm yaml does not have this issue

k apply -f install/kubernetes/istio-demo.yaml
kubectl get destinationrules.networking.istio.io --all-namespaces
NAMESPACE      NAME              HOST                                             AGE
istio-system   istio-policy      istio-policy.istio-system.svc.cluster.local      4m
istio-system   istio-telemetry   istio-telemetry.istio-system.svc.cluster.local   4m

@howardjohn howardjohn self-assigned this Nov 5, 2019
@howardjohn
Member

@incfly noticed this as well, I am going to send a change to delete them

howardjohn added a commit to howardjohn/istio-installer that referenced this issue Nov 5, 2019
See istio/istio#18654

This is especially bad because the config will be reconciled, so even if
manually fixed will still break

istio-testing pushed a commit to istio/installer that referenced this issue Nov 6, 2019
* Kill unneeded/broken DestinationRules

See istio/istio#18654

This is especially bad because the config will be reconciled, so even if
manually fixed will still break

* api-server only when mtls enabled

* gen

istio-testing pushed a commit to istio-testing/installer that referenced this issue Nov 6, 2019
See istio/istio#18654

This is especially bad because the config will be reconciled, so even if
manually fixed will still break

istio-testing added a commit to istio/installer that referenced this issue Nov 6, 2019
* Kill unneeded/broken DestinationRules

See istio/istio#18654

This is especially bad because the config will be reconciled, so even if
manually fixed will still break

* api-server only when mtls enabled

* gen

@howardjohn
Member

Done
