Add redirect params as annotations to pod resolves issue #12906 #14171
Conversation
pilot/pkg/kube/inject/inject.go
Outdated
| @@ -947,3 +957,27 @@ func potentialPodName(metadata *metav1.ObjectMeta) string { | |||
| } | |||
| return "" | |||
| } | |||
|
|
|||
| // rewriteCniPodSPec will check if values from the sidecar injector Helm | |||
| // values need to be inserted as Pod annotations so the CNI will apply | |||
There was a problem hiding this comment.
File is not gofmt-ed with -s (from gofmt)
pilot/pkg/kube/inject/inject.go
Outdated
| if len(spec.CniExtraConfig) == 0 { | ||
| return nil | ||
| } | ||
| for k, _ := range annotationRegistry { |
There was a problem hiding this comment.
File is not gofmt-ed with -s (from gofmt)
|
Could you change the subject to something like "Add redirect params as annotations to pod" or something more descriptive? |
| {{- end }} | ||
| {{- if .Values.istio_cni.enabled }} |
There was a problem hiding this comment.
IMO we should always add these values as annotations if they exist in the proxyConfig.
There was a problem hiding this comment.
Agree, I don't think there is anything wrong with additional annotations?
There was a problem hiding this comment.
Well from a quick check if we add the annotations to the pods for all cases then I have to modify 90% of the test cases. I don't have a ton of time in the next week due to kubecon so wondering if it is worth the effort.
There was a problem hiding this comment.
set REFRESH_GOLDEN=1 in your env does it automatically if it is the tests I am thinking of. Just use with caution, don't blindly accept the output our the tests are really testing anything.
I don't care too much one way or another though
pilot/pkg/kube/inject/inject.go
Outdated
| if annotations[k] == spec.CniExtraConfig[k] { | ||
| continue | ||
| } else if annotations[k] != "" { | ||
| err = fmt.Errorf("Helm redirection inconsistent with pod spec annotation %s", annotations[k]) |
There was a problem hiding this comment.
error strings should not be capitalized or end with punctuation or a newline (from golint)
| {{- end }} | ||
| {{- if .Values.istio_cni.enabled }} |
There was a problem hiding this comment.
Agree, I don't think there is anything wrong with additional annotations?
pilot/pkg/kube/inject/inject.go
Outdated
| // rewriteCniPodSPec will check if values from the sidecar injector Helm | ||
| // values need to be inserted as Pod annotations so the CNI will apply | ||
| // the proper redirection rules. | ||
| func rewriteCniPodSPec(annotations map[string]string, spec *SidecarInjectionSpec) error { |
There was a problem hiding this comment.
Need some tests. Should be as simple as adding a couple yamls using cni to the testdata directory
There was a problem hiding this comment.
Starting looking to add some tests, but I don't see an example for how to make things conditional in the current test cases based helm values. I didn't search that hard yet but if there is another case or parameter to use as a recipe let me know. I might not get to this for a few days due to kubecon travel.
john-a-joyce
changed the title
pilot/pkg/kube/inject/inject.go
Outdated
| // rewriteCniPodSPec will check if values from the sidecar injector Helm | ||
| // values need to be inserted as Pod annotations so the CNI will apply | ||
| // the proper redirection rules. | ||
| func rewriteCniPodSPec(annotations map[string]string, spec *SidecarInjectionSpec) { |
There was a problem hiding this comment.
File is not gofmt-ed with -s (from gofmt)
| {{- end }} | ||
| podRedirectAnnot: |
There was a problem hiding this comment.
With merge of #13970 need to add traffic.sidecar.istio.io/excludeOutboundPorts as well.
There was a problem hiding this comment.
I can add here, but the change is missing on the CNI side so it won't change any behavior until that change goes in.
There was a problem hiding this comment.
Right... it will just help so when we do add the functionality to istio/cni this will already be in place.
|
looks good but need to incorporate: |
This change resolves issue 12906 by adding support for include and exclude CIDRs and ports that are specified via Helm options when the CNI is enabled.
Tests are updated to reflect the annotations being added regardless of cni being enabled.
| sidecar.istio.io/status: '{"version":"","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}' | ||
| traffic.sidecar.istio.io/excludeInboundPorts: 4,5,6 | ||
| traffic.sidecar.istio.io/excludeInboundPorts: 4,5,6,15020 |
There was a problem hiding this comment.
This will not impact non-CNI users, right? This annotation is read at inject time only, so this change does nothing (unless using CNI)?
There was a problem hiding this comment.
AFAIK, this is the post-injected app yaml under test so it's just validating that the annotation is getting added with the correct value.
There was a problem hiding this comment.
The current template logic merges the helm values and the annotations and sends that as parameters to the istio_init container. This PR will merge the helm and annotation and write back to annotation so CNI can use. So it doesn't change the non-CNI case in anyway
|
/test istio-pilot-e2e-envoyv2-v1alpha3-master |
|
@tiswanso @howardjohn - i think this is ready to go after a rebase. Please have a look if you can. |
| traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}" | ||
| traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" | ||
| {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} |
There was a problem hiding this comment.
Any reason that this is wrapped in the if but the others are not?
There was a problem hiding this comment.
@howardjohn - I was matching the logic that is used when setting the parameters passed to the init container when the init container is doing the redirection. On reflection it was done that way for the init container to set up the extra option flag and you are correct I didn't really need the if here.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: howardjohn, john-a-joyce The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/test e2e-simpleTests-master |
|
@john-a-joyce: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
* Add support for annotations when CNI enabled This change resolves issue 12906 by adding support for include and exclude CIDRs and ports that are specified via Helm options when the CNI is enabled. * Fix some issues found during testing * Fix lint * More lint * Improve corner case * Add annotations do the pods for all cases Tests are updated to reflect the annotations being added regardless of cni being enabled. * Remove error as return value * Lint fixes * Add support for outbound exclude ports. (cherry picked from commit 6b43aad)
* Sync changes to old installer Cherrypicks istio#13392, istio#13666, istio#13982, istio#14077, istio#14059 * Cherrypick istio#14301 * Cherrypick istio#13638 * cherrypick istio#14606 * istio#14171 * istio#14438 * istio#14674 * istio#14974 * 14904 * istio#14796 * istio#15346 * istio#15345 * istio#15383 * istio#14815 * istio#15690 * istio#15681 * istio#15014 * istio#15503 * istio#16084 * istio#16146 * istio#16147 * Fix tests
When Helm is used to specify additional redirection parameters they are passed to the istio_init container via command line args. When the CNI is used there is normally not an istio_init container and these redirection parameters are lost. The CNI already has logic to handle all of these additional redirection parameters when applied directly to the pod spec. This PR enhances the istio kube injection logic so any parameters specified via Helm values are added to the pod spec during the injection process (only when cni is enabled) so Istio CNI will perform the proper actions.