Support for Multiple Gateways

[ymesika]

These changes add support for multiple ingress/egress gateway configuration in the Helm charts.
The new gateways field is an array that by default has one configuration (as it was before) but allows users to add more configurations to have multiple ingress/egress gateways deployed when installing the charts.

@rshriram Do you think there are fields which should be "common" to all configurations (e.g. serviceAccountName, resources) or we better allow users full customization?

[ymesika]

/assign @rshriram

[rshriram]

This is excellent! Some comments on reducing this further. This should ofcourse have a corresponding doc entry telling users how to generate their own gateway pods/services and when to generate such things vs when to reuse the existing gateway spec.

[rshriram]

And have unique labels.

[rshriram]

Get rid of this 31400

[rshriram]

And this as well

[rshriram]

Remove this and have one top level gateways array with enabled entry in each.

[rshriram]

Simplify this to the following:

gateways:
- name: istio-ingressgateway
   labels:
      istio: ingressgateway
   replica..
   type: Loadbalancer
   loadBalancerIP: ..
   annotations: {}
   ports:
   - name: http
      number: 80
      nodePort: ...
   secretVolumes:
   ...
    ....
 - name: istio-egressgateway
    ...
    type: ClusterIP
    labels:..

Essentially a single array of gateways. Every gateway here will be deployed. You can derive service name from the gateway.name, deployment labels from labels, service account from name, service ports from ports, container ports from service ports, etc. those who want more customization are typically knowledgeable enough to directly modify the service/deployment etc.

[ymesika]

Thought about it but wasn't bold enough to do such major changes. But now that you "approve" it..

[rshriram]

That would actually make things simple..

[ymesika]

Due to Helm parser limitations I can't have the array directly under gateways.
The workaround in my last commit has a list beneath it:

gateways:
  enabled: true
  list:
  - name: istio-ingressgateway
    enabled: true
    labels:
      istio: ingressgateway
     ...
  - name: istio-egressgateway
    enabled: true
    labels:
      istio: egressgateway
    replicaCount: 1
    ...

EDIT: Helm v2.7.2 doesn't like something like --set gateways.list[0].enabled=false

Alternatively, it can be something like this:

gateways:
  enabled: true
  istio-ingressgateway:
    enabled: true
    labels:
      istio: ingressgateway
  ...
  istio-egressgateway:
    enabled: true
    labels:
      istio: egressgateway
  ...

[ymesika]

Due to helm limitations mentioned above I decided to go with the second structure and committed those changes.

[codecov]

Codecov Report

Merging #6350 into master will decrease coverage by 1%.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master   #6350    +/-   ##
=======================================
- Coverage      68%     68%   -<1%     
=======================================
  Files         351     351            
  Lines       30723   30661    -62     
=======================================
- Hits        20740   20676    -64     
- Misses       9137    9138     +1     
- Partials      846     847     +1

Impacted Files	Coverage Δ
mixer/adapter/solarwinds/metrics_handler.go	70% <0%> (-13%)	⬇️
pilot/pkg/serviceregistry/eureka/controller.go	82% <0%> (-9%)	⬇️
istioctl/pkg/writer/pilot/status.go	84% <0%> (-7%)	⬇️
mixer/adapter/stackdriver/stackdriver.go	50% <0%> (-6%)	⬇️
mixer/adapter/circonus/circonus.go	71% <0%> (-3%)	⬇️
pilot/pkg/proxy/envoy/v2/ads.go	71% <0%> (-2%)	⬇️
mixer/adapter/signalfx/signalfx.go	82% <0%> (-2%)	⬇️
pilot/pkg/proxy/envoy/v2/debug.go	27% <0%> (-1%)	⬇️
mixer/adapter/fluentd/fluentd.go	74% <0%> (-1%)	⬇️
mixer/pkg/protobuf/yaml/castUtil.go	94% <0%> (ø)	⬇️
... and 18 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f52044e...97fc43f. Read the comment docs.

[istio-testing]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ymesika
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: rshriram

Assign the PR to them by writing /assign @rshriram in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[istio-testing]

@ymesika: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
prow/e2e-bookInfoTests.sh	97fc43f	link	/test e2e-bookInfo
prow/istio-pilot-e2e.sh	97fc43f	link	/test istio-pilot-e2e

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[harpratap]

@ymesika Can you explain in which use case will this be useful? What can having multiple istio-gateways achieve that a simple scale up cannot?

[ymesika]

@harpratap One use case is having gateways with different certificates for different types of callers (e,g. one used for multi-cluster vs one used for public access).