Update installation files for cluster-wide #685
Conversation
andraxylia
requested review from
kyessenov,
douglas-reid,
wattli and
frankbu
|
@andraxylia PR needs rebase |
istio-merge-robot
added
needs-rebase
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Assign the PR to them by writing The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
istio-merge-robot
removed
the
needs-rebase
| @@ -3,6 +3,7 @@ apiVersion: v1 | |||
| kind: Service | |||
| metadata: | |||
| name: grafana | |||
| namespace: istio-system | |||
There was a problem hiding this comment.
i don't know that it really matters, but should we (if it is possible) have the addons be in a separate namespace?
There was a problem hiding this comment.
it is possible, but it is an enhancement.
install/README.md
Outdated
| @@ -15,6 +15,7 @@ The [updateVersion.sh](updateVersion.sh) script is used to update image versions | |||
| * `-c <hub>,<tag>` new ca image | |||
| * `-i <url>` new `istioctl` download URL | |||
| * `-g` create a `git commit` titled "Updating istio version" for the changes | |||
| * `-n` <namespace> namespace in which to install Istio control plane components (defaults to "istio-system") | |||
There was a problem hiding this comment.
Shouldn't the default be the value that was last set in istio.VERSION (i.e., the current value), same as is done with other fields?
install/updateVersion.sh
Outdated
| @@ -134,30 +142,46 @@ export MIXER_TAG="${MIXER_TAG}" | |||
| export ISTIOCTL_URL="${ISTIOCTL_URL}" | |||
| export PILOT_HUB="${PILOT_HUB}" | |||
| export PILOT_TAG="${PILOT_TAG}" | |||
| export ISTIO_NAMESPACE="istio-system" | |||
There was a problem hiding this comment.
Value should be ${ISTIO_NAMESPACE}
|
This should not be merged until cluster-pool is ready and can be tested in isolation. |
|
Please update.. |
|
@andraxylia PR needs rebase |
istio-merge-robot
added
the
needs-rebase
istio-merge-robot
removed
the
needs-rebase
There was a problem hiding this comment.
so IMO there are only 3 "must change" left to get this in:
- revert the change to mixer_test or do it without loosing the feature
- the ISTIO_NAMESPACE="$(echo ${ISTIO_NAMESPACE}|cut -f1 -d,)"
- header in generated files
and ideally but I'm ok without it:
- .md update or remove mention of updateVersion
- getting rid of useless -alpha files
- follow up on double rbac apply
| @@ -134,30 +151,42 @@ export MIXER_TAG="${MIXER_TAG}" | |||
| export ISTIOCTL_URL="${ISTIOCTL_URL}" | |||
| export PILOT_HUB="${PILOT_HUB}" | |||
| export PILOT_TAG="${PILOT_TAG}" | |||
| export ISTIO_NAMESPACE=${ISTIO_NAMESPACE} | |||
| EOF | |||
| } | |||
|
|
|||
| function update_istio_install() { | |||
| pushd $TEMP_DIR/templates | |||
There was a problem hiding this comment.
oh I missed that initially, everything is copied in /tmp/templates and modified there
it probably should be a unique temp dir instead but I guess that's not a new problem created by this pr
hopefully we can agree this script can be improved and replaced by something less convoluted (not in this PR clearly, but for 0.3)
There was a problem hiding this comment.
Yes, sorry about the existence of this script :) The problem with these bash scripts is that they tend to grow beyond their original purpose. We should try to address the core problems (auth vs no auth) and obviate the need to customize installations.
There was a problem hiding this comment.
+1, it's a pain to write bash
ldemailly
added
cla: yes
and removed
cla: no
|
ps: that /tmp/templates hardcoded non unique path - any chance it bites us on the cont build |
|
Will address the minor comments in a separate PR, so we can mitigate the risks introduced by istio/old_pilot_repo#1223. |
|
please revert the mixer_test change at minimum |
|
I'm making the changes I'm requesting, should be in shortly. |
Minimum set to get this PR in - the rest will wait
googlebot
added
cla: no
ldemailly
added
cla: human-approved
and removed
cla: no
|
let's merge in 16 minutes once prow/e2e-suite-rbac-auth.sh passes |
|
I'm ok to merge the PR as is but not (without review) if it further changes |
| @@ -7,3 +7,4 @@ export MIXER_TAG="1bc30a23190aa58635d02ff7fd31bf74de0d011e" | |||
| export ISTIOCTL_URL="https://storage.googleapis.com/istio-artifacts/pilot/330dd286541d1b84c5ac1f4fc504556796c070af/artifacts/istioctl" | |||
| export PILOT_HUB="gcr.io/istio-testing" | |||
| export PILOT_TAG="330dd286541d1b84c5ac1f4fc504556796c070af" | |||
| export ISTIO_NAMESPACE=istio-system | |||
There was a problem hiding this comment.
@kyessenov this PR isn't changing pilot so let's fix the auth in a simple follow up which should have been done whenever that authPolicy change happened
* Update installation files for cluster-wide * Add zipkin-to-stackdriver template * Address code review comments * Put back rbac files where they were for e2e tests * Create a new file istio-cluster-wide.yaml to keep compatibility with e2e tests * Fix bad merge * Update README.md * Unify auth and non-auth templates * Fix mixer template * Changes tests to replace istio-system with the current namespace * Fix bazel * Bazel fix * Bazel fix * Revert wrong line * Remove logs creating error * Updates README * Fix kube-inject to point to the same namespace * Code review comments Minimum set to get this PR in - the rest will wait Former-commit-id: feeb301
* Update installation files for cluster-wide * Add zipkin-to-stackdriver template * Address code review comments * Put back rbac files where they were for e2e tests * Create a new file istio-cluster-wide.yaml to keep compatibility with e2e tests * Fix bad merge * Update README.md * Unify auth and non-auth templates * Fix mixer template * Changes tests to replace istio-system with the current namespace * Fix bazel * Bazel fix * Bazel fix * Revert wrong line * Remove logs creating error * Updates README * Fix kube-inject to point to the same namespace * Code review comments Minimum set to get this PR in - the rest will wait Former-commit-id: feeb301
* added redirect routing rule to e2e * review comments * bug fix * code review comments
* Update installation files for cluster-wide * Add zipkin-to-stackdriver template * Address code review comments * Put back rbac files where they were for e2e tests * Create a new file istio-cluster-wide.yaml to keep compatibility with e2e tests * Fix bad merge * Update README.md * Unify auth and non-auth templates * Fix mixer template * Changes tests to replace istio-system with the current namespace * Fix bazel * Bazel fix * Bazel fix * Revert wrong line * Remove logs creating error * Updates README * Fix kube-inject to point to the same namespace * Code review comments Minimum set to get this PR in - the rest will wait Former-commit-id: feeb301
Update installation files for cluster-wide
Unified auth and non-auth templates, and got rid of the istio-auth directory.
For backward compatibility, the files are still the same, except all istio*.yaml have rbac beta. Rbac is tricky around namespaces. I the next PR, istio-cluster-wide will become istio-yaml, istio-auth.yaml will disappear, and istio-no-auth.yaml will be created. This will require minimal changes.
Generated files go by default in istio-system. By running updateVersio,sh -n , you can generate same files for any namespace.