-
Notifications
You must be signed in to change notification settings - Fork 7.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update installation files for cluster-wide #685
Conversation
@andraxylia PR needs rebase |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Assign the PR to them by writing The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only one question. Doesn't need to block PR progress.
@@ -3,6 +3,7 @@ apiVersion: v1 | |||
kind: Service | |||
metadata: | |||
name: grafana | |||
namespace: istio-system |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i don't know that it really matters, but should we (if it is possible) have the addons be in a separate namespace?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it is possible, but it is an enhancement.
install/README.md
Outdated
@@ -15,6 +15,7 @@ The [updateVersion.sh](updateVersion.sh) script is used to update image versions | |||
* `-c <hub>,<tag>` new ca image | |||
* `-i <url>` new `istioctl` download URL | |||
* `-g` create a `git commit` titled "Updating istio version" for the changes | |||
* `-n` <namespace> namespace in which to install Istio control plane components (defaults to "istio-system") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't the default be the value that was last set in istio.VERSION (i.e., the current value), same as is done with other fields?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ack.
install/updateVersion.sh
Outdated
@@ -134,30 +142,46 @@ export MIXER_TAG="${MIXER_TAG}" | |||
export ISTIOCTL_URL="${ISTIOCTL_URL}" | |||
export PILOT_HUB="${PILOT_HUB}" | |||
export PILOT_TAG="${PILOT_TAG}" | |||
export ISTIO_NAMESPACE="istio-system" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Value should be ${ISTIO_NAMESPACE}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done, PTAL.
This should not be merged until cluster-pool is ready and can be tested in isolation. |
Please update.. |
@andraxylia PR needs rebase |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so IMO there are only 3 "must change" left to get this in:
- revert the change to mixer_test or do it without loosing the feature
- the ISTIO_NAMESPACE="$(echo ${ISTIO_NAMESPACE}|cut -f1 -d,)"
- header in generated files
and ideally but I'm ok without it:
- .md update or remove mention of updateVersion
- getting rid of useless -alpha files
- follow up on double rbac apply
@@ -134,30 +151,42 @@ export MIXER_TAG="${MIXER_TAG}" | |||
export ISTIOCTL_URL="${ISTIOCTL_URL}" | |||
export PILOT_HUB="${PILOT_HUB}" | |||
export PILOT_TAG="${PILOT_TAG}" | |||
export ISTIO_NAMESPACE=${ISTIO_NAMESPACE} | |||
EOF | |||
} | |||
|
|||
function update_istio_install() { | |||
pushd $TEMP_DIR/templates |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh I missed that initially, everything is copied in /tmp/templates and modified there
it probably should be a unique temp dir instead but I guess that's not a new problem created by this pr
hopefully we can agree this script can be improved and replaced by something less convoluted (not in this PR clearly, but for 0.3)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, sorry about the existence of this script :) The problem with these bash scripts is that they tend to grow beyond their original purpose. We should try to address the core problems (auth vs no auth) and obviate the need to customize installations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1, it's a pain to write bash
ps: that /tmp/templates hardcoded non unique path - any chance it bites us on the cont build |
Will address the minor comments in a separate PR, so we can mitigate the risks introduced by istio/old_pilot_repo#1223. |
please revert the mixer_test change at minimum |
I'm making the changes I'm requesting, should be in shortly. |
Minimum set to get this PR in - the rest will wait
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there are many small things needed in follow up but this will do for now as it is a major feature we need to get started testing
let's merge in 16 minutes once prow/e2e-suite-rbac-auth.sh passes |
I'm ok to merge the PR as is but not (without review) if it further changes |
@@ -7,3 +7,4 @@ export MIXER_TAG="1bc30a23190aa58635d02ff7fd31bf74de0d011e" | |||
export ISTIOCTL_URL="https://storage.googleapis.com/istio-artifacts/pilot/330dd286541d1b84c5ac1f4fc504556796c070af/artifacts/istioctl" | |||
export PILOT_HUB="gcr.io/istio-testing" | |||
export PILOT_TAG="330dd286541d1b84c5ac1f4fc504556796c070af" | |||
export ISTIO_NAMESPACE=istio-system |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kyessenov this PR isn't changing pilot so let's fix the auth in a simple follow up which should have been done whenever that authPolicy change happened
* Update installation files for cluster-wide * Add zipkin-to-stackdriver template * Address code review comments * Put back rbac files where they were for e2e tests * Create a new file istio-cluster-wide.yaml to keep compatibility with e2e tests * Fix bad merge * Update README.md * Unify auth and non-auth templates * Fix mixer template * Changes tests to replace istio-system with the current namespace * Fix bazel * Bazel fix * Bazel fix * Revert wrong line * Remove logs creating error * Updates README * Fix kube-inject to point to the same namespace * Code review comments Minimum set to get this PR in - the rest will wait Former-commit-id: feeb301
* Update installation files for cluster-wide * Add zipkin-to-stackdriver template * Address code review comments * Put back rbac files where they were for e2e tests * Create a new file istio-cluster-wide.yaml to keep compatibility with e2e tests * Fix bad merge * Update README.md * Unify auth and non-auth templates * Fix mixer template * Changes tests to replace istio-system with the current namespace * Fix bazel * Bazel fix * Bazel fix * Revert wrong line * Remove logs creating error * Updates README * Fix kube-inject to point to the same namespace * Code review comments Minimum set to get this PR in - the rest will wait Former-commit-id: feeb301
* added redirect routing rule to e2e * review comments * bug fix * code review comments
* Update installation files for cluster-wide * Add zipkin-to-stackdriver template * Address code review comments * Put back rbac files where they were for e2e tests * Create a new file istio-cluster-wide.yaml to keep compatibility with e2e tests * Fix bad merge * Update README.md * Unify auth and non-auth templates * Fix mixer template * Changes tests to replace istio-system with the current namespace * Fix bazel * Bazel fix * Bazel fix * Revert wrong line * Remove logs creating error * Updates README * Fix kube-inject to point to the same namespace * Code review comments Minimum set to get this PR in - the rest will wait Former-commit-id: feeb301
Update installation files for cluster-wide
Unified auth and non-auth templates, and got rid of the istio-auth directory.
For backward compatibility, the files are still the same, except all istio*.yaml have rbac beta. Rbac is tricky around namespaces. I the next PR, istio-cluster-wide will become istio-yaml, istio-auth.yaml will disappear, and istio-no-auth.yaml will be created. This will require minimal changes.
Generated files go by default in istio-system. By running updateVersio,sh -n , you can generate same files for any namespace.