-
Notifications
You must be signed in to change notification settings - Fork 478
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KIALI-660: Check Istio sidecars of services #188
Conversation
1016ec7
to
0c888f4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@israel-hdez , this looks pretty good, I do have a few comments for you so please take a look.
The main comment though is that while you were working on this @lucasponce consolidated some existing appenders into the new "IstioAppender". We did this to avoid querying k8s many times for the same information. Instead, that appender now calls IstioClient.GetServiceDetails one time for each service and annotates the graph in multiple ways in one pass. It currently adds circuit breaker and route rule information.
Because GetServiceDetails also calls GetServicePods under the covers, I think the sidecar check could be (and should be) integrated into the new appender.
If you like, we can move forward with this appender and do the merge as a follow-up task. Or, you can update this PR to do the merge now, it's up to you.
graph/appender/sidecards_check.go
Outdated
"strings" | ||
) | ||
|
||
type SidecardsCheckAppender struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it Sidecard or Sidecar? I think it's the envoy Sidecar you are interested in, right? If I'm wrong just ignore this comment but otherwise please update everywhere.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, wrong name. I'll rename in all places.
graph/cytoscape/cytoscape.go
Outdated
IsGroup string `json:"isGroup,omitempty"` // set to the grouping type, current values: [ 'version' ] | ||
IsRoot string `json:"isRoot,omitempty"` // true | false | ||
IsUnused string `json:"isUnused,omitempty"` // true | false | ||
PodsCount int `json:"podsCount,omitempty"` // integer |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we really need 3 new fields for the results of the sidecar check? I'm not sure of the client-side requirements for this PR but unless we have to have it I'd prefer that we stay with our general approach of using the graph to flag areas of interest, and let the user drill down into the details page. Maybe a single field like HasMissingSidecars with either a boolean value, or possibly a string with the number of missing sidecars (i.e. PodsCount-PodsWithSidecars)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can use the single field HasMissingSidecars. I'll go that way.
Probably, the other data won't be too useful in the graph. This will simplify a little the code.
@jshaughn I see GetIstioDetails currently isn't collecting the pods. I guess it was GetServiceDetails. |
@israel-hdez You are right, my mistake, the new Istio appender does things a little differently than I originally thought. Let's keep this appender independent for now, we can consolidate later if it makes sense. |
6624461
to
9ff3526
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some comments about integration with the point of view I used to design this validation part.
Thank you for waiting for me. And sorry for the delay.
const sidecarsCheckerType = "sidecar" | ||
const SidecarContainerImage = "docker.io/istio/proxy" | ||
|
||
func (checker *SidecarsChecker) Check() *models.IstioValidations { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@israel-hdez I would move the logic of the checker into a subfolder pods
. I was thinking about grouping all the checkers by type. This way, we can validate pods on other terms and with no need to mix with the other checkers.
Another reason of why I did this subfolder is because we might want to run validations among objects (currently we only have individual validations). So we would have checkers validation how objects interfere among each others.
So I would suggest to follow same pattern of route_rule_checker.go
. It is calling individual checkers and group checkers. The logic here, it would be into a file in this subfolder pods
.
checker.K8sClient = k8sClient | ||
} | ||
|
||
pods, err := checker.K8sClient.GetServicePods(checker.Namespace, checker.ServiceName, checker.ServiceVersion, "") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When I thought about this solution, I didn't think about coupling connection with validation logic. Otherwise, you have one checker only for service pods, but not for every single pod. If you see the route rules checker, it can validate any kind of array of route rules independently where they are from.
So this logic would come either from istio_validations
or an specific *_validations
file. If you want to use same endpoint as istio_validations
, then just fetch service pods from there and pass it to the checker.
return []ObjectChecker{ | ||
checkers.RouteRuleChecker{istioDetails.RouteRules}, | ||
&checkers.SidecarsChecker{Namespace: namespace, ServiceName: service, K8sClient: validationService.k8s}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here is the point. Adding this, you are coupling the object fetching to its validations. If you see the previous line, we pass the objects to checker. This way, we prevent the coupling.
Perhaps you miss that, in the description of #180, you can find an high-level explanation of this validation part. If you see anything that could improve that, let me know and I will update it :) |
@israel-hdez, I am fine with this PR, it can be merged when @xeviknal is happy. |
2028509
to
359c05e
Compare
@xeviknal I've made changes. I hope to have solved your comments. |
- Add graph appender to provide information about missing sidecars in the services. - Add checker to the istio_validations endpoint. - Fix a bug in the istio_validations endpoint: channel closed early when more than one checker is available.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! All comments addressed. After some discussion, now the implementation follows the architecture in the way it was designed.
Good approached @israel-hdez 🔝
the services.
early when more than one checker is available.
JSON returned for the istio_validations endpoint is like this: