Added ambient profile installation for istio #2822
Open
biswajit-9776 wants to merge 6 commits into kubeflow:master from biswajit-9776:ambient_branch
Commits (6)
00e684c Added ambient profile installation for istio (biswajit-9776)
dd3d477 Fixed yaml formats (biswajit-9776)
b78ccb8 Fixed yaml formats for common/istio-ambient-1-22 (biswajit-9776)
32b500d Fixed yaml formats (biswajit-9776)
2a8bf87 Fixed yaml formats (biswajit-9776)
a06d755 Added sync-istio-ambient script to hack (biswajit-9776)
@@ -11,4 +11,4 @@ spec: | |
app: cluster-local-gateway | ||
istio: cluster-local-gateway | ||
rules: | ||
- {} | ||
- {} |
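Review bot: the before and after versions of the `- {}` line under `rules:` read identically in this hunk, so the change is whitespace-only (indentation or trailing whitespace) and should be named as such in the commit message, or dropped if it is an accidental reformat. The resource selects the `cluster-local-gateway` pods and, with `rules: - {}`, matches the allow-all AuthorizationPolicy for the cluster-local gateway that the README in this PR lists, so an indentation change here can silently alter YAML nesting; confirm the patched file still renders to a single allow-all rule entry (for example by inspecting the output of `kustomize build` for the package) before merging.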
common/istio-1-22/istio-install/base/patches/disable-debugging.yaml (6 changes: 3 additions & 3 deletions)
@@ -23,4 +23,3 @@ spec: | |
global: | ||
configValidation: true | ||
istioNamespace: istio-system | ||
|
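Review bot: this hunk deletes one line after `istioNamespace: istio-system` (the old range has 4 lines, the new 3) while the `global:` block is unchanged, so it looks like a trailing-blank-line cleanup and could be described that way in the commit message rather than under the generic "Fixed yaml formats". The file header above counts 3 additions and 3 deletions for `common/istio-1-22/istio-install/base/patches/disable-debugging.yaml`, which a single-line deletion does not account for; if this hunk belongs to that file, the remaining changes are not shown here, and the reviewer should check that the `ENABLE_DEBUG_ON_HTTP=false` setting the README cites is still carried by the patch after the reformat.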
@@ -0,0 +1,95 @@ | ||
# Istio | ||
|
||
## Upgrade Istio Manifests | ||
|
||
Istio ships with an installer called `istioctl`, which is a deployment / | ||
debugging / configuration management tool for Istio all in one package. | ||
In this section, we explain how to upgrade our istio kustomize packages | ||
by leveraging `istioctl`. Assuming the new version is `X.Y.Z` and the | ||
old version is `X1.Y1.Z1`: | ||
|
||
1. Make a copy of the old istio manifests tree, which will become the | ||
kustomization for the new Istio version: | ||
|
||
$ export MANIFESTS_SRC=<path/to/manifests/repo> | ||
$ export ISTIO_OLD=$MANIFESTS_SRC/common/istio-X1-Y1 | ||
$ export ISTIO_NEW=$MANIFESTS_SRC/common/istio-X-Y | ||
$ cp -a $ISTIO_OLD $ISTIO_NEW | ||
|
||
2. Download `istioctl` for version `X.Y.Z`: | ||
|
||
$ ISTIO_VERSION="X.Y.Z" | ||
$ wget "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" | ||
$ tar xvfz istio-${ISTIO_VERSION}-linux-amd64.tar.gz | ||
# sudo mv istio-${ISTIO_VERSION}/bin/istioctl /usr/local/bin/istioctl | ||
|
||
3. Use `istioctl` to generate an `IstioOperator` resource, the | ||
CustomResource used to describe the Istio Control Plane: | ||
|
||
$ cd $ISTIO_NEW | ||
$ istioctl profile dump default > profile.yaml | ||
|
||
--- | ||
**NOTE** | ||
|
||
`istioctl` comes with a bunch of [predefined profiles](https://istio.io/latest/docs/setup/additional-setup/config-profiles/) | ||
(`default`, `demo`, `minimal`, etc.). The `default` profile is installed by default. | ||
|
||
--- | ||
|
||
4. Generate manifests and add them to their respective packages. We | ||
will generate manifests using `istioctl`, the | ||
`profile.yaml` file from upstream and the | ||
`profile-overlay.yaml` file that contains our desired | ||
changes: | ||
|
||
$ export PATH="$MANIFESTS_SRC/scripts:$PATH" | ||
$ cd $ISTIO_NEW | ||
$ istioctl manifest generate --cluster-specific -f profile.yaml -f profile-overlay.yaml > dump.yaml | ||
$ ./split-istio-packages -f dump.yaml | ||
$ mv $ISTIO_NEW/crd.yaml $ISTIO_NEW/istio-crds/base | ||
$ mv $ISTIO_NEW/install.yaml $ISTIO_NEW/istio-install/base | ||
$ mv $ISTIO_NEW/cluster-local-gateway.yaml $ISTIO_NEW/cluster-local-gateway/base | ||
$ rm dump.yaml | ||
|
||
--- | ||
**NOTE** | ||
|
||
`split-istio-packages` is a python script in the same folder as this file. | ||
The `ruamel.yaml` version used is 0.16.12. | ||
|
||
`--cluster-specific` is a flag that determines if a current K8s cluster context will be used to dynamically | ||
detect default settings. Ensure you have a target cluster ready before running the above commands. | ||
We set this flag because `istioctl manifest generate` generates manifest files with resources that are no | ||
longer supported in Kubernetes 1.25 (`policy/v1beta1`). See: https://github.com/istio/istio/issues/41220 | ||
|
||
--- | ||
|
||
## Changes to Istio's upstream manifests | ||
|
||
### Changes to the upstream IstioOperator profile | ||
|
||
Changes to Istio's upstream profile `default` are the following: | ||
|
||
- Add a `cluster-local-gateway` component for Kserve. Knative-local-gateway is now obsolete https://github.com/kubeflow/manifests/pull/2355/commits/adc00b804404ea08685a044ae595be0bed9adb59. | ||
- Disable the EgressGateway component. We do not use it and it adds unnecessary complexity. | ||
|
||
Those changes are captured in the [profile-overlay.yaml](profile-overlay.yaml) | ||
file. | ||
|
||
### Changes to the upstream manifests using kustomize | ||
|
||
The Istio kustomizations make the following changes: | ||
|
||
- Remove PodDisruptionBudget from `istio-install` and `cluster-local-gateway` kustomizations. See: | ||
- https://github.com/istio/istio/issues/12602 | ||
- https://github.com/istio/istio/issues/24000 | ||
- Add EnvoyFilter for adding an `X-Forwarded-For` header in requests passing through the Istio Ingressgateway, inside the `istio-install` kustomization. | ||
- Add Istio AuthorizationPolicy to allow all requests to the Istio Ingressgateway and the Istio cluster-local gateway. | ||
- Add Istio AuthorizationPolicy in Istio's root namespace, so that sidecars deny traffic by default (explicit deny-by-default authorization model). | ||
- Add Gateway CRs for the Istio Ingressgateway and the Istio cluster-local gateway, as `istioctl` stopped generating them in later versions. | ||
- Add the istio-system namespace object to `istio-namespace`, as `istioctl` stopped generating it in later versions. | ||
- Configure TCP KeepAlives. | ||
- Disable tracing as it causes DNS breakdown. See: | ||
https://github.com/istio/istio/issues/29898 | ||
- Set ENABLE_DEBUG_ON_HTTP=false according to https://istio.io/latest/docs/ops/best-practices/security/#control-plane |
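Review bot: the new README describes the sidecar-mode istio-1-22 package rather than an ambient installation: step 3 dumps the `default` profile (`istioctl profile dump default`), the NOTE states that `default` is installed by default, and the kustomize section says the root-namespace AuthorizationPolicy makes "sidecars deny traffic by default", none of which matches the ambient profile the PR title promises; either adapt the text (the profile name, and what enforces the deny-by-default model when there are no sidecars) or state explicitly that the file is a verbatim copy pending updates. Two smaller points in step 2: the last command uses a `#` prompt (`# sudo mv istio-${ISTIO_VERSION}/bin/istioctl /usr/local/bin/istioctl`) where the other commands use `$`, so inside a code block it reads as a comment and a reader following the steps will skip installing the binary; and the tarball fetched from GitHub releases is moved into `/usr/local/bin` without any checksum or signature verification, so add a verification step against the published release checksum before installing it. Also confirm that `profile-overlay.yaml` exists in the new directory, since the relative link `[profile-overlay.yaml](profile-overlay.yaml)` will otherwise be broken.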
@hansinikarunarathne can you help here? We should allow having multiple YAMLs in a single file separated by "---".