Introduce Istio/ASM Kustomize component #1601
Conversation
gbrayut
force-pushed
the
issue-1203-istio-docs
branch
from
dc4fe8a
to
0408929
Compare
|
@NimJay I finished the first draft of the new README (see rendered version here) and this should now be ready for review. I forgot that changing from istio-ingressgateway to Kubernetes Gateway API also means changing from Istio CRDs to the Gateway CRDs. Those are still "The Future" of ASM/Istio, but may be more disruptive if other demos still rely on the Istio way of configuring things. But it does eliminate a lot of steps like having to deploy the istio-ingress namespace/deployment/service resources. Take a look at the frontend-gateway.yaml and if you think that is too much change right now I can try separating the Gateway API stuff into another component. |
Will Review SoonJust so you're not left in the dark: I plan on reviewing this tomorrow. |
|
No worries, take all the time you need. Also, the more I think about it, the more I feel it probably is not best to fully replace the Istio classic resources (Istio Gateway and VirtualService CRDs) with the new Kubernetes Gateway and HTTPRoute method of configuring the service mesh. I think a better approach would be keeping the service-mesh-istio component as it currently stands and then:
The classic CRDs won't ever go away, and if adoption of the new gateway/HTTPRoute picks up and becomes preferred the static manifest could be updated. But removing those entirely right now is probably not great. Happy to add that to this PR... let me know your thoughts. |
Online Boutique is introducing a new Kustomize Component for Anthos Service Mesh. See pull-request: GoogleCloudPlatform/microservices-demo#1601 The 3 files inside the /istio-manifests folder will eventually be deleted.
There was a problem hiding this comment.
Thanks again, @gbrayut, for creating this pull-request!
Things are looking good.
I've left a few comments.
Kubernetes Gateway API
You mentioned
"I feel it probably is not best to fully replace the Istio classic resources (Istio Gateway and VirtualService CRDs) with the new Kubernetes Gateway and HTTPRoute"
I think Online Boutique should embrace the new "Kubernetes Gateway and HTTPRoute" way of deploying Istio resources. Reasons:
- Istio intends to make it the default API for traffic management [source].
- I want to avoid having to maintain multiple manifests doing the same thing.
- I worry it could confuse users. Online Boutique should pick a single approach and imply "this is how it should be done".
Related note:
- I eventually want to delete the
/release/istio-manifests.yamlfile.
| @@ -124,8 +124,7 @@ The [`/terraform` folder](terraform) contains instructions for using [Terraform] | |||
|
|
|||
| ## Other deployment variations | |||
|
|
|||
| - **Istio**: [See these instructions.](docs/service-mesh.md) | |||
| - **Anthos Service Mesh**: [See these instructions](/docs/service-mesh.md) | |||
| - **Istio/Anthos Service Mesh**: [See these instructions.](/kustomize/components/service-mesh-istio/README.md) | |||
There was a problem hiding this comment.
Praise: Thanks for thoroughly updating the surrounding documentation!
| - ../../components/google-cloud-operations | ||
| - ../../components/network-policies | ||
| - ../../components/service-accounts | ||
| - ../../components/service-mesh-istio |
There was a problem hiding this comment.
Praise: Thanks for pro-actively adding this test.
| # - components/spanner | ||
| # - components/service-mesh-istio | ||
| # - components/without-loadgenerator |
There was a problem hiding this comment.
Question:
Should we remove the
# - components/native-grpc-health-check
# - components/without-loadgenerator
lines at the bottom (since we've just moved it up)?
Also, thanks for catching this!
There was a problem hiding this comment.
I removed the duplicate without-loadgenerator and confirmed they work in the listed order. native-grpc-health-check was not duplicated and I think it needs to be at the end since it also modifies the image tags. But I could be wrong there.
There was a problem hiding this comment.
"confirmed they work in the listed order"
Thank you for being so thorough!
"native-grpc-health-check ... needs to be at the end since it also modifies the image tags"
Ah, that's a good thought!
If I had to guess the order, it would be:
# - components/container-images-tag
# - components/native-grpc-health-check
# - components/container-images-tag-suffix
# - components/container-images-registry
Reason for my guess: Both native-grpc-health-check and container-images-tag use the newTag field, so they should be in the same position.
But I doubt anyone using native-grpc-health-check would use any of: container-images-tags, container-images-tag-suffix, or container-images-registry. So let's let it be. :)
|
|
||
| # Configure Managed Data Plane (automatic restart of workloads when envoy sidecar is updated) | ||
| kubectl annotate --overwrite namespace default \ | ||
| mesh.cloud.google.com/proxy='{"managed":"false"}' |
There was a problem hiding this comment.
Nitpick: For readability and consistency:
| mesh.cloud.google.com/proxy='{"managed":"false"}' | |
| mesh.cloud.google.com/proxy='{"managed":"false"}' |
|
|
||
| # Update firewall rule (or create a new one) to allow webhook port 15017 | ||
| gcloud compute firewall-rules update gke-onlineboutique-c94d71e8-master \ | ||
| --allow tcp:10250,tcp:443,tcp:15017 |
There was a problem hiding this comment.
Nitpick: For readability and consistency:
| --allow tcp:10250,tcp:443,tcp:15017 | |
| --allow tcp:10250,tcp:443,tcp:15017 |
There was a problem hiding this comment.
Issue:
Please bring back these files:
istio-manifests/frontend.yamlistio-manifests/frontend-gateway.yamlistio-manifests/allow-egress-googleapis.yaml
I realized that it's currently being used in https://github.com/GoogleCloudPlatform/cloud-ops-sandbox/blob/milestone/0.9/provisioning/kustomize/online-boutique/no-loadgenerator/with-ingress/kustomization.yaml.
I will eventually delete them from Online Boutique once I fix GoogleCloudPlatform/cloud-ops-sandbox#1012.
You made a good point about preserving git history (via git mv).
But that's okay — we can live without the git history attached to the new files.
Hopefully, anyone investigating the git history will come across this pull-request. :)
| virtualservice.networking.istio.io/frontend created | ||
| ``` | ||
|
|
||
| ## Deploy via `istio-manifests.yaml` |
There was a problem hiding this comment.
Suggestion (feel free to ignore):
Let's remove this "Deploy via istio-manifests.yaml".
Ideally, we would stop supporting this method — for ease of maintenance.
NimJay
changed the title
NimJay
changed the title
gbrayut
force-pushed
the
issue-1203-istio-docs
branch
from
69a24f4
to
9478993
Compare
|
Branch updated with requested changes and should be ready for final review. I assume you'll handle the "out-of-date with base" and/or do a squash commit. Also it looks like your gmail (which gets used for the recommended changes) doesn't pass the CLA check, so I had to force-push that commit out of the branch.
|
There was a problem hiding this comment.
Thank you for addressing my comments so quickly, @gbrayut!
Everything looks good.
You did an incredible job here. 🤯
Approved!
CLA issue with my personal email
Ah, yes, I noticed that my suggestion's commits use my personal email.
I'll look into fixing this issue (either force GitHub to use my Google email for suggestion commits or CLA-approve my personal email).
(Tip: we can also use go/gh-prinfo to override the CLA check.)
| @@ -23,11 +23,11 @@ components: | |||
| # - components/network-policies | |||
| # - components/non-public-frontend | |||
| # - components/service-accounts | |||
| # - components/alloydb | |||
There was a problem hiding this comment.
FYI: While merging conflicts, I put components/alloydb under components/service-accounts. This is intentional. components/alloydb modifies the cartservice ServiceAccount — so it needs to come after (to avoid Kustomize errors). :)
* Move istio-manifests to kustomize/components/service-mesh-istio * Create Istio kustomize component * Create test for Istio kustomize component * update hack/make-release-artifacts.sh and kustomize/kustomization.yaml * Move docs/service-mesh.md to kustomize/components/service-mesh-istio/README.md * Update README.md and cloudshell-tutorial.md references to previous service-mesh.md * Convert frontend-gateway.yaml from Istio CRDs to Kubernetes Gateway CRDs * Draft updates to service-mesh-istio/README.md * Restore istio-manifests (cannot be deleted yet) * fixup pr comments --------- Co-authored-by: Nim Jayawardena <[email protected]>
* Move istio-manifests to kustomize/components/service-mesh-istio * Create Istio kustomize component * Create test for Istio kustomize component * update hack/make-release-artifacts.sh and kustomize/kustomization.yaml * Move docs/service-mesh.md to kustomize/components/service-mesh-istio/README.md * Update README.md and cloudshell-tutorial.md references to previous service-mesh.md * Convert frontend-gateway.yaml from Istio CRDs to Kubernetes Gateway CRDs * Draft updates to service-mesh-istio/README.md * Restore istio-manifests (cannot be deleted yet) * fixup pr comments --------- Co-authored-by: Nim Jayawardena <[email protected]>
Background
The current service mesh instructions only include the OSS Istio installation instructions and does not mention the preferred approach for GKE, which is ASM via Fleet API. The instruction also are not using Kustomize components, which is now the preferred approach for demo variants.
Fixes
Fixes #1203
Change Summary
Additional Notes
Remaining Tasks for this PR:
Testing Procedure
Install Anthos Service Mesh or Istio OSS, setup an Istio Ingress Gateway, and make sure sidecar injection is enabled in target namespace.
Then from the
kustomize/folder at the root level of this repository:kustomize edit add component components/service-accounts kustomize edit add component components/service-mesh-istio kubectl apply -k .