helm chart failed with sidecar injector #2957
Conversation
|
@linsun master(7ce862d) works for me (with helm --dry-run) with Kubernetes 1.9.2 after running I'm sorting out how to enable the mutating webhook now. Is there a defined policy on a minimum version pin for Kubernetes for the installation tools? It appears master has been modified to work with kubernetes>=1.9.0. Cheers |
|
So we support k8s 1.7, 1.8 and 1.9. Only mutating web hook is supported in 1.9 as an alpha feature. The default helm chart should be targeted for 1.7 or 1.8 with manual injection, with a flag to allow users to enable mutating web hooks on 1.9 if they choose to. |
|
@linsun thanks for the response. Note the initializer worked for me in 1.8 without manual injection. Does the new injection code work on 1.8, or only 1.9? I have searched a bit for mutating web hook on google, and can't seem to find a definition of what it does in documentation. Do you happen to have a link handy? |
|
The mutating webhooks require k8s 1.9. Unfortunately, the initializers have been deprecated in 1.9, so we were forced to deprecate them as well. We will have to use manual injection for k8s < 1.9. https://istio.io/docs/setup/kubernetes/sidecar-injection.html |
|
See https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/admission-control-webhooks.md for background information on mutating webhooks. https://kubernetes.io/docs/admin/extensible-admission-controllers/#external-admission-webhooks hasn't been updated yet for Mutating webhooks and the admissionregistration.k8s.io/v1beta1` API group. |
| @@ -1,5 +1,5 @@ | |||
| {{- if .Values.global.rbacEnabled }} | |||
| apiVersion: rbac.authorization.k8s.io/v1 | |||
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |||
There was a problem hiding this comment.
Why are we regressing on version here?
There was a problem hiding this comment.
because we have clusters on 1.7.
There was a problem hiding this comment.
if you look at istio-auth.yaml, we are also using v1beta1
|
Able to deploy helm istio chart. This is work in progress but could we get it in so that we can also merge @luisyonaldo too? |
| @@ -0,0 +1,29 @@ | |||
| {{- if .Values.global.sidecarInjectEnabled }} | |||
There was a problem hiding this comment.
Should service and deployment use the same sidecarInjectEnabled guard?
There was a problem hiding this comment.
there is also a global.sidecar.enabled flag - which probably does the same thing as thing as this conditional. I'm unclear if this helm chart has been tested on 1.9 with the webhooks (or simply 1.7).
There was a problem hiding this comment.
@ayj I think that makes sense. I'll do it in a separate PR.
|
We have several defects in this Helm chart as it stands. I also think all of @linsun's work is an improvement given the policy of supporting kubernetes>=1.7. Trying to fix all the various problems in one patch stream seems problematic (harder to review and test as there is no gating on the helm chart). @linsun can you confirm if you have tested on 1.9? If not, I'll take a look (thanks @ayj and @andraxylia for the pointers on injection). |
|
/lgtm |
|
Thank you @sdake - I don't have a 1.9 env, it would be great if you could take up on that. I'll work on a gating test cc @luisyonaldo |
|
Just make sure we are all on the same page, the goal is istio works on manual injection for 1.7 and 1.8, and manual & auto injection on 1.9+ while auto injection starts as alpha/dev feature for now till it is improved. cc @sdake @luisyonaldo @ayj |
|
sgtm |
|
Current logic check that you have sidecar-injector enabled and that you have mutation we hook api enabled. If not the only manual injection is possible. Haven't tested the auto injection yet. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: ayj, sdake Assign the PR to them by writing The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
This is far from finished, but it reduces memory usage by ~10%. Pulling the following changes from github.com/istio/proxy: 2656f34 Update Envoy SHA to latest with MetricImpl optimizations (release-1.0). (istio#1939) Pulling the following changes from github.com/envoyproxy/envoy: c1cc68dda stats: refactoring MetricImpl without strings (istio#4190) 36809d80a fuzz: coverage profile generation instructions. (istio#4193) ba40cc933 upstream: rebuild cluster when health check config is changed (istio#4075) 05c0d52d3 build: use clang-6.0. (istio#4168) 01f403ec4 thrift_proxy: introduce header transport (istio#4082) 564d256fb tcp: allow connection pool callers to store protocol state (istio#4131) 3e1d643b9 configs: match latest API changes (istio#4185) bc6a10c2f Fix wrong mock function name. (istio#4187) e994c1c0b Bump yaml-cpp so it builds with Visual Studio 15.8 (istio#4182) 3d1325e89 Converting envoy configs to V2 (istio#2957) 8d0680feb Add timestamp to HealthCheckEvent definition (istio#4119) 497efb95b server: handle non-EnvoyExceptions safely if thrown in constructor. (istio#4173) 6d6fafdb3 config: strengthen validation for gRPC config sources. (istio#4171) 132302caf fuzz: reduce log level when running under fuzz engine. (istio#4161) 7c04ac255 test: fix V6EmptyOptions in coverage with IPv6 enable (istio#4155) 1b2219bd7 ci: remove deprecated bazel --batch option (istio#4166) 2db6a4ce1 ci: update clang to version 6.0 in the Ubuntu build image. (istio#4157) 71152b710 ratelimit: Add ratelimit custom response headers (istio#4015) 306287418 ssl: make Ssl::Connection const everywhere (istio#4179) 706e26238 Handle validation of non expiring tokens in jwt_authn filter (istio#4007) f06e9588a fuzz: tag trivial fuzzers with no_fuzz. (istio#4156) 27fb1d353 thrift_proxy: add service name matching to router implementation (istio#4130) 8c189a552 Make over provisioning factor configurable (istio#4003) 6c08fb43c Making test less flaky (istio#4149) 592775b7b fuzz: bare bones HCM fuzzer. (istio#4118) For istio#7912. Signed-off-by: Piotr Sikora <piotrsikora@google.com>
This is far from finished, but it reduces memory usage by ~10%. Pulling the following changes from github.com/istio/proxy: c9d2230 Update Envoy SHA to latest with MetricImpl optimizations. (istio#1938) a32a587 Add a check cache test for string map sub keys (istio#1931) Pulling the following changes from github.com/envoyproxy/envoy: c1cc68dda stats: refactoring MetricImpl without strings (istio#4190) 36809d80a fuzz: coverage profile generation instructions. (istio#4193) ba40cc933 upstream: rebuild cluster when health check config is changed (istio#4075) 05c0d52d3 build: use clang-6.0. (istio#4168) 01f403ec4 thrift_proxy: introduce header transport (istio#4082) 564d256fb tcp: allow connection pool callers to store protocol state (istio#4131) 3e1d643b9 configs: match latest API changes (istio#4185) bc6a10c2f Fix wrong mock function name. (istio#4187) e994c1c0b Bump yaml-cpp so it builds with Visual Studio 15.8 (istio#4182) 3d1325e89 Converting envoy configs to V2 (istio#2957) 8d0680feb Add timestamp to HealthCheckEvent definition (istio#4119) 497efb95b server: handle non-EnvoyExceptions safely if thrown in constructor. (istio#4173) 6d6fafdb3 config: strengthen validation for gRPC config sources. (istio#4171) 132302caf fuzz: reduce log level when running under fuzz engine. (istio#4161) 7c04ac255 test: fix V6EmptyOptions in coverage with IPv6 enable (istio#4155) 1b2219bd7 ci: remove deprecated bazel --batch option (istio#4166) 2db6a4ce1 ci: update clang to version 6.0 in the Ubuntu build image. (istio#4157) 71152b710 ratelimit: Add ratelimit custom response headers (istio#4015) 306287418 ssl: make Ssl::Connection const everywhere (istio#4179) 706e26238 Handle validation of non expiring tokens in jwt_authn filter (istio#4007) f06e9588a fuzz: tag trivial fuzzers with no_fuzz. (istio#4156) 27fb1d353 thrift_proxy: add service name matching to router implementation (istio#4130) 8c189a552 Make over provisioning factor configurable (istio#4003) 6c08fb43c Making test less flaky (istio#4149) 592775b7b fuzz: bare bones HCM fuzzer. (istio#4118) For istio#7912. Signed-off-by: Piotr Sikora <piotrsikora@google.com>
…). (#8161) This is far from finished, but it reduces memory usage by ~10%. Pulling the following changes from github.com/istio/proxy: 2656f34 Update Envoy SHA to latest with MetricImpl optimizations (release-1.0). (#1939) Pulling the following changes from github.com/envoyproxy/envoy: c1cc68dda stats: refactoring MetricImpl without strings (#4190) 36809d80a fuzz: coverage profile generation instructions. (#4193) ba40cc933 upstream: rebuild cluster when health check config is changed (#4075) 05c0d52d3 build: use clang-6.0. (#4168) 01f403ec4 thrift_proxy: introduce header transport (#4082) 564d256fb tcp: allow connection pool callers to store protocol state (#4131) 3e1d643b9 configs: match latest API changes (#4185) bc6a10c2f Fix wrong mock function name. (#4187) e994c1c0b Bump yaml-cpp so it builds with Visual Studio 15.8 (#4182) 3d1325e89 Converting envoy configs to V2 (#2957) 8d0680feb Add timestamp to HealthCheckEvent definition (#4119) 497efb95b server: handle non-EnvoyExceptions safely if thrown in constructor. (#4173) 6d6fafdb3 config: strengthen validation for gRPC config sources. (#4171) 132302caf fuzz: reduce log level when running under fuzz engine. (#4161) 7c04ac255 test: fix V6EmptyOptions in coverage with IPv6 enable (#4155) 1b2219bd7 ci: remove deprecated bazel --batch option (#4166) 2db6a4ce1 ci: update clang to version 6.0 in the Ubuntu build image. (#4157) 71152b710 ratelimit: Add ratelimit custom response headers (#4015) 306287418 ssl: make Ssl::Connection const everywhere (#4179) 706e26238 Handle validation of non expiring tokens in jwt_authn filter (#4007) f06e9588a fuzz: tag trivial fuzzers with no_fuzz. (#4156) 27fb1d353 thrift_proxy: add service name matching to router implementation (#4130) 8c189a552 Make over provisioning factor configurable (#4003) 6c08fb43c Making test less flaky (#4149) 592775b7b fuzz: bare bones HCM fuzzer. (#4118) For #7912. Signed-off-by: Piotr Sikora <piotrsikora@google.com>
This is far from finished, but it reduces memory usage by ~10%. Pulling the following changes from github.com/istio/proxy: c9d2230 Update Envoy SHA to latest with MetricImpl optimizations. (#1938) a32a587 Add a check cache test for string map sub keys (#1931) Pulling the following changes from github.com/envoyproxy/envoy: c1cc68dda stats: refactoring MetricImpl without strings (#4190) 36809d80a fuzz: coverage profile generation instructions. (#4193) ba40cc933 upstream: rebuild cluster when health check config is changed (#4075) 05c0d52d3 build: use clang-6.0. (#4168) 01f403ec4 thrift_proxy: introduce header transport (#4082) 564d256fb tcp: allow connection pool callers to store protocol state (#4131) 3e1d643b9 configs: match latest API changes (#4185) bc6a10c2f Fix wrong mock function name. (#4187) e994c1c0b Bump yaml-cpp so it builds with Visual Studio 15.8 (#4182) 3d1325e89 Converting envoy configs to V2 (#2957) 8d0680feb Add timestamp to HealthCheckEvent definition (#4119) 497efb95b server: handle non-EnvoyExceptions safely if thrown in constructor. (#4173) 6d6fafdb3 config: strengthen validation for gRPC config sources. (#4171) 132302caf fuzz: reduce log level when running under fuzz engine. (#4161) 7c04ac255 test: fix V6EmptyOptions in coverage with IPv6 enable (#4155) 1b2219bd7 ci: remove deprecated bazel --batch option (#4166) 2db6a4ce1 ci: update clang to version 6.0 in the Ubuntu build image. (#4157) 71152b710 ratelimit: Add ratelimit custom response headers (#4015) 306287418 ssl: make Ssl::Connection const everywhere (#4179) 706e26238 Handle validation of non expiring tokens in jwt_authn filter (#4007) f06e9588a fuzz: tag trivial fuzzers with no_fuzz. (#4156) 27fb1d353 thrift_proxy: add service name matching to router implementation (#4130) 8c189a552 Make over provisioning factor configurable (#4003) 6c08fb43c Making test less flaky (#4149) 592775b7b fuzz: bare bones HCM fuzzer. (#4118) For #7912. Signed-off-by: Piotr Sikora <piotrsikora@google.com>
#2935, able to get a dry run working
helm install --dry-run --debug istio, will work on clean up tmr.cc @sdake @ayj