(bugfix/kubernetes/rbac): Bring alpha and beta rbac rules into sync #333
Conversation
|
Is the "ingresses/status" needed for beta? The ingress status gets updated for me without this. |
|
I'm still seeing it under beta -- See comment in #327 |
|
This would limit to "default" namespace. |
| @@ -3,6 +3,9 @@ | |||
| # Also helps to enable logging on apiserver 'wrap' to see the URLs. | |||
| # Each RBAC deny needs to be mapped into a rule for the role. | |||
| # If using minikube, start with '--extra-config=apiserver.Authorization.Mode=RBAC' | |||
| # | |||
| # NOTE: If deploying istio to a namespace other than 'default' then change the | |||
| # ClusterRoleBinding namspace target appropriately. | |||
There was a problem hiding this comment.
I don't think we can ask users to edit the file - can you use RoleBinding instead ?
There was a problem hiding this comment.
We can if we scope the manager scope it's TPR list request to namespace only see initial logs in #327
There was a problem hiding this comment.
@costinm the Kubernetes default is that service accounts are created in the default namespace. For the vast majority of users, they won't need to edit anything.
If they want to run istio in a different namespace however, then they'll need ensure the namespace of the service account used by ClusterRoleBinding matches.
I think part of the confusion is that ClusterRoleBinding is scoped to the entire cluster—not a namespace—while it depends on a service account that is scoped to a namespace.
There was a problem hiding this comment.
@seanknox: that is my understanding as well, but Istio service accounts are created in the project namespace, at least with the configs we ship.
AFAIK, "RoleBinding" creates a binding between a local (namespaced)
service account and the cluster role.
The proposed change - creating a ClusterRoleBinding - would bind the same cluster role, but to a service account in a different (hardcoded) namespace.
Maybe I've missed some other change, but if the service accounts are created in the user's namespace, than we do need either RoleBinding or ClusterRoleBinding + specific "namespace:custom". My understanding is that both options
will work.
If something changed and Istio service accounts are all created in the default namespace - this PR is good and required. However I'm not sure it's a good idea to have all namespaces create service accounts in default - it doesn't
seem very clean or secure.
|
BTW - I didn't do anything here but bring the alpha and beta rbac rules that were already in the repo into sync. This isn't adding any new functionality. It seems folks have been testing against alpha and things were broken in beta. |
|
You are absolutely correct @andraxylia. My bad -- the log message can be found here -- #329 |
|
Ok, good to know this is still the case with beta. Since I no longer hit the issue, I wrongly presumed the "status" got fixed to be part of "ingress". |
|
I think the only problem with this PR is the namespace - if you can use RoleBinding instead of ClusterRoleBinding it would be great. Both grant the same ClusterRole - the main difference is that the |
|
@costinm Agreed. I think we just need a to change the scope (to the current namespace) of the ThirdPartyResource list in the code then we won't need to use ClusterRole and simply use RoleBinding. |
|
@lachie83 This seems to be a regression from 0.1.5. I am happy to merge this but our release process is stalled as our repos are undergoing some restructuring. So to unblock folks who are facing this issue, But I need to know what exactly needs to be done. And couple of folks have to confirm that this fixed version works on kube 1.6, 1.5.2,1.5.3. cc @todkap @craigyam @andraxylia The typo in your last comment is making it hard to understand what is the exact solution. RoleBinding or ClusterRoleBinding with regard to comments from @costinm. |
|
I tried to do some validation of the updated istio-rbac-beta.yaml on Istio 0.1.6 and still hitting issues with the patch. Please let me know if I can provide additional info.
|
|
we need to reproduce this issue, then fix it in the 0.1 branch - but not blindly if we don't have a repro first cc @frankbu |
|
@rshriram apologies for the confusion. I've updated my comment. Hopefully that helps. I don't think that this is a regression but suspect that it was tested in a k8s 1.5 cluster which I believe uses the alpha RBAC APIs which already included the changes that are in this PR. When I used this on a 1.6 cluster the beta RBAC APIs are used which is where I could repro quickly. LMK if you need more details on the repro. |
|
0.1.6 and beta rbac (1.6 k8s) works for me so yes I'd like to understand what is different in your setup |
|
@ldemailly I am more than willing to help provide details on my deployment. Please let me know if I can provide output from any kubectl or iostoctl commands. |
|
Quick update. I was able to refocus back on debugging my deployment and found that I had some environment path issues and was pointing to the incorrect istio-rbac-beta.yaml (still pointing at the non-patched one). When I used the one from the pull request, I saw a new set of errors (this time from the pilot).
I introduced a new config element in the rbac to try to move past this. Now I am seeing issues with timeouts from the Ingress when I try to route through that. I can directly hit the Node app the Ingress is fronting.
I will continue debugging. Not sure if the pilot addition I made was the correct one(based it upon the istio-ingress-service-account. |
|
Just updated to include the rename from manager to pilot |
|
I'm pretty sure some of those changes are already made (manager->pilot specifically) - can you rebase (either on release-0.1 or on master) ? |
This reverts commit ffcac4d.
93a40e7 to
fedb135
Compare
|
rebase master |
|
Merge conflicts. Please fix and we can merge after tests pass. |
…lachie83/istio into bugfix-resync-alpha-beta-rbac-manifests * 'bugfix-resync-alpha-beta-rbac-manifests' of github.com:lachie83/istio: Fix misc RBAC issues on 1.6.6 (istio#477)
|
Looks like @andraxylia committed changes 18 hours ago that make most of this PR now irrelevant. There's one line left to change. |
|
@lachie83 : I had to fix RBAC because it was not working anymore for me with the GKE 1.6.6 cluster |
* Flip the switch on the website for the Istio launch! This will change the index page back to the real landing page, deleting our temporary page, and also changes the date of the blog post to be the launch date. This will be submitted at 7:00 PST on May 24th. * Fix some links that were wrong: grpc isn't on https, and the images were using \ instead of /. * Fix issues link to point to actual issues, not just issues repo, plus fix twitter capitalization.
…stio#333) * Fixes istio#327 Bring alpha and beta rbac rules into sync * handle manager->pilot rename * Revert "handle manager->pilot rename" This reverts commit 72aa8c5b572dedd4bf87e43750975f3955954dea [formerly ffcac4d]. * removed extra comments that were not originally present Former-commit-id: 84031fe
Automatic merge from submit-queue. [DO NOT MERGE] Auto PR to update dependencies of mixerclient This PR will be merged automatically once checks are successful. ```release-note none ```
…mongodb (istio#333) Signed-off-by: rcernich <rcernich@redhat.com>
* MAISTRA-2194 Add server/client code for Federation Service Discovery v1 * MAISTRA-2195 Implement /watch endpoint * MAISTRA-2293 add CRD and controller for federating meshes * MAISTRA-2294 create CRD for federation ServiceExport (istio#324) * MAISTRA-2294 update example VirtualService resources for ratings and mongodb (istio#333)
* MAISTRA-2194 Add server/client code for Federation Service Discovery v1 * MAISTRA-2195 Implement /watch endpoint * MAISTRA-2293 add CRD and controller for federating meshes * MAISTRA-2294 create CRD for federation ServiceExport (istio#324) * MAISTRA-2294 update example VirtualService resources for ratings and mongodb (istio#333)
* [federation] Initial federation implementation * MAISTRA-2194 Add server/client code for Federation Service Discovery v1 * MAISTRA-2195 Implement /watch endpoint * MAISTRA-2293 add CRD and controller for federating meshes * MAISTRA-2294 create CRD for federation ServiceExport (istio#324) * MAISTRA-2294 update example VirtualService resources for ratings and mongodb (istio#333) * [federation] MAISTRA-2295 create CRD for federation ServiceImport (istio#336) Signed-off-by: rcernich <rcernich@redhat.com> * [misc] Use objects and clients from maistra/api repo - Remove local objects and clients - Update Makefile * [federation] MAISTRA-2309 create CRD for FederationStatus (istio#348) Signed-off-by: rcernich <rcernich@redhat.com> * [federation] Federation fixes and improvements MAISTRA-2423 update federation api to v1 Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2424 minor updates to federation api Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2427 configure locality info on imported services Signed-off-by: rcernich <rcernich@redhat.com> Cherry-pick multi-root support (istio#387) * Update go-control-plane to v0.9.9 * Support multiple roots Squashed commit, contains: - MAISTRA-2325 Distribute trust bundles over SDS - MAISTRA-2390 Push trust bundle updates through xDS (istio#357) MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (istio#392) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2426 move FederationStatus into MeshFederation (istio#393) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2513 federation API refinements Signed-off-by: rcernich <rcernich@redhat.com> [federation] MAISTRA-2237 Encrypt service discovery traffic (istio#411) MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (istio#422) MAISTRA-2297 Support updates of federation resources (istio#417) MAISTRA-2375: Do not create automatic routes for Federation Gateways Remove a redundant call `setHostname()` is already being called within `NameForService()` see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go lines 83, 120, 129 Remove techPreview.meshConfig from PoC example It's set by default now. MAISTRA-2611 Fix deletion of service exports to federated mesh (istio#421) Fix test MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (istio#437) * MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil * Fix test MAISTRA-2682 Fix watch mechanism in federation (istio#439) Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data. MAISTRA-2683 Properly close incoming watch connections when shutting down (istio#440) Log actual error returned by pollServices() (istio#441) Previously, instead of the actual error, only the following error message was logged: "expected condition not met". MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (istio#432) By taking into consideration the service annotation `networking.istio.io/exportTo`. This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/ If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported. MAISTRA-2617: Do not watch all namespaces in Extensions controller (istio#425) When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments. This fixes an istiod startup error as seen in the logs: ``` github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope ``` * Remove package export and extensions Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix creating discovery.Controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix calling nil ResourceManager Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove panicing from AppendNetworkGatewayHandler Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [misc] OSSM-774 Fix flaky TestStatusManager (istio#456) This adds a little sleep to our unit tests for the StatusManager, because without it, we're running into the issue that we're updating a ServiceMeshPeer's status very quickly, and in some cases it might be that the last change has not been propagated when we're generating the patch for the next status change, which can lead to failures. This can happen in the real world, but you would need to change a ServiceMeshPeer's status within a few milliseconds, I doubt that it affects users. It would also be fixed with the next status update. For those reasons, I'm only fixing it in the test, with a Sleep() call. * Refactor manager_test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-1150 Fix flaky TestStatusManager unit test (istio#478) Co-authored-by: Marko Lukša <marko.luksa@gmail.com> * OSSM-1252 Fix federation status updates (istio#512) * Copy federation privileges from base to istio-discovery * Remove unnecessary ServiceMeshExtensions CRD Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add model.NetworkGatewaysHandler to federation controller to implement AppendNetworkGatewayHandler Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [federation] MAISTRA-2640 Add federation integration test (istio#447) * Fix building federation test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add package gogo from maistra-2.2 to temporarily fix TbdsGenerator Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Disable configuring remote cluster in federation deployment Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [federation] OSSM-1128 Fix federation (istio#480) * Fix SecretCacheClient Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Send initial XDS request for trust bundle from proxy Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Disable using EndpointSlices to fix error on getting federation-egress endpoints Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove unused serviceMeshExtensionController Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix lint errors Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Update maistra CRDs Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * fedration_cp_version_update (istio#521) * OSSM-1529 Improve federation example script (istio#522) * OSSM-1529 Improve federation example install.sh Previously, the script would fall back to using nodeports when the load balancer IP wasn't set. This meant that if the provision of the load balancer took too long, the SMCPs would be misconfigured and you had to run the install script again. With this change, the script now waits for the load balancer IP to appear. It never falls back to using node ports, because they never really worked (the nodes' hostnames typically aren't FQDN and the node ports are typically protected by firewalls). If the user wants to expose the federation ingresses in a different way, they can now set the environment variables MESH1_ADDRESS, MESH1_DISCOVERY_PORT, and MESH2_SERVICE_PORT (likewise for MESH2) and run the script. * Update Federation example README * Better "Waiting for load balancer" message * OSSM-1211 Fix federation locality failover issues (istio#561) Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Signed-off-by: rcernich <rcernich@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com>
…stio#699) * [federation] Introduces federation deployment (istio#585) * [federation] Initial federation implementation * MAISTRA-2194 Add server/client code for Federation Service Discovery v1 * MAISTRA-2195 Implement /watch endpoint * MAISTRA-2293 add CRD and controller for federating meshes * MAISTRA-2294 create CRD for federation ServiceExport (istio#324) * MAISTRA-2294 update example VirtualService resources for ratings and mongodb (istio#333) * [federation] MAISTRA-2295 create CRD for federation ServiceImport (istio#336) Signed-off-by: rcernich <rcernich@redhat.com> * [misc] Use objects and clients from maistra/api repo - Remove local objects and clients - Update Makefile * [federation] MAISTRA-2309 create CRD for FederationStatus (istio#348) Signed-off-by: rcernich <rcernich@redhat.com> * [federation] Federation fixes and improvements MAISTRA-2423 update federation api to v1 Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2424 minor updates to federation api Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2427 configure locality info on imported services Signed-off-by: rcernich <rcernich@redhat.com> Cherry-pick multi-root support (istio#387) * Update go-control-plane to v0.9.9 * Support multiple roots Squashed commit, contains: - MAISTRA-2325 Distribute trust bundles over SDS - MAISTRA-2390 Push trust bundle updates through xDS (istio#357) MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (istio#392) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2426 move FederationStatus into MeshFederation (istio#393) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2513 federation API refinements Signed-off-by: rcernich <rcernich@redhat.com> [federation] MAISTRA-2237 Encrypt service discovery traffic (istio#411) MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (istio#422) MAISTRA-2297 Support updates of federation resources (istio#417) MAISTRA-2375: Do not create automatic routes for Federation Gateways Remove a redundant call `setHostname()` is already being called within `NameForService()` see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go lines 83, 120, 129 Remove techPreview.meshConfig from PoC example It's set by default now. MAISTRA-2611 Fix deletion of service exports to federated mesh (istio#421) Fix test MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (istio#437) * MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil * Fix test MAISTRA-2682 Fix watch mechanism in federation (istio#439) Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data. MAISTRA-2683 Properly close incoming watch connections when shutting down (istio#440) Log actual error returned by pollServices() (istio#441) Previously, instead of the actual error, only the following error message was logged: "expected condition not met". MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (istio#432) By taking into consideration the service annotation `networking.istio.io/exportTo`. This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/ If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported. MAISTRA-2617: Do not watch all namespaces in Extensions controller (istio#425) When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments. This fixes an istiod startup error as seen in the logs: ``` github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope ``` * Remove package export and extensions Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix creating discovery.Controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix calling nil ResourceManager Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove panicing from AppendNetworkGatewayHandler Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [misc] OSSM-774 Fix flaky TestStatusManager (istio#456) This adds a little sleep to our unit tests for the StatusManager, because without it, we're running into the issue that we're updating a ServiceMeshPeer's status very quickly, and in some cases it might be that the last change has not been propagated when we're generating the patch for the next status change, which can lead to failures. This can happen in the real world, but you would need to change a ServiceMeshPeer's status within a few milliseconds, I doubt that it affects users. It would also be fixed with the next status update. For those reasons, I'm only fixing it in the test, with a Sleep() call. * Refactor manager_test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-1150 Fix flaky TestStatusManager unit test (istio#478) Co-authored-by: Marko Lukša <marko.luksa@gmail.com> * OSSM-1252 Fix federation status updates (istio#512) * Copy federation privileges from base to istio-discovery * Remove unnecessary ServiceMeshExtensions CRD Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add model.NetworkGatewaysHandler to federation controller to implement AppendNetworkGatewayHandler Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [federation] MAISTRA-2640 Add federation integration test (istio#447) * Fix building federation test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add package gogo from maistra-2.2 to temporarily fix TbdsGenerator Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Disable configuring remote cluster in federation deployment Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [federation] OSSM-1128 Fix federation (istio#480) * Fix SecretCacheClient Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Send initial XDS request for trust bundle from proxy Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Disable using EndpointSlices to fix error on getting federation-egress endpoints Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove unused serviceMeshExtensionController Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix lint errors Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Update maistra CRDs Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * fedration_cp_version_update (istio#521) * OSSM-1529 Improve federation example script (istio#522) * OSSM-1529 Improve federation example install.sh Previously, the script would fall back to using nodeports when the load balancer IP wasn't set. This meant that if the provision of the load balancer took too long, the SMCPs would be misconfigured and you had to run the install script again. With this change, the script now waits for the load balancer IP to appear. It never falls back to using node ports, because they never really worked (the nodes' hostnames typically aren't FQDN and the node ports are typically protected by firewalls). If the user wants to expose the federation ingresses in a different way, they can now set the environment variables MESH1_ADDRESS, MESH1_DISCOVERY_PORT, and MESH2_SERVICE_PORT (likewise for MESH2) and run the script. * Update Federation example README * Better "Waiting for load balancer" message * OSSM-1211 Fix federation locality failover issues (istio#561) Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Signed-off-by: rcernich <rcernich@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com> * fix: removes deprecated gogo protobuf conversion * fix: goimport format * fix(lint): removes unused funcs * fix(lint): removes deprecated io/ioutil * fix(lint): disables staticcheck for federation tests it requires at least two clusters to make sense * fix(lint): use anypb.UnmarshalTo instead of ptypes * fix: no need to exclude grpcgen_test.go it seems to be fixed in v1.39 see: grpc/grpc-go#4476 * chore(backoff): aligns backoff dependency with v4 used by upstream * chore: reverts removed blank line - irrelevant for merge * chore(revive): adds explanation why json:inline is skipped from linting * OSSM-1962: Use EndpointSlices instead of Endpoints in federation controller (istio#614) Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-2049: Fix handling ServiceAccounts in federation controller (istio#627) * Fix collecting empty or repeated ServiceAccounts in federation controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Collect ServiceAccounts in sorted order Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-1093 Shorten exported resource name (istio#653) * Shorten exported resource name * Fix import createResourceName + unit tests * Rearrange unit tests + renaming function * Gen and lint * Rearrange unit tests + renaming function Gen and lint * Fix minor changes * Error message RFC 1123 * Reorganize structs in TestStatusManager Instead of having three arrays (events, expectedStatuses, and assertions), we now only have a single array, where each entry is a triplet containing the event, the expected status and the assertion. This allows you to see the event and its expected effects together and not have to scroll up and down, matching the indexes of the three arrays. * OSSM-2193 Fix flaky TestStatusManager See comment in https://issues.redhat.com/browse/OSSM-2193 to understand why this change fixes the test. * fix: runs make gen * chore: explains why staticcheck linter is disabled for federation_test * OSSM-728 Configuration scripts for Federation on Z and P, and bare metal (istio#670) * add config example scripts for IBM Systems Z and P * update multi-arch bookinfo deployment README, remove src * Update README.md * these are provided in the IBM repo * so README.md passes mdlinter * so README.md passes mdlinter * so README.md passes mdlinter * Update README.md * Move federation examples to samples/ directory * Rename template YAMLs to .yaml.template This makes the linter happy Co-authored-by: cfillekes <cfilleke@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> * chore: removes obsolute TODO * chore: simplifies bool return expression * chore: removes redundant kubeClient check if initialization fails this func will not be reached anyway * chore(pkg): moves kube ctrl under servicemesh pkg folder * OSSM-2338: Remove env ISTIO_META_ROUTER_MODE from federation test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-2338: Remove "routerMode: sni-dnat" from federation samples Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * fix: adds operator.go customizations to kube.go clearly with cherry-pick we lost information about the file rename and thus the changes we made specificually for testing federation got lost * fix(test/operator): checks if east-west gw needs to be deployed * fix(federation): uses Unwrap to get instance of Federation registry * fix(tests): sets istiod-less remote flag to false that was the behaviour for maistra-2.3 and we need istiod to be present in order to have federation working * chore: gets registry just before it is needed * chore: explains why istiodlessremotes is needed to be set to false * chore: removes redundant import aliases * chore: removes name collisions * chore: removes redundant type conversion * fix: disables staticcheck linter for cluster req tests. * fix(tests): reverts timeout to original (but in minutes) * fix(tests): removes extra logging * chore: removes unnecessary logging * fix: uses existing CRD file references in charts * chore: removes multicluster label * chore: uses built-in namespace.NewOrFail instead of our impl * chore: introduces defaultTimeout const for federation tests * fix(lint): fixes go imports * fix(lint): removes unused variable * fix: naively wait 5s hoping that kind network will show up Signed-off-by: rcernich <rcernich@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Co-authored-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com> Co-authored-by: bmangoen <bmangoen@redhat.com> Co-authored-by: cfillekes <cfilleke@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> OSSM-2376: Move kube controller to the federation package (istio#718) Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> OSSM-2376: Don't start federation controllers until informers have synced (istio#717) (istio#720) * OSSM-2376: Don't start federation-discovery-controller until kube informer has synced Federation discovery controller fetches config map with remote CA root cert, so if the controller started before the informer has synced, it would fail to fetch the config map. Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Store ConfigMap informer in a field of the discovery.Controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Refactor ResourceManager and don't start federation controller until informers has synced Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Simplify Start and HasSynced functions in federation controllers Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Move kube controller to the federation package Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Federation example fixes (istio#758) * Use default version in federation example SMCPs * Fix paths in federation example OSSM-3599 Federation egress-gateway gets wrong network gateway endpoints (istio#775) * OSSM-3599 Federation egress-gateway gets wrong update of network gateway endpoints * Deprecate GatewayEndpoints on server side * Remove resyncNetworkGateways in unit tests * Fix lint * Deprecate NetworkGatewayEndpoints and fix tests Refactor federation tests (istio#841) * Refactor federation tests Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add more test cases Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> --------- Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
…stio#844) * [federation] Introduces federation deployment (istio#585) * [federation] Initial federation implementation * MAISTRA-2194 Add server/client code for Federation Service Discovery v1 * MAISTRA-2195 Implement /watch endpoint * MAISTRA-2293 add CRD and controller for federating meshes * MAISTRA-2294 create CRD for federation ServiceExport (istio#324) * MAISTRA-2294 update example VirtualService resources for ratings and mongodb (istio#333) * [federation] MAISTRA-2295 create CRD for federation ServiceImport (istio#336) Signed-off-by: rcernich <rcernich@redhat.com> * [misc] Use objects and clients from maistra/api repo - Remove local objects and clients - Update Makefile * [federation] MAISTRA-2309 create CRD for FederationStatus (istio#348) Signed-off-by: rcernich <rcernich@redhat.com> * [federation] Federation fixes and improvements MAISTRA-2423 update federation api to v1 Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2424 minor updates to federation api Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2427 configure locality info on imported services Signed-off-by: rcernich <rcernich@redhat.com> Cherry-pick multi-root support (istio#387) * Update go-control-plane to v0.9.9 * Support multiple roots Squashed commit, contains: - MAISTRA-2325 Distribute trust bundles over SDS - MAISTRA-2390 Push trust bundle updates through xDS (istio#357) MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (istio#392) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2426 move FederationStatus into MeshFederation (istio#393) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2513 federation API refinements Signed-off-by: rcernich <rcernich@redhat.com> [federation] MAISTRA-2237 Encrypt service discovery traffic (istio#411) MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (istio#422) MAISTRA-2297 Support updates of federation resources (istio#417) MAISTRA-2375: Do not create automatic routes for Federation Gateways Remove a redundant call `setHostname()` is already being called within `NameForService()` see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go lines 83, 120, 129 Remove techPreview.meshConfig from PoC example It's set by default now. MAISTRA-2611 Fix deletion of service exports to federated mesh (istio#421) Fix test MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (istio#437) * MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil * Fix test MAISTRA-2682 Fix watch mechanism in federation (istio#439) Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data. MAISTRA-2683 Properly close incoming watch connections when shutting down (istio#440) Log actual error returned by pollServices() (istio#441) Previously, instead of the actual error, only the following error message was logged: "expected condition not met". MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (istio#432) By taking into consideration the service annotation `networking.istio.io/exportTo`. This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/ If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported. MAISTRA-2617: Do not watch all namespaces in Extensions controller (istio#425) When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments. This fixes an istiod startup error as seen in the logs: ``` github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope ``` * Remove package export and extensions Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix creating discovery.Controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix calling nil ResourceManager Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove panicing from AppendNetworkGatewayHandler Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [misc] OSSM-774 Fix flaky TestStatusManager (istio#456) This adds a little sleep to our unit tests for the StatusManager, because without it, we're running into the issue that we're updating a ServiceMeshPeer's status very quickly, and in some cases it might be that the last change has not been propagated when we're generating the patch for the next status change, which can lead to failures. This can happen in the real world, but you would need to change a ServiceMeshPeer's status within a few milliseconds, I doubt that it affects users. It would also be fixed with the next status update. For those reasons, I'm only fixing it in the test, with a Sleep() call. * Refactor manager_test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-1150 Fix flaky TestStatusManager unit test (istio#478) Co-authored-by: Marko Lukša <marko.luksa@gmail.com> * OSSM-1252 Fix federation status updates (istio#512) * Copy federation privileges from base to istio-discovery * Remove unnecessary ServiceMeshExtensions CRD Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add model.NetworkGatewaysHandler to federation controller to implement AppendNetworkGatewayHandler Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [federation] MAISTRA-2640 Add federation integration test (istio#447) * Fix building federation test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add package gogo from maistra-2.2 to temporarily fix TbdsGenerator Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Disable configuring remote cluster in federation deployment Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [federation] OSSM-1128 Fix federation (istio#480) * Fix SecretCacheClient Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Send initial XDS request for trust bundle from proxy Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Disable using EndpointSlices to fix error on getting federation-egress endpoints Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove unused serviceMeshExtensionController Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix lint errors Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Update maistra CRDs Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * fedration_cp_version_update (istio#521) * OSSM-1529 Improve federation example script (istio#522) * OSSM-1529 Improve federation example install.sh Previously, the script would fall back to using nodeports when the load balancer IP wasn't set. This meant that if the provision of the load balancer took too long, the SMCPs would be misconfigured and you had to run the install script again. With this change, the script now waits for the load balancer IP to appear. It never falls back to using node ports, because they never really worked (the nodes' hostnames typically aren't FQDN and the node ports are typically protected by firewalls). If the user wants to expose the federation ingresses in a different way, they can now set the environment variables MESH1_ADDRESS, MESH1_DISCOVERY_PORT, and MESH2_SERVICE_PORT (likewise for MESH2) and run the script. * Update Federation example README * Better "Waiting for load balancer" message * OSSM-1211 Fix federation locality failover issues (istio#561) Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Signed-off-by: rcernich <rcernich@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com> * fix: removes deprecated gogo protobuf conversion * fix: goimport format * fix(lint): removes unused funcs * fix(lint): removes deprecated io/ioutil * fix(lint): disables staticcheck for federation tests it requires at least two clusters to make sense * fix(lint): use anypb.UnmarshalTo instead of ptypes * fix: no need to exclude grpcgen_test.go it seems to be fixed in v1.39 see: grpc/grpc-go#4476 * chore(backoff): aligns backoff dependency with v4 used by upstream * chore: reverts removed blank line - irrelevant for merge * chore(revive): adds explanation why json:inline is skipped from linting * OSSM-1962: Use EndpointSlices instead of Endpoints in federation controller (istio#614) Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-2049: Fix handling ServiceAccounts in federation controller (istio#627) * Fix collecting empty or repeated ServiceAccounts in federation controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Collect ServiceAccounts in sorted order Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-1093 Shorten exported resource name (istio#653) * Shorten exported resource name * Fix import createResourceName + unit tests * Rearrange unit tests + renaming function * Gen and lint * Rearrange unit tests + renaming function Gen and lint * Fix minor changes * Error message RFC 1123 * Reorganize structs in TestStatusManager Instead of having three arrays (events, expectedStatuses, and assertions), we now only have a single array, where each entry is a triplet containing the event, the expected status and the assertion. This allows you to see the event and its expected effects together and not have to scroll up and down, matching the indexes of the three arrays. * OSSM-2193 Fix flaky TestStatusManager See comment in https://issues.redhat.com/browse/OSSM-2193 to understand why this change fixes the test. * fix: runs make gen * chore: explains why staticcheck linter is disabled for federation_test * OSSM-728 Configuration scripts for Federation on Z and P, and bare metal (istio#670) * add config example scripts for IBM Systems Z and P * update multi-arch bookinfo deployment README, remove src * Update README.md * these are provided in the IBM repo * so README.md passes mdlinter * so README.md passes mdlinter * so README.md passes mdlinter * Update README.md * Move federation examples to samples/ directory * Rename template YAMLs to .yaml.template This makes the linter happy Co-authored-by: cfillekes <cfilleke@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> * chore: removes obsolute TODO * chore: simplifies bool return expression * chore: removes redundant kubeClient check if initialization fails this func will not be reached anyway * chore(pkg): moves kube ctrl under servicemesh pkg folder * OSSM-2338: Remove env ISTIO_META_ROUTER_MODE from federation test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-2338: Remove "routerMode: sni-dnat" from federation samples Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * fix: adds operator.go customizations to kube.go clearly with cherry-pick we lost information about the file rename and thus the changes we made specificually for testing federation got lost * fix(test/operator): checks if east-west gw needs to be deployed * fix(federation): uses Unwrap to get instance of Federation registry * fix(tests): sets istiod-less remote flag to false that was the behaviour for maistra-2.3 and we need istiod to be present in order to have federation working * chore: gets registry just before it is needed * chore: explains why istiodlessremotes is needed to be set to false * chore: removes redundant import aliases * chore: removes name collisions * chore: removes redundant type conversion * fix: disables staticcheck linter for cluster req tests. * fix(tests): reverts timeout to original (but in minutes) * fix(tests): removes extra logging * chore: removes unnecessary logging * fix: uses existing CRD file references in charts * chore: removes multicluster label * chore: uses built-in namespace.NewOrFail instead of our impl * chore: introduces defaultTimeout const for federation tests * fix(lint): fixes go imports * fix(lint): removes unused variable * fix: naively wait 5s hoping that kind network will show up Signed-off-by: rcernich <rcernich@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Co-authored-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com> Co-authored-by: bmangoen <bmangoen@redhat.com> Co-authored-by: cfillekes <cfilleke@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> OSSM-2376: Move kube controller to the federation package (istio#718) Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> OSSM-2376: Don't start federation controllers until informers have synced (istio#717) (istio#720) * OSSM-2376: Don't start federation-discovery-controller until kube informer has synced Federation discovery controller fetches config map with remote CA root cert, so if the controller started before the informer has synced, it would fail to fetch the config map. Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Store ConfigMap informer in a field of the discovery.Controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Refactor ResourceManager and don't start federation controller until informers has synced Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Simplify Start and HasSynced functions in federation controllers Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Move kube controller to the federation package Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Federation example fixes (istio#758) * Use default version in federation example SMCPs * Fix paths in federation example OSSM-3599 Federation egress-gateway gets wrong network gateway endpoints (istio#775) * OSSM-3599 Federation egress-gateway gets wrong update of network gateway endpoints * Deprecate GatewayEndpoints on server side * Remove resyncNetworkGateways in unit tests * Fix lint * Deprecate NetworkGatewayEndpoints and fix tests Refactor federation tests (istio#841) * Refactor federation tests Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add more test cases Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Reimplement InstancesByPort method `InstancesByPort` is used by the federation server, which was removed in the upstream istio#46329. We reimplement it to support the federation server. --------- Co-authored-by: Bartosz Majsak <bartosz.majsak@gmail.com> Co-authored-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <yuanlin.xu@redhat.com> Co-authored-by: Brian Mangoenpawiro <bmangoen@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> Signed-off-by: Yann Liu <yannliu@redhat.com>
…io#333) Signed-off-by: Yann Liu <yannliu@redhat.com>
Fixes #327