helm: mixer cluster tuning #5568
Conversation
Signed-off-by: Kuat Yessenov <kuat@google.com>
4597a8b to
c92248d
Compare
| name: istio-policy | ||
| namespace: {{ .Release.Namespace }} | ||
| spec: | ||
| name: istio-policy.{{ .Release.Namespace }}.svc.cluster.local |
There was a problem hiding this comment.
@rshriram is this how it is supposed to work? how do we verify this takes effect without stressing the system?
There was a problem hiding this comment.
Set the maxRequests and maxReq/conn values to absurdly low numbers so that even moderate stress will cause the same issue.
Since this is simply restoring the config that has always existed, I don't think we need to do the above test.
There was a problem hiding this comment.
As mandar says. Also you can dump proxy config (/debug/adsz) to see it it shows up.
There was a problem hiding this comment.
You should also set mTLS here if using control plane auth.
There was a problem hiding this comment.
Ping. Does CDS respect the override relative to data plane auth flag?
|
Per Costin there is no control plane auth flag anymore. It's equivalent
with the regular data plane auth flag.
…On Fri, May 11, 2018, 6:58 PM Shriram Rajagopalan ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In install/kubernetes/helm/istio/charts/pilot/templates/config.yaml
<#5568 (comment)>:
> @@ -0,0 +1,28 @@
+{{ define "config.yaml.tpl" }}
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: istio-policy
+ namespace: {{ .Release.Namespace }}
+spec:
+ name: istio-policy.{{ .Release.Namespace }}.svc.cluster.local
You should also set mTLS here if using control plane auth.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#5568 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AJGIxn5-xqJrm4zg_Ak6Lv2ByKq5Ymqpks5txkHYgaJpZM4T8EG7>
.
|
| @@ -0,0 +1,28 @@ | |||
| {{ define "config.yaml.tpl" }} | |||
There was a problem hiding this comment.
This should go in the mixer chart ( it's not specific to pilot )
There was a problem hiding this comment.
No, mixer does not define these CRDs so it is inappropriate to submit pilot CRs in mixer helm chart. How would isolated mixer install work?
There was a problem hiding this comment.
Use 'pilot.enabled' to exclude - if mixer can run without pilot.
There was a problem hiding this comment.
This is not about enablement, but the fact that CRDs are defined in pilot.
There was a problem hiding this comment.
@costinm if pilot.enabled=false the CRD job would not be rendered.
There was a problem hiding this comment.
If pilot.enabled is false istio won't work.
We can move the CRDs to the top - but that's not really a priority, in 0.8 we don't support istio without pilot.
| @@ -0,0 +1,14 @@ | |||
| apiVersion: v1 | |||
There was a problem hiding this comment.
What is this ? Why in pilot ?
There was a problem hiding this comment.
This is the standard way to install CRs. Helm applies YAMLs in an arbitrary order, so you have to do round-about way to force ordering with hooks.
There was a problem hiding this comment.
Did you test with helm template as well ( i.e. no helm ) ?
There was a problem hiding this comment.
No, I don't have a way to run locally. CI/CD passed the tests.
|
I repeat that we cannot move pilot config to mixer. If mixer is installed prior to pilot by helm, then it will fail. |
|
Order is not guaranteed - moving all crds in pilot template doesn't guarantee they'll be run before pilot is ready. |
|
And those are not 'pilot configs' - but istio configs. Pilot may not run at all, or some other implementation may be used - but configs should still be installed |
|
I'm not sure I understand what you're saying. Please take over this PR and submit at your will. |
|
Just move the configs to mixer. |
There was a problem hiding this comment.
@kyessenov when we originally did this work, we put all of the pilot CRDs in mixer. I'm not really sure why they ended up there rather than pilot (which is what creates the CRDs which is what I think your arguing related to configmaps). The technique of just adding the configmaps to mixer should be fine for now, as the hacky workaround we have for this problem until Helm solves it properly.
| @@ -0,0 +1,28 @@ | |||
| {{ define "config.yaml.tpl" }} | |||
There was a problem hiding this comment.
@costinm if pilot.enabled=false the CRD job would not be rendered.
|
Also the filename is
|
Codecov Report
@@ Coverage Diff @@
## release-0.8 #5568 +/- ##
============================================
+ Coverage 73% 74% +1%
============================================
Files 322 324 +2
Lines 27609 27479 -130
============================================
- Hits 20140 20074 -66
+ Misses 6681 6609 -72
- Partials 788 796 +8
Continue to review full report at Codecov.
|
|
@sdake Are you sure that pilot's CRDs are defined in mixer helm chart? https://github.com/istio/istio/blob/master/install/kubernetes/helm/istio/charts/pilot/templates/crds.yaml#L52 |
|
@sdake Regarding the naming: I have followed what mixer does about the same problem (submitting CRs after CRDs), so the name is like this for consistency mostly. |
|
@sdake Mixer job only defines Mixer CRs. It is best to keep CRs with the component that defines CRDs for it. Since |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sdake The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
This is not an issue for an alternative implementation of pilot. Using mixer standalone with direct API does not need any pilot configs. |
|
@kyessenov: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Fixing #5635 - I noticed you may need a patch verb addition. |
|
@sdake Yeah, "patch" would be useful. Don't think it's going to break anything now, since this is the first config that comes with pilot by default. |
|
@kyessenov re patch, your right not needed for this particular patch, however, it appears with Kubernetes 1.10+ a security vulnerability was repaired which permitted patching a CRD without proper RBAC rules. This will need to go into a follow-on patch if you don't mind so upgrade from 0.8 to 1.0 works properly. Cheers |
|
I abandoned this PR. |
Copied 10k max requests setting (increase from 1024) for mixer clusters.
Fixes #5546