Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix istioctl deployment #371

Merged
merged 3 commits into from
Dec 14, 2023
Merged

fix istioctl deployment #371

merged 3 commits into from
Dec 14, 2023

Conversation

eguzki
Copy link
Contributor

@eguzki eguzki commented Dec 11, 2023

When running with ISTIO_INSTALL_SAIL=false make local-setup two ingress gateways are present, one with type NodePort, the other created for the GWAPI Gateway as a LoadBalancer service (which never gets accepted as there is no load balancer provisioner).

We need to install metallb for istioctl installs as well as remove the old gateway.

@adam-cattermole adam-cattermole added the priority/must Required for the release to happen label Dec 11, 2023
Copy link

codecov bot commented Dec 11, 2023

Codecov Report

Merging #371 (371fd4f) into main (13c75de) will decrease coverage by 0.83%.
Report is 10 commits behind head on main.
The diff coverage is n/a.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #371      +/-   ##
==========================================
- Coverage   66.14%   65.32%   -0.83%     
==========================================
  Files          35       35              
  Lines        3843     3795      -48     
==========================================
- Hits         2542     2479      -63     
- Misses       1113     1124      +11     
- Partials      188      192       +4     
Flag Coverage Δ
integration 70.92% <ø> (-1.14%) ⬇️
unit 58.90% <ø> (-0.65%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
api/v1beta1 (u) ∅ <ø> (∅)
pkg/common (u) 76.92% <ø> (ø)
pkg/istio (u) 37.11% <ø> (ø)
pkg/log (u) 31.81% <ø> (ø)
pkg/reconcilers (u) 33.21% <ø> (ø)
pkg/rlptools (u) 56.46% <ø> (ø)
controllers (i) 70.92% <ø> (-1.14%) ⬇️

see 7 files with indirect coverage changes

@adam-cattermole adam-cattermole marked this pull request as ready for review December 11, 2023 15:16
@adam-cattermole adam-cattermole requested a review from a team as a code owner December 11, 2023 15:16
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure is it just me, but the curl command curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i is not resolving when running it 🤔

curl: (28) Failed to connect to 172.18.200.0 port 80 after 75004 ms: Couldn't connect to server

Seems to be happening on main also for me. Forwarding the port gives:

Error from server (NotFound): services "istio-ingressgateway" not found 

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@KevFan What's the status of the gateway?

kubectl get gtw -n istio-system istio-ingressgateway -o yaml

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the status of the gateway:

addresses:
  - type: IPAddress
    value: 172.18.200.0
conditions:
  - lastTransitionTime: "2023-12-12T10:30:27Z"
    message: Resource accepted
    observedGeneration: 1
    reason: Accepted
    status: "True"
    type: Accepted
  - lastTransitionTime: "2023-12-12T10:30:35Z"
    message: Resource programmed, assigned to service(s) istio-ingressgateway-istio.istio-system.svc.cluster.local:80
    observedGeneration: 1
    reason: Programmed
    status: "True"
    type: Programmed
listeners:
  - attachedRoutes: 1
    conditions:
      - lastTransitionTime: "2023-12-12T10:30:27Z"
        message: No errors found
        observedGeneration: 1
        reason: Accepted
        status: "True"
        type: Accepted
      - lastTransitionTime: "2023-12-12T10:30:27Z"
        message: No errors found
        observedGeneration: 1
        reason: NoConflicts
        status: "False"
        type: Conflicted
      - lastTransitionTime: "2023-12-12T10:30:27Z"
        message: No errors found
        observedGeneration: 1
        reason: Programmed
        status: "True"
        type: Programmed
      - lastTransitionTime: "2023-12-12T10:30:27Z"
        message: No errors found
        observedGeneration: 1
        reason: ResolvedRefs
        status: "True"
        type: ResolvedRefs
    name: http
    supportedKinds:
      - group: gateway.networking.k8s.io
        kind: HTTPRoute
      - group: gateway.networking.k8s.io
        kind: GRPCRoute

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, that is the issue when deployed with ISTIO_INSTALL_SAIL=false, for some unknown reason, the gateway status does not export the same info. Therefore, the path walking specified is not working as expected,

export INGRESS_HOST=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.status.addresses[0].value}')
export INGRESS_PORT=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')

Copy link
Member

@adam-cattermole adam-cattermole Dec 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The info is there for me for the changes in this branch:

ISTIO_INSTALL_SAIL=false make local-setup
kubectl get gtw -n istio-system istio-ingressgateway -o yaml
spec:
  gatewayClassName: istio
  listeners:
  - allowedRoutes:
      namespaces:
        from: All
    name: http
    port: 80
    protocol: HTTP
status:
  addresses:
  - type: IPAddress
    value: 172.19.200.0
export INGRESS_HOST=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.status.addresses[0].value}')
export INGRESS_PORT=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
echo $GATEWAY_URL
172.19.200.0:80

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After you added the metallb LB, the LoadBalancer type service got the required address and the gateway resource has status.address field. When the LB service does not get the required address, the status does not have the addresses field

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@KevFan I might be adding unneeded noise here. istio-ingressgateway is no longer the name of the service. Now it is istio-ingressgateway-istio.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

working for me now

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Following up with this, Adam found that aside from the service name is now istio-ingressgateway-istio, port forwarding is necessary for macOS systems as docker cant access loadbalancer ip (which is explained by https://github.com/chipmk/docker-mac-net-connect and as an alternative to port forwarding the service).

We're going with keeping the existing note for users might need to port forward instead of suggesting macOS users to have https://github.com/chipmk/docker-mac-net-connect installed as a prerequiste since the port forward approach is more generic

@alexsnaps alexsnaps added this to the v0.6.0 milestone Dec 12, 2023
Makefile Outdated Show resolved Hide resolved
doc/user-guides/authenticated-rl-for-app-developers.md Outdated Show resolved Hide resolved
doc/user-guides/simple-rl-for-app-developers.md Outdated Show resolved Hide resolved
> ```sh
> kubectl port-forward -n istio-system service/istio-ingressgateway 9080:80 2>&1 >/dev/null &
> export GATEWAY_URL=localhost:9080
> curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toys -i
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick: I like this one more

curl --resolve api.toystore.com:9080:127.0.0.1 -v "http://api.toystore.com:9080/toys -i

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm I kinda thought this would be nice to set the GATEWAY_URL for the rest of the guide where they can copy paste the commands. I can update this single occurrence though if you think it makes sense?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was not about the GATEWAY_URL. This one also works for me

curl --resolve api.toystore.com:$INGRESS_PORT:$INGRESS_HOST -v "http://api.toystore.com:$INGRESS_PORT/toys -i

Copy link
Member

@adam-cattermole adam-cattermole Dec 13, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm sorry I don't think I follow; if we're removing the use of the GATEWAY_URL var in this one curl command doesn't that obfuscate the usage for the others. Shouldn't we make them all match? is that the suggestion, remove the GATEWAY_URL and make all of the curl commands follow this above? and then set INGRESS_HOST and _PORT for both port-forward and non-port-forward requests?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's a nitpick. I just wanted to point out that using --resolve flag of curl is better than setting the Host header. If it makes more sense as you say, go with it.

Copy link
Contributor

@KevFan KevFan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Something minor. Seems some guides use /toys endpoint, while others use /toy

doc/user-guides/authenticated-rl-for-app-developers.md Outdated Show resolved Hide resolved
Copy link
Contributor

@KevFan KevFan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me !

@eguzki
Copy link
Contributor Author

eguzki commented Dec 13, 2023

I get an error when reading the port

❯ kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.spec.listeners[?(@.name==http)].port}'
error: error executing jsonpath "{.spec.listeners[?(@.name==http)].port}": Error executing template: unrecognized identifier http. Printing more information for debugging the template:
	template was:
		{.spec.listeners[?(@.name==http)].port}
	object given to jsonpath engine was:
....

I think it can be fixed with

export INGRESS_PORT=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')

@adam-cattermole
Copy link
Member

Thanks @eguzki, good spot - fixed it now

@eguzki
Copy link
Contributor Author

eguzki commented Dec 13, 2023

LGTM (I am the original author, so I cannot approve it)

@adam-cattermole adam-cattermole merged commit 78b3b9e into main Dec 14, 2023
22 checks passed
@adam-cattermole adam-cattermole deleted the fix-istioctl-deployment branch December 14, 2023 10:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
priority/must Required for the release to happen
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

4 participants