-
Notifications
You must be signed in to change notification settings - Fork 91
Implement Istio sidecar initializer #1041
Changes from 5 commits
5e633bd
5821103
edccd4d
cd6a2d2
634d97e
ea5355a
e418f33
0ceff20
0c21943
fa370bd
664fdc2
67a49a0
2910770
2e75453
ffedeb6
e6ebaa8
58f5137
dc88338
3c9d1d1
6441f47
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library") | ||
|
||
go_library( | ||
name = "go_default_library", | ||
srcs = ["main.go"], | ||
visibility = ["//visibility:private"], | ||
deps = [ | ||
"//cmd:go_default_library", | ||
"//platform/kube:go_default_library", | ||
"//platform/kube/inject:go_default_library", | ||
"//tools/version:go_default_library", | ||
"@com_github_davecgh_go_spew//spew:go_default_library", | ||
"@com_github_golang_glog//:go_default_library", | ||
"@com_github_hashicorp_go_multierror//:go_default_library", | ||
"@com_github_spf13_cobra//:go_default_library", | ||
"@io_k8s_api//core/v1:go_default_library", | ||
], | ||
) | ||
|
||
go_binary( | ||
name = "sidecar-initializer", | ||
library = ":go_default_library", | ||
visibility = ["//visibility:public"], | ||
) |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,111 @@ | ||
// Copyright 2017 Istio Authors | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package main | ||
|
||
import ( | ||
"fmt" | ||
"os" | ||
"time" | ||
|
||
"k8s.io/api/core/v1" | ||
|
||
"istio.io/pilot/cmd" | ||
"istio.io/pilot/platform/kube" | ||
"istio.io/pilot/platform/kube/inject" | ||
"istio.io/pilot/tools/version" | ||
|
||
"github.com/davecgh/go-spew/spew" | ||
"github.com/golang/glog" | ||
multierror "github.com/hashicorp/go-multierror" | ||
"github.com/spf13/cobra" | ||
) | ||
|
||
func getRootCmd() *cobra.Command { | ||
flags := struct { | ||
kubeconfig string | ||
meshconfig string | ||
hub string | ||
tag string | ||
namespace string | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Does this enable initializer for a given namespace? If so, won't we need one initializer per namespace? Is there a possibility to watch some config map or something to pick up namespaces enabled for Istio? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The initializer is enabled with the InitializerConfiguration resource. InitializerConfiguration is cluster scoped and there is no way through that to restrict which namespace(s) require initialization - its all or nothing. Some proposals to fix this problem are documented here but nothing is designed/implemented. This |
||
policy string | ||
resyncPeriod time.Duration | ||
}{} | ||
|
||
root := &cobra.Command{ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. s/root/rootCmd |
||
Use: "sidecar-initializer", | ||
Short: "Kubernetes initializer for Istio sidecar", | ||
RunE: func(*cobra.Command, []string) error { | ||
switch inject.InjectionPolicy(flags.policy) { | ||
case inject.InjectionPolicyOff, inject.InjectionPolicyOptIn, inject.InjectionPolicyOptOut: | ||
default: | ||
return fmt.Errorf("unknown namespace injection policy: %v", flags.policy) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit. unknown injection policy. (omit the namespace) |
||
} | ||
|
||
client, err := kube.CreateInterface(flags.kubeconfig) | ||
if err != nil { | ||
return multierror.Prefix(err, "failed to connect to Kubernetes API.") | ||
} | ||
|
||
glog.V(2).Infof("version %s", version.Line()) | ||
glog.V(2).Infof("flags %s", spew.Sdump(flags)) | ||
|
||
// receive mesh configuration | ||
mesh, err := cmd.ReadMeshConfig(flags.meshconfig) | ||
if err != nil { | ||
return multierror.Prefix(err, "failed to read mesh configuration.") | ||
} | ||
|
||
options := inject.InitializerOptions{ | ||
ResyncPeriod: flags.resyncPeriod, | ||
Hub: flags.hub, | ||
Tag: flags.tag, | ||
Namespace: flags.namespace, | ||
|
||
InjectionPolicy: inject.InjectionPolicy(flags.policy), | ||
} | ||
initializer := inject.NewInitializer(client, mesh, options) | ||
|
||
stop := make(chan struct{}) | ||
go initializer.Run(stop) | ||
cmd.WaitSignal(stop) | ||
|
||
return nil | ||
}, | ||
} | ||
|
||
root.PersistentFlags().StringVar(&flags.hub, "hub", "docker.io/istio", "Docker hub") | ||
root.PersistentFlags().StringVar(&flags.tag, "tag", "0.1", "Docker tag") | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Make 0.2 default since this is unlikely to work with 0.1. |
||
root.PersistentFlags().StringVar(&flags.namespace, "namespace", | ||
v1.NamespaceDefault, "Namespace managed by initializer") | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Should "all" be default? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I went back and forth on the default here ."all" is a reasonable default for cluster-wide installations of Istio. It causes problems for namespace isolated installs. For internal testing we override it anyway so maybe its reasonable for cluster-wide installs to leave this as "all" to avoid broken deployments. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Let's use "all". "default" is not really default in the k8s context. |
||
root.PersistentFlags().StringVar(&flags.policy, "policy", | ||
string(inject.InjectionPolicyOff), "default injection policy") | ||
|
||
root.PersistentFlags().StringVar(&flags.kubeconfig, "kubeconfig", "", | ||
"Use a Kubernetes configuration file instead of in-cluster configuration") | ||
root.PersistentFlags().StringVar(&flags.meshconfig, "meshConfig", "/etc/istio/config/mesh", | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think I call it "meshconfig" in other places. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Discovery and Istioctl use "meshConfig". The agent uses "meshconfig". I'm happy to make this consistent with either - let me know :) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. let's rename both to meshconfig to be consistent with kubeconfig. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Changed to |
||
fmt.Sprintf("File name for Istio mesh configuration")) | ||
root.PersistentFlags().DurationVar(&flags.resyncPeriod, "resync", time.Duration(0), | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. is 0 resync reliable enough? maybe make it a few minutes? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't know. I'll increase to 30 seconds just in case. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. for cluster-wide, probably 5 minutes is enough time not to overwhelm the config server. |
||
"Initializers resync interval") | ||
|
||
cmd.AddFlags(root) | ||
|
||
return root | ||
} | ||
|
||
func main() { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Just nit, is it possible to update this file a bit to keep consistent with other files as following format?
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I prefer this approach which limits the use of global variables. |
||
if err := getRootCmd().Execute(); err != nil { | ||
os.Exit(-1) | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -2,3 +2,4 @@ client | |
server | ||
pilot-agent | ||
pilot-discovery | ||
sidecar-initializer |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
FROM scratch | ||
ADD sidecar-initializer /usr/local/bin/ | ||
ENTRYPOINT ["/usr/local/bin/sidecar-initializer"] | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You probably want some TLS certs here (assuming we need to talk to something other than kube API) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The current version only ever interacts with the k8s apiserver via patch/list/watch. It uses the in-cluster config similar to pilot discovery service. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ok, then it's fine. Running out of cluster would not use docker anyways. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
missing copyright?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We haven't been adding copyright to the BUILD files.