Giter VIP home page Giter VIP logo

sail-operator's Introduction

Sail-operator

The Sail-operator manages the lifecycle of your Istio control plane. It provides custom resources for you to deploy and manage your control plane components.

User Documentation

This document aims to provide an overview of the project and some information for contributors. For information on how to use the operator, take a look at the User Documentation.

Table of Contents

How it works

You manage your controlplane through an Istio resource.

apiVersion: operator.istio.io/v1alpha1
kind: Istio
metadata:
  name: example
spec:
  namespace: istio-system
  version: v1.22.0

When you create an Istio resource, the sail operator then creates an IstioRevision that represents a control plane deployment.

apiVersion: operator.istio.io/v1alpha1
kind: IstioRevision
metadata:
  name: example
  ...
spec:
  namespace: istio-system
  version: v1.22.0
status:
  ...
  state: Healthy

You can customize your controlplane installation through the Istio resource using Istio's Helm configuration values:

apiVersion: operator.istio.io/v1alpha1
kind: Istio
metadata:
  name: example
spec:
  version: v1.20.0
  values:
    global:
      mtls:
        enabled: true
      trustDomainAliases:
      - example.net
    meshConfig:
      trustDomain: example.com
      trustDomainAliases:
      - example.net

Getting Started

You’ll need a Kubernetes cluster to run against. You can use KIND to get a local cluster for testing, or run against a remote cluster. Note: Your controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster kubectl cluster-info shows).

Deploying the operator

Deploy the operator to the cluster:

make deploy

Alternatively, you can deploy the operator using OLM:

make deploy-olm

Make sure that the HUB and TAG environment variables point to your container image repository and that the repository is publicly accessible.

Deploying the Istio Control Plane

Create an instance of the Istio resource to install the Istio Control Plane.

Use the istio-sample-kubernetes.yaml file on vanilla Kubernetes:

# Namespace must exist prior to creating istio resource
kubectl get ns istio-system || kubectl create ns istio-system
kubectl apply -f chart/samples/istio-sample-kubernetes.yaml

Use the istio-sample-openshift.yaml file on OpenShift:

# Namespace must exist prior to creating istio resource
kubectl get ns istio-system || kubectl create ns istio-system
kubectl apply -f chart/samples/istio-sample-openshift.yaml

On OpenShift, you must also deploy the Istio CNI plugin by creating an instance of the IstioCNI resource:

kubectl apply -f chart/samples/istiocni-sample.yaml

View your controlplane:

kubectl get istio default

Undeploying the operator

Undeploy the operator from the cluster:

make undeploy

Development

This project aims to follow the Kubernetes Operator pattern.

It uses Controllers, which provide a reconcile function responsible for synchronizing resources until the desired state is reached on the cluster.

Repository Setup

We're using gitleaks to scan the repository for secrets. After cloning, please enable the pre-commit hook by running make git-hook. This will make sure that gitleaks scans your contributions before you push them to GitHub, avoiding any potential secret leaks.

make git-hook

You will also need to sign off your commits to this repository. This can be done by adding the -s flag to your git commit command. If you want to automate that for this repository, take a look at .git/hooks/prepare-commit-msg.sample, it contains an example to do just that.

Test It Out

  1. Install the CRDs into the cluster:
make install
  1. Run your controller (this will run in the foreground, so switch to a new terminal if you want to leave it running):
make run

NOTE: You can also run this in one step by running: make install run

Modifying the API definitions

If you are editing the API definitions, generate the manifests such as CRs or CRDs using:

make manifests

NOTE: Run make help for more information on all potential make targets

More information can be found via the Kubebuilder Documentation

Writing Tests

Please try to keep business logic in separate packages that can be independently tested wherever possible, especially if you can avoid the usage of Kubernetes clients. It greatly simplifies testing if we don't need to use envtest everywhere.

E2E and integration tests should use the ginkgo-style BDD testing method, an example can be found in tests/integration/api/istio_test.go for the test code and suite setup in tests/integration/api/suite_test.go. Unit tests should use standard golang xUnit-style tests (see pkg/kube/finalizers_test.go for an example).

Integration Tests

Please check the specific instructions for the integration tests in the integration directory.

To run the integration tests, you can use the following command:

make test.integration

End-to-End Tests

Please check the specific instructions for the end-to-end tests in the e2e directory.

To run the end-to-end tests, you can use the following command:

make test.e2e.kind

or

make test.e2e.ocp

Community Support and Contributing

Please refer to the CONTRIBUTING-SAIL-PROJECT.md file for more information on how to contribute to the sail-operator project. This file contains all the information you need to get started with contributing to the project.

Issue management

Please refer to the ISSUE-MANAGEMENT.md file for more information on how to report bugs and feature requests to the sail-operator team.

If you found a bug in Istio, please refer to the Istio GitHub repository

sail-operator's People

Contributors

asmigala avatar bmangoen avatar deandoyle1502 avatar dgn avatar filipb avatar fjglira avatar istio-testing avatar jwendell avatar longmuir avatar luksa avatar maistra-bot avatar maleck13 avatar mattmahoneyrh avatar nrfox avatar rh-tokeefe avatar sridhargaddam avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

jwendell openshift-service-mesh maistra-bot istio-testing fjglira luksa dgn bmangoen rh-tokeefe nrfox filipb asmigala sridhargaddam

sail-operator's Issues

Create user documentation under /docs

We'll need to update our user documentation, as the README.md doesn't cover all of the features of the sail-operator anymore. It should be in Markdown and cover all major features and API resources.

Add current multi-cluster support / instructions to user docs

Is this the right place to submit this?

  • This is not a question about how to use the sail-operator

Feature Description

Current state of support for multi-cluster deployments should be added to the user docs along with installation instructions for what is currently supported (primary-primary).

Additional Information

No response

Support use of istio-injection label in RevisionBased deployments

Currently, we do not support the use of the istio-injection label when using the RevisionBased updateStrategy type. Instead, users have to use the istio.io/rev label to select workloads or namespaces for injection. We should make sure that the operator sets the default revision to the currently active revision so that the istio-injection label can be used.

[FEATURE] Operator runs without istio CRDs installed

Is this the right place to submit this?

  • This is not a question about how to use the sail-operator

Feature Description

As part of primary-remote support, the operator should be able to run / reconcile the sail CRDs without the istio CRDs installed in the cluster.

Additional Information

No response

Update documentation about Way of Work

We need to update the information in the repository about the Ways to Work in the project. This will be based in the documentation that we already agree and adding valuable information that is already created in the upstream documentation for Istio

Automatic helm chart releases

Whenever we create a release, we'll also want to create a helm chart tarball that we can release e.g. here on GitHub releases

Acceptance Criteria:

  • generate a Helm chart tarball when a new tag is created in the repository
  • upload the Helm chart tarball to GitHub Releases
  • tests:
    • verify that the chart installs correctly
    • chart linting

Verify that user has required privileges to install Istio

Feature Description

We will need to verify that the user has the required privileges to run an instance of Istio. In the past, we verified this using a SubjectAccessReview check. We might have to do something similar.

Acceptance Criteria

  • verify that users can not perform privilege escalation through the operator

e2e multicluster tests

There needs to be e2e tests to ensure you can use the Sail operator and APIs to setup a multicluster istio deployment. The tests need to cover setting up:

  1. multi-primary
  2. primary-remote
  3. external controlplane

These e2e tests should:

v1.20.3 does not work on OpenShift

It looks like the openshift profile is broken.

Deploying workloads fails during injection:

2m7s        Warning   FailedCreate        replicaset/productpage-v1-78dd566f6f   Error creating: pods "productpage-v1-78dd566f6f-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .initContainers[0].runAsUser: Invalid value: 0: must be in the ranges: [1000680000, 1000689999], provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "NET_ADMIN": capability may not be added, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "NET_RAW": capability may not be added, provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

It looks like istio_cni.enabled is not set to true

Add templates for Issues

We need to add templates to define the different types of issues that we want to add to this project. Initially, we will create templates for feature requests, bugs and Epics

Wrong image pushed when using bundle-push

The bundle-push target calls the docker-push target, which in turn depends on docker-build.

The effect of this is that when running make bundle-push, the operator image is built and pushed under the -bundle tag.

Change version to 0.1

Instead of 3.0.0 (the downstream version), the version should be set to 0.1.0.

This should also include making sure that the nightly builds will go to a 0.1-nightly channel going forward.

Verify that users have privileges to deploy Istio, IstioCNI

In the past, we performed a SubjectAccessReview on behalf of the user who created/modified the CR in order to find out whether they have the required privileges. We don't currently do this in sail-operator, which is a potential security issue as it could enable privilege escalation.

Update the main README with more user focused info

Is this the right place to submit this?

  • This is not a question about how to use the sail-operator

Feature Description

Most of the user facing information for what the sail operator is and how to use it is located in the bundle/README. Whereas the information under the main README is focused more towards developers of the operator. The user facing information should be moved (or at least copied) to the main README and the developer focused information can either move to its own section in the README or can move to a separate README.

Additional Information

No response

Improve debug information when e2e test run fail

Now we have some debug information when the e2e test run fails, but we need to improve and add more information that can be helpful to detect earlier the failure.

Current debug information:

  • Istio CR Yaml
  • Pods in Istio CR namespace
  • Logs from sail-operator pod
  • Logs from istiod pod

We need to add more debugging information as:

  • Operator Pod YAML
  • OC describe
  • More logs if possible

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.