istio-ecosystem / wharf-multicluster-sync Goto Github PK

View Code? Open in Web Editor NEW

4.0 4.0 6.0 8.03 MB

wharf-multicluster-sync: User friendly Multicluster Istio configuration

License: Apache License 2.0

Makefile 2.25% Go 94.41% Dockerfile 0.08% Shell 3.25%

wharf-multicluster-sync's People

Contributors

Stargazers

Watchers

Forkers

mbanikazemi fabolive knrc gyliu513 kalantar sergiopozoh

wharf-multicluster-sync's Issues

Run root CA on one of the other clusters

Find a way to run the root CA on one of the clusters rather than its own.

Server-side Istio resources created in default namespace

To reproduce, create a non-default ServiceExpositionPolicy

apiVersion: multicluster.istio.io/v1alpha1
kind: ServiceExpositionPolicy
metadata:
  annotations:
  name: ratings
  namespace: bookinfo
spec:
  exposed:
  - name: ratings
    port: 9080

Run the CLI tool:
mc-tool --filename /tmp/ratings_sep.yaml --mc-conf-filename /tmp/mc-config.yaml

The stdout Istio config will be in the default, not bookinfo, namespace.

E2e tests

Use Istio's testing framework (with its preliminary support for Multi-Cluster) to conduct an e2e test.
Test should be able to run on CircleCI.

Experiment running the POC without CRDs

Following community feedback, examine the implications of running the same POC scenarios with:

Replacing the ServiceExpositionPolicy with service annotations
Replacing the RemoteServiceBinding with ServiceEntry. May require modifying the ServiceEntry definition.

Tutorial agents fail with "Peer agent [cluster2] is not accessible. response status code is not OK"

The agents are running servers, and the servers do what is expected:

kubectl --context $CLUSTER2 -n istio-system exec -it mc-agent-6b5cd56595-5gcxc -- wget -O - mc-agent.istio-system.svc.cluster.local:8999/exposed/cluster1

However the services are not exposed to the outside. I get 503s

curl  169.62.214.226:80/exposed/cluster1
upstream connect error or disconnect/reset before headers

The error is 503.

I see a VirtualService directing /exposed to mc-agent.istio-system.svc.cluster.local port 8999 so I don't know what is going wrong.

install_citadel.sh doesn't set up root CA on some ICP installations

Configuration example showing "*.global" as secondary search path

Deploy the bookinfo pods with *.global and configure DNS so that *.global resolves to something.

This will be a proof point that we can deploy unchanged applications and get their logs to indicate if they are making local or off-mesh service invocations.

Add "standalone CA" to tutorial pictures

Documentation

install_citadel.sh expects unknown variable.

install_citadel.sh depends on $ROOTCA being defined. I think the expectation is that source ./demo_context.sh will set this. However, this is not the case. Only $ROOTCA_NAME is set.

Work around: ROOTCA=$ROOTCA_NAME ./demo_context.sh <args>

Script install_citadal.sh has wrong name

docs/install/install_citadal.sh should be docs/install/install_citadel.sh

(e, not a)

Extend CLI to support multiple generation styles (egress/ingress vs direct ingress)

This includes adding support for merging existing Istio configuration with new Multicluster config.

Well defined agent API

Consider using a gRPC and protobuf to create a well defined yet generic API between the agents.
This API / agent may also be used for other design such as the Multi-Cloud.

istio-citadel-standalone.yaml shouldn't create Istio Namespace

Deployment should fail if Istio isn't there.

Because the namespace is "created" in this way (even if it exists), kubectl delete -f istio-citadel-standalone.yaml deletes all of Istio.

Better organize the code and scripts

Cleanup unnecessary files
Simplify scripts
Make sure documentation is updated

Tutorial that works with two clusters

The current tutorial requires 3 clusters. This work item is to change the tutorial to put Ratings on Cluster1.

It is unclear if we should replace the tutorial with the two-cluster version or keep the three-cluster version as a secondary tutorial.

Add sidecar to the agent pod

This will add the support for running an mTLS connection between the agent and the other Istio components (ingress / egress).

Reconciler should not try to recreate K8s service if only IP has changed

The spec.clusterIP field is immutable and incorrect error messages are produced.

Blog

Document the work done in this POC and steps to run it by publishing a blog about it.
Publication channel is yet to be determined.

"make build" should build local CLI

mc-tool CLI not creating K8s Service

Both if --gengo is selected and when YAML is generated.

Agent logging many "forbidden" warnings

Every second the agent logs

E1008 19:18:48.768821       1 reflector.go:205] github.ibm.com/istio-research/multicluster-roadmap/vendor/istio.io/istio/pilot/pkg/config/kube/crd/controller.go:208: Failed to list *crd.ServiceEntry: serviceentries.networking.istio.io is forbidden: User "system:serviceaccount:default:multi-cluster-agent-service-account" cannot list serviceentries.networking.istio.io at the cluster scope

and also logs the same thing for destinationrules.networking.istio.io, serviceexpositionpolicies.multicluster.istio.io, servicerolebindings.rbac.istio.io, remoteservicebindings.multicluster.istio.io, virtualservices.networking.istio.io, gateways.networking.istio.io, quotaspecs.config.istio.io, httpapispecbindings.config.istio.io, httpapispecs.config.istio.io, rbacconfigs.rbac.istio.io, envoyfilters.networking.istio.io, serviceroles.rbac.istio.io, meshpolicies.authentication.istio.io, quotaspecbindings.config.istio.io, policies.authentication.istio.io