istio integration

Signed-off-by: Andre Baptista Aguas <[email protected]>

.golangci.yaml

@@ -30,17 +30,17 @@ linters:
  - dupl
  - gochecknoinits
 
- # don't enable:
- # - golint # deprecated
- # - whitespace
- # - funlen
- # - exhaustive
- # - gomnd
- # - gofmt
- # - deadcode # deprecated since v1.49.0
- # - structcheck # deprecated since v1.49.0
- # - varcheck # deprecated since v1.49.0
- # - rowserrcheck # rowserrcheck is disabled because of generics. You can track the evolution of the generics support by following the https://github.com/golangci/golangci-lint/issues/2649
+  # don't enable:
+  # - golint # deprecated
+  # - whitespace
+  # - funlen
+  # - exhaustive
+  # - gomnd
+  # - gofmt
+  # - deadcode # deprecated since v1.49.0
+  # - structcheck # deprecated since v1.49.0
+  # - varcheck # deprecated since v1.49.0
+  # - rowserrcheck # rowserrcheck is disabled because of generics. You can track the evolution of the generics support by following the https://github.com/golangci/golangci-lint/issues/2649
 
 run:
  deadline: 3m
@@ -55,6 +55,7 @@ linters-settings:
  main:
  allow:
  - $gostd
+ - istio.io/client-go
  - k8s.io/apimachinery
  - k8s.io/client-go
  - k8s.io/api

Makefile

@@ -84,6 +84,7 @@ STABLE_VERSION := "stable"
 BUNDLE_IMG ?= controller-bundle:$(VERSION)
 
 NGINX_INGRESS_VALUES_PATH ?= deploy/ingress/nginx-ingress-values.yaml
+ISTIO_INGRESS_VALUES_PATH ?= deploy/ingress/istio-ingress-values.yaml
 
 # options for 'bundle-build'
 ifneq ($(origin CHANNELS), undefined)
@@ -188,6 +189,20 @@ deploy-local-cluster:
  helm -n k8gb upgrade -i nginx-ingress nginx-stable/ingress-nginx \
  --version 4.0.15 -f $(NGINX_INGRESS_VALUES_PATH)
 
+ @echo -e "\n$(YELLOW)Install Istio CRDs $(NC)"
+ kubectl create namespace istio-system
+ helm repo add --force-update istio https://istio-release.storage.googleapis.com/charts
+ helm repo update
+ helm upgrade -i istio-base istio/base -n istio-system
+
+ @echo -e "\n$(YELLOW)Install Istiod $(NC)"
+ helm upgrade -i istiod istio/istiod -n istio-system --wait
+
+ @echo -e "\n$(YELLOW)Install Istio Ingress Gateway $(NC)"
+ kubectl create namespace istio-ingress
+ helm upgrade -i istio-ingressgateway istio/gateway -n istio-ingress \
+ -f $(ISTIO_INGRESS_VALUES_PATH)
+
  @if [ "$(DEPLOY_APPS)" = true ]; then $(MAKE) deploy-test-apps ; fi
 
  @echo -e "\n$(YELLOW)Wait until Ingress controller is ready $(NC)"
@@ -198,9 +213,15 @@ deploy-local-cluster:
 .PHONY: deploy-test-apps
 deploy-test-apps: ## Deploy Podinfo (example app) and Apply Gslb Custom Resources
  @echo -e "\n$(YELLOW)Deploy GSLB cr $(NC)"
- kubectl apply -f deploy/crds/test-namespace.yaml
- $(call apply-cr,deploy/crds/k8gb.absa.oss_v1beta1_gslb_cr.yaml)
- $(call apply-cr,deploy/crds/k8gb.absa.oss_v1beta1_gslb_cr_failover.yaml)
+ kubectl apply -f deploy/crds/test-namespace-ingress.yaml
+ $(call apply-cr,deploy/crds/k8gb.absa.oss_v1beta1_gslb_cr_roundrobin_ingress.yaml)
+ $(call apply-cr,deploy/crds/k8gb.absa.oss_v1beta1_gslb_cr_failover_ingress.yaml)
+
+ kubectl apply -f deploy/crds/test-namespace-istio.yaml
+ $(call apply-cr,deploy/crds/k8gb.absa.oss_v1beta1_gslb_cr_roundrobin_istio.yaml)
+ $(call apply-cr,deploy/crds/k8gb.absa.oss_v1beta1_gslb_cr_failover_istio.yaml)
+ $(call apply-cr,deploy/crds/k8gb.absa.oss_v1beta1_gslb_cr_notfound_istio.yaml)
+ $(call apply-cr,deploy/crds/k8gb.absa.oss_v1beta1_gslb_cr_unhealthy_istio.yaml)
 
  @echo -e "\n$(YELLOW)Deploy podinfo $(NC)"
  kubectl apply -f deploy/test-apps
@@ -210,6 +231,11 @@ deploy-test-apps: ## Deploy Podinfo (example app) and Apply Gslb Custom Resource
  --set image.repository="$(PODINFO_IMAGE_REPO)" \
  podinfo/podinfo \
  --version 5.1.1
+ helm upgrade --install frontend --namespace test-gslb-istio -f deploy/test-apps/podinfo/podinfo-values.yaml \
+ --set ui.message="`$(call get-cluster-geo-tag)`" \
+ --set image.repository="$(PODINFO_IMAGE_REPO)" \
+ podinfo/podinfo \
+ --version 5.1.1
 
 .PHONY: deploy-kuar-app
 deploy-kuar-app:
@@ -342,11 +368,11 @@ docker-push: test
 
 .PHONY: init-failover
 init-failover:
- $(call init-test-strategy, "deploy/crds/k8gb.absa.oss_v1beta1_gslb_cr_failover.yaml")
+ $(call init-test-strategy, "deploy/crds/k8gb.absa.oss_v1beta1_gslb_cr_failover_ingress.yaml")
 
 .PHONY: init-round-robin
 init-round-robin:
- $(call init-test-strategy, "deploy/crds/k8gb.absa.oss_v1beta1_gslb_cr.yaml")
+ $(call init-test-strategy, "deploy/crds/k8gb.absa.oss_v1beta1_gslb_cr_roundrobin_ingress.yaml")
 
 # creates infoblox secret in current cluster
 .PHONY: infoblox-secret
@@ -452,7 +478,7 @@ terratest: # Run terratest suite
  echo -e "$(RED)Make sure you run the tests against at least two running clusters$(NC)" ;\
  exit 1;\
  fi
- cd terratest/test/ && go mod download && CLUSTERS_NUMBER=$(RUNNING_CLUSTERS) go test -v -timeout 25m -parallel=12 --tags=$(TEST_TAGS)
+ cd terratest/test/ && go mod download && CLUSTERS_NUMBER=$(RUNNING_CLUSTERS) go test -v -timeout 35m -parallel=12 --tags=$(TEST_TAGS)
 
 .PHONY: website
 website:
@@ -554,9 +580,9 @@ endef
 
 define debug
  $(call manifest)
- kubectl apply -f deploy/crds/test-namespace.yaml
+ kubectl apply -f deploy/crds/test-namespace-ingress.yaml
  kubectl apply -f ./chart/k8gb/templates/k8gb.absa.oss_gslbs.yaml
- kubectl apply -f ./deploy/crds/k8gb.absa.oss_v1beta1_gslb_cr.yaml
+ kubectl apply -f ./deploy/crds/k8gb.absa.oss_v1beta1_gslb_cr_roundrobin_ingress.yaml
  dlv $1
 endef
 

api/v1beta1/gslb_types.go

@@ -44,7 +44,8 @@ type Strategy struct {
 // +k8s:openapi-gen=true
 type ResourceRef struct {
  // Ingress selects a kubernetes.networking.k8s.io/v1.Ingress resource
- Ingress metav1.LabelSelector `json:"ingress,omitempty"`
+ Ingress metav1.LabelSelector `json:"ingress,omitempty"`
+ IstioVirtualService metav1.LabelSelector `json:"istioVirtualService,omitempty"`
 }
 
 // GslbSpec defines the desired state of Gslb

chart/k8gb/crd/k8gb.absa.oss_gslbs.yaml

@@ -346,11 +346,62 @@ spec:
  items:
  type: string
  type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ istioVirtualService:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
  required:
  - key
  - operator
  type: object
  type: array
+ x-kubernetes-list-type: atomic
  matchLabels:
  additionalProperties:
  type: string

chart/k8gb/templates/role.yaml

@@ -56,4 +56,15 @@ rules:
  verbs:
  - update
 {{- end }}
+{{- if .Values.istio.enabled }}
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - virtualservices
+ - gateways
+ verbs:
+ - 'get'
+ - 'list'
+ - 'watch'
+{{- end }}
 {{- end }}

chart/k8gb/values.schema.json

@@ -32,7 +32,7 @@
  },
  "azuredns": {
  "$ref": "#/definitions/AzureDNS"
- }, 
+ },
  "cloudflare": {
  "$ref": "#/definitions/Cloudflare"
  },
@@ -41,6 +41,9 @@
  },
  "tracing": {
  "$ref": "#/definitions/Tracing"
+ },
+ "istio": {
+ "$ref": "#/definitions/Istio"
  }
  }
  },
@@ -628,42 +631,42 @@
  },
  "createAuthSecret": {
  "type": "object",
-  "additionalProperties": false,
-  "properties": {
- "enabled": {
-  "type": "boolean"
- },
- "tenantId": {
-  "type": "string",
-  "minLength": 1
- },
- "subscriptionId": {
-  "type": "string",
-  "minLength": 1
- },
- "resourceGroup": {
-  "type": "string",
-  "minLength": 1
- },
- "aadClientId": {
-  "type": "string"
- },
- "aadClientSecret": {
-  "type": "string"
- },
- "useManagedIdentityExtension": {
-  "type": "boolean",
-  "default": false
- },
- "userAssignedIdentityID": {
-  "type": "string"
- },
- "useWorkloadIdentityExtension": {
-  "type": "boolean",
-  "default": false
- }
-  }
- }
+  "additionalProperties": false,
+  "properties": {
+ "enabled": {
+  "type": "boolean"
+ },
+ "tenantId": {
+  "type": "string",
+  "minLength": 1
+ },
+ "subscriptionId": {
+  "type": "string",
+  "minLength": 1
+ },
+ "resourceGroup": {
+  "type": "string",
+  "minLength": 1
+ },
+ "aadClientId": {
+  "type": "string"
+ },
+ "aadClientSecret": {
+  "type": "string"
+ },
+ "useManagedIdentityExtension": {
+  "type": "boolean",
+  "default": false
+ },
+ "userAssignedIdentityID": {
+  "type": "string"
+ },
+ "useWorkloadIdentityExtension": {
+  "type": "boolean",
+  "default": false
+ }
+  }
+ }
  },
  "required": [
  "enabled"
@@ -729,6 +732,19 @@
  "enabled"
  ],
  "title": "Tracing"
+ },
+ "Istio": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "enabled"
+ ],
+ "title": "Istio"
  }
  }
 }

chart/k8gb/values.yaml

@@ -21,8 +21,8 @@ k8gb:
  edgeDNSZone: "example.com" # main zone which would contain gslb zone to delegate
  # -- host/ip[:port] format is supported here where port defaults to 53
  edgeDNSServers:
-  # -- use this DNS server as a main resolver to enable cross k8gb DNS based communication
-  - "1.1.1.1"
+ # -- use this DNS server as a main resolver to enable cross k8gb DNS based communication
+ - "1.1.1.1"
  # -- used for places where we need to distinguish between different Gslb instances
  clusterGeoTag: "eu"
  # -- comma-separated list of external gslb geo tags to pair with
@@ -171,13 +171,12 @@ azuredns:
  # -- Azure client secret that is associated with the Service Principal.
  aadClientSecret: myAadClientSecret
  # -- Use either AKS Kubelet Identity or AAD Pod Identities
- useManagedIdentityExtension : false
+ useManagedIdentityExtension: false
  # -- Client id from the Managed identitty when using the AAD Pod Identities
  userAssignedIdentityID: myUserAssignedIdentityID
  # -- Use AKS workload identity extension
  useWorkloadIdentityExtension: false
 
-
 cloudflare:
  # -- Enable Cloudflare provider
  enabled: false
@@ -224,3 +223,7 @@ tracing:
  repository: jaegertracing/all-in-one
  tag: 1.59.0
  pullPolicy: Always
+
+istio:
+ # -- install istio RBAC
+ enabled: true