Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump istio installation #1331

Open
wants to merge 15 commits into
base: main
Choose a base branch
from
Open

Conversation

aerosouund
Copy link
Member

What this PR does / why we need it:

Bump Istio to the latest stable release

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #1324

Checklist

This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.

@kubevirt-bot kubevirt-bot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label Nov 26, 2024
@kubevirt-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign davidvossel for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@aerosouund
Copy link
Member Author

/test check-provision-k8s-1.29

@mhenriks
Copy link
Member

mhenriks commented Dec 3, 2024

@aerosouund thanks for taking a crack at this! I am very keen to get this in. Do you need any help? The current version we are using is very old, and is not compatible with kubevirt/kubevirt#13422. The istio sidecar injection code is somehow stealing the runStrategy: Always bit from virt-tail. And since the istio container is not meant to always run, the virt-luancher pod never gets to running state.

cc @EdDev

@aerosouund
Copy link
Member Author

@mhenriks
Thanks alot, I am facing a small challenge where after installation, checking the IstioOperator resource says that such a resource doesn't exist.
I am suspecting its because many things changed between the version we had and the version i am introducing 1.15 >> 1.24
I just need to check whats going on, but likely its not a big deal. I will ping you if i need any assistance!

@aerosouund
Copy link
Member Author

On inspecting the cluster post running istioctl install -y (the operator init has been deprecated) it seems it the IstioOperator resource is no longer used

[vagrant@node01 ~]$ sudo kubectl --kubeconfig=/etc/kubernetes/admin.conf api-resources | grep istio
wasmplugins                                      extensions.istio.io/v1alpha1      true         WasmPlugin
destinationrules                    dr           networking.istio.io/v1            true         DestinationRule
envoyfilters                                     networking.istio.io/v1alpha3      true         EnvoyFilter
gateways                            gw           networking.istio.io/v1            true         Gateway
proxyconfigs                                     networking.istio.io/v1beta1       true         ProxyConfig
serviceentries                      se           networking.istio.io/v1            true         ServiceEntry
sidecars                                         networking.istio.io/v1            true         Sidecar
virtualservices                     vs           networking.istio.io/v1            true         VirtualService
workloadentries                     we           networking.istio.io/v1            true         WorkloadEntry
workloadgroups                      wg           networking.istio.io/v1            true         WorkloadGroup
authorizationpolicies               ap           security.istio.io/v1              true         AuthorizationPolicy
peerauthentications                 pa           security.istio.io/v1              true         PeerAuthentication
requestauthentications              ra           security.istio.io/v1              true         RequestAuthentication
telemetries                         telemetry    telemetry.istio.io/v1             true         Telemetry

With that said, the yaml files we use to install the operator will no longer work (istio-operator.cr.yaml & istio-operator-with-cnao.cr.yaml)
This signifies a huge migration from what we have, previously what you would have in the cluster is

[vagrant@node01 ~]$ sudo kubectl --kubeconfig=/etc/kubernetes/admin.conf get pods -A | grep istio
istio-operator   istio-operator-6c4fc4d784-2qqff            1/1     Running   0          2m50s
istio-system     istio-egressgateway-79c995f7cb-w4ppg       1/1     Running   0          88s
istio-system     istio-ingressgateway-775fdbc456-qq5cn      1/1     Running   0          88s
istio-system     istiod-5857496459-cnz5t                    1/1     Running   0          92s
kube-system      istio-cni-node-l99td                       1/1     Running   0          88s

After the upgrade, you only get

[vagrant@node01 ~]$ sudo kubectl --kubeconfig=/etc/kubernetes/admin.conf get pods -A | grep istio
istio-system   istio-ingressgateway-5f9df778cc-bl9sw      1/1     Running   0          33m
istio-system   istiod-69d6bb74c-z6fqk                     1/1     Running   0          34m

So we need to know how to get the same as what we had before in the previous version using 1.24. I might need help from the network team on this

cc: @oshoval @EdDev

@aerosouund
Copy link
Member Author

Alternatively, we may not jump to 1.24. Maybe a lesser version that still behaves similar to 1.15 and has the things you want supported.
Needs a discussion for sure

@oshoval
Copy link
Contributor

oshoval commented Dec 5, 2024

I am not familiar at all with Istio tbh, and currently on few other tasks,
if discussion will be still needed, i will try once i can, thanks

@aerosouund
Copy link
Member Author

@oshoval
based on what changed across the deployments three questions need answered:

  • is the egressgateway still needed or used ? has it's functionality been ported to any of the other components ?
  • is the istiocni now being installed separately from the operator ? is yes, how ?
  • would it be better to not skip to a very high version and upgrade to something intermediate? e.g: 1.18

@oshoval
Copy link
Contributor

oshoval commented Dec 5, 2024

the first two need deeper understanding that i dont have now sorry,
if the 3rd helps advancing, lets go for that first thing, wdyt?
knowing where it stopped working, can also assist in debug latest sometimes

@aerosouund
Copy link
Member Author

@mhenriks
whats the minimum compatible version that will contain the features you want ?

@mhenriks
Copy link
Member

mhenriks commented Dec 5, 2024

@mhenriks whats the minimum compatible version that will contain the features you want ?

1.20 is the oldest version that supports 1.29 (SideCar featuregate enabled) so that would be the minimum. But obviously latest would be best

https://istio.io/latest/docs/releases/supported-releases/#support-status-of-istio-releases

@ormergi
Copy link
Contributor

ormergi commented Dec 5, 2024

* is the egressgateway still needed or used ? has it's functionality been ported to any of the other components ?

It seem we dont use in in e2e tests, we do use ingress-gateway though Istio API
https://github.com/kubevirt/kubevirt/blob/94d03645710c55dd35cf752bf6709bfb333518ad/tests/network/vmi_istio.go#L640
https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway

* is the istiocni now being installed separately from the operator ? is yes, how ?

From what I remember Istio operator account for deploying its CNI, we have no dedicated scripting for doing that.
Check out https://istio.io/latest/docs/setup/additional-setup/cni/#installing-the-cni-node-agent

* would it be better to not skip to a very high version and upgrade to something intermediate? e.g: 1.18

Please note kubevirt e2e tests relays on the sidecar injection functionally.

I suggest to test this PR on kubevirt/kubevirt on sig-network lane so we can see where it fails and realize what our options.

@aerosouund
Copy link
Member Author

@mhenriks @ormergi
Ok, based on this i will move the check for the IstioOperator resource (which is what's failing the tests here) and devise a way to install the CNI. Then we can run it against the sig network lane and see how it goes

@brianmcarey
Copy link
Member

/test all

@@ -14,6 +14,9 @@ quay.io/kubevirt/cdi-apiserver:v1.58.1
quay.io/kubevirt/cdi-controller:v1.58.1
quay.io/kubevirt/cdi-operator:v1.58.1
quay.io/kubevirt/cdi-uploadproxy:v1.58.1
docker.io/istio/install-cni:1.24.1
docker.io/istio/pilot:1.24.1
docker.io/istio/proxyv2:1.24.1
Copy link
Member

@brianmcarey brianmcarey Dec 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need to get these images copied over to our quay account so that we don't hit any docker io limits

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The older images at the top of the file can be removed

quay.io/kubevirtci/install-cni:1.15.0
quay.io/kubevirtci/operator:1.15.0
quay.io/kubevirtci/pilot:1.15.0

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Asking to understand: @brianmcarey from what I know we have container image cache on CI, is it correct?
Is so, do we still need mirroring if we have cache?

@aerosouund
Copy link
Member Author

@brianmcarey
Thanks for looking at this, we also need the linux base image to be updated for the newer istio to be installed. Currently i am running the linux phase in CI for the code to work

PHASES="$PHASES_DEFAULT"

We can merge it as it is and then i will submit a tiny PR that reverts this change so we can go back to running the k8s phase in CI only

@mhenriks
Copy link
Member

/retest-required

@aerosouund
Copy link
Member Author

@mhenriks
CI is looking good now, whats next ? is the code acceptable in its current state or do you have nay remarks ?

@akalenyu
Copy link
Contributor

@mhenriks is out, but maybe @ormergi can help driver this further
BTW the PR title is a little bit misleading, since you're bumping the istio installation as a whole and not the cli tool

@aerosouund aerosouund changed the title Bump istioctl Bump istio installation Dec 25, 2024
@ormergi
Copy link
Contributor

ormergi commented Dec 25, 2024

@aerosouund please make sure istio bump pass all kubevirt/kubevirt CI lanes, specifically sig-network lanes.
Note that check-provision lanes run conformance tests only (subset of sig-network tests).
You can do that by posting a draft PR on kubevirt/kubevirt with this PR changes.

@aerosouund
Copy link
Member Author

@ormergi This PR changes the gocli and the packages installed on the provider images in the provisioning phase. My assumption is that new versions for the gocli and providers need to be built and published on quay to make this testable on kv/kv since only the cluster-up part gets copied to kv/kv.
If those assumptions are false let me know and any suggestions you have on how we can test this

@akalenyu
Copy link
Contributor

akalenyu commented Dec 25, 2024

@ormergi This PR changes the gocli and the packages installed on the provider images in the provisioning phase. My assumption is that new versions for the gocli and providers need to be built and published on quay to make this testable on kv/kv since only the cluster-up part gets copied to kv/kv. If those assumptions are false let me know and any suggestions you have on how we can test this

It's actually possible to test prior to that - https://github.com/kubevirt/kubevirtci/blob/main/KUBEVIRTCI_LOCAL_TESTING.md

Ping me on k8s slack if you need help

@mhenriks
Copy link
Member

mhenriks commented Jan 8, 2025

/retest-required

@kubevirt-bot
Copy link
Contributor

@aerosouund: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
check-provision-k8s-1.29 ac32724 link true /test check-provision-k8s-1.29
check-provision-alpine-with-test-tooling 0c603e5 link false /test check-provision-alpine-with-test-tooling
check-up-kind-sriov 0c603e5 link true /test check-up-kind-sriov

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@kubevirt-bot kubevirt-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 14, 2025
@kubevirt-bot
Copy link
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@ormergi
Copy link
Contributor

ormergi commented Jan 23, 2025

Hi, I managed to make istio-1.24 work on kubevirtci cluster, and verified istio tests are passing.
Including on kubevirt that is build with kubevirt/kubevirt#13422.

While troubleshooting the issues with 1.24 on kubevirtci, I saw istio-cni is not deployed as privileged , result VM creation failures.The privileged change is introduced in 1.24.
Istio 1.23 should work as expected, I suggest using this version.

In addition, IstioOperator API has been changed, see bellow config that worked for me:

kind: IstioOperator
metadata:
  namespace: istio-system
  name: istio-operator
spec:
  profile: demo
  components:
    cni:
      enabled: true
      namespace: kube-system
  values:
    global:
      jwtPolicy: first-party-jwt
    cni:
      chained: false
      cniBinDir: /opt/cni/bin
      cniConfDir: /etc/cni/multus/net.d
      privileged: true
      excludeNamespaces:
       - istio-system
       - kube-system
      logLevel: debug
    pilot:
      cni:
        enabled: true
        provider: "multus"
    sidecarInjectorWebhook:
      injectedAnnotations:
        k8s.v1.cni.cncf.io/networks: istio-cni

The missing configuration are:

  • spec.values.pilot.cni
    This is a new API for triggering CNI deployment.
    The filed provider=multus acts like the known chained=false option (maybe in can be removed, need to verify).
  • sidecarInjectorWebhook
    On istio >= 1.19, istio will append 'default/istio-cni' to the pod's k8s.v1.cni.cncf.io/networks is exist. Result in VMs failures.
    This cant work for kubevirtci env because we do not create the istio-cni NAD in the default namespace, but at the test namespace.
    In general it seems wrong because it means all pods in the cluster can connect to the mesh, becasuse all pods can connect to a NAD resied in default namespaces, no isolation allowed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/enhancement needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/L
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Bump Istio to the latest stable release
7 participants