Support switching between mesh mode on or off (#140)

2026-03-01 15:10:56 +08:00 · 2023-01-19 16:29:01 +08:00
parent a58c005dab
commit b16d5a4d8d
10 changed files with 76 additions and 74 deletions
--- a/Makefile.core.mk
+++ b/Makefile.core.mk
@@ -115,22 +115,18 @@ define create_ns
 endef

 install: pre-install
-	helm install istio helm/kind/istio -n istio-system --create-namespace
 	helm install higress helm/kind/higress -n higress-system --create-namespace

-ENVOY_LATEST_IMAGE_TAG ?= 0.5.4
-ISTIO_LATEST_IMAGE_TAG ?= 0.5.4
+ENVOY_LATEST_IMAGE_TAG ?= 0.6.0
+ISTIO_LATEST_IMAGE_TAG ?= 0.6.0

 install-dev: pre-install
-	helm install istio helm/istio -n istio-system --create-namespace --set-json='pilot.tag="$(ISTIO_LATEST_IMAGE_TAG)"' --set-json='global.kind=true'
 	helm install higress helm/higress -n higress-system --create-namespace --set-json='controller.tag="$(TAG)"' --set-json='gateway.replicas=1' --set-json='gateway.tag="$(ENVOY_LATEST_IMAGE_TAG)"' --set-json='global.kind=true'

 uninstall:
-	helm uninstall istio -n istio-system
 	helm uninstall higress -n higress-system

 upgrade: pre-install
-	helm upgrade istio helm/kind/istio -n istio-system
 	helm upgrade higress helm/kind/higress -n higress-system

 helm-push:
@@ -199,8 +195,6 @@ run-e2e-test:
 	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
 	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
 	kubectl wait --timeout=5m -n higress-system deployment/higress-controller --for=condition=Available
-	@echo -e "\n\033[36mWaiting istiod to be ready...\033[0m\n"
-	kubectl wait --timeout=5m -n istio-system deployment/istiod --for=condition=Available
 	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
 	kubectl wait --timeout=5m -n higress-system deployment/higress-gateway --for=condition=Available
 	go test -v -tags conformance ./test/ingress/e2e_test.go --ingress-class=higress --debug=true --use-unique-ports=true
--- a/README.md
+++ b/README.md
@@ -151,11 +151,9 @@ kind.exe create cluster --name higress --config=cluster.conf
 kubectl.exe config use-context kind-higress
 ```

-#### 第三步、 安装 istio & higress
+#### 第三步、 安装 higress

 ```bash
-kubectl create ns istio-system
-helm install istio -n istio-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/istio-local
 kubectl create ns higress-system
 helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress-local
 ```
@@ -182,38 +180,21 @@ curl localhost/bar
 ```bash
 kubectl delete -f https://github.com/alibaba/higress/releases/download/v0.5.2/quickstart.yaml

-helm uninstall istio -n istio-system
-
 helm uninstall higress -n higress-system

-kubectl delete ns istio-system
-
 kubectl delete ns higress-system
 ```

 ### 生产环境

-#### 第一步、 安装 istio
-
-可以选择安装 higress 发行的 istio 版本:
-
-```bash
-kubectl create ns istio-system
-helm install istio -n istio-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/istio
-```
-
-或者选择安装官方 istio 版本 (将失去部分能力，例如通过 Ingress 注解实现限流的功能):
-
-https://istio.io/latest/docs/setup/install
-
-#### 第二步、 安装 higress
+#### 第一步、 安装 higress

 ```bash
 kubectl create ns higress-system
 helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress 
 ```

-#### 第三步、 创建 Ingress 资源并测试
+#### 第二步、 创建 Ingress 资源并测试

 假设在 default 命名空间下已经部署了一个 test service，服务端口为 80 ，则创建下面这个 K8s Ingress

@@ -245,12 +226,8 @@ curl "$(k get svc -n higress-system higress-gateway -o jsonpath='{.status.loadBa
 #### 卸载资源

 ```bash
-helm uninstall istio -n istio-system
-
 helm uninstall higress -n higress-system

-kubectl delete ns istio-system
-
 kubectl delete ns higress-system
 ```

--- a/README_EN.md
+++ b/README_EN.md
@@ -124,10 +124,10 @@ kind.exe create cluster --name higress --config=cluster.conf
 kubectl.exe config use-context kind-higress
 ```

-#### step 3. install istio & higress
+#### step 3. install higress

 ```bash
-helm install istio -n istio-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/istio-local
+kubectl create ns higress-system
 helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress-local
 ```
 Note: The helm version needs to be upgraded to **v3.8.0** and above
@@ -151,38 +151,21 @@ curl localhost/bar
 ```bash
 kubectl delete -f https://kind.sigs.k8s.io/examples/ingress/usage.yaml

-helm uninstall istio -n istio-system
-
 helm uninstall higress -n higress-system

-kubectl delete ns istio-system
-
 kubectl delete ns higress-system
 ```

 ### Production Environment

-#### step 1. install istio
-
-select higress istio:
-
-```bash
-kubectl create ns istio-system
-helm install istio -n istio-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/istio
-```
-
-or select official istio (lose some abilities, such as using annotation to limit request rate):
-
-https://istio.io/latest/docs/setup/install
-
-#### step 2. install higress
+#### step 1. install higress

 ```bash
 kubectl create ns higress-system
 helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress 
 ```

-#### step 3. create the ingress and test it
+#### step 2. create the ingress and test it

 for example there is a service `test` in default namespace.

@@ -212,12 +195,8 @@ curl "$(k get svc -n higress-system higress-gateway -o jsonpath='{.status.loadBa
 #### Clean-Up

 ```bash
-helm uninstall istio -n istio-system
-
 helm uninstall higress -n higress-system

-kubectl delete ns istio-system
-
 kubectl delete ns higress-system
 ```

--- a/helm/higress/templates/configmap.yaml
+++ b/helm/higress/templates/configmap.yaml
@@ -15,7 +15,11 @@
    # When processing a leaf namespace Istio will search for declarations in that namespace first
    # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
    # is processed as if it were declared in the leaf namespace.
+    {{- if .Values.global.enableMesh }}
    rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+    {{- else }}
+    rootNamespace: {{ .Release.Namespace }}
+    {{- end }}

    configSources:
      - address: "xds://127.0.0.1:15051"
@@ -34,7 +38,7 @@
      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
        zipkin:
          # Address of the Zipkin collector
-          address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+          address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Release.Namespace ":9411") }}
      {{- else if eq .Values.global.proxy.tracer "datadog" }}
        datadog:
          # Address of the Datadog Agent
@@ -67,11 +71,15 @@
      {{- if not .Values.global.externalIstiod }}
      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
      {{- else }}
-      discoveryAddress: {{ printf "higress-controller.%s.svc" .Release.Namespace }}:15012
+      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
      {{- end }}
      {{- else }}
+      {{- if .Values.global.enableMesh }}
+      discoveryAddress: {{ printf "istiod.%s.svc" .Values.global.istioNamespace }}:15012
+      {{- else }}
      discoveryAddress: higress-controller.{{.Release.Namespace}}.svc:15012
      {{- end }}
+      {{- end }}
      proxyStatsMatcher:
        inclusionRegexps:
        - ".*"
--- a/helm/higress/templates/controller-deployment.yaml
+++ b/helm/higress/templates/controller-deployment.yaml
@@ -120,6 +120,10 @@ spec:
            value: "{{ .Values.global.istiod.enableAnalysis }}"
          - name: CLUSTER_ID
            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          {{- if not .Values.global.enableMesh }}
+          - name: CUSTOM_CA_CERT_NAME
+            value: "higress-ca-root-cert"
+          {{- end }}
          {{- if not .Values.global.kind  }}
          resources:
 {{- if .Values.pilot.resources }}
--- a/helm/higress/templates/deployment.yaml
+++ b/helm/higress/templates/deployment.yaml
@@ -21,12 +21,19 @@ spec:
  strategy:
    rollingUpdate:
      maxSurge: {{ .Values.gateway.rollingMaxSurge }}
+      {{- if .Values.global.kind }}
+      maxUnavailable: 100%
+      {{- else }}
      maxUnavailable: {{ .Values.gateway.rollingMaxUnavailable }}
+      {{- end }}
  template:
    metadata:
-      {{- with .Values.gateway.podAnnotations }}
      annotations:
-        {{- toYaml . | nindent 8 }}
+      {{- if .Values.global.enableMesh }}
+        "enableMesh": "true"
+      {{- end }}
+      {{- if .Values.gateway.podAnnotations }}
+        {{- toYaml .Values.gateway.podAnnotations | nindent 8 }}
      {{- end }}
      labels:
        sidecar.istio.io/inject: "false"
@@ -209,7 +216,11 @@ spec:
      {{- end }}
      - name: istio-ca-root-cert
        configMap:
+      {{- if .Values.global.enableMesh }}
          name: istio-ca-root-cert
+      {{- else }}
+          name: higress-ca-root-cert
+      {{- end }}
      - name: config
        configMap:
          name: higress-config
--- a/helm/higress/values.yaml
+++ b/helm/higress/values.yaml
@@ -5,7 +5,7 @@ global:
  kind: false
  enableMesh: false
  # Used to locate istiod.
-  istioNamespace: higress-system
+  istioNamespace: istio-system
  # enable pod disruption budget for the control plane, which is used to
  # ensure Istio control plane components are gradually upgraded or recovered.
  defaultPodDisruptionBudget:
@@ -30,7 +30,7 @@ global:
  # Dev builds from prow are on gcr.io
  hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
  # Default tag for Istio images.
-  tag: 0.5.4
+  tag: 0.6.0

  # Specify image pull policy if default behavior isn't desired.
  # Default behavior: latest images will be Always else IfNotPresent.
@@ -322,7 +322,6 @@ ingressClass: ""
 watchNamespace: ""
 enableStatus: false
 clusterName: ""
-istioNamespace: "higress-system"
 # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
 # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
 meshConfig:
@@ -357,7 +356,7 @@ gateway:
  name: "higress-gateway"
  replicas: 2
  image: gateway
-  tag: "0.5.4"
+  tag: "0.6.0"
  # revision declares which revision this gateway is a part of
  revision: ""

@@ -449,7 +448,7 @@ controller:
  name: "higress-controller"
  replicas: 1
  image: higress
-  tag: "0.5.4"
+  tag: "0.6.0"
  env: {}

  labels: {}
@@ -539,7 +538,7 @@ pilot:
  rollingMaxUnavailable: 25%

  hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
-  tag: 0.5.4
+  tag: 0.6.0

  # Can be a full hub/image:tag
  image: pilot
--- a/helm/istiod/values.yaml
+++ b/helm/istiod/values.yaml
@@ -10,7 +10,7 @@ pilot:
  rollingMaxUnavailable: 25%

  hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
-  tag: 0.5.4
+  tag: 0.6.0

  # Can be a full hub/image:tag
  image: pilot
@@ -256,7 +256,7 @@ global:
  # Dev builds from prow are on gcr.io
  hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
  # Default tag for Istio images.
-  tag: 0.5.4
+  tag: 0.6.0

  # Specify image pull policy if default behavior isn't desired.
  # Default behavior: latest images will be Always else IfNotPresent.
--- a/helm/kind/higress/Chart.lock
+++ b/helm/kind/higress/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: higress
  repository: file://../../higress
-  version: 0.5.4
-digest: sha256:ea2475e2ba790a07811de045f03ae1a2279a6596bcaa750109f149e8ae2c61bd
-generated: "2023-01-18T10:57:50.379427+08:00"
+  version: 0.6.0
+digest: sha256:d5a9a1a3ee640635a1251ac1535a95db79975b39f6ab6b7c742c3e0d11f33533
+generated: "2023-01-19T10:31:59.206741+08:00"
--- a/istio/1.12/patches/istio/20230119-custom-ca-cert-name.patch
+++ b/istio/1.12/patches/istio/20230119-custom-ca-cert-name.patch
@@ -0,0 +1,30 @@
+diff -Naur istio/pilot/pkg/features/pilot.go istio_new/pilot/pkg/features/pilot.go
+--- istio/pilot/pkg/features/pilot.go	2023-01-19 11:17:16.000000000 +0800
+++ istio_new/pilot/pkg/features/pilot.go	2023-01-19 11:03:37.000000000 +0800
+@@ -562,6 +562,11 @@
+ 
+ 	PrioritizedLeaderElection = env.RegisterBoolVar("PRIORITIZED_LEADER_ELECTION", true,
+ 		"If enabled, the default revision will steal leader locks from non-default revisions").Get()
+
+	// Added by ingress
+	CustomCACertConfigMapName = env.RegisterStringVar("CUSTOM_CA_CERT_NAME", "",
+		"Defines the configmap's name of  istio's root ca certificate").Get()
+	// End added by ingress
+ )
+ 
+ // UnsafeFeaturesEnabled returns true if any unsafe features are enabled.
+diff -Naur istio/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go istio_new/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go
+--- istio/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go	2023-01-19 11:17:19.000000000 +0800
+++ istio_new/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go	2023-01-19 11:20:32.000000000 +0800
+@@ -50,6 +50,11 @@
+ 	if features.ClusterName != "" && features.ClusterName != "Kubernetes" {
+ 		dynamicCACertNamespaceConfigMap = fmt.Sprintf("%s-ca-root-cert", features.ClusterName)
+ 	}
+	// Added by ingress
+	if features.CustomCACertConfigMapName != "" {
+		dynamicCACertNamespaceConfigMap = features.CustomCACertConfigMapName
+	}
+	// End added by ingress
+ }
+ 
+ // NamespaceController manages reconciles a configmap in each namespace with a desired set of data.