From b16d5a4d8d5be83455e4f10f7fe0f34773dc2154 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=BE=84=E6=BD=AD?= Date: Thu, 19 Jan 2023 16:29:01 +0800 Subject: [PATCH] Support switching between mesh mode on or off (#140) --- Makefile.core.mk | 10 ++----- README.md | 29 ++---------------- README_EN.md | 29 +++--------------- helm/higress/templates/configmap.yaml | 12 ++++++-- .../templates/controller-deployment.yaml | 4 +++ helm/higress/templates/deployment.yaml | 15 ++++++++-- helm/higress/values.yaml | 11 ++++--- helm/istiod/values.yaml | 4 +-- helm/kind/higress/Chart.lock | 6 ++-- .../istio/20230119-custom-ca-cert-name.patch | 30 +++++++++++++++++++ 10 files changed, 76 insertions(+), 74 deletions(-) create mode 100644 istio/1.12/patches/istio/20230119-custom-ca-cert-name.patch diff --git a/Makefile.core.mk b/Makefile.core.mk index 25929acca..c34ffc19e 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -115,22 +115,18 @@ define create_ns endef install: pre-install - helm install istio helm/kind/istio -n istio-system --create-namespace helm install higress helm/kind/higress -n higress-system --create-namespace -ENVOY_LATEST_IMAGE_TAG ?= 0.5.4 -ISTIO_LATEST_IMAGE_TAG ?= 0.5.4 +ENVOY_LATEST_IMAGE_TAG ?= 0.6.0 +ISTIO_LATEST_IMAGE_TAG ?= 0.6.0 install-dev: pre-install - helm install istio helm/istio -n istio-system --create-namespace --set-json='pilot.tag="$(ISTIO_LATEST_IMAGE_TAG)"' --set-json='global.kind=true' helm install higress helm/higress -n higress-system --create-namespace --set-json='controller.tag="$(TAG)"' --set-json='gateway.replicas=1' --set-json='gateway.tag="$(ENVOY_LATEST_IMAGE_TAG)"' --set-json='global.kind=true' uninstall: - helm uninstall istio -n istio-system helm uninstall higress -n higress-system upgrade: pre-install - helm upgrade istio helm/kind/istio -n istio-system helm upgrade higress helm/kind/higress -n higress-system helm-push: 
@@ -199,8 +195,6 @@ run-e2e-test: @echo -e "\n\033[36mRunning higress conformance tests...\033[0m" @echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n" kubectl wait --timeout=5m -n higress-system deployment/higress-controller --for=condition=Available - @echo -e "\n\033[36mWaiting istiod to be ready...\033[0m\n" - kubectl wait --timeout=5m -n istio-system deployment/istiod --for=condition=Available @echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n" kubectl wait --timeout=5m -n higress-system deployment/higress-gateway --for=condition=Available go test -v -tags conformance ./test/ingress/e2e_test.go --ingress-class=higress --debug=true --use-unique-ports=true diff --git a/README.md b/README.md index aafbd7adf..558ef699e 100644 --- a/README.md +++ b/README.md @@ -151,11 +151,9 @@ kind.exe create cluster --name higress --config=cluster.conf kubectl.exe config use-context kind-higress ``` -#### 第三步、 安装 istio & higress +#### 第三步、 安装 higress ```bash -kubectl create ns istio-system -helm install istio -n istio-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/istio-local kubectl create ns higress-system helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress-local ``` 
@@ -182,38 +180,21 @@ curl localhost/bar ```bash kubectl delete -f https://github.com/alibaba/higress/releases/download/v0.5.2/quickstart.yaml -helm uninstall istio -n istio-system - helm uninstall higress -n higress-system -kubectl delete ns istio-system - kubectl delete ns higress-system ``` ### 生产环境 -#### 第一步、 安装 istio - -可以选择安装 higress 发行的 istio 版本: - -```bash -kubectl create ns istio-system -helm install istio -n istio-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/istio -``` - -或者选择安装官方 istio 版本 (将失去部分能力,例如通过 Ingress 注解实现限流的功能): - -https://istio.io/latest/docs/setup/install - -#### 第二步、 安装 higress +#### 第一步、 安装 higress ```bash kubectl create ns higress-system helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress ``` -#### 第三步、 创建 Ingress 资源并测试 +#### 第二步、 创建 Ingress 资源并测试 假设在 default 命名空间下已经部署了一个 test service,服务端口为 80 ,则创建下面这个 K8s Ingress @@ -245,12 +226,8 @@ curl "$(k get svc -n higress-system higress-gateway -o jsonpath='{.status.loadBa #### 卸载资源 ```bash -helm uninstall istio -n istio-system - helm uninstall higress -n higress-system -kubectl delete ns istio-system - kubectl delete ns higress-system ``` diff --git a/README_EN.md b/README_EN.md index cec74bbc1..e9bd97acb 100644 --- a/README_EN.md +++ b/README_EN.md @@ -124,10 +124,10 @@ kind.exe create cluster --name higress --config=cluster.conf kubectl.exe config use-context kind-higress ``` -#### step 3. install istio & higress +#### step 3. install higress ```bash -helm install istio -n istio-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/istio-local +kubectl create ns higress-system helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress-local ``` Note: The helm version needs to be upgraded to **v3.8.0** and above 
@@ -151,38 +151,21 @@ curl localhost/bar ```bash kubectl delete -f https://kind.sigs.k8s.io/examples/ingress/usage.yaml -helm uninstall istio -n istio-system - helm uninstall higress -n higress-system -kubectl delete ns istio-system - kubectl delete ns higress-system ``` ### Production Environment -#### step 1. install istio - -select higress istio: - -```bash -kubectl create ns istio-system -helm install istio -n istio-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/istio -``` - -or select official istio (lose some abilities, such as using annotation to limit request rate): - -https://istio.io/latest/docs/setup/install - -#### step 2. install higress +#### step 1. install higress ```bash kubectl create ns higress-system helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress ``` -#### step 3. create the ingress and test it +#### step 2. create the ingress and test it for example there is a service `test` in default namespace. @@ -212,12 +195,8 @@ curl "$(k get svc -n higress-system higress-gateway -o jsonpath='{.status.loadBa #### Clean-Up ```bash -helm uninstall istio -n istio-system - helm uninstall higress -n higress-system -kubectl delete ns istio-system - kubectl delete ns higress-system ``` diff --git a/helm/higress/templates/configmap.yaml b/helm/higress/templates/configmap.yaml index 385eebafb..bc687280f 100644 --- a/helm/higress/templates/configmap.yaml +++ b/helm/higress/templates/configmap.yaml 
@@ -15,7 +15,11 @@ # When processing a leaf namespace Istio will search for declarations in that namespace first # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace # is processed as if it were declared in the leaf namespace. + {{- if .Values.global.enableMesh }} rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + {{- else }} + rootNamespace: {{ .Release.Namespace }} + {{- end }} configSources: - address: "xds://127.0.0.1:15051" @@ -34,7 +38,7 @@ {{- else if eq .Values.global.proxy.tracer "zipkin" }} zipkin: # Address of the Zipkin collector - address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Release.Namespace ":9411") }} {{- else if eq .Values.global.proxy.tracer "datadog" }} datadog: # Address of the Datadog Agent @@ -67,11 +71,15 @@ {{- if not .Values.global.externalIstiod }} discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 {{- else }} - discoveryAddress: {{ printf "higress-controller.%s.svc" .Release.Namespace }}:15012 + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 {{- end }} {{- else }} + {{- if .Values.global.enableMesh }} + discoveryAddress: {{ printf "istiod.%s.svc" .Values.global.istioNamespace }}:15012 + {{- else }} discoveryAddress: higress-controller.{{.Release.Namespace}}.svc:15012 {{- end }} + {{- end }} proxyStatsMatcher: inclusionRegexps: - ".*" diff --git a/helm/higress/templates/controller-deployment.yaml b/helm/higress/templates/controller-deployment.yaml index 7be743fc3..0edfd4727 100644 --- a/helm/higress/templates/controller-deployment.yaml +++ b/helm/higress/templates/controller-deployment.yaml 
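Review bot: In helm/higress/templates/configmap.yaml (hunk -34,7) the default Zipkin address now always uses `.Release.Namespace`, even when `global.enableMesh` is true, whereas the `rootNamespace` change in the hunk above keeps the istio namespace in mesh mode. If the collector is deployed next to istiod, which is what the old default implied, traces from a mesh-mode install would silently go to a service name that does not exist. Consider selecting the namespace the same way as `rootNamespace`, or add `# defaults to the release namespace in both modes; set global.tracer.zipkin.address when the collector runs elsewhere` above the line.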
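Review bot: In helm/higress/templates/configmap.yaml (hunk -67,11) the rewritten `externalIstiod` branch resolves istiod through `.Release.Namespace`, while the new `enableMesh` branch below it resolves istiod through `.Values.global.istioNamespace`. With the chart default now `istio-system`, the two point at different namespaces. `discoveryAddress` on port 15012 is where the gateway gets its configuration, so a name that does not resolve to the intended control plane leaves the gateway unconfigured. If the external istiod is expected in the istio namespace, the first branch should read `discoveryAddress: {{ printf "istiod.%s.svc" .Values.global.istioNamespace }}:15012`; otherwise add a comment saying why it is co-located with the release. The outer conditional starts outside the hunk, so which deployment mode the first branch serves is inferred.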
@@ -120,6 +120,10 @@ spec: value: "{{ .Values.global.istiod.enableAnalysis }}" - name: CLUSTER_ID value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + {{- if not .Values.global.enableMesh }} + - name: CUSTOM_CA_CERT_NAME + value: "higress-ca-root-cert" + {{- end }} {{- if not .Values.global.kind }} resources: {{- if .Values.pilot.resources }} diff --git a/helm/higress/templates/deployment.yaml b/helm/higress/templates/deployment.yaml index 09416f685..18ace4154 100644 --- a/helm/higress/templates/deployment.yaml +++ b/helm/higress/templates/deployment.yaml @@ -21,12 +21,19 @@ spec: strategy: rollingUpdate: maxSurge: {{ .Values.gateway.rollingMaxSurge }} + {{- if .Values.global.kind }} + maxUnavailable: 100% + {{- else }} maxUnavailable: {{ .Values.gateway.rollingMaxUnavailable }} + {{- end }} template: metadata: - {{- with .Values.gateway.podAnnotations }} annotations: - {{- toYaml . | nindent 8 }} + {{- if .Values.global.enableMesh }} + "enableMesh": "true" + {{- end }} + {{- if .Values.gateway.podAnnotations }} + {{- toYaml .Values.gateway.podAnnotations | nindent 8 }} {{- end }} labels: sidecar.istio.io/inject: "false" @@ -209,7 +216,11 @@ spec: {{- end }} - name: istio-ca-root-cert configMap: + {{- if .Values.global.enableMesh }} name: istio-ca-root-cert + {{- else }} + name: higress-ca-root-cert + {{- end }} - name: config configMap: name: higress-config diff --git a/helm/higress/values.yaml b/helm/higress/values.yaml index 4a6a33a7e..a2efb2a0c 100644 --- a/helm/higress/values.yaml +++ b/helm/higress/values.yaml @@ -5,7 +5,7 @@ global: kind: false enableMesh: false # Used to locate istiod. - istioNamespace: higress-system + istioNamespace: istio-system # enable pod disruption budget for the control plane, which is used to # ensure Istio control plane components are gradually upgraded or recovered. defaultPodDisruptionBudget: 
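Review bot: The ConfigMap name `higress-ca-root-cert` is a literal in the `CUSTOM_CA_CERT_NAME` env value in helm/higress/templates/controller-deployment.yaml and again in the `istio-ca-root-cert` volume of helm/higress/templates/deployment.yaml (hunk -209,7). The controller that publishes the root certificate and the gateway that mounts it therefore agree only because two strings happen to match. If one is edited without the other, the gateway would reference a ConfigMap that is never written under that name and would presumably fail to start or run without the expected trust root. Define the name once, for example as a named template both files include, or at minimum add `# must match the configMap mounted as istio-ca-root-cert in deployment.yaml` above the env entry and the mirror comment in the volume.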
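Review bot: In helm/higress/templates/deployment.yaml (hunk -21,12) the new `maxUnavailable: 100%` under `global.kind` has no comment explaining it, and it overrides `gateway.rollingMaxUnavailable` without saying so. A values file carrying `global.kind: true` into a shared cluster would take every gateway replica down at once on each rollout. A one-line template comment such as `{{- /* kind only: lets the old pod stop before the new one starts; ignores gateway.rollingMaxUnavailable */}}` would make the intent and the override explicit; the stated reason is inferred and should be confirmed. The same hunk now renders `annotations:` with no entries when mesh is off and `gateway.podAnnotations` is empty, which is worth confirming as intended.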
@@ -30,7 +30,7 @@ global: # Dev builds from prow are on gcr.io hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress # Default tag for Istio images. - tag: 0.5.4 + tag: 0.6.0 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. @@ -322,7 +322,6 @@ ingressClass: "" watchNamespace: "" enableStatus: false clusterName: "" -istioNamespace: "higress-system" # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options meshConfig: @@ -357,7 +356,7 @@ gateway: name: "higress-gateway" replicas: 2 image: gateway - tag: "0.5.4" + tag: "0.6.0" # revision declares which revision this gateway is a part of revision: "" @@ -449,7 +448,7 @@ controller: name: "higress-controller" replicas: 1 image: higress - tag: "0.5.4" + tag: "0.6.0" env: {} labels: {} @@ -539,7 +538,7 @@ pilot: rollingMaxUnavailable: 25% hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress - tag: 0.5.4 + tag: 0.6.0 # Can be a full hub/image:tag image: pilot diff --git a/helm/istiod/values.yaml b/helm/istiod/values.yaml index 3c231dfa7..dc2bc7085 100644 --- a/helm/istiod/values.yaml +++ b/helm/istiod/values.yaml @@ -10,7 +10,7 @@ pilot: rollingMaxUnavailable: 25% hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress - tag: 0.5.4 + tag: 0.6.0 # Can be a full hub/image:tag image: pilot @@ -256,7 +256,7 @@ global: # Dev builds from prow are on gcr.io hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress # Default tag for Istio images. - tag: 0.5.4 + tag: 0.6.0 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. diff --git a/helm/kind/higress/Chart.lock b/helm/kind/higress/Chart.lock index c020164da..2c73f7f45 100644 --- a/helm/kind/higress/Chart.lock +++ b/helm/kind/higress/Chart.lock 
@@ -1,6 +1,6 @@ dependencies: - name: higress repository: file://../../higress - version: 0.5.4 -digest: sha256:ea2475e2ba790a07811de045f03ae1a2279a6596bcaa750109f149e8ae2c61bd -generated: "2023-01-18T10:57:50.379427+08:00" + version: 0.6.0 +digest: sha256:d5a9a1a3ee640635a1251ac1535a95db79975b39f6ab6b7c742c3e0d11f33533 +generated: "2023-01-19T10:31:59.206741+08:00" diff --git a/istio/1.12/patches/istio/20230119-custom-ca-cert-name.patch b/istio/1.12/patches/istio/20230119-custom-ca-cert-name.patch new file mode 100644 index 000000000..8b27c4576 --- /dev/null +++ b/istio/1.12/patches/istio/20230119-custom-ca-cert-name.patch 
@@ -0,0 +1,30 @@ +diff -Naur istio/pilot/pkg/features/pilot.go istio_new/pilot/pkg/features/pilot.go +--- istio/pilot/pkg/features/pilot.go 2023-01-19 11:17:16.000000000 +0800 ++++ istio_new/pilot/pkg/features/pilot.go 2023-01-19 11:03:37.000000000 +0800 +@@ -562,6 +562,11 @@ + + PrioritizedLeaderElection = env.RegisterBoolVar("PRIORITIZED_LEADER_ELECTION", true, + "If enabled, the default revision will steal leader locks from non-default revisions").Get() ++ ++ // Added by ingress ++ CustomCACertConfigMapName = env.RegisterStringVar("CUSTOM_CA_CERT_NAME", "", ++ "Defines the configmap's name of istio's root ca certificate").Get() ++ // End added by ingress + ) + + // UnsafeFeaturesEnabled returns true if any unsafe features are enabled. +diff -Naur istio/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go istio_new/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go +--- istio/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go 2023-01-19 11:17:19.000000000 +0800 ++++ istio_new/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go 2023-01-19 11:20:32.000000000 +0800 +@@ -50,6 +50,11 @@ + if features.ClusterName != "" && features.ClusterName != "Kubernetes" { + dynamicCACertNamespaceConfigMap = fmt.Sprintf("%s-ca-root-cert", features.ClusterName) + } ++ // Added by ingress ++ if features.CustomCACertConfigMapName != "" { ++ dynamicCACertNamespaceConfigMap = features.CustomCACertConfigMapName ++ } ++ // End added by ingress + } + + // NamespaceController manages reconciles a configmap in each namespace with a desired set of data.
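Review bot: The override added to namespacecontroller.go takes `features.CustomCACertConfigMapName` verbatim as the name of the root-certificate ConfigMap that is reconciled into every namespace, with no check beyond non-empty. It also silently wins over the ClusterName-derived name set just above it. A value that is not a valid ConfigMap name, or one that collides with a ConfigMap another control plane maintains, would only surface later as reconcile errors or as two writers competing over the same trust anchor. State the precedence in the variable's description, e.g. `"Name of the ConfigMap holding the root CA certificate in each namespace; overrides the default and the ClusterName-derived name"`, and consider rejecting a value that fails the Kubernetes DNS-1123 subdomain check at startup. The enclosing function begins outside the embedded hunk, so where this runs in the startup order is not visible here.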