Update Istio/SPIRE demo to use SPIRE Controller Manager #12680
Conversation
Skipping CI for Draft Pull Request.
/test all
This doc looks like a good candidate for a doc test: https://github.com/istio/istio.io/tree/master/tests#test-authoring-overview That way you can be sure it continues to work over time.
Great idea, I'll add a test. Thanks for the info!
686ba83 to 016b009
LGTM
content/en/docs/ops/integrations/spire/automatic_registration_test.sh
This PR should be retested after istio/istio#43346 is merged to verify the doc.test.profile_none_istio.io succeeds.
I hope that istio/istio#43346 will merge today, so the automation of the weekend should pull that commit into the test. Once that passes tests, is approved, and merged, we can retest this.
/test doc.test.profile_none
/retest
Retesting after the completion of #12788
As a part of moving Istio under the CNCF, we will be updating the CLA requirements for contributing Istio to use the CNCF CLA. This will be a multi-stage process, which has already started. If you have not already signed the CNCF CLA, you may find instructions to do so here. We expect to remove the requirement for signing the Google CLA in the upcoming weeks. Thank you for your patience, and please respond here if you run into difficulty with the new CLA process.
# @setup profile=none
set +u # Do not exit when value is unset. CHECK_FILE in the IstioOperator might be unset
snip_define_istio_operator
if ! istioctl install --set tag="$TAG" --set hub="$HUB" --skip-confirmation -f ./istio.yaml
Note: Since the istio-ingressgateway will not be ready, this command will take at least 5 minutes to execute before it returns an error. I can set the readiness timeout on install to be less than 5 minutes, but I don't want this to cause the other components to fail.
Would it be reasonable to set the readiness timeout to 30s or 1m?
I'm not sure I understand exactly why it is expected to time out, but would it be better if you use istioctl manifest generate | kubectl apply instead of istioctl install? https://preliminary.istio.io/latest/docs/setup/install/istioctl/#generate-a-manifest-before-installation
I was installing Istio before applying the ClusterSPIFFEID. Therefore the istio-ingressgateway wasn't registered with SPIRE and couldn't obtain its certificates. The install command would timeout after 5 min of waiting for the gateway to be ready. This was the expected behavior given how the demo was organized. To improve the customer experience and testability of the demo I have modified the demo's workflow so that the ClusterSPIFFEID is created prior to installing Istio. The Istio installation should complete successfully with this change.
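The ordering fix described above, as an added example that is not part of the PR or the Istio docs: a ClusterSPIFFEID for the SPIRE Controller Manager that registers pods carrying the spiffe.io/spire-managed-identity label named in the commit message, applied before istioctl install so the ingress gateway is registered as soon as its pod exists. The resource name, the label value "true" and the trust-domain placeholder are assumptions.

```yaml
# Added example, not the PR's own manifest. Applying this ClusterSPIFFEID
# before `istioctl install` lets the SPIRE Controller Manager create a
# registration entry for istio-ingressgateway as soon as its pod appears,
# so the gateway can fetch its SVID and the install's readiness wait does
# not run into the 5 minute timeout described in the thread.
apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterSPIFFEID
metadata:
  # Assumed name; any cluster-unique name works.
  name: istio-spire-managed-identity
spec:
  # Istio's SPIFFE ID layout: spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>.
  # .TrustDomain is filled in from the controller manager's configured trust domain.
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
  # Opt-in label from the commit message; the "true" value is an assumption.
  podSelector:
    matchLabels:
      spiffe.io/spire-managed-identity: "true"
```

Because the controller manager only creates an entry once a matching pod exists, the gateway's pod template must carry the label (for example through the IstioOperator ingress gateway overlay); running spire-server entry show after the install is the check that the gateway's entry was actually created.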
A couple of minor suggestions, but otherwise LGTM.
1. Apply the configuration:

{{< text syntax=bash snip_id=none >}}
$ istioctl install --skip-confirmation -f ./istio.yaml
IIUC, this call is expected to hang for 5 mins. If so, maybe it would be better to avoid that by using:
$ istioctl install --skip-confirmation -f ./istio.yaml
$ istioctl manifest generate --skip-confirmation -f ./istio.yaml | kubectl apply -f -
I was thinking of adding tests and updating the demo for the manual registration option in a separate PR. Should I still include this change here? You are correct that this call will hang. Currently, this PR is focusing on the automatic registration/SPIRE controller manager integration option.
I would, but it's up to you, esp. if you are planning to change it further in a followup PR soon.
I want to make sure using istioctl manifest generate doesn't break anything unexpectedly, which I can confirm with a docs test for the manual registration option (and through manual testing). For example, if I updated istioctl install to istioctl manifest generate I would need to include the cmd to create the istio-system ns since it isn't created automatically.
* Update Istio/SPIRE integration demo to use SPIRE Controller Manager instead of k8s workload registration. Signed-off-by: jaellio <[email protected]>
* Adds test for automatic workload registration via the SPIRE controller manager. During cleanup, removes generated istio.yaml and chaim.pem files. Updates label to spiffe.io/spire-managed-identity. Signed-off-by: jaellio <[email protected]>
* Adds missing newline Signed-off-by: jaellio <[email protected]>
* Fix spelling error Signed-off-by: jaellio <[email protected]>
* Add missing ns flag on role and rolebinding resource commands Signed-off-by: jaellio <[email protected]>
* Delete sleep resources and uninstall before SPIRE Signed-off-by: jaellio <[email protected]>
* Reconfigures demo so istio install is not expected to fail. Created ClusterSPIFFEID before install istio. Previously install would fail because the ingress gateway wasn't registered/ Signed-off-by: jaellio <[email protected]>
* Remove references to v1.14 and update required version to 1.14+ Signed-off-by: jaellio <[email protected]>
* Fix lint errors Signed-off-by: jaellio <[email protected]>
---------
Signed-off-by: jaellio <[email protected]>
Updates the Istio/SPIRE integration doc and demo to reference the SPIRE Controller Manager instead of the k8s workload registrar.
Notable Changes:
The previous command (
kubectl exec -i -t $SPIRE_SERVER_POD -n spire -c spire-server -- /bin/sh -c "bin/spire-server entry show -socketPath /run/spire/sockets/server.sock"
) failed with the following error:
Error: connection error: desc = "transport: error while dialing: dial unix /run/spire/sockets: connect: no such file or directory"
The command used now:
kubectl exec -t $SPIRE_SERVER_POD -n spire -c spire-server -- ./bin/spire-server entry show
Resolves #12577