Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump istioctl #1331

Open
wants to merge 15 commits into
base: main
Choose a base branch
from
Open

Bump istioctl #1331

wants to merge 15 commits into from

Conversation

aerosouund
Copy link
Member

What this PR does / why we need it:

Bump Istio to the latest stable release

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #1324

Checklist

This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.

@kubevirt-bot kubevirt-bot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label Nov 26, 2024
@kubevirt-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign davidvossel for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@aerosouund
Copy link
Member Author

/test check-provision-k8s-1.29

@mhenriks
Copy link
Member

mhenriks commented Dec 3, 2024

@aerosouund thanks for taking a crack at this! I am very keen to get this in. Do you need any help? The current version we are using is very old, and is not compatible with kubevirt/kubevirt#13422. The istio sidecar injection code is somehow stealing the runStrategy: Always bit from virt-tail. And since the istio container is not meant to always run, the virt-luancher pod never gets to running state.

cc @EdDev

@aerosouund
Copy link
Member Author

@mhenriks
Thanks alot, I am facing a small challenge where after installation, checking the IstioOperator resource says that such a resource doesn't exist.
I am suspecting its because many things changed between the version we had and the version i am introducing 1.15 >> 1.24
I just need to check whats going on, but likely its not a big deal. I will ping you if i need any assistance!

@aerosouund
Copy link
Member Author

On inspecting the cluster post running istioctl install -y (the operator init has been deprecated) it seems it the IstioOperator resource is no longer used

[vagrant@node01 ~]$ sudo kubectl --kubeconfig=/etc/kubernetes/admin.conf api-resources | grep istio
wasmplugins                                      extensions.istio.io/v1alpha1      true         WasmPlugin
destinationrules                    dr           networking.istio.io/v1            true         DestinationRule
envoyfilters                                     networking.istio.io/v1alpha3      true         EnvoyFilter
gateways                            gw           networking.istio.io/v1            true         Gateway
proxyconfigs                                     networking.istio.io/v1beta1       true         ProxyConfig
serviceentries                      se           networking.istio.io/v1            true         ServiceEntry
sidecars                                         networking.istio.io/v1            true         Sidecar
virtualservices                     vs           networking.istio.io/v1            true         VirtualService
workloadentries                     we           networking.istio.io/v1            true         WorkloadEntry
workloadgroups                      wg           networking.istio.io/v1            true         WorkloadGroup
authorizationpolicies               ap           security.istio.io/v1              true         AuthorizationPolicy
peerauthentications                 pa           security.istio.io/v1              true         PeerAuthentication
requestauthentications              ra           security.istio.io/v1              true         RequestAuthentication
telemetries                         telemetry    telemetry.istio.io/v1             true         Telemetry

With that said, the yaml files we use to install the operator will no longer work (istio-operator.cr.yaml & istio-operator-with-cnao.cr.yaml)
This signifies a huge migration from what we have, previously what you would have in the cluster is

[vagrant@node01 ~]$ sudo kubectl --kubeconfig=/etc/kubernetes/admin.conf get pods -A | grep istio
istio-operator   istio-operator-6c4fc4d784-2qqff            1/1     Running   0          2m50s
istio-system     istio-egressgateway-79c995f7cb-w4ppg       1/1     Running   0          88s
istio-system     istio-ingressgateway-775fdbc456-qq5cn      1/1     Running   0          88s
istio-system     istiod-5857496459-cnz5t                    1/1     Running   0          92s
kube-system      istio-cni-node-l99td                       1/1     Running   0          88s

After the upgrade, you only get

[vagrant@node01 ~]$ sudo kubectl --kubeconfig=/etc/kubernetes/admin.conf get pods -A | grep istio
istio-system   istio-ingressgateway-5f9df778cc-bl9sw      1/1     Running   0          33m
istio-system   istiod-69d6bb74c-z6fqk                     1/1     Running   0          34m

So we need to know how to get the same as what we had before in the previous version using 1.24. I might need help from the network team on this

cc: @oshoval @EdDev

@aerosouund
Copy link
Member Author

Alternatively, we may not jump to 1.24. Maybe a lesser version that still behaves similar to 1.15 and has the things you want supported.
Needs a discussion for sure

@oshoval
Copy link
Contributor

oshoval commented Dec 5, 2024

I am not familiar at all with Istio tbh, and currently on few other tasks,
if discussion will be still needed, i will try once i can, thanks

@aerosouund
Copy link
Member Author

@oshoval
based on what changed across the deployments three questions need answered:

  • is the egressgateway still needed or used ? has it's functionality been ported to any of the other components ?
  • is the istiocni now being installed separately from the operator ? is yes, how ?
  • would it be better to not skip to a very high version and upgrade to something intermediate? e.g: 1.18

@oshoval
Copy link
Contributor

oshoval commented Dec 5, 2024

the first two need deeper understanding that i dont have now sorry,
if the 3rd helps advancing, lets go for that first thing, wdyt?
knowing where it stopped working, can also assist in debug latest sometimes

@aerosouund
Copy link
Member Author

@mhenriks
whats the minimum compatible version that will contain the features you want ?

@mhenriks
Copy link
Member

mhenriks commented Dec 5, 2024

@mhenriks whats the minimum compatible version that will contain the features you want ?

1.20 is the oldest version that supports 1.29 (SideCar featuregate enabled) so that would be the minimum. But obviously latest would be best

https://istio.io/latest/docs/releases/supported-releases/#support-status-of-istio-releases

@ormergi
Copy link
Contributor

ormergi commented Dec 5, 2024

* is the egressgateway still needed or used ? has it's functionality been ported to any of the other components ?

It seem we dont use in in e2e tests, we do use ingress-gateway though Istio API
https://github.com/kubevirt/kubevirt/blob/94d03645710c55dd35cf752bf6709bfb333518ad/tests/network/vmi_istio.go#L640
https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway

* is the istiocni now being installed separately from the operator ? is yes, how ?

From what I remember Istio operator account for deploying its CNI, we have no dedicated scripting for doing that.
Check out https://istio.io/latest/docs/setup/additional-setup/cni/#installing-the-cni-node-agent

* would it be better to not skip to a very high version and upgrade to something intermediate? e.g: 1.18

Please note kubevirt e2e tests relays on the sidecar injection functionally.

I suggest to test this PR on kubevirt/kubevirt on sig-network lane so we can see where it fails and realize what our options.

@aerosouund
Copy link
Member Author

@mhenriks @ormergi
Ok, based on this i will move the check for the IstioOperator resource (which is what's failing the tests here) and devise a way to install the CNI. Then we can run it against the sig network lane and see how it goes

@brianmcarey
Copy link
Member

/test all

@@ -14,6 +14,9 @@ quay.io/kubevirt/cdi-apiserver:v1.58.1
quay.io/kubevirt/cdi-controller:v1.58.1
quay.io/kubevirt/cdi-operator:v1.58.1
quay.io/kubevirt/cdi-uploadproxy:v1.58.1
docker.io/istio/install-cni:1.24.1
docker.io/istio/pilot:1.24.1
docker.io/istio/proxyv2:1.24.1
Copy link
Member

@brianmcarey brianmcarey Dec 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need to get these images copied over to our quay account so that we don't hit any docker io limits

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The older images at the top of the file can be removed

quay.io/kubevirtci/install-cni:1.15.0
quay.io/kubevirtci/operator:1.15.0
quay.io/kubevirtci/pilot:1.15.0

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Asking to understand: @brianmcarey from what I know we have container image cache on CI, is it correct?
Is so, do we still need mirroring if we have cache?

@aerosouund
Copy link
Member Author

@brianmcarey
Thanks for looking at this, we also need the linux base image to be updated for the newer istio to be installed. Currently i am running the linux phase in CI for the code to work

PHASES="$PHASES_DEFAULT"

We can merge it as it is and then i will submit a tiny PR that reverts this change so we can go back to running the k8s phase in CI only

@mhenriks
Copy link
Member

/retest-required

@kubevirt-bot
Copy link
Contributor

kubevirt-bot commented Dec 23, 2024

@aerosouund: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
check-provision-k8s-1.29 ac32724 link true /test check-provision-k8s-1.29
check-provision-alpine-with-test-tooling 0c603e5 link false /test check-provision-alpine-with-test-tooling
check-up-kind-sriov 0c603e5 link true /test check-up-kind-sriov

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/enhancement size/L
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Bump Istio to the latest stable release
6 participants