Fixes and tests for k8s, istio version combinations and v0.9 release …

…notes. (#95)

CONTRIBUTING.md

@@ -35,3 +35,16 @@ $ADMIRAL_HOME/install/scripts/cluster-secret.sh <Path_to_Kubeconfig_Admiral_Clus
 
 ## Protobuf code generation
 * If you've made changes to protobuf model objects and need to re-generate their clientsets, use `sh hack/update-codegen.sh` and checkin the generated files
+
+## Integration tests
+### Single cluster
+Single cluster integration tests can be run locally using minikube.
+```
+cd $ADMIRAL_HOME/tests
+./master_run.sh
+```
+* Multi-cluster 
+```
+TODO
+```
+

admiral/pkg/clusters/handler.go

@@ -159,13 +159,13 @@ func getDestinationRule(host string, locality string, gtpWrapper *v1.GlobalTraff
 			}
 			loadBalancerSettings.LocalityLbSetting = localityLbSettings
 			dr.TrafficPolicy.LoadBalancer = loadBalancerSettings
-			dr.TrafficPolicy.OutlierDetection = &v1alpha32.OutlierDetection{
-				BaseEjectionTime:  &types.Duration{Seconds: 120},
-				ConsecutiveErrors: 10,
-				Interval:          &types.Duration{Seconds: 60},
-			}
 		}
 	}
+	dr.TrafficPolicy.OutlierDetection = &v1alpha32.OutlierDetection{
+		BaseEjectionTime:  &types.Duration{Seconds: 120},
+		Consecutive_5XxErrors: &types.UInt32Value{Value: 10},
+		Interval:          &types.Duration{Seconds: 5},
+	}
 	return dr
 }
 

admiral/pkg/clusters/handler_test.go

@@ -60,7 +60,11 @@ func TestIgnoreIstioResource(t *testing.T) {
 
 func TestGetDestinationRule(t *testing.T) {
 	//Do setup here
-	mTLS := &v1alpha3.TrafficPolicy{Tls: &v1alpha3.TLSSettings{Mode: v1alpha3.TLSSettings_ISTIO_MUTUAL}}
+	outlierDetection := &v1alpha3.OutlierDetection{
+		BaseEjectionTime:  &types.Duration{Seconds: 120},
+		Consecutive_5XxErrors: &types.UInt32Value{Value:10},
+		Interval:          &types.Duration{Seconds: 5}}
+	mTLS := &v1alpha3.TrafficPolicy{Tls: &v1alpha3.TLSSettings{Mode: v1alpha3.TLSSettings_ISTIO_MUTUAL}, OutlierDetection: outlierDetection,}
 
 	noGtpDr := v1alpha3.DestinationRule{
 		Host:          "qa.myservice.global",
@@ -75,11 +79,7 @@ func TestGetDestinationRule(t *testing.T) {
 				LbPolicy: &v1alpha3.LoadBalancerSettings_Simple{Simple: v1alpha3.LoadBalancerSettings_ROUND_ROBIN},
 				LocalityLbSetting: &v1alpha3.LocalityLoadBalancerSetting{},
 			},
-			OutlierDetection: &v1alpha3.OutlierDetection{
-				BaseEjectionTime:  &types.Duration{Seconds: 120},
-				ConsecutiveErrors: 10,
-				Interval:          &types.Duration{Seconds: 60},
-			},
+			OutlierDetection: outlierDetection,
 		},
 	}
 
@@ -98,11 +98,7 @@ func TestGetDestinationRule(t *testing.T) {
 					},
 				},
 			},
-			OutlierDetection: &v1alpha3.OutlierDetection{
-				BaseEjectionTime:  &types.Duration{Seconds: 120},
-				ConsecutiveErrors: 10,
-				Interval:          &types.Duration{Seconds: 60},
-			},
+			OutlierDetection: outlierDetection,
 		},
 	}
 

docs/Compatibility.md

@@ -5,16 +5,16 @@ The below information is based on the testing done, please submit a PR if you ha
 
 | Admiral Version   | Min. Istio Version    | Max. Istio Version    | Min. K8s Version  |  Max. K8s Version
 |:-----------------:|:---------------------:|:---------------------:|:-----------------:|:-----------------:
-v0.1-beta           | 1.2.3                 | 1.4.6                 | 1.13              | 1.14
-v0.9                | 1.2.3                 | 1.5.1                 | 1.13              | 1.16
+v0.1-beta           | 1.2.3                 | 1.4.6                 | 1.13              | 1.14.2
+v0.9                | 1.2.3                 | 1.5.1                 | 1.13              | 1.18.0
 
 
 ## Admiral feature support by Istio Version
 
 | Admiral Version   | Syncing   | Dependency    | Global Traffic Policy
 |:-----------------:|:---------:|:-------------:|:--------------------:
 v0.1-beta           | Yes       | Yes           | No
-v0.9                | Yes       | Yes           | Yes
+v0.9                | Yes       | Yes           | Yes (requires Istio 1.5.1 or higher)
 
 
 ## Tested cloud vendors

docs/Examples.md

@@ -1,90 +1,16 @@
 
 ## Install
 
-### Prerequisite
+### Prerequisites
 
-One or more k8s clusters will need the following steps executed
-
-#### Install the below utilities
-
-`Note`: If running in windows, a bash shell is required (cygwin)
-
-* Install [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
-* Install [minikube](https://istio.io/docs/setup/platform-setup/minikube/) to bring up a k8s cluster locally (Make sure your `$KUBECONFIG` points to `minikube` before proceeding)
-* Install [helm](https://helm.sh/docs/intro/install/)
-* Install [wget](https://www.gnu.org/software/wget/)
-
-#### Install Istio
-
-```
-#Download
-
-wget https://github.com/istio/istio/releases/download/1.4.3/istio-1.4.3-osx.tar.gz
-OR
-wget https://github.com/istio/istio/releases/download/1.4.3/istio-1.4.3-linux.tar.gz
-OR
-wget https://github.com/istio/istio/releases/download/1.4.3/istio-1.4.3-win.tar.gz
-
-#Extract
-
-tar -xf istio-1.4.3-osx.tar.gz
-OR
-tar -xf istio-1.4.3-linux.tar.gz
-OR
-tar -xf istio-1.4.3-win.tar.gz
-```
-
-```
-#Create istio-system namespace
-
-kubectl create ns istio-system
-```
-```
-#Create k8s secret to be used by Citadel for mTLS cert generation
-
-kubectl create secret generic cacerts -n istio-system \
-    --from-file=istio-1.4.3/samples/certs/ca-cert.pem \
-    --from-file=istio-1.4.3/samples/certs/ca-key.pem \
-    --from-file=istio-1.4.3/samples/certs/root-cert.pem \
-    --from-file=istio-1.4.3/samples/certs/cert-chain.pem
-```
-```
-#Generate, install and verify Istio CRDs
-
-helm template istio-1.4.3/install/kubernetes/helm/istio-init --namespace istio-system | kubectl apply -f -
-
-#Make sure Istio crds are installed
-
-kubectl get crds | grep 'istio.io' | wc -l
-```
-```
-#Generate & Install Istio
-
-helm template istio-1.4.3/install/kubernetes/helm/istio --namespace istio-system \
-    -f istio-1.4.3/install/kubernetes/helm/istio/example-values/values-istio-multicluster-gateways.yaml | kubectl apply -f -
-
-#Verify that istio pods are up
-
-kubectl get pods -n istio-system
-```
-
-#### DNS setup
-In a k8s cluster, you will have a DNS component that would resolve names. Admiral generates names ending in global (Ex: `stage.greeting.global`) which can be resolved by istiocoredns (as its watching Istio ServiceEntries created by Admiral with those names) installed as part of Istio.
-So you have to point DNS resolution for names ending in `global` to point to `ClusterIp` of istiocoredns service. The below step is to point coredns in a k8s cluster to istiocoredns. If you are using kube-dns, you can tweak this script.
-
-```Note: The below script wipes out existing codedns config map, please manually edit it if you want to try this in a cluster with real services/traffic```
-
-```
-#Run the below script for having coredns point to istiocoredns for dns lookups of names ending in global
-
-$ADMIRAL_HOME/scripts/redirect-dns.sh
-```
-
-#### Remove envoy cluster rewrite filter
+* One or more k8s clusters with version 1.13 or above
+* [Install istio control plane](https://istio.io/docs/setup/install/multicluster/gateways/#deploy-the-istio-control-plane-in-each-cluster) on each of these k8s clusters
+* [Configure DNS redirect](https://istio.io/docs/setup/install/multicluster/gateways/#setup-dns) for entries ending in `global`
+* Remove envoy cluster rewrite filter
 Delete Istio's envoy filter for translating `global` to `svc.cluster.local` at istio-ingressgateway because we don't need that as Admiral generates Service Entries for cross cluster communication to just work!
 ```
-# Delete envoy filter for translating `global` to `svc.cluster.local`
-kubectl delete envoyfilter istio-multicluster-ingressgateway -n istio-system
+    # Delete envoy filter for translating `global` to `svc.cluster.local`
+    kubectl delete envoyfilter istio-multicluster-ingressgateway -n istio-system
 ```
 
 `Reference:` [K8s cluster installed with Istio_replicated control planes](https://istio.io/docs/setup/install/multicluster/gateways/#deploy-the-istio-control-plane-in-each-cluster)
@@ -99,21 +25,16 @@ kubectl delete envoyfilter istio-multicluster-ingressgateway -n istio-system
 ```
 #Download and extract admiral
 
-wget https://github.com/istio-ecosystem/admiral/releases/download/v0.1-beta/admiral-install-v0.1-beta.tar.gz
-tar xvf admiral-install-v0.1-beta.tar.gz
+wget https://github.com/istio-ecosystem/admiral/releases/download/v0.9/admiral-install-v0.9.tar.gz
+tar xvf admiral-install-v0.9.tar.gz
 
-export ADMIRAL_HOME=./admiral-install-v0.1-beta
+export ADMIRAL_HOME=./admiral-install-v0.9
 ```
 
 ```
 #Install admiral
+$ADMIRAL_HOME/scripts/install_admiral.sh $ADMIRAL_HOME
 
-kubectl apply -f $ADMIRAL_HOME/yaml/remotecluster.yaml
-kubectl apply -f $ADMIRAL_HOME/yaml/demosinglecluster.yaml
-
-#Verify admiral is running
-
-kubectl get pods -n admiral
 ```
 
 ```
@@ -130,18 +51,9 @@ kubectl get secrets -n admiral
 #### Deploy Sample Services
 
 ```
-#Install test services
-
-kubectl apply -f $ADMIRAL_HOME/yaml/sample.yaml
-```
-```
-#Install the dependency CR (this is optional)
-
-kubectl apply -f $ADMIRAL_HOME/yaml/sample_dep.yaml
+#Install test services & verify admiral did it's magic
 
-#Verify that admiral created service names for 'greeting' service
-
-kubectl get serviceentry -n admiral-sync
+$ADMIRAL_HOME/scripts/install_sample_services.sh $ADMIRAL_HOME
 
 ```
 
@@ -268,14 +180,17 @@ kubectl exec --namespace=sample -it $(kubectl get pod -l "app=webapp" --namespac
 
 ### Global traffic policy
 
-You can add a global traffic policy for the Greeting service to tie all requests to one of the clusters. 
+Multicluster example is a prerequisite for the below example with Cluster 2 hosted in us-east-2 region.
+
+You can add a global traffic policy for the Greeting service to distribute traffic between clusters in a certain ratio. 
 
 ```bash
 kubectl apply -f $ADMIRAL_HOME/yaml/gtp.yaml
 ```
 
-Now, when you re-run demo requests, you should see them all being served from the us-west-2 cluster (cluster 1).
+Now, when you re-run demo requests, you should see 80% of them being served from the us-west-2 cluster (Cluster 1) and 20% of them being served from us-east-2 (Cluster 2).
 
+`Note`: You can add locality to your pods in Cluster 2 by using K8s standard region labels if your cluster if not running on a cloud provider like AWS. See these [requirements](https://istio.io/docs/ops/configuration/traffic-management/locality-load-balancing/#requirements)
 ### Cleanup
 
 Run the following script to cleanup admiral and its associated resources

docs/ReleaseNotes.md

@@ -0,0 +1,33 @@
+# Release notes
+
+## v0.9 
+We are excited to announce the release of Admiral version `v0.9` with lots of cool functionality added. This version is ready for production usage and addresses some of the biggest requests from our users.
+
+`We would like to thank all the contributors and everyone who played a role in testing the alpha and beta releases of Admiral.`
+
+
+### [Global Traffic Policies](./Architecture.md#Global%20Traffic%20Policy)
+Global traffic policies allow defining custom traffic routing behaviour for a Admiral generated CNAME, for example routing all traffic for a service to a specific region or AZ. This feature relies on Istio's [locality load balancing](https://istio.io/docs/ops/configuration/traffic-management/locality-load-balancing/)
+
+Try out this [example](./Examples.md#Global%20traffic%20policy)
+### Lots of improvements to usability 
+* Only istio resources with `exportTo: *` or `exportTo` field missing are synced across clusters to obey the spec.
+* Added a feature to update [Istio Sidecar](https://istio.io/docs/reference/config/networking/sidecar/) resource in the client's namespace. This allows for Admiral based automation to filter what endpoint configuration to be loaded by a istio-proxy and keeping the footprint minimal and still manageable.
+* Annotation (`admiral.io/ignore`) to exempt k8s Deployments/Namespaces from Admiral processing. This would be useful for migration k8s Deployments into other clusters.
+### Simplified installing the examples and organized them by use case   
+* We now have examples for [Single cluster](./Examples.md#Single%20cluster), [Multi-cluster](./Examples.md#Multicluster) and [Global traffic policies](./Examples.md#Global%20traffic%20policy)
+* Installation commands have been turned into bash scripts to reduce the number of steps.
+### Bug fixes 
+* Handle Admiral crashes in special scenarios like below:
+    -   for resource deletions
+    -   missing resource permissions
+    -   missing k8s Service for a k8s Deployment
+
+### Summary
+Complete [list of issues](https://github.com/istio-ecosystem/admiral/milestone/1?closed=1) fixed in `v0.9`
+
+Report issues and/or post your questions via:
+* [Admiral slack channel](https://istio.slack.com/archives/CT3F18T08)
+* [Github issues](https://github.com/istio-ecosystem/admiral/issues)
+
+Stay tuned for [`v1.0`](https://github.com/istio-ecosystem/admiral/milestone/2) release!!

install/admiral/base/deployments.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: apps/v1beta2
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:

install/admiral/overlays/demosinglecluster/envconfig_values.yaml

@@ -1,6 +1,6 @@
 ---
 
-apiVersion: apps/v1beta2
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: admiral

install/sample/base/greeting.yaml

@@ -34,11 +34,14 @@ data:
       }
     }
 ---
-apiVersion: apps/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: greeting
 spec:
+  selector:
+    matchLabels:
+      app: greeting
   replicas: 1
   template:
     metadata:

install/sample/base/webapp.yaml

@@ -4,14 +4,17 @@ kind: ServiceAccount
 metadata:
   name: webapp
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: webapp
   annotations:
     #admiral.io/ignore: "true" #Uncommenting this line will cause admiral to ignore this deployment despite the fact that it's in the mesh
 spec:
   replicas: 1
+  selector:
+    matchLabels:
+      app: webapp
   template:
     metadata:
       annotations:

install/sample/gtp.yaml

@@ -11,6 +11,6 @@ spec:
       lbType: 1 #0 represents TOPOLOGY, 1 represents FAILOVER
       target:
         - region: us-west-2
-          weight: 100
+          weight: 80
         - region: us-east-2
-          weight: 0
+          weight: 20

install/scripts/cleanup.sh

@@ -3,12 +3,12 @@
 while true; do
     clustername=$(kubectl config current-context)
     printf "k8s cluster: %s\n" "$clustername"
-    printf "Namespaces ['admiral','admiral-sync'] will be deleted.\nDo you wish to proceed?\n"
+    printf "Namespaces ['admiral','admiral-sync','sample'] will be deleted.\nDo you wish to proceed?\n"
     options="Please enter yes/Y/y or no/N/n"
     echo $options
     read -p "" yn
     case $yn in
-        [Yy]* ) kubectl delete namespace admiral; kubectl delete namespace admiral-sync; break;;
+        [Yy]* ) kubectl delete namespace admiral; kubectl delete namespace admiral-sync; kubectl delete namespace sample; break;;
         [Nn]* ) exit;;
         * ) echo $options;;
     esac

install/scripts/cluster-secret.sh

@@ -27,12 +27,10 @@ SERVICE_ACCOUNT=admiral
 SECRET_NAME=$(kubectl get sa ${SERVICE_ACCOUNT} -n ${NAMESPACE_SYNC} -o jsonpath='{.secrets[].name}')
 CA_DATA=$(kubectl get secret ${SECRET_NAME} -n ${NAMESPACE_SYNC} -o "jsonpath={.data['ca\.crt']}")
 RAW_TOKEN=$(kubectl get secret ${SECRET_NAME} -n ${NAMESPACE_SYNC} -o "jsonpath={.data['token']}")
-echo 'RAW_TOKEN'
-echo $RAW_TOKEN
 TOKEN=$(kubectl get secret ${SECRET_NAME} -n ${NAMESPACE_SYNC} -o "jsonpath={.data['token']}" | base64 --decode)
 
-echo 'TOKEN'
-echo $TOKEN
+#echo 'TOKEN'
+#echo $TOKEN
 
 #create kubeconfig for remote cluster
 cat <<EOF > ${KUBECFG_FILE}