Add enable-gateways config option to support mesh-only mode#1520
Add enable-gateways config option to support mesh-only mode#1520prashanthjos wants to merge 5 commits into
enable-gateways config option to support mesh-only mode#1520Conversation
Add a new `enable-gateways` key to the `config-istio` ConfigMap that allows disabling Istio Gateway creation and reconciliation. When set to "false", the ingress reconciler takes a simplified mesh-only path: - Only mesh VirtualServices are created (no ingress VS, no Gateways) - TLS secret copying and gateway server management are skipped - Readiness probing targets destination service pods directly - LoadBalancer status reports MeshOnly for both public and private - FinalizeKind skips gateway server cleanup This enables using net-istio purely for service-to-service mesh communication without requiring Istio ingress gateway infrastructure. The option defaults to "true" for full backward compatibility.
|
Welcome @prashanthjos! It looks like this is your first PR to knative-extensions/net-istio 🎉 |
knative-prow
Bot
added
size/XL
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: prashanthjos The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Hi @prashanthjos. Thanks for your PR. I'm waiting for a knative-extensions member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Rather than a new option we setup the configuration changes in net-istio to allow for empty gateways. Though we didn't implement it eg. net-istio/config/400-config-istio.yaml Line 49 in 2bcb827 external-gateways: "[]"Explicitly stating an empty list of gateways (via an yaml string of an empty array) should indicate that we do not want any external gateways. We can do the same with the local gateways. |
|
Empty string should remain the default value |
|
@dprotaso I tried to address your comments, can you please take a look, if possible can you add |
dprotaso
left a comment
dprotaso
left a comment
There was a problem hiding this comment.
did a quick pass - here's an initial review
| # ingress gateways), set both gateway lists to empty: | ||
| # external-gateways: "[]" | ||
| # local-gateways: "[]" | ||
| # This disables gateway creation and probes destination service pods directly. |
There was a problem hiding this comment.
I don't think we need this in the testdata config
It would make sense to add these examples to the main config
net-istio/config/400-config-istio.yaml
Line 45 in ee32f9d
and the local gateway
net-istio/config/400-config-istio.yaml
Line 92 in ee32f9d
There was a problem hiding this comment.
It's also probably important that we say that we don't support adding/removing gateways after Knative Services have been created
|
|
||
| // IstioNamespace is the namespace containing Istio | ||
| IstioNamespace = "istio-system" | ||
|
|
There was a problem hiding this comment.
remove these extra new lines in various places. Just makes the more 'busy' than it needs to be
| // listMeshProbeTargets builds probe targets from the Ingress spec's destination | ||
| // services when no gateways are available (mesh-only mode). It resolves each | ||
| // backend service to its Endpoints and probes the pods directly. | ||
| func (l *gatewayPodTargetLister) listMeshProbeTargets(ing *v1alpha1.Ingress) ([]status.ProbeTarget, error) { |
There was a problem hiding this comment.
It resolves each backend service to its Endpoints and probes the pods directly.
The intent of probing is to make sure that the routing rules have been propagated. I'm not sure we can do this in mesh because we don't want to probe a pod because it's IP won't be accessible in a sidecar mode. It will probably work in ambient since pod IPs are addressable.
There was a problem hiding this comment.
hmm I think you are right, I've reworked the implementation with the assumption that the controller has a istio sidecar( we have enabled the isio side cars for net-istio controllers). listMeshProbeTargets now uses the rule host from the Ingress spec as the probe target directly. The controller's sidecar intercepts the outbound traffic, matches the authority against the mesh VirtualService, and routes to the correct revision service. This verifies the actual mesh routing path end-to-end.
The function is now much simpler, no service lookups and endpoint resolution. I am using the hostname and port from the KIngress spec.
There was a problem hiding this comment.
I also used the health check to see if istio-proxy side car exists and then only proceed with probing.
There was a problem hiding this comment.
I've reworked the implementation with the assumption that the controller has a istio sidecar( we have enabled the isio side cars for net-istio controllers).
For testing we should assume we the net-istio controller doesn't have a sidecar.
We specifically opt out of it so it can probe the public and internal gateway
net-istio/config/500-controller.yaml
Lines 32 to 35 in baa9bb9
I don't think we can reliably probe the gateways while in the mesh
There was a problem hiding this comment.
ok may be I dint phrase it correctly, In Gateway mode (default) ,sidecar.istio.io/inject: "false" stays as the default in 500-controller.yaml. Gateway probing works exactly as before, no mesh involvement and in Mesh-only mode (external-gateways: "[]", local-gateways: "[]"), the controller checks for a sidecar at runtime by hitting localhost:15021/healthz/ready. If no sidecar is detected (default deployment), Mesh probing is skipped entirely. The ingress is marked ready immediately after VirtualService reconciliation. A warning log is emitted telling operators how to enable mesh probing. However if a sidecar is detected (operator explicitly set sidecar.istio.io/inject: "true" while installing net-istio), probes route through the mesh VirtualService for a more thorough readiness check.
So we never assume a sidecar exists. The detection is a one-time check (sync.Once), and the fallback (skip probing) is safe, the mesh VS is the only networking config needed in mesh-only mode, and its creation is verified by the reconciler before marking ready. The two modes are mutually exclusive in their sidecar requirements, we can't probe gateway pods AND route through the mesh simultaneously.
Also I added a clear comment on 202-gateway.yaml and 203-local-gateway.yaml saying that these are not used when we enable mesh mode on the controller although they are statically created. I also added a better comment on 500-controller.yaml about what the sidecar annotation would do.
One important point that I want to make clear is whoever is trying to use net-istio in mesh mode should clone the repo and update the sidecar.istio.io/inject annotation to true and then proceed with kubectl apply.
There was a problem hiding this comment.
Also, the intent here is, some teams already have existing gateways and may not want to use them for Knative services or they don't want to create the new ones at all, in such cases we don't want to force the traffic through knative gateway for probing scenarios for various reasons like gateways might already be experiencing high traffic and don't want the probe traffic to go through them. My intent here is net-istio already has so many things we already need and I am trying to fit in the usecases without breaking the existing functionality.
There was a problem hiding this comment.
the controller checks for a sidecar at runtime by hitting localhost:15021/healthz/ready
But this won't work in ambient mode I'm assuming?
|
/ok-to-test |
knative-prow
Bot
added
ok-to-test
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #1520 +/- ##
==========================================
- Coverage 81.96% 81.47% -0.49%
==========================================
Files 23 23
Lines 1519 1614 +95
==========================================
+ Hits 1245 1315 +70
- Misses 180 201 +21
- Partials 94 98 +4 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
/retest |
|
Part of this was pulled into #1524 /hold until that merges and this PR gets revisited |
knative-prow
Bot
added
the
do-not-merge/hold
knative-prow-robot
added
the
needs-rebase
|
PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
3 participants
Add a new
enable-gatewayskey to theconfig-istioConfigMap that allows disabling Istio Gateway creation and reconciliation. When set to "false", the ingress reconciler takes a simplified mesh-only path:This enables using net-istio purely for service-to-service mesh communication without requiring Istio ingress gateway infrastructure.
The option defaults to "true" for full backward compatibility.
Changes
EnableGatewaysbool field to Istio config struct, parsed fromenable-gatewaysConfigMap key (defaults totrue)reconcileMeshOnlyIngresspath that creates only mesh VirtualServices when gateways are disabledListProbeTargetsthat targets destination service pods directly when gateways are disabledEnableGatewayscheck/kind enhancement
Fixes #
Release Note
TBD - will open a docs PR to document the new
enable-gatewaysconfig option.