Istio passthrough migration
General MR
Summary
This MR enables the istioCRDs and istiod packages in BB umbrella. These packages replace
what was being provided by istioCore. A follow-on MR will remove the remaining istioCore
components once appropriate changes are made to the pipeline-templates.
Relevant logs/screenshots
A test evidence MR is available here: !6096 (closed)
A proper smoke test required changes to test-values.yaml, so
the above linked MR was created only for that purpose.
Unfortunately, due to changes made to istio-gateway templates, the pipeline keeps enabling it.
Since istio-gateway depends on either istio-core or the new istiod to run, this fails. I
pushed a change that removes istio-gateway from the package-mapping.yaml and got a clean
smoke test run on this branch:
https://repo1.dso.mil/big-bang/bigbang/-/jobs/44398815
I dropped the commit afterwards.
Linked Issue
Closes big-bang/product/packages/istio-core#38
Upgrade Notices
Operatorless Istio Beta
The Big Bang team is happy to announce operatorless Istio has graduated to beta status!
We've gone through great effort to integrate all of Big Bang's core packages as well as many of our supported addons. We've also written some documentation to make this as smooth a migration as possible. You can find that documentation here.
Some Lingering Package Issues
Currently, the following packages require additional network policies to be added for them to work with the new beta implementation of Istio:
- Nexus Repository Manager
- Cluster Auditor
- Any packages using the Wrapper chart (i.e. Jira and Confluence)
We aim to have Nexus Repository Manager and Cluster Auditor fully integrated by the time we make operatorless Istio generally available and are exploring how best to flexibly support the wrapper chart.
For non-wrapper packages, the following network policies can be added as a workaround:
nexusRepositoryManager:
  values:
    networkPolicies:
      additionalPolicies:
      - name: allow-istio-ingress-beta
        spec:
          ingress:
          - from:
            - namespaceSelector:
                matchLabels:
                  app.kubernetes.io/name: istio-gateway
              podSelector:
                matchLabels:
                  app: public-ingressgateway
                  istio: ingressgateway
            ports:
            - port: 8081
              protocol: TCP
          podSelector: {}
          policyTypes:
          - Ingress
      - name: allow-istiod-egress-beta
        spec:
          egress:
          - ports:
            - port: 15012
              protocol: TCP
            to:
            - namespaceSelector:
                matchLabels:
                  app.kubernetes.io/name: istio-system
              podSelector:
                matchLabels:
                  app: istiod
          podSelector: {}
          policyTypes:
          - Egress
For packages using the wrapper chart, the following can be used:
packages:
  jira:
    network:
      additionalPolicies:
      - name: allow-istio-ingress-beta
        spec:
          ingress:
          - from:
            - namespaceSelector:
                matchLabels:
                  app.kubernetes.io/name: istio-gateway
              podSelector:
                matchLabels:
                  app: public-ingressgateway
                  istio: ingressgateway
            ports:
            - port: 8080
              protocol: TCP
          podSelector: {}
          policyTypes:
          - Ingress
      - name: allow-istiod-egress-beta
        spec:
          egress:
          - ports:
            - port: 15012
              protocol: TCP
            to:
            - namespaceSelector:
                matchLabels:
                  app.kubernetes.io/name: istio-system
              podSelector:
                matchLabels:
                  app: istiod
          podSelector: {}
          policyTypes:
          - Egress
NOTE: The above examples are using the default public-ingressgateway that is created by the istioGateway package. If you plan on creating a gateway with a different name, any references to the gateway above will need to be updated. Additionally, the ports in the examples above are the default ports for Nexus Repository Manager and Jira respectively and will need to be updated based on any customizations that may be present in a given environment.
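The allow-istio-ingress-beta rule above pairs namespaceSelector and podSelector in a single from entry, which Kubernetes ANDs; if podSelector were written as its own list item, the two would be ORed and the rule would admit far more than the gateway. The following is an added example, not part of the original MR or of Big Bang, that evaluates both shapes against constructed source pods; the package namespace name and the source pods are assumptions.

```python
# Added example: evaluates NetworkPolicy ingress peers (matchLabels only; no ipBlock
# or matchExpressions). Namespace names and source pods below are constructed.

def labels_match(selector, labels):
    # An empty selector ({}) matches every label set.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, policy_ns, src):
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        # A podSelector with no namespaceSelector only selects pods in the policy's namespace.
        ns_ok = src["ns"] == policy_ns
    else:
        ns_ok = labels_match(ns_sel, src["ns_labels"])
    # Selectors inside ONE peer are ANDed together.
    return ns_ok and (pod_sel is None or labels_match(pod_sel, src["pod_labels"]))

def ingress_allows(rule, policy_ns, src, port):
    ports = rule.get("ports")
    port_ok = not ports or any(p["port"] == port for p in ports)
    # Separate entries in `from` are ORed.
    return port_ok and any(peer_allows(p, policy_ns, src) for p in rule["from"])

NS_SEL = {"matchLabels": {"app.kubernetes.io/name": "istio-gateway"}}
GW_LABELS = {"app": "public-ingressgateway", "istio": "ingressgateway"}
POD_SEL = {"matchLabels": GW_LABELS}
PORTS = [{"port": 8081, "protocol": "TCP"}]

# Shape used in the workaround above: one peer carrying both selectors.
AS_WRITTEN = {"from": [{"namespaceSelector": NS_SEL, "podSelector": POD_SEL}], "ports": PORTS}
# Same keys, but podSelector as a second list item (a stray "-" in the YAML).
MISINDENTED = {"from": [{"namespaceSelector": NS_SEL}, {"podSelector": POD_SEL}], "ports": PORTS}

POLICY_NS = "nexus-repository-manager"  # assumed package namespace
SOURCES = {  # constructed traffic sources
    "gateway": {"ns": "istio-gateway", "ns_labels": NS_SEL["matchLabels"], "pod_labels": GW_LABELS},
    "other-pod-in-gateway-ns": {"ns": "istio-gateway", "ns_labels": NS_SEL["matchLabels"],
                                "pod_labels": {"app": "debug"}},
    "labelled-pod-in-package-ns": {"ns": POLICY_NS, "ns_labels": {}, "pod_labels": GW_LABELS},
}

def verdicts(rule, port=8081):
    return {name: ingress_allows(rule, POLICY_NS, src, port) for name, src in SOURCES.items()}

if __name__ == "__main__":
    print("as written: ", verdicts(AS_WRITTEN))
    print("misindented:", verdicts(MISINDENTED))
```

When adapting the workaround for a differently named gateway or a custom port, keep both selectors under the same list item so that only the gateway pods are admitted.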