Support switching between mesh mode on or off (alibaba#140)

Hinsteny · Jan 19, 2023 · b16d5a4 · b16d5a4
1 parent a58c005
commit b16d5a4
Show file tree

Hide file tree

Showing 10 changed files with 76 additions and 74 deletions.
diff --git a/Makefile.core.mk b/Makefile.core.mk
@@ -115,22 +115,18 @@ define create_ns
 endef
 
 install: pre-install
-	helm install istio helm/kind/istio -n istio-system --create-namespace
 	helm install higress helm/kind/higress -n higress-system --create-namespace
 
-ENVOY_LATEST_IMAGE_TAG ?= 0.5.4
-ISTIO_LATEST_IMAGE_TAG ?= 0.5.4
+ENVOY_LATEST_IMAGE_TAG ?= 0.6.0
+ISTIO_LATEST_IMAGE_TAG ?= 0.6.0
 
 install-dev: pre-install
-	helm install istio helm/istio -n istio-system --create-namespace --set-json='pilot.tag="$(ISTIO_LATEST_IMAGE_TAG)"' --set-json='global.kind=true'
 	helm install higress helm/higress -n higress-system --create-namespace --set-json='controller.tag="$(TAG)"' --set-json='gateway.replicas=1' --set-json='gateway.tag="$(ENVOY_LATEST_IMAGE_TAG)"' --set-json='global.kind=true'
 
 uninstall:
-	helm uninstall istio -n istio-system
 	helm uninstall higress -n higress-system
 
 upgrade: pre-install
-	helm upgrade istio helm/kind/istio -n istio-system
 	helm upgrade higress helm/kind/higress -n higress-system
 
 helm-push:
@@ -199,8 +195,6 @@ run-e2e-test:
 	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
 	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
 	kubectl wait --timeout=5m -n higress-system deployment/higress-controller --for=condition=Available
-	@echo -e "\n\033[36mWaiting istiod to be ready...\033[0m\n"
-	kubectl wait --timeout=5m -n istio-system deployment/istiod --for=condition=Available
 	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
 	kubectl wait --timeout=5m -n higress-system deployment/higress-gateway --for=condition=Available
 	go test -v -tags conformance ./test/ingress/e2e_test.go --ingress-class=higress --debug=true --use-unique-ports=true
diff --git a/README.md b/README.md
@@ -151,11 +151,9 @@ kind.exe create cluster --name higress --config=cluster.conf
 kubectl.exe config use-context kind-higress
 ```
 
-#### 第三步、 安装 istio & higress
+#### 第三步、 安装 higress
 
 ```bash
-kubectl create ns istio-system
-helm install istio -n istio-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/istio-local
 kubectl create ns higress-system
 helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress-local
 ```
@@ -182,38 +180,21 @@ curl localhost/bar
 ```bash
 kubectl delete -f https://github.com/alibaba/higress/releases/download/v0.5.2/quickstart.yaml
 
-helm uninstall istio -n istio-system
-
 helm uninstall higress -n higress-system
 
-kubectl delete ns istio-system
-
 kubectl delete ns higress-system
 ```
 
 ### 生产环境
 
-#### 第一步、 安装 istio
-
-可以选择安装 higress 发行的 istio 版本:
-
-```bash
-kubectl create ns istio-system
-helm install istio -n istio-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/istio
-```
-
-或者选择安装官方 istio 版本 (将失去部分能力，例如通过 Ingress 注解实现限流的功能):
-
-https://istio.io/latest/docs/setup/install
-
-#### 第二步、 安装 higress
+#### 第一步、 安装 higress
 
 ```bash
 kubectl create ns higress-system
 helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress 
 ```
 
-#### 第三步、 创建 Ingress 资源并测试
+#### 第二步、 创建 Ingress 资源并测试
 
 假设在 default 命名空间下已经部署了一个 test service，服务端口为 80 ，则创建下面这个 K8s Ingress
 
@@ -245,12 +226,8 @@ curl "$(k get svc -n higress-system higress-gateway -o jsonpath='{.status.loadBa
 #### 卸载资源
 
 ```bash
-helm uninstall istio -n istio-system
-
 helm uninstall higress -n higress-system
 
-kubectl delete ns istio-system
-
 kubectl delete ns higress-system
 ```
 

diff --git a/README_EN.md b/README_EN.md
@@ -124,10 +124,10 @@ kind.exe create cluster --name higress --config=cluster.conf
 kubectl.exe config use-context kind-higress
 ```
 
-#### step 3. install istio & higress
+#### step 3. install higress
 
 ```bash
-helm install istio -n istio-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/istio-local
+kubectl create ns higress-system
 helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress-local
 ```
 Note: The helm version needs to be upgraded to **v3.8.0** and above
@@ -151,38 +151,21 @@ curl localhost/bar
 ```bash
 kubectl delete -f https://kind.sigs.k8s.io/examples/ingress/usage.yaml
 
-helm uninstall istio -n istio-system
-
 helm uninstall higress -n higress-system
 
-kubectl delete ns istio-system
-
 kubectl delete ns higress-system
 ```
 
 ### Production Environment
 
-#### step 1. install istio
-
-select higress istio:
-
-```bash
-kubectl create ns istio-system
-helm install istio -n istio-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/istio
-```
-
-or select official istio (lose some abilities, such as using annotation to limit request rate):
-
-https://istio.io/latest/docs/setup/install
-
-#### step 2. install higress
+#### step 1. install higress
 
 ```bash
 kubectl create ns higress-system
 helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress 
 ```
 
-#### step 3. create the ingress and test it
+#### step 2. create the ingress and test it
 
 for example there is a service `test` in default namespace.
 
@@ -212,12 +195,8 @@ curl "$(k get svc -n higress-system higress-gateway -o jsonpath='{.status.loadBa
 #### Clean-Up
 
 ```bash
-helm uninstall istio -n istio-system
-
 helm uninstall higress -n higress-system
 
-kubectl delete ns istio-system
-
 kubectl delete ns higress-system
 ```
 

diff --git a/helm/higress/templates/configmap.yaml b/helm/higress/templates/configmap.yaml
@@ -15,7 +15,11 @@
     # When processing a leaf namespace Istio will search for declarations in that namespace first
     # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
     # is processed as if it were declared in the leaf namespace.
+    {{- if .Values.global.enableMesh }}
     rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+    {{- else }}
+    rootNamespace: {{ .Release.Namespace }}
+    {{- end }}
 
     configSources:
       - address: "xds://127.0.0.1:15051"
@@ -34,7 +38,7 @@
       {{- else if eq .Values.global.proxy.tracer "zipkin" }}
         zipkin:
           # Address of the Zipkin collector
-          address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+          address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Release.Namespace ":9411") }}
       {{- else if eq .Values.global.proxy.tracer "datadog" }}
         datadog:
           # Address of the Datadog Agent
@@ -67,11 +71,15 @@
       {{- if not .Values.global.externalIstiod }}
       discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
       {{- else }}
-      discoveryAddress: {{ printf "higress-controller.%s.svc" .Release.Namespace }}:15012
+      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
       {{- end }}
       {{- else }}
+      {{- if .Values.global.enableMesh }}
+      discoveryAddress: {{ printf "istiod.%s.svc" .Values.global.istioNamespace }}:15012
+      {{- else }}
       discoveryAddress: higress-controller.{{.Release.Namespace}}.svc:15012
       {{- end }}
+      {{- end }}
       proxyStatsMatcher:
         inclusionRegexps:
         - ".*"

diff --git a/helm/higress/templates/controller-deployment.yaml b/helm/higress/templates/controller-deployment.yaml
@@ -120,6 +120,10 @@ spec:
             value: "{{ .Values.global.istiod.enableAnalysis }}"
           - name: CLUSTER_ID
             value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          {{- if not .Values.global.enableMesh }}
+          - name: CUSTOM_CA_CERT_NAME
+            value: "higress-ca-root-cert"
+          {{- end }}
           {{- if not .Values.global.kind  }}
           resources:
 {{- if .Values.pilot.resources }}

diff --git a/helm/higress/templates/deployment.yaml b/helm/higress/templates/deployment.yaml
@@ -21,12 +21,19 @@ spec:
   strategy:
     rollingUpdate:
       maxSurge: {{ .Values.gateway.rollingMaxSurge }}
+      {{- if .Values.global.kind }}
+      maxUnavailable: 100%
+      {{- else }}
       maxUnavailable: {{ .Values.gateway.rollingMaxUnavailable }}
+      {{- end }}
   template:
     metadata:
-      {{- with .Values.gateway.podAnnotations }}
       annotations:
-        {{- toYaml . | nindent 8 }}
+      {{- if .Values.global.enableMesh }}
+        "enableMesh": "true"
+      {{- end }}
+      {{- if .Values.gateway.podAnnotations }}
+        {{- toYaml .Values.gateway.podAnnotations | nindent 8 }}
       {{- end }}
       labels:
         sidecar.istio.io/inject: "false"
@@ -209,7 +216,11 @@ spec:
       {{- end }}
       - name: istio-ca-root-cert
         configMap:
+      {{- if .Values.global.enableMesh }}
           name: istio-ca-root-cert
+      {{- else }}
+          name: higress-ca-root-cert
+      {{- end }}
       - name: config
         configMap:
           name: higress-config

diff --git a/helm/higress/values.yaml b/helm/higress/values.yaml
@@ -5,7 +5,7 @@ global:
   kind: false
   enableMesh: false
   # Used to locate istiod.
-  istioNamespace: higress-system
+  istioNamespace: istio-system
   # enable pod disruption budget for the control plane, which is used to
   # ensure Istio control plane components are gradually upgraded or recovered.
   defaultPodDisruptionBudget:
@@ -30,7 +30,7 @@ global:
   # Dev builds from prow are on gcr.io
   hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
   # Default tag for Istio images.
-  tag: 0.5.4
+  tag: 0.6.0
 
   # Specify image pull policy if default behavior isn't desired.
   # Default behavior: latest images will be Always else IfNotPresent.
@@ -322,7 +322,6 @@ ingressClass: ""
 watchNamespace: ""
 enableStatus: false
 clusterName: ""
-istioNamespace: "higress-system"
 # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
 # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
 meshConfig:
@@ -357,7 +356,7 @@ gateway:
   name: "higress-gateway"
   replicas: 2
   image: gateway
-  tag: "0.5.4"
+  tag: "0.6.0"
   # revision declares which revision this gateway is a part of
   revision: ""
 
@@ -449,7 +448,7 @@ controller:
   name: "higress-controller"
   replicas: 1
   image: higress
-  tag: "0.5.4"
+  tag: "0.6.0"
   env: {}
 
   labels: {}
@@ -539,7 +538,7 @@ pilot:
   rollingMaxUnavailable: 25%
 
   hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
-  tag: 0.5.4
+  tag: 0.6.0
 
   # Can be a full hub/image:tag
   image: pilot

diff --git a/helm/istiod/values.yaml b/helm/istiod/values.yaml
@@ -10,7 +10,7 @@ pilot:
   rollingMaxUnavailable: 25%
 
   hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
-  tag: 0.5.4
+  tag: 0.6.0
 
   # Can be a full hub/image:tag
   image: pilot
@@ -256,7 +256,7 @@ global:
   # Dev builds from prow are on gcr.io
   hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
   # Default tag for Istio images.
-  tag: 0.5.4
+  tag: 0.6.0
 
   # Specify image pull policy if default behavior isn't desired.
   # Default behavior: latest images will be Always else IfNotPresent.

diff --git a/helm/kind/higress/Chart.lock b/helm/kind/higress/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: higress
   repository: file://../../higress
-  version: 0.5.4
-digest: sha256:ea2475e2ba790a07811de045f03ae1a2279a6596bcaa750109f149e8ae2c61bd
-generated: "2023-01-18T10:57:50.379427+08:00"
+  version: 0.6.0
+digest: sha256:d5a9a1a3ee640635a1251ac1535a95db79975b39f6ab6b7c742c3e0d11f33533
+generated: "2023-01-19T10:31:59.206741+08:00"
diff --git a/istio/1.12/patches/istio/20230119-custom-ca-cert-name.patch b/istio/1.12/patches/istio/20230119-custom-ca-cert-name.patch
@@ -0,0 +1,30 @@
+diff -Naur istio/pilot/pkg/features/pilot.go istio_new/pilot/pkg/features/pilot.go
+--- istio/pilot/pkg/features/pilot.go	2023-01-19 11:17:16.000000000 +0800
++++ istio_new/pilot/pkg/features/pilot.go	2023-01-19 11:03:37.000000000 +0800
+@@ -562,6 +562,11 @@
+
+ 	PrioritizedLeaderElection = env.RegisterBoolVar("PRIORITIZED_LEADER_ELECTION", true,
+ 		"If enabled, the default revision will steal leader locks from non-default revisions").Get()
++
++	// Added by ingress
++	CustomCACertConfigMapName = env.RegisterStringVar("CUSTOM_CA_CERT_NAME", "",
++		"Defines the configmap's name of  istio's root ca certificate").Get()
++	// End added by ingress
+ )
+
+ // UnsafeFeaturesEnabled returns true if any unsafe features are enabled.
+diff -Naur istio/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go istio_new/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go
+--- istio/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go	2023-01-19 11:17:19.000000000 +0800
++++ istio_new/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go	2023-01-19 11:20:32.000000000 +0800
+@@ -50,6 +50,11 @@
+ 	if features.ClusterName != "" && features.ClusterName != "Kubernetes" {
+ 		dynamicCACertNamespaceConfigMap = fmt.Sprintf("%s-ca-root-cert", features.ClusterName)
+ 	}
++	// Added by ingress
++	if features.CustomCACertConfigMapName != "" {
++		dynamicCACertNamespaceConfigMap = features.CustomCACertConfigMapName
++	}
++	// End added by ingress
+ }
+
+ // NamespaceController manages reconciles a configmap in each namespace with a desired set of data.