Add build rules and instructions for enabling Istio sidecar injection

[ian-mi]

This requires removing the fluentd sidecar which currently requires connectivity with services outside of the mesh. mdemirhan is looking at adding different fluentd sidecar to replace this.

Please also note that a few extra setup steps are required to enable automatic sidecar injection.

[mdemirhan]

I think we should make this as part of "everything" and not a separate step. Otherwise, once we rip out nginx, without sidecar injection, traffic will not be properly handled.

[ian-mi]

The issue is that this should only happen once for the lifetime of the cluster and not during every everything.apply for example. One solution might be to create a new build rule for initial setup only where we can add this. WDYT?

[mdemirhan]

I like that idea. We will need other things of this nature in the future and we can add all one-time cluster initialization in there.

[mdemirhan]

This will enable injection for all pods in the default namespace, including the autoscale pod. Is there a way to enable injection only for ela generated pods?

[mdemirhan]

Ah never mind. Looking below, seems like you are explicitly disabling injection for autoscale.

[mattmoor]

This will enable injection for builds too. Can we opt pods into this instead?

[ian-mi]

I haven't found any documentation about opt-in behavior. The istio-inject configmap has a policy field which might do what we want but perhaps builds should be explicitly opted-out or run in a separate namespace. WDYT?

[vaikas]

Because we already have some code that injects side cars, what's the benefit for using istio here, instead of injecting the istio sidecar in the controller? Seems odd that we have one way of injecting some sidecars than others.

[ian-mi]

I think the benefit would be that the istio-proxy sidecar spec can be owned by istio and be mostly transparent to us. Right now our build rules tightly couple us to an istio version but ideally elafros could be installed on any cluster with istio + automatic sidecar injection and use the same istio-proxy sidecar that is injected for other services within the cluster.

[vaikas]

My one concern is that I can see there being different capabilities that get lit up based on the type of revision. This seems like something that could be configurable. Right now configuration/revision is something that is a self standing unit and can be used as a building block and while I think it's indeed nice to rely on Istio for this injection I can also see that this might be tuneable for different kinds of workloads. Currently it's very hardcoded what k8s resources revision creates, but this should change. Thoughts?

[ian-mi]

I think that ideally we would push for the capabilities we need to be supported by istio and configurable through CRDs such as RouteRules or DestinationRules rather than by modifying the sidecar spec. Note that we're also not locked into this decision as we can disable automatic injection on a per-revision basis if needed if, for example, we want to transition to something like istio/istio#3816.

[mattmoor]

A few comments inline.

I'm very impressed with your Bazel-fu! :)

[mattmoor]

This should have -c _CLUSTER_NAME where the cluster name is passed through from the workspace.

[ian-mi]

I've copied the command used to extract the user override for the cluster role binding. It might be nice to perform extraction of these variables in another repository rule at some point.

[mattmoor]

Can we name this cluster_ca_bundle for more clarity?

[ian-mi]

Done.

[mattmoor]

You can drop the kind, this is becoming vestigial

[mattmoor]

This will enable injection for builds too. Can we opt pods into this instead?

[mattmoor]

This assumes the current kubectl context is where you want it vs. an explicit cluster argument. You should at least make the docs note this (or how to check that their cluster variable $K8S_CLUSTER_OVERRIDE matches the current context kubectl config current-context)

[mattmoor]

Looking inside of this script, this looks like it would be non-trivial to incorporate into our k8s_object rules, but I think it's doable through some custom logic (and I'd like to keep our setup to :everything.apply). Can you open an issue and assign it to me?

[mattmoor]

FYI, here's an issue describing kind of what I had in mind: bazelbuild/rules_k8s#88

[mattmoor]

Sorry I missed this before, I'd meant: "Can we change the name or the rule to cluster_ca_bundle?"

[ian-mi]

Changed the rule as well.

[mattmoor]

Oh, I see what you meant earlier. I didn't realize _CLUSTER was insufficient. :(

[mattmoor]

nit: -n vs. --cluster

I'd use -c or --namespace :)

[ian-mi]

I ended up using --cluster since kubectl doesn't appear to have a short version for this. I've switched to --namespace to match.

[mattmoor]

I think my only remaining major problem is that this will break Build going in as-is since those Pods are not annotated: knative/build#73

I think we should add the opt-out for Build pods, but is there a more surgical way we should recommend that folks opt into this until we can get an updated Build into Elafros?

[ian-mi]

One option would be to include an istio-inject configmap with policy: disabled. I've confirmed that the sidecar.istio.io/inject annotation will override this policy effectively making all namespaces opt-in vs. opt-out. As long as we always set this annotation elafros should work with the inject-policy enabled or disabled.

[ian-mi]

I've gone ahead an implemented this using an expand_template rule. It is kind of a hack but allows us to use the upstream template.

[ian-mi]

@mattmoor This is ready for another look.

[mattmoor]

Thanks, if you want to TAL at: knative/build#74 I can try to merge Build into the Elafros repo tomorrow.