Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow 'gateway' To Override Default 'mesh' Attachment #140

Closed
SpreetailHurley opened this issue Apr 4, 2019 · 0 comments
Closed

Allow 'gateway' To Override Default 'mesh' Attachment #140

SpreetailHurley opened this issue Apr 4, 2019 · 0 comments

Comments

@SpreetailHurley
Copy link

SpreetailHurley commented Apr 4, 2019
edited by stefanprodan
Loading

Issue:
Flagger always attaches its created VirtualService to the 'mesh' gateway, both as default (configuration specifies no other gateway) and as an additional gateway (configuration does specify other gateway)
Instead, a configured gateway list should be applied explicitly - ie 'mesh' is attached if and only if it explicitly appears in the list of gateways in Flagger 'gateway' spec

Use-Case:
Internet connections traverse a standalone gateway resource and are subject to http match rules but mesh-only connections do not traverse the gateway and should be excluded from match rules.

Suppose that a service will be created by Flagger (my-service) and will be reachable via Internet as https://my-site.com/api/v1/my-service On-the-fly, a VirtualService (also created by Flagger) rewrites the request because my-service listens for connections at the root (/)
If the created VirtualService is applied to the 'mesh' gateway, then both Internet and internal connections will be subject to the rule. More to the point, internal connections that target the service directly will connect to my-service.namespace.svc.cluster.local/ which results in a 404 if the rewrite is being applied.

Example:
In this example, the VirtualService would attach to my-gateway but not to mesh:

---
apiVersion: flagger.app/v1alpha3
kind: Canary
metadata:
  name: {{ .Chart.Name }}
spec:
  targetRef:
    apiVersion: extensions/v1beta1
    kind: Deployment
    name: {{ .Chart.Name }}
  progressDeadlineSeconds: 60
  service:
    port: {{ .Values.service.externalPort }}
    portName: "http-{{ .Values.service.name }}"
    gateways:
    - my-gateway.namespace.svc.cluster.local
    hosts:
    - my-site.com
    match:
    - uri:
        prefix: /api/v1/my-service/
    rewrite:
      uri: /
    headers:
      request:
        add:
          x-envoy-upstream-rq-timeout-ms: "15000"
          x-envoy-max-retries: "10"
          x-envoy-retry-on: "gateway-error,connect-failure,refused-stream"
    corsPolicy:
      allowOrigin:
      - my-site.com
      allowMethods:
      - GET
      - POST
      allowHeaders:
      - content-type
      - auth-token
      - authorization
  canaryAnalysis:
    interval: 1m
    iterations: 5
    threshold: 2
    match:
      - headers:
          cookie:
            regex: "^(.*?;)?(user=test)(;.*)?$"
    metrics:
    - name: istio_requests_total
      threshold: 99
      interval: 1m
    webhooks:
      - name: load-test
        url: http://flagger-loadtester.namespace/
        timeout: 5s
        metadata:
          cmd: "hey -z 1m -q 10 -c 2 -H 'Cookie: user=test' http://my-service.namespace:8080/alive"

To be inline both for Internet and Mesh-internal traversal:

---
apiVersion: flagger.app/v1alpha3
kind: Canary
metadata:
  name: {{ .Chart.Name }}
spec:
...
  service:
    port: {{ .Values.service.externalPort }}
    portName: "http-{{ .Values.service.name }}"
    gateways:
    - my-gateway.namespace.svc.cluster.local
    - mesh
    ....
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@SpreetailHurley