Merge pull request #2822 from nojnhuh/my-release

Cut v0.8.0-rc.2

.env.example

@@ -163,6 +163,10 @@ export BOOKWAREHOUSE_NAMESPACE=bookwarehouse
 ### optional: Name of the Vault role dedicated to OSM
 #export VAULT_ROLE=openservicemesh
 
+### optional: Whether to configure the demo to run on an OpenShift cluster
+# Default: false
+#export DEPLOY_ON_OPENSHIFT=false
+
 # See ./demo/deploy-vault.sh script on an example of how to deploy Hashicorp Vault
 # to your Kubernetes cluster.
 #--------------------------------------------------------------------------------

DESIGN.md

@@ -137,8 +137,8 @@ metadata:
     app: bookstore
 spec:
   ports:
-  - port: 80
-    targetPort: 80
+  - port: 14001
+    targetPort: 14001
     name: web-port
   selector:
     app: bookstore

charts/osm/Chart.yaml

@@ -14,8 +14,8 @@ type: application
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.8.0-rc.1
+version: 0.8.0-rc.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v0.8.0-rc.1
+appVersion: v0.8.0-rc.2

charts/osm/README.md

@@ -80,7 +80,6 @@ The following table lists the configurable parameters of the osm chart and their
 | OpenServiceMesh.fluentBit.enableProxySupport | bool | `false` | Enable proxy support toggle for Fluent Bit |
 | OpenServiceMesh.fluentBit.httpProxy | string | `""` | Optional HTTP proxy endpoint for Fluent Bit |
 | OpenServiceMesh.fluentBit.httpsProxy | string | `""` | Optional HTTPS proxy endpoint for Fluent Bit |
-| OpenServiceMesh.fluentBit.logLevel | string | `"error"` | Log level for Fluent Bit |
 | OpenServiceMesh.fluentBit.name | string | `"fluentbit-logger"` | Fluent Bit sidecar container name |
 | OpenServiceMesh.fluentBit.outputPlugin | string | `"stdout"` | Fluent Bit output plugin |
 | OpenServiceMesh.fluentBit.primaryKey | string | `""` | Primary Key for Fluent Bit output plugin to Log Analytics |
@@ -92,7 +91,7 @@ The following table lists the configurable parameters of the osm chart and their
 | OpenServiceMesh.grafana.port | int | `3000` | Grafana port |
 | OpenServiceMesh.image.pullPolicy | string | `"IfNotPresent"` | `osm-controller` pod PullPolicy |
 | OpenServiceMesh.image.registry | string | `"openservicemesh"` | `osm-controller` image registry |
-| OpenServiceMesh.image.tag | string | `"v0.8.0-rc.1"` | `osm-controller` image tag |
+| OpenServiceMesh.image.tag | string | `"v0.8.0-rc.2"` | `osm-controller` image tag |
 | OpenServiceMesh.imagePullSecrets | list | `[]` | `osm-controller` image pull secret |
 | OpenServiceMesh.injector | object | `{"replicaCount":1,"resource":{"limits":{"cpu":"0.5","memory":"64M"},"requests":{"cpu":"0.3","memory":"64M"}}}` | Sidecar injector configuration |
 | OpenServiceMesh.meshName | string | `"osm"` | Name for the new control plane instance |
@@ -106,8 +105,8 @@ The following table lists the configurable parameters of the osm chart and their
 | OpenServiceMesh.prometheus.retention.time | string | `"15d"` | Prometheus retention time |
 | OpenServiceMesh.replicaCount | int | `1` | `osm-controller` replicas |
 | OpenServiceMesh.serviceCertValidityDuration | string | `"24h"` | Sets the service certificatevalidity duration |
-| OpenServiceMesh.sidecarImage | string | `"envoyproxy/envoy-alpine:v1.17.0"` | Envoy sidecar image |
-| OpenServiceMesh.tracing.address | string | `"jaeger.osm-system.svc.cluster.local"` | Tracing destination cluster (must contain the namespace) |
+| OpenServiceMesh.sidecarImage | string | `"envoyproxy/envoy-alpine:v1.17.1"` | Envoy sidecar image |
+| OpenServiceMesh.tracing.address | string | `""` | Tracing destination cluster (must contain the namespace). When left empty, this is computed in helper template to "jaeger.<osm-namespace>.svc.cluster.local". Please override for BYO-tracing as documented in tracing.md |
 | OpenServiceMesh.tracing.enable | bool | `false` | Toggles Envoy's tracing functionality on/off for all sidecar proxies in the cluster |
 | OpenServiceMesh.tracing.endpoint | string | `"/api/v2/spans"` | Destination's API or collector endpoint where the spans will be sent to |
 | OpenServiceMesh.tracing.port | int | `9411` | Destination port for the listener |

charts/osm/crds/access.yaml

@@ -1,3 +1,18 @@
+# Custom Resource Definition (CRD) for SMI's traffic access specification.
+#
+# Copyright SMI SDK for Go authors
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition

charts/osm/crds/specs.yaml

@@ -1,3 +1,18 @@
+# Custom Resource Definition (CRD) for SMI's traffic specs specification.
+#
+# Copyright SMI SDK for Go authors
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition

charts/osm/crds/split.yaml

@@ -1,3 +1,19 @@
+# Custom Resource Definition (CRD) for SMI's traffic split specification.
+#
+# Copyright SMI SDK for Go authors
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:

charts/osm/templates/_helpers.tpl

@@ -2,3 +2,9 @@
 {{- define "osm.namespace" -}} 
 {{ default .Release.Namespace .Values.OpenServiceMesh.osmNamespace}} 
 {{- end -}}
+
+{{/* Default tracing address */}}
+{{- define "osm.tracingAddress" -}}
+{{- $address := printf "jaeger.%s.svc.cluster.local" (include "osm.namespace" .) -}}
+{{ default $address .Values.OpenServiceMesh.tracing.address}} 
+{{- end -}}

charts/osm/templates/fluentbit-configmap.yaml

@@ -17,28 +17,10 @@ data:
       Path    /var/log/containers/osm-controller-*_{{ include "osm.namespace" . }}_osm-controller-*.log
       Parser  cri
       Read_from_Head  on
-    # Helps grep filter identify logs of specified level generated by clusters running on cri-o
+    # Adds controller pod name value to help users query logs in output
     [FILTER]
       Name           modify
       Match          kube.*
-      Condition      Key_value_matches message /"level":"{{ .Values.OpenServiceMesh.fluentBit.logLevel }}"/
-      Set            keep true
-    # Helps grep filter identify logs of specified level generated by clusters running on moby, containerd
-    [FILTER]
-      Name           modify
-      Match          kube.*
-      Condition      Key_value_matches log \\"level\\":\\"{{ .Values.OpenServiceMesh.fluentBit.logLevel }}\\"
-      Set            keep true
-    # Matches logs that have met conditions in any of the above filters
-    [FILTER]
-      Name           grep
-      Match          kube.*
-      Regex          keep true
-    # Removes extra "keep: true" key/value pair once matching is complete; adds controller pod name value to help users query logs in output
-    [FILTER]
-      Name           modify
-      Match          kube.*
-      Remove         keep
       Add            controller_pod_name ${CONTROLLER_POD_NAME}
     [OUTPUT]
       Name    {{ .Values.OpenServiceMesh.fluentBit.outputPlugin }}

charts/osm/templates/osm-configmap.yaml

@@ -13,7 +13,7 @@ data:
 
   tracing_enable: {{ .Values.OpenServiceMesh.tracing.enable | quote }}
 {{- if .Values.OpenServiceMesh.tracing.enable }}
-  tracing_address: {{ .Values.OpenServiceMesh.tracing.address | quote }}
+  tracing_address: {{ include "osm.tracingAddress" . | quote }}
   tracing_port: {{ .Values.OpenServiceMesh.tracing.port | quote }}
   tracing_endpoint: {{ .Values.OpenServiceMesh.tracing.endpoint | quote }}
 {{- end }}

charts/osm/values.schema.json

@@ -173,7 +173,7 @@
                     "title": "The sidecarImage schema",
                     "description": "The proxy side car image to run.",
                     "examples": [
-                        "envoyproxy/envoy-alpine:v1.17.0"
+                        "envoyproxy/envoy-alpine:v1.17.1"
                     ]
                 },
                 "certificateManager": {
@@ -278,7 +278,6 @@
                             "registry": "fluent",
                             "tag": "1.6.4",
                             "pullPolicy": "IfNotPresent",
-                            "logLevel": "error",
                             "outputPlugin": "stdout",
                             "enableProxySupport": "false",
                             "httpProxy": "",
@@ -290,7 +289,6 @@
                         "registry",
                         "tag",
                         "pullPolicy",
-                        "logLevel",
                         "outputPlugin",
                         "enableProxySupport",
                         "httpProxy",
@@ -334,16 +332,6 @@
                                 "IfNotPresent"
                             ]
                         },
-                        "logLevel": {
-                            "$id": "#/properties/OpenServiceMesh/properties/fluentBit/properties/logLevel",
-                            "type": "string",
-                            "title": "The logLevel schema",
-                            "description": "The Fluent Bit log level.",
-                            "pattern": "^(debug|info|warn|error|fatal|panic|disabled|trace)$",
-                            "examples": [
-                                "error"
-                            ]
-                        },
                         "outputPlugin": {
                             "$id": "#/properties/OpenServiceMesh/properties/fluentBit/properties/outputPlugin",
                             "type": "string",
@@ -496,4 +484,4 @@
         }
     },
     "additionalProperties": true
-}
+}

charts/osm/values.yaml

@@ -11,11 +11,11 @@ OpenServiceMesh:
     # -- `osm-controller` pod PullPolicy
     pullPolicy: IfNotPresent
     # -- `osm-controller` image tag
-    tag: v0.8.0-rc.1
+    tag: v0.8.0-rc.2
   # -- `osm-controller` image pull secret
   imagePullSecrets: []
   # -- Envoy sidecar image
-  sidecarImage: envoyproxy/envoy-alpine:v1.17.0
+  sidecarImage: envoyproxy/envoy-alpine:v1.17.1
   osmcontroller:
     resource:
       limits:
@@ -80,8 +80,6 @@ OpenServiceMesh:
     tag: 1.6.4
     # -- PullPolicy for Fluent Bit sidecar container
     pullPolicy: IfNotPresent
-    # -- Log level for Fluent Bit
-    logLevel: error
     # -- Fluent Bit output plugin
     outputPlugin: stdout
     # -- WorkspaceId for Fluent Bit output plugin to Log Analytics
@@ -123,8 +121,8 @@ OpenServiceMesh:
     # -- Toggles Envoy's tracing functionality on/off for all sidecar proxies in the cluster
     enable: false
 
-    # -- Tracing destination cluster (must contain the namespace)
-    address: "jaeger.osm-system.svc.cluster.local"
+    # -- Tracing destination cluster (must contain the namespace). When left empty, this is computed in helper template to "jaeger.<osm-namespace>.svc.cluster.local". Please override for BYO-tracing as documented in tracing.md
+    address: ""
 
     # -- Destination port for the listener
     port: 9411
@@ -146,6 +144,6 @@ OpenServiceMesh:
       requests:
         cpu: "0.3"
         memory: "64M"
-  
+
   # -- Run init container in privileged mode
   enablePrivilegedInitContainer: false

cmd/cli/dashboard.go

@@ -105,12 +105,16 @@ func (d *dashboardCmd) run() error {
 		return errors.Errorf("No running Grafana pod available")
 	}
 
-	portForwarder, err := k8s.NewPortForwarder(conf, clientSet, grafanaPod.Name, grafanaPod.Namespace, d.localPort, d.remotePort)
+	dialer, err := k8s.DialerToPod(conf, clientSet, grafanaPod.Name, grafanaPod.Namespace)
+	if err != nil {
+		return err
+	}
+	portForwarder, err := k8s.NewPortForwarder(dialer, fmt.Sprintf("%d:%d", d.localPort, d.remotePort))
 	if err != nil {
 		return errors.Errorf("Error setting up port forwarding: %s", err)
 	}
 
-	err = portForwarder.Start(func(pf *k8s.PortForwarder) error {
+	err = portForwarder.Start(func(*k8s.PortForwarder) error {
 		if d.openBrowser {
 			url := fmt.Sprintf("http://localhost:%d", d.localPort)
 			fmt.Fprintf(d.out, "[+] Issuing open browser %s\n", url)
@@ -129,5 +133,9 @@ func (d *dashboardCmd) run() error {
 	signal.Notify(sigChan, os.Interrupt)
 	<-sigChan
 
+	// portforwarder.Stop() triggered implicitly by SIGINT. Ensure it completes
+	// before exiting.
+	<-portForwarder.Done()
+
 	return nil
 }

cmd/cli/install.go

@@ -63,7 +63,7 @@ const (
 	defaultContainerRegistrySecret       = ""
 	defaultMeshName                      = "osm"
 	defaultOsmImagePullPolicy            = "IfNotPresent"
-	defaultOsmImageTag                   = "v0.8.0-rc.1"
+	defaultOsmImageTag                   = "v0.8.0-rc.2"
 	defaultPrometheusRetentionTime       = constants.PrometheusDefaultRetentionTime
 	defaultVaultHost                     = ""
 	defaultVaultProtocol                 = "http"
@@ -112,6 +112,7 @@ type installCmd struct {
 	clientSet                     kubernetes.Interface
 	chartRequested                *chart.Chart
 	setOptions                    []string
+	atomic                        bool
 
 	// Toggle to enable/disable Prometheus installation
 	deployPrometheus bool
@@ -185,6 +186,7 @@ func newInstallCmd(config *helm.Configuration, out io.Writer) *cobra.Command {
 	f.BoolVar(&inst.enforceSingleMesh, "enforce-single-mesh", defaultEnforceSingleMesh, "Enforce only deploying one mesh in the cluster")
 	f.DurationVar(&inst.timeout, "timeout", 5*time.Minute, "Time to wait for installation and resources in a ready state, zero means no timeout")
 	f.StringArrayVar(&inst.setOptions, "set", nil, "Set arbitrary chart values not settable by another flag (can specify multiple or separate values with commas: key1=val1,key2=val2)")
+	f.BoolVar(&inst.atomic, "atomic", false, "Automatically clean up resources if installation fails")
 
 	return cmd
 }
@@ -204,7 +206,8 @@ func (i *installCmd) run(config *helm.Configuration) error {
 	installClient.ReleaseName = i.meshName
 	installClient.Namespace = settings.Namespace()
 	installClient.CreateNamespace = true
-	installClient.Atomic = true
+	installClient.Wait = true
+	installClient.Atomic = i.atomic
 	installClient.Timeout = i.timeout
 	if _, err = installClient.Run(i.chartRequested, values); err != nil {
 		return err

cmd/cli/mesh_upgrade.go

@@ -15,8 +15,9 @@ import (
 )
 
 const (
-	defaultUseHTTPSIngress = false
-	defaultEnableTracing   = true
+	defaultUseHTTPSIngress         = false
+	defaultEnableTracing           = true
+	defaultPrivilegedInitContainer = false
 )
 
 const upgradeDesc = `
@@ -68,6 +69,8 @@ type meshUpgradeCmd struct {
 	tracingAddress                string
 	tracingPort                   uint16
 	tracingEndpoint               string
+	outboundIPRangeExclusionList  []string
+	enablePrivilegedInitContainer *bool
 }
 
 func newMeshUpgradeCmd(config *helm.Configuration, out io.Writer) *cobra.Command {
@@ -82,6 +85,7 @@ func newMeshUpgradeCmd(config *helm.Configuration, out io.Writer) *cobra.Command
 		enablePrometheusScraping:      new(bool),
 		useHTTPSIngress:               new(bool),
 		enableTracing:                 new(bool),
+		enablePrivilegedInitContainer: new(bool),
 	}
 	var chartPath string
 
@@ -111,6 +115,9 @@ func newMeshUpgradeCmd(config *helm.Configuration, out io.Writer) *cobra.Command
 			if !f.Changed("enable-tracing") {
 				upg.enableTracing = nil
 			}
+			if !f.Changed("enable-privileged-init-container") {
+				upg.enablePrivilegedInitContainer = nil
+			}
 
 			if chartPath != "" {
 				var err error
@@ -142,6 +149,8 @@ func newMeshUpgradeCmd(config *helm.Configuration, out io.Writer) *cobra.Command
 	f.StringVar(&upg.tracingAddress, "tracing-address", "", "Tracing server hostname")
 	f.Uint16Var(&upg.tracingPort, "tracing-port", 0, "Tracing server port")
 	f.StringVar(&upg.tracingEndpoint, "tracing-endpoint", "", "Tracing server endpoint")
+	f.StringSliceVar(&upg.outboundIPRangeExclusionList, "outbound-ip-range-exclusion-list", nil, "A global list of IP ranges to exclude from outbound traffic interception by the sidecar proxy. Pass once per IP range or a single comma separated list of IP ranges of the form a.b.c.d/x")
+	f.BoolVar(upg.enablePrivilegedInitContainer, "enable-privileged-init-container", defaultPrivilegedInitContainer, "Run init container in privileged mode")
 
 	return cmd
 }
@@ -221,6 +230,12 @@ func (u *meshUpgradeCmd) resolveValues(config *helm.Configuration) (map[string]i
 	if len(u.tracingEndpoint) > 0 {
 		setTracing("endpoint", u.tracingEndpoint)
 	}
+	if len(u.outboundIPRangeExclusionList) > 0 {
+		vals["outboundIPRangeExclusionList"] = u.outboundIPRangeExclusionList
+	}
+	if u.enablePrivilegedInitContainer != nil {
+		vals["enablePrivilegedInitContainer"] = *u.enablePrivilegedInitContainer
+	}
 
 	vals = map[string]interface{}{
 		"OpenServiceMesh": vals,