-
Notifications
You must be signed in to change notification settings - Fork 7.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
More validation for "istioctl install" before beginning #20730
Comments
I suggest against that, its going to be super slow. We can do static validation inside the operator codebase if feasible, but doubling the calls to api server isn't great. Install is already pretty slow |
@esnible I have started looking into static validation for |
Yesterday I found |
Here are my thoughts on how static validation will work. I want to keep this as simple as possible to identify if the provided values in "imagePullPolicy": []string{"Always", "IfNotPresent", "Never"} Here I think we should perform validation as early as possible, probably just before Keeping all the possible combinations in a simple string map. setValues := map[string]interface{}{
"sds": map[string][]bool{
"enabled": []bool{true, false},
},
"imagePullPolicy": []string{"Always", "IfNotPresent", "Never"},
"k8sIngress": map[string]interface{}{
"enabled": []bool{true, false},
"enableHttps": []bool{true, false},
"gatewayName": []string{"ingressgateway"},
},
"mtls": map[string]interface{}{
"auto": []bool{true, false},
"enabled": []bool{true, false},
},
"controlPlaneSecurityEnabled": []bool{true, false},
"telemetry": map[string]interface{}{
"enabled": []bool{true, false},
},
"security": map[string]interface{}{
"components": map[string]interface{}{
"nodeAgent": map[string]interface{}{
"enabled": []bool{true, false},
},
},
},
}
fmt.Printf("%+v", setValues["k8sIngress"].(map[string]interface{})["enableHttps"]) By using map lookup to identify if the values are present in the map, thorws error if it is not present and stop execution to avoid K8 REST client calls. @howardjohn @esnible Let me know what do you think. |
I think the bool ones we already have validation for? but other ones it makes sense to me |
I did some quick-and-dirty performance measurements, passing the output of Checking for valid values in fields such as imagePullPolicy isn't particularly helpful because these errors will be caught and helpful messages will expose them. I am more concerned about the example in #21048 about conflicting telemetry settings.
Checking should possibly receive as an additional parameter the overlay yaml, because if a user has explicitly specified an override it may need additional checking. (For example, if the user overrides the logging format, but logging isn't turned on, might deserve a warning). |
Interesting, I did try running static validation with initial draft version and it throws error almost instantly within
I'm a big fan of catching bug as early as possible, That is when static validation will come into rescue.
I agree we can only provide simple messages for invalid values. More validation with conflicting settings need to be handled separately with existing validations. |
Related: #21635 |
Adding my 2c to all this...
|
Question. https://preliminary.istio.io/docs/tasks/observability/distributed-tracing/overview/ says Does Pilot have an internal code API for the operator to ask about |
Make sense. We should verify that the user is not trying to set beyond 100. |
Hey @esnible , Following is incorrect,
Also as per the doc, I assume, following are the possible values for both. []string{"SERVICE", "SERVICE_FQDN", "SERVICE_PORT", "SERVICE_PORT_NAME", "SUBSET_NAME"} Let me know if I'm missing something. |
@esnible @howardjohn Is there any example available for using Locality based load balancer settings using I tried but couldn't find any example in istio and istio.io repo. There is validation is written for |
@shamsher31 I see many values in MeshConfig that don't seem to be used during install. Checking. @ostromart MANY of the fields in https://preliminary.istio.io/docs/reference/config/istio.mesh.v1alpha1.html#MeshConfig don't seem to make it into Istio MeshConfig. I searched for ALL of the fields in manifests/istio-control/istio-discovery/templates/configmap.yaml and did spot checks elsewhere in the code. The following documented MeshConfig fields seem unknown to the operator: proxyListenPort, proxyHttpPort, defaultConfig.statsdUdpAddress, defaultConfig.customConfigFile, If these fields are deprecated, please get them marked as DEPRECATED in the docs, similar to how defaultConfig.zipkinAddress is marked. The following fields are present but hard-coded and thus are settable via IstioOperator: connectTimeout AKA defaultConfig.connectTimeout, defaultConfig.configPath, defaultConfig.binaryPath, If these should not be settable perhaps the doc should flag them read-only? |
@shamsher31 I also did not find any examples but I was able to get it working. Tested under prerelease 1.6; it might work in 1.5.1, probably won't in 1.5.0.
and
|
@esnible use You may need to do |
@shamsher31 I checked and @howardjohn is correct. Using pre-1.6.x, I was able to do As John points out, due to another bug not all of the fields work without |
Found the bug, its #22347, being
actively worked on right now
…On Fri, Apr 3, 2020 at 9:48 AM Ed Snible ***@***.***> wrote:
@shamsher31 <https://github.com/shamsher31> I checked and @howardjohn
<https://github.com/howardjohn> is correct.
Using pre-1.6.x, I was able to do istioctl manifest generate --set
meshConfig.inboundClusterStatName=alice and also --set
values.meshConfig.inboundClusterStatName=alice worked the same.
As John points out, due to another bug not all of the fields work without
values..
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#20730 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYGXOAFEMJPWHFL3UQTC3RKYHOXANCNFSM4KOI3WTA>
.
|
@esnible @howardjohn I have opened PR to get initial feedback. It will be difficult to cover validation for each and every field at this moment. We can always iterate over and cover specific flags in more detail in subsequent PR's. Let me know what you think. |
Today I tried to install using Master with
It failed (and got stuck) with
|
Another validation needed: --imagePullSecrets can be initialised with an empty string |
I think largely we have validation. Its an ever-present issue to add more and better validation, but no need to track this at this point. |
If I do
~/go/src/istio.io/istio/out/darwin_amd64/istioctl manifest apply --set values.global.sds.enabled=false --set values.global.imagePullPolicy=Occassionally
the install proceeds but eventually fails with(etc)
Perhaps the operator should validate Kubernetes settings. Perhaps use
kubectl --dry-run
on everything it intents to install before starting the real install?The text was updated successfully, but these errors were encountered: