Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow specifying an IP:port for istiod address. #35000

Merged
merged 5 commits into from
Sep 2, 2021
Merged

Allow specifying an IP:port for istiod address. #35000

merged 5 commits into from
Sep 2, 2021

Conversation

costinm
Copy link
Contributor

@costinm costinm commented Sep 2, 2021
edited
Loading

For VM and other non-k8s environments, allow specifying an IP:port address without changing /etc/hosts

The DiscoveryAddress was also used to set the ServerName, for cert validation - typically istiod-REV.istio-system.svc - and gets
resolved in k8s to the cluster IP, and on VMs was using /etc/hosts.

After this change, the DiscoveryAddress can be an IP:port - either the pilot endpoint if it is stable, or the east/west gateway IP -
without having to touch /etc/hosts. The Istiod cert will be validated with the custom SAN.

For VMs and similar environments it is the IP of the east-west gateway or a similar load balancer. Current instructions
modify /etc/hosts to map the name to IP, but sometimes it is not possible or convenient to change /etc/hosts.

This is for internal use, for tools that setup/launch Istiod.

Change-Id: Ibcc1f5a6bd4235d21f4e278d1197749ed6463922

Please provide a description of this PR:

@costinm
For VM and other non-k8s environments, allow specifying an IP:port ad…
18f22c4 
…dress without changing /etc/hosts

Change-Id: Ibcc1f5a6bd4235d21f4e278d1197749ed6463922
@costinm
Merge branch 'master' of github.com:istio/istio into addr_override
da534c8 
Change-Id: I5b237d207545a89da871da647b3322ab9fe9bd12
@costinm costinm requested review from a team as code owners September 2, 2021 00:03
@google-cla google-cla bot added the cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. label Sep 2, 2021
@istio-testing istio-testing added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Sep 2, 2021
yangminzhu
yangminzhu reviewed Sep 2, 2021
View reviewed changes
pkg/istio-agent/xds_proxy.go Outdated Show resolved Hide resolved
pkg/istio-agent/xds_proxy.go Outdated Show resolved Hide resolved
@stevenctl
Copy link
Contributor

Why can't we just use proxy config?

I suppose we should also document that this is an option if you can access pilot directly and don't need to go through a gateway.

Do we run into any TLS issue due to using the IP instead of a valid name?

@costinm
Copy link
Contributor Author

costinm commented Sep 2, 2021

Re ProxyConfig - it's not supposed to be user-configurable. Some launcher or installer will get the endpoint IP ( or the LB address ), and set it before launching the agent. We currently configure it in /etc/hosts.

I think there is a better way to achieve the same result, will rewrite the PR - we need both IP:port and the 'SAN' to validate, I started with keeping DiscoveryAddress be the URL and overriding the actual IP, but it seems better to go the other way, make the DiscoveryAddress be IP:port and overriding the SAN.

It seems I also need to update Citadel client ( I initially tested with MeshCA, but if citadel is used it needs similar override ).

Sorry for the false start, hold on for few days...

@costinm
Instead of overriding the IP, customize the SAN
31557f4 
Change-Id: Id522facec98fbaf8479f5d70c96b91bfa1ffa4df
@costinm costinm requested a review from a team as a code owner September 2, 2021 14:57
@costinm
Copy link
Contributor Author

costinm commented Sep 2, 2021

PTAL - switched to overriding the SAN, and added citadel client too. This is far more useful - and may allow more flexibility and consistency if we want to allow Istiod to also support workload identity (again). I don't remember how we lost it, but older releases did support using spiffee identity for pilot.

howardjohn
howardjohn reviewed Sep 2, 2021
View reviewed changes
Copy link
Member

@howardjohn howardjohn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good, will leave approval to others as they had comments

pilot/cmd/pilot-agent/options/options.go Outdated Show resolved Hide resolved
@costinm costinm added the release-notes-none Indicates a PR that does not require release notes. label Sep 2, 2021
@costinm
Lint
d8169d1 
Change-Id: I204c2d6d6457ad0951fa71b7df7a748dde867665
@costinm
make gen
ddaa414 
Change-Id: Ib5a3ae7153e65004ae134a3758d80b4e3131eae3
@istio-testing istio-testing merged commit 925e6e6 into istio:master Sep 2, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@howardjohn howardjohn howardjohn left review comments

@yangminzhu yangminzhu yangminzhu approved these changes

@stevenctl stevenctl stevenctl approved these changes

Assignees
No one assigned
Labels
cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. release-notes-none Indicates a PR that does not require release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@costinm @stevenctl @howardjohn @yangminzhu @istio-testing