Migrate to Istio v1alpha3 Gateway / VirtualService

cmd/controller/main.go

@@ -145,7 +145,6 @@ func main() {
 	deploymentInformer := kubeInformerFactory.Apps().V1().Deployments()
 	endpointsInformer := kubeInformerFactory.Core().V1().Endpoints()
 	coreServiceInformer := kubeInformerFactory.Core().V1().Services()
-	ingressInformer := kubeInformerFactory.Extensions().V1beta1().Ingresses()
 	vpaInformer := vpaInformerFactory.Poc().V1alpha1().VerticalPodAutoscalers()
 
 	// Build all of our controllers, with the clients constructed above.
@@ -171,7 +170,6 @@ func main() {
 			opt,
 			routeInformer,
 			configurationInformer,
-			ingressInformer,
 			autoscaleEnableScaleToZero,
 		),
 		service.NewController(
@@ -203,7 +201,6 @@ func main() {
 		deploymentInformer.Informer().HasSynced,
 		coreServiceInformer.Informer().HasSynced,
 		endpointsInformer.Informer().HasSynced,
-		ingressInformer.Informer().HasSynced,
 	} {
 		if ok := cache.WaitForCacheSync(stopCh, synced); !ok {
 			logger.Fatalf("failed to wait for cache at index %v to sync", i)

config/200-clusterrole.yaml

@@ -23,11 +23,11 @@ rules:
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
   - apiGroups: ["build.dev"]
     resources: ["builds"]
-    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]    
-  - apiGroups: ["config.istio.io"]
-    resources: ["routerules"]
-    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]    
----    
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  - apiGroups: ["networking.istio.io"]
+    resources: ["virtualservices"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -53,7 +53,7 @@ rules:
     verbs: ["get", "list", "update", "patch", "watch"]
   - apiGroups: ["build.dev"]
     resources: ["builds"]
-    verbs: ["get", "list", "update", "patch", "watch"]    
-  - apiGroups: ["config.istio.io"]
-    resources: ["routerules"]
-    verbs: ["get", "list", "update", "patch", "watch"]    
+    verbs: ["get", "list", "update", "patch", "watch"]
+  - apiGroups: ["networking.istio.io"]
+    resources: ["virtualservices"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]

config/202-gateway.yaml

@@ -0,0 +1,221 @@
+# We stand up a new Gateway service to receive all external traffic
+# for Knative pods.  These pods are basically standalone Envoy proxy
+# pods to convert all external traffic into cluster traffic.
+#
+#
+# The reason for standing up these pods are because Istio Gateway
+# cannot not share these ingress pods.  Istio provide a default, but
+# we don't want to use it and causing unwanted sharing with users'
+# Gateways if they have some.
+#
+# The YAML is cloned from Istio's.  However, in the future we may want
+# to incorporate more of our logic to tailor to our users' specific
+# needs.
+
+# This is the shared Gateway for all Knative routes to use.
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: knative-shared-gateway
+  namespace: knative-serving
+spec:
+  selector:
+    knative: ingressgateway
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP
+    hosts:
+    - "*"
+  - port:
+      number: 443
+      name: https
+      protocol: HTTPS
+    hosts:
+    - "*"
+---
+# This is the Service definition for the ingress pods serving
+# Knative's shared Gateway.
+#
+# Source: istio/charts/ingressgateway/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: knative-ingressgateway
+  namespace: istio-system
+  labels:
+    chart: ingressgateway-0.8.0
+    release: RELEASE-NAME
+    heritage: Tiller
+    knative: ingressgateway
+spec:
+  type: LoadBalancer
+  selector:
+    knative: ingressgateway
+  ports:
+    -
+      name: http
+      nodePort: 32380
+      port: 80
+    -
+      name: https
+      nodePort: 32390
+      port: 443
+    -
+      name: tcp
+      nodePort: 32400
+      port: 32400
+---
+# This is the corresponding Deployment to backed the aforementioned Service.
+#
+# Source: istio/charts/ingressgateway/templates/deployment.yaml
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: knative-ingressgateway
+  namespace: istio-system
+  labels:
+    app: knative-ingressgateway
+    chart: ingressgateway-0.8.0
+    release: RELEASE-NAME
+    heritage: Tiller
+    knative: ingressgateway
+spec:
+  replicas:
+  template:
+    metadata:
+      labels:
+        knative: ingressgateway
+      annotations:
+        sidecar.istio.io/inject: "false"
+    spec:
+      serviceAccountName: istio-ingressgateway-service-account
+      containers:
+        - name: ingressgateway
+          image: "docker.io/istio/proxyv2:0.8.0"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 80
+            - containerPort: 443
+            - containerPort: 32400
+          args:
+          - proxy
+          - router
+          - -v
+          - "2"
+          - --discoveryRefreshDelay
+          - '1s' #discoveryRefreshDelay
+          - --drainDuration
+          - '45s' #drainDuration
+          - --parentShutdownDuration
+          - '1m0s' #parentShutdownDuration
+          - --connectTimeout
+          - '10s' #connectTimeout
+          - --serviceCluster
+          - knative-ingressgateway
+          - --zipkinAddress
+          - zipkin:9411
+          - --statsdUdpAddress
+          - istio-statsd-prom-bridge:9125
+          - --proxyAdminPort
+          - "15000"
+          - --controlPlaneAuthPolicy
+          - NONE
+          - --discoveryAddress
+          - istio-pilot:8080
+          resources:
+            {}
+
+          env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          - name: INSTANCE_IP
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: status.podIP
+          - name: ISTIO_META_POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          volumeMounts:
+          - name: istio-certs
+            mountPath: /etc/certs
+            readOnly: true
+          - name: ingressgateway-certs
+            mountPath: "/etc/istio/ingressgateway-certs"
+            readOnly: true
+      volumes:
+      - name: istio-certs
+        secret:
+          secretName: "istio.default"
+          optional: true
+      - name: ingressgateway-certs
+        secret:
+          secretName: "istio-ingressgateway-certs"
+          optional: true
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: beta.kubernetes.io/arch
+                operator: In
+                values:
+                - amd64
+                - ppc64le
+                - s390x
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 2
+            preference:
+              matchExpressions:
+              - key: beta.kubernetes.io/arch
+                operator: In
+                values:
+                - amd64
+          - weight: 2
+            preference:
+              matchExpressions:
+              - key: beta.kubernetes.io/arch
+                operator: In
+                values:
+                - ppc64le
+          - weight: 2
+            preference:
+              matchExpressions:
+              - key: beta.kubernetes.io/arch
+                operator: In
+                values:
+                - s390x
+---
+# This is the horizontal pod autoscaler to make sure the ingress Pods
+# scale up to meet traffic demand.
+#
+# Source: istio/charts/ingressgateway/templates/autoscale.yaml
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+    name: knative-ingressgateway
+    namespace: istio-system
+spec:
+    minReplicas: 1
+    # TODO(1411): Document/fix this.  We are choosing an arbitrary 10 here.
+    maxReplicas: 10
+    scaleTargetRef:
+      apiVersion: apps/v1beta1
+      kind: Deployment
+      name: knative-ingressgateway
+    metrics:
+      - type: Resource
+        resource:
+          name: cpu
+          targetAverageUtilization: 60

docs/spec/errors.md

@@ -424,31 +424,6 @@ status:
     message: "Configuration 'abc' referenced in traffic not found"
 ```
 
-### Unable to create Ingress
-
-If the Route is unable to create an Ingress resource to route its
-traffic to Revisions, the `IngressReady` condition will be marked
-as `False` with a reason of `NoIngress`.
-
-```http
-GET /apis/serving.knative.dev/v1alpha1/namespaces/default/routes/my-service
-```
-
-```yaml
-...
-status:
-  traffic: []
-  conditions:
-  - type: Ready
-    status: False
-    reason: NoIngress
-    message: "Unable to create Ingress 'my-service-ingress'"
-  - type: IngressReady
-    status: False
-    reason: NoIngress
-    message: "Unable to create Ingress 'my-service-ingress'"
-```
-
 ### Latest Revision of a Configuration deleted
 
 If the most recent Revision is deleted, the Configuration will set

docs/spec/motivation.md

@@ -10,13 +10,12 @@ We define serverless workloads as computing workloads that are:
 * Primarily driven by application level (L7 -- HTTP, for example)
   request traffic
 
-While Kubernetes provides basic primitives like Deployment, Service,
-and Ingress in support of this model, our experience suggests that a
-more compact and richer opinionated model has substantial benefit for
-developers. In particular, by standardizing on higher-level primitives
-which perform substantial amounts of automation of common
-infrastructure, it should be possible to build consistent toolkits
-that provide a richer experience than updating yaml files with
+While Kubernetes provides basic primitives like Deployment, and Service in
+support of this model, our experience suggests that a more compact and richer
+opinionated model has substantial benefit for developers. In particular, by
+standardizing on higher-level primitives which perform substantial amounts of
+automation of common infrastructure, it should be possible to build consistent
+toolkits that provide a richer experience than updating yaml files with
 `kubectl`.
 
 The Knative Serving APIs consist of Compute API (these documents),

hack/update-codegen.sh

@@ -27,8 +27,11 @@ CODEGEN_PKG=${CODEGEN_PKG:-$(cd ${SERVING_ROOT}; ls -d -1 ./vendor/k8s.io/code-g
 #                  instead of the $GOPATH directly. For normal projects this can be dropped.
 ${CODEGEN_PKG}/generate-groups.sh "deepcopy,client,informer,lister" \
   github.com/knative/serving/pkg/client github.com/knative/serving/pkg/apis \
-  "serving:v1alpha1 istio:v1alpha2" \
+  "serving:v1alpha1 istio:v1alpha3" \
   --go-header-file ${SERVING_ROOT}/hack/boilerplate/boilerplate.go.txt
 
+# Update code to change Gatewaies -> Gateways to workaround cleverness of codegen pluralizer.
+find -name '*.go' -exec grep -l atewaies {} \; | xargs sed 's/atewaies/ateways/g' -i
+
 # Make sure our dependencies are up-to-date
 ${SERVING_ROOT}/hack/update-deps.sh

pkg/apis/istio/register.go

@@ -17,5 +17,5 @@ limitations under the License.
 package istio
 
 const (
-	GroupName = "config.istio.io"
+	GroupName = "networking.istio.io"
 )