-
Notifications
You must be signed in to change notification settings - Fork 671
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add appProtocol to agent service to allow agent to work with istio #5240
Add appProtocol to agent service to allow agent to work with istio #5240
Conversation
I think you just need to run the local tools to update the generated files and such:
|
@@ -40,6 +40,7 @@ spec: | |||
- name: agent-grpc | |||
port: 8000 | |||
protocol: TCP | |||
appProtocol: TCP |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🙌
14660e5
to
bbcefcd
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #5240 +/- ##
=======================================
Coverage 60.99% 60.99%
=======================================
Files 794 794
Lines 51475 51475
=======================================
Hits 31398 31398
Misses 17185 17185
Partials 2892 2892
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
@noahjax could you run |
I'll take this one over too and try to update tomorrow. Thanks! |
@ddl-ebrown could you run |
bbcefcd
to
70dc772
Compare
* flyteadmin http port * flyteadmin grpc port * flyteconsole grpc port This is necessary because the ingress may be configured in a way that it sends TLS traffic to internal Flyte services. Istio will use port names to determine traffic - and may therefore assume the appProtocol of http, even though traffic from ingress -> flyteadmin is actually https. This misconfiguration prevents any traffic from flowing through the ingress to the service. Flyteadmin http and grcp ports *are* accessible using `http` and `grpc` values for appProtocol respectively within the cluster, but as soon as traffic travels between the ingress and the service those settings will not work. The most "compatible" setting is `tcp` which works for any network stream. - Adds the nginx.ingress.kubernetes.io/service-upstream: "true" Nginx Controller using endpoints instead of Services kubernetes/ingress-nginx#257 kubernetes/ingress-nginx@main/docs/user-guide/nginx-configuration/annotations.md#service-upstream Signed-off-by: noahjax <[email protected]> Signed-off-by: ddl-ebrown <[email protected]>
70dc772
to
8590993
Compare
Thank you @noahjax @ddl-ebrown |
Signed-off-by: noahjax <[email protected]> Signed-off-by: ddl-ebrown <[email protected]>
Signed-off-by: noahjax <[email protected]> Signed-off-by: ddl-ebrown <[email protected]> Signed-off-by: Vladyslav Libov <[email protected]>
@noahjax I have a question about this change in
Could you please explain why the When upgrading flyte-core from Could you please share which istio version you use and how your virtual service for flyteadmin looks like? Thank you 🙏 |
@fg91 Apologies in advance for the unsatisfying answer. I submitted these changes as part of my work to get Flyte + Istio running at my previous employer, but I have since left the company and as a result I no longer have access to any of the specific configuration details. Maybe @ddl-ebrown would be able to share some additional information here |
Thank you @noahjax 🙏 @ddl-ebrown could you please take a look at my questions here? 🙇 |
Hi @fg91 - sorry for the late reply. These are my notes regarding why
We're currently running on Istio 1.23.0, but this configuration also worked for us with Istio 1.21.2. I did try to get
|
Why are the changes needed?
If you try to use an agent on a cluster with istio, flytepropeller is unable to connect to the agent. You will either need to remove the agent from flytepropeller's configmap or flytepropeller will fail on startup.
Connecting to flyteconsole is also broken in istio because missing appProtocol prevents some http ports from working correctly.
What changes were proposed in this pull request?
Specify an
appProtocol
that istio can use to determine how to proxy requests (see here for more details on how this works).Update: I also modified the flyteadmin and flyteconsole services so that they will work with istio as well. More extensive changes are necessary to get everything working, but I will split those into a separate PR as they are likely more controversial
How was this patch tested?
Tested on my flyte deployment with istio enabled for the whole cluster.
Setup process
Screenshots
Check all the applicable boxes
Related PRs
Docs link