Skip to content

Latest commit

 

History

History
252 lines (202 loc) · 13.5 KB

ARCHITECTURE.md

File metadata and controls

252 lines (202 loc) · 13.5 KB

Istio operator code overview

Introduction

This document covers primarily the code, with some background on how the design maps to it. See the design doc for a more complete design description. The operator code is divided roughly into five areas:

  1. IstioOperatorSpec API and related infrastructure, which is expressed as a proto and compiled to Go structs. IstioOperatorSpec has pass-through fields to the Helm values.yaml API, but these are additionally validated through a schema.
  2. Controller code. The code comprises the K8s listener, webhook and logic for reconciling the cluster to an IstioOperatorSpec CR.
  3. Manifest creation code. User settings are overlaid on top of the selected profile values and passed to a renderer in the Helm library to create manifests. Further customization on the created manifests can be done through overlays.
  4. CLI code. CLI code shares the IstioOperatorSpec API with the controller, but allows manifests to be generated and optionally applied from the command line without the need to run a privileged controller in the cluster.
  5. Migration tools. The migration tools are intended to automate configuration migration from Helm to the operator.

The operator code uses the new Helm charts in the istio/manifests/charts. It is not compatible with the older charts in istio/istio. See istio/manifests/charts for details about the new charts and why they were created. Briefly, the new charts are intended to support production ready deployments of Istio that follow best practices like canarying for upgrade.

Terminology

Throughout the document, the following terms are used:

  • IstioOperatorSpec: The API directly defined in the IstioOperatorSpec proto, including feature and component groupings, namespaces and enablement, and per-component K8s settings.
  • Helm values.yaml API, implicitly defined through the various values.yaml files in the istio/manifests/charts and schematized in the operator through values_types.proto.

IstioOperatorSpec API

The IstioOperatorSpec API is intended to replace the installation and K8s parts of Helm values.yaml.

Features and components

The operator has a very similar structure to istio/installer: components are grouped into features. IstioOperatorSpec defines functional settings at the feature level. Functional settings are those that performs some function in the Istio control plane without necessarily being tied to any one component that runs in a Deployment. Component settings are those that necessarily refer to a particular Deployment or Service. For example, the number of Pilot replicas is a component setting, because it refers to a component which is a Deployment in the cluster. Most K8s platform settings are necessarily component settings. The available features and the components that comprise each feature are as follows:

Feature Components
Base CRDs
Traffic Management Pilot
Policy Policy
Telemetry Telemetry
Security Citadel
Security Node agent
Security Cert manager
Configuration management Galley
Gateways Ingress gateway
Gateways Egress gateway
AutoInjection Sidecar injector

Features and components are defined in the name package.

Note: Besides the features and the components listed in the table above, some addon features and components are as follows:

Feature Components
Telemetry Prometheus
Telemetry Prometheus Operator
Telemetry Grafana
Telemetry Kiali
Telemetry Tracing
ThirdParty CNI

Namespaces

The IstioOperatorSpec API and underlying new Helm charts offer a lot of flexibility in which namespaces features and components are installed into. Namespace definitions can be defined and specialized at the global, feature and component level, with each lower level overriding the setting of the higher parent level. For example, if the global default namespace is defined as:

defaultNamespace: istio-system

and namespaces are specialized for the security feature and one of the components:

security:
  components:
    namespace: istio-security
    citadel:
policy:
  components:
    policy:

the resulting namespaces will be:

Component Namespace
policy istio-system
citadel istio-security
These rules are expressed in code in the
name package.

Enablement

Features and components can be individually or collectively enabled or disabled. If a feature is disabled, all of its components are disabled, regardless of their component-level enablement. If a feature is enabled, all of its components are enabled, unless they are individually disabled. For example:

security:
  enabled: true
  components:
    citadel:
      enabled: false

will enable all components of the security feature except citadel.

These rules are expressed in code in the name package.

K8s settings

Rather than defining selective mappings from parameters to fields in K8s resources, the IstioOperatorSpec API contains a consistent K8s block for each Istio component. The available K8s settings are defined in KubernetesResourcesSpec:

Field name K8s API reference
resources resources
readinessProbe readiness probes
replicaCount replica count
hpaSpec HorizontalPodAutoscaler
podDisruptionBudget PodDisruptionBudget
podAnnotations pod annotations
env container environment variables
imagePullPolicy ImagePullPolicy
priorityClassName priority class name
nodeSelector node selector
affinity affinity and anti-affinity
serviceAnnotations service annotations

These K8s setting are available for each component under the k8s field, for example:

trafficManagement:
  components:
    pilot:
      k8s:
        hpaSpec:
          # HPA spec, as defined in K8s API

Translations

API translations are version specific and are expressed as a table of Translators indexed by minor version. This is because mapping rules are only allowed to change between minor (not patch) versions.

The IstioOperatorSpec API fields are translated to the output manifest in two ways:

  1. The IstioOperatorSpec API fields are mapped to the Helm values.yaml schema using the APIMapping field of the Translator struct.
  2. The K8s settings are applied to resources in the output manifest using the KubernetesMapping field in the Translator struct.

Other per-component mappings to Helm values.yaml are expressed in the ComponentMaps struct.

Validations

Both the IstioOperatorSpec and Helm APIs are validated. The IstioOperatorSpec API is validated through a table of validation rules in pkg/validate/validate.go. These rules refer to the Go struct path schema and hence have names with a capitalized first letter. The Helm values.yaml API is validated in validate_values.go and refer to the values.yaml data paths. Hence, these rules have names with a lower case first letter. Apart from validating the correctness of individual fields, the operator ensure that relationships between values in different parts of the configuration tree are correct. For example, it's an error to enable a component while its parent feature is disabled.

K8s controller

TODO(rcernich).

Manifest creation

Manifest rendering is a multi-step process, shown in the figure below. rendering process The example in the figure shows the rendering being triggered by a CLI mesh command with a IstioOperatorSpec CR passed to it from a file; however, the same rendering steps would occur when an in-cluster CR is updated and the controller acts upon it to generate a new manifest to apply to the cluster. Note that both the charts and configuration profiles can come from three different sources: compiled-in, local filesystem, or URL (TODO(mostrowski): describe the remote URL functionality). The source may be selected independently for the charts and profiles. The different steps in creating the manifest are as follows:

  1. The user CR (my_custom.yaml) selects a configuration profile. If no profile is selected, the default profile is used. Each profile is defined as a set of defaults for IstioOperatorSpec, for both the restructured fields (K8s settings, namespaces and enablement) and the Helm values (Istio behavior configuration).

  2. The fields defined in the user CR override any values defined in the configuration profile CR. The resulting CR is converted to Helm values.yaml format and passed to the next step.

  3. Part of the configuration profile contains settings in the Helm values.yaml schema format. User overrides of these fields are applied and merged with the output of this step. The result of this step is a merge of configuration profile defaults and user overlays, all expressed in Helm values.yaml format. This final values.yaml configuration is passed to the Helm rendering library and used to render the charts. The rendered manifests are passed to the next step.

  4. Overlays in the user CR are applied to the rendered manifests. No values are ever defined in configuration profile CRs at this layer, so no merge is performed in this step.

CLI

The CLI mesh command is implemented in the cmd/mesh subdirectory as a Cobra command with the following subcommands:

  • manifest: the manifest subcommand is used to generate, install, diff or migrate Istio manifests, it has the following subcommands:
    • install: the install subcommand is used to generate an Istio install manifest and apply it to a cluster.
    • diff: the diff subcommand is used to compare manifest from two files or directories.
    • generate: the generate subcommand is used to generate an Istio install manifest.
    • migrate: the migrate subcommand is used to migrate a configuration in Helm values format to IstioOperator format.
    • versions: the versions subcommand is used to list the version of Istio recommended for and supported by this version of the operator binary.
  • profile: dumps the default values for a selected profile, it has the following subcommands:
    • diff: the diff subcommand is used to display the difference between two Istio configuration profiles.
    • dump: the dump subcommand is used to dump the values in an Istio configuration profile.
    • list: the list subcommand is used to list available Istio configuration profiles.
  • upgrade: performs an in-place upgrade of the Istio control plane with eligibility checks.

Migration tools

TODO(richardwxn).