traefik / mesh Goto Github PK

There seems to be a bunch of duplicated code in the meshcontroller handler.

Look into using interfaces to allow for dedupe.

SMI is implemented via CRD, we need to get a controller for that

This needs to run in a docker container.

We need a dockerfile to make this work.

Based on https://github.com/golang-standards/project-layout,

we have a non-standard layout.

We should improve by moving code into the standardized directories now

Did we want a dashboard for this project? Or did we want to do something like have a deployable prometheus + grafana container sort of thing (like we do with our advocacy demos?)

We should route by not only service name (DNS) but also service IP.

This is for both TCP and HTTP

We need to have load balancing in Traefik v2 before we can leverage it in i3o

We need:

1. A job
2. A new service account
3. New permissions via RBAC for this job

Since services are TCP by default, we should also use TCP routing by default

Currently we use separate controllers for watching each type.

Once we get further along, we may not need separate controllers for each type, or we may be able to consolidate these controllers in a more efficient manner.

How did we want to implement tracing?

Not sure how tracing is implemented in Traefik v2

The following features and integration tests are needed:

• TCP Routing
  • Feature
  • Integration test
• HTTP Routing
  • Feature
  • Integration test
• Metrics - #65
  • Feature
  • Integration test
• Tracing - #63
  • Feature
  • Integration test
• Service load balancing - #64
  • Feature
  • Integration test
• Routing Rules - This one could be combined with TCP and HTTP, since they will both use rules, however this is also possibly done part of the traffic routing part of SMI
  • Feature
  • Integration test
• Retries - #166
  • Feature
  • Integration test
• Failover
  • Feature
  • Integration test
• Access control
  • Feature
  • Integration test
• Rate limit - #168
  • Feature
  • Integration test
• circuit breakers - #167
  • Feature
  • Integration test

We should have an integration test that can handle an end-to-end request

Match and Kind are not optional. They need to be defined.

We want to use helm to deploy i3o

We need a base helm chart to configure the install

Many of the operations in the controller RBAC are due to updates in the mesh namespace

It might be nice to separate out the mesh namespace RBAC into a roleBinding,

and keep a much more minimal ClusterRoleBinding, since we don't need global permissions for everything in the cluster

We should define service labels to assist with defining routing.

This would allow us to start work on implementing features

This means that IP filtering and whitelisting are not options that we have available to us.

I am going to speak with @juliens and @ldez about extending this with our provider in our i3o traefik implementation.

We could look into using reverse IP lookups on the source IP to get the pod reference.

this may allow us to not have to deal with IP whitelisting for source filtering

Instead of using a templated config file, we should move to CRD, which don't require templating files

We need to be able to CRUD the Traefik CE KubernetesCRDs

Do we need to have demo data in the app anymore?

Once metrics are enabled in traefik v2, we need to have them implemented in i3o. This will also be required for SMI

We don't want to use http for these pods.

We need to use TCP

Traffic-split should be fairly easy to accomplish, once we have some weighting etc from Traefik v2.

Until then, we could do a janky workaround where we add the same route x/y times to mathematically make it work, but that is terrible

We should use:

i3o-mesh:internal as the label

We need to have the helm chart install:

• Prometheus
• Grafana
• Jaeger

And allow them to be configured from a default configuration to external sources if desired

Some of the traefik features (such as metrics) are static.

Did we want to manage these by a configmap (toml file)? or did we want to use CLI for everything?

CLI is so much cleaner than having to hunt down configmaps. We also don't have to worry about changes not propagating if we use CLI.

Although verifiyExists is nice,

create is clearer. With a comment that if exists, returns the object.

Related to #57

Eventually we are going to need documentation,

Because people.

We need to have a Readme so that it is obvious how to install and configure i3o in a fresh cluster

Currently each controller has its own queue for processing events. We may want to have a global controller queue to be able to process so that we can move processing to a higher level controller (mesh controller)

We use a high-perms RBAC SA for patching DNS.

We should confirm that it is deleted as part of the controller verification on startup

Since we have been using sources from different codebases, we need to standardize our imports so that we don't duplicate names.

	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	appsv1 "k8s.io/api/apps/v1"

We need to be able to create ingressRoutes(tcp) with different ports for each service port

A regression was introduced in #34 that deletes all the core pods in the cluster.

This leads to total DNS outage for the entire cluster (including API).

I think it would be better to add a meta label to force a restart natively instead of deleting the pods.

We have create + delete, but we should handle updating.

Should also be able to have an integration test for this.

There are a few things that this controller needs:

• Dockerization - #4
• CI integration - #11
• Tests - #29
• Helm chart - #16

Functionality requirements missing:

• Has to be able to CRUD Traefik CE KubernetesCRDs - #30
• Has to be able to interact with SMI CRDs - #66

Nice to haves:

• Be able to verify its own RBAC permissions to check if it has sufficient permissions - Not needed, since we do not want to grant access to rbac. Delegating to helm chart to ensure correct permissions
• Be able to run multiple replicas, and handle these CRUD operations atomically.

The kubernetes API service should not be managed by mesh.

We should add it to the list of namespaces to ignore.

We should define a set of features that we want for v1 launch, so that we can ensure we have the features ready, and tests written to ensure correct behavior for these features.

Using:

./i3o patch --kubeconfig ~/.kube/config --master 127.0.0.1:9000 --debug
INFO[0000] Building Kubernetes Client...                
INFO[0000] Building Kubernetes CRD Client...            
INFO[0000] Preparing Cluster...         

Works, but:

./i3o patch --kubeconfig=~/.kube/config --master=127.0.0.1:9000 --debug
FATA[0000] Error building clients: stat ~/.kube/config: no such file or directory 

Breaks

We need a service controller to manage Shadow services for access control.

This will allow SMI implementation of Access Control, and will may allow more features to be implemented in TrafficSplit etc.

Since we are going to use helm, remove this code from controller

Right now we do a string replacement to patch in our coreDNS config.

We should look at having our own server block that we can just append to the data.

This would allow us to be compatible on more systems without risk of breaking things.

And be less janky.

How do we want to do tests?

We need to move the Patch DNS code to a new command, so that we can use separate RBAC permissions + jobify it.

So it appears that traffic control via SMI is done by checking Service Accounts of running pods and tying them to destinations with running service accounts.

This is not difficult to do, but there are a bunch of ways we can accomplish it with traefik.

We can either do an IP whitelist, or we can do some other sort of filtering.

I have a few concerns:

1. If we are running in a large network, we may run into issues with large whitelists/blacklists
2. If we have a large dynamic network, there may be lots of changes that we have to watch for, and that may be a lot of load.

These concerns may not be big in reality, but just something to think about

We need to verify that the RBAC matches the client access requirements

Since we don't have UDP support at this time, we should be logging a warning, and skipping the port