diff --git a/.github/workflows/istio-tests.yaml b/.github/workflows/istio-tests.yaml
index 0b47bf643..7e8e38183 100644
--- a/.github/workflows/istio-tests.yaml
+++ b/.github/workflows/istio-tests.yaml
@@ -1,4 +1,4 @@
-# Copyright 2019, 2024, Oracle Corporation and/or its affiliates. All rights reserved.
+# Copyright 2019, 2025, Oracle Corporation and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at
 # http://oss.oracle.com/licenses/upl.
@@ -38,8 +38,8 @@ jobs:
 matrix:
 istioVersion:
 - latest
- - 1.18.2
- - 1.17.5
+ - 1.23.4
+ - 1.22.8
 steps:
 - uses: actions/checkout@v4
diff --git a/Makefile b/Makefile
index 28ed21756..5fd0d1a00 100644
--- a/Makefile
+++ b/Makefile
@@ -40,7 +40,7 @@ KUBERNETES_DOC_VERSION=v1.30
 # ----------------------------------------------------------------------------------------------------------------------
 # The Coherence version to build against - must be a Java 8 compatible version
 COHERENCE_VERSION ?= 21.12.5
-COHERENCE_VERSION_LTS ?= 14.1.2-0-0
+COHERENCE_VERSION_LTS ?= 14.1.2-0-1
 # The default Coherence image the Operator will run if no image is specified
 COHERENCE_IMAGE_REGISTRY ?= ghcr.io/oracle
 COHERENCE_IMAGE_NAME ?= coherence-ce
@@ -358,7 +358,24 @@ METALLB_VERSION ?= v0.12.1
 # Istio settings
 # ----------------------------------------------------------------------------------------------------------------------
 # The version of Istio to install, leave empty for the latest
-ISTIO_VERSION ?=
+ISTIO_VERSION ?=
+ISTIO_PROFILE ?= demo
+ISTIO_USE_CONFIG ?= false
+ifeq (,$(ISTIO_VERSION))
+ ISTIO_VERSION_USE := $(shell $(SCRIPTS_DIR)/find-istio-version.sh "$(TOOLS_DIRECTORY)/istio-latest.txt")
+ ISTIO_REVISION := $(subst .,-,$(ISTIO_VERSION_USE))
+ ISTIO_HOME := $(TOOLS_DIRECTORY)/istio-$(ISTIO_VERSION_USE)
+else
+ifeq (latest,$(ISTIO_VERSION))
+ ISTIO_VERSION_USE := $(shell $(SCRIPTS_DIR)/find-istio-version.sh "$(TOOLS_DIRECTORY)/istio-latest.txt")
+ ISTIO_REVISION := $(subst .,-,$(ISTIO_VERSION_USE))
+ ISTIO_HOME := $(TOOLS_DIRECTORY)/istio-$(ISTIO_VERSION_USE)
+else
+ ISTIO_VERSION_USE := $(ISTIO_VERSION)
+ ISTIO_REVISION := $(subst .,-,$(ISTIO_VERSION))
+ ISTIO_HOME := $(TOOLS_DIRECTORY)/istio-$(ISTIO_VERSION)
+endif
+endif
 # ----------------------------------------------------------------------------------------------------------------------
 # Tanzu settings
@@ -415,6 +432,9 @@ $(BUILD_PROPS):
 OPERATOR_IMAGE_NAME=$(OPERATOR_IMAGE_NAME)\n\
 OPERATOR_IMAGE=$(OPERATOR_IMAGE)\n\
 VERSION=$(VERSION)\n\
+ ISTIO_VERSION_USE=$(ISTIO_VERSION_USE)\n\
+ ISTIO_REVISION=$(ISTIO_REVISION)\n\
+ ISTIO_PROFILE=$(ISTIO_PROFILE)\n\
 OPERATOR_PACKAGE_IMAGE=$(OPERATOR_PACKAGE_IMAGE)\n" > $(BUILD_PROPS)
 # ----------------------------------------------------------------------------------------------------------------------
@@ -1739,6 +1759,7 @@ k3d-create: $(TOOLS_BIN)/k3d ## Create the k3d cluster
 --registry-use $(K3D_INTERNAL_REGISTRY) --no-lb \
 --runtime-ulimit "nofile=64000:64000" --runtime-ulimit "nproc=64000:64000" \
 --api-port 127.0.0.1:6550
+ $(SCRIPTS_DIR)/k3d-label-node.sh
 .PHONY: k3d-stop
 k3d-stop: $(TOOLS_BIN)/k3d ## Stop a default k3d cluster
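Review bot: In the Istio settings block, `ISTIO_VERSION_USE := $(shell $(SCRIPTS_DIR)/find-istio-version.sh …)` runs while the Makefile is parsed, so with the default empty `ISTIO_VERSION` every `make` invocation, including unrelated targets, calls the script, and the first one needs network access to resolve an unpinned "latest". `$(shell)` does not stop the build when the script fails, so an empty result quietly yields `ISTIO_HOME := $(TOOLS_DIRECTORY)/istio-` and an empty `ISTIO_REVISION`; the Istio targets should check for that, for example with `$(if $(ISTIO_VERSION_USE),,$(error ISTIO_VERSION_USE is empty))` as their first recipe line. The empty and `latest` branches are identical and could be a single test, `ifeq (,$(filter-out latest,$(ISTIO_VERSION)))`. `ISTIO_USE_CONFIG` is assigned here but is not read in any hunk shown.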
@@ -2273,39 +2294,53 @@ uninstall-metallb: ## Uninstall MetalLB
 # Install the latest Istio version
 # ----------------------------------------------------------------------------------------------------------------------
 .PHONY: install-istio
-install-istio: get-istio ## Install the latest version of Istio into k8s (or override the version using the ISTIO_VERSION env var)
- $(eval ISTIO_HOME := $(shell find $(TOOLS_DIRECTORY) -maxdepth 1 -type d | grep istio))
- $(ISTIO_HOME)/bin/istioctl install --set profile=demo -y
- kubectl -n istio-system wait --for condition=available deployment.apps/istiod
+install-istio: delete-istio-config get-istio ## Install the latest version of Istio into k8s (or override the version using the ISTIO_VERSION env var)
+ $(ISTIO_HOME)/bin/istioctl install -f $(BUILD_OUTPUT)/istio-config.yaml -y
+ kubectl -n istio-system wait --for condition=available deployment.apps/istiod-$(ISTIO_REVISION)
 kubectl -n istio-system wait --for condition=available deployment.apps/istio-ingressgateway
 kubectl -n istio-system wait --for condition=available deployment.apps/istio-egressgateway
- kubectl apply -f ./hack/istio-strict.yaml
- kubectl -n $(OPERATOR_NAMESPACE) apply -f ./hack/istio-operator.yaml
+ kubectl apply -f $(SCRIPTS_DIR)/istio-strict.yaml
+ kubectl -n $(OPERATOR_NAMESPACE) apply -f $(SCRIPTS_DIR)/istio-operator.yaml
 kubectl label namespace $(OPERATOR_NAMESPACE) istio-injection=enabled --overwrite=true
 kubectl label namespace $(OPERATOR_NAMESPACE_CLIENT) istio-injection=enabled --overwrite=true
 kubectl label namespace $(CLUSTER_NAMESPACE) istio-injection=enabled --overwrite=true
 kubectl apply -f $(ISTIO_HOME)/samples/addons
+# ----------------------------------------------------------------------------------------------------------------------
+# Upgrade Istio
+# ----------------------------------------------------------------------------------------------------------------------
+.PHONY: upgrade-istio
+upgrade-istio: delete-istio-config
$(BUILD_OUTPUT)/istio-config.yaml ## Upgrade an already installed Istio to the Istio version specified by ISTIO_VERSION
+ $(ISTIO_HOME)/bin/istioctl upgrade -f $(SCRIPTS_DIR)/istio-config.yaml -y
+
 # ----------------------------------------------------------------------------------------------------------------------
 # Uninstall Istio
 # ----------------------------------------------------------------------------------------------------------------------
 .PHONY: uninstall-istio
-uninstall-istio: get-istio ## Uninstall Istio from k8s
- kubectl -n $(OPERATOR_NAMESPACE) delete -f ./hack/istio-operator.yaml || true
- kubectl delete -f ./hack/istio-strict.yaml
- $(eval ISTIO_HOME := $(shell find $(TOOLS_DIRECTORY) -maxdepth 1 -type d | grep istio))
+uninstall-istio: delete-istio-config get-istio ## Uninstall Istio from k8s
+ kubectl -n $(OPERATOR_NAMESPACE) delete -f $(SCRIPTS_DIR)/istio-operator.yaml || true
+ kubectl delete -f ./hack/istio-strict.yaml || true
 $(ISTIO_HOME)/bin/istioctl uninstall --purge -y
+$(BUILD_OUTPUT)/istio-config.yaml: $(BUILD_PROPS)
+ @echo "Creating Istio config: rev=$(ISTIO_REVISION)"
+ cp $(SCRIPTS_DIR)/istio-config.yaml $(BUILD_OUTPUT)/istio-config.yaml
+ $(SED) -e 's/ISTIO_PROFILE/$(ISTIO_PROFILE)/g' $(BUILD_OUTPUT)/istio-config.yaml
+ $(SED) -e 's/ISTIO_REVISION/$(ISTIO_REVISION)/g' $(BUILD_OUTPUT)/istio-config.yaml
+
+.PHONY: delete-istio-config
+delete-istio-config:
+ rm $(BUILD_OUTPUT)/istio-config.yaml || true
 # ----------------------------------------------------------------------------------------------------------------------
 # Get the latest Istio version
 # ----------------------------------------------------------------------------------------------------------------------
 .PHONY: get-istio
-get-istio: $(BUILD_PROPS)
- $(SCRIPTS_DIR)/get-istio-latest.sh "$(ISTIO_VERSION)" "$(TOOLS_DIRECTORY)"
- $(eval ISTIO_HOME := $(shell find $(TOOLS_DIRECTORY) -maxdepth 1 -type d | grep istio))
+get-istio: $(BUILD_PROPS)
$(BUILD_OUTPUT)/istio-config.yaml ## Download Istio to the build/tools/istio-* directory
+ $(SCRIPTS_DIR)/get-istio-latest.sh "$(ISTIO_VERSION_USE)" "$(TOOLS_DIRECTORY)"
 @echo "Istio installed at $(ISTIO_HOME)"
+
 # ----------------------------------------------------------------------------------------------------------------------
 # Obtain the golangci-lint binary
 # ----------------------------------------------------------------------------------------------------------------------
diff --git a/examples/400_Istio/README.adoc b/examples/400_Istio/README.adoc
index a4a14cc08..456c1c23e 100644
--- a/examples/400_Istio/README.adoc
+++ b/examples/400_Istio/README.adoc
@@ -1,6 +1,6 @@
 ///////////////////////////////////////////////////////////////////////////////
- Copyright (c) 2021, 2024, Oracle and/or its affiliates.
+ Copyright (c) 2021, 2025, Oracle and/or its affiliates.
 Licensed under the Universal Permissive License v 1.0 as shown at
 http://oss.oracle.com/licenses/upl.
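Review bot: In the Makefile's Istio targets, `upgrade-istio` passes the unrendered template to istioctl: its recipe uses `-f $(SCRIPTS_DIR)/istio-config.yaml`, where `profile` and `revision` are still the literal placeholders `ISTIO_PROFILE` and `ISTIO_REVISION`, although the target depends on the rendered `$(BUILD_OUTPUT)/istio-config.yaml`; the line should read `$(ISTIO_HOME)/bin/istioctl upgrade -f $(BUILD_OUTPUT)/istio-config.yaml -y`. The target also lacks the `get-istio` prerequisite, so the `istioctl` for a newly selected `ISTIO_VERSION` may not have been downloaded into `$(ISTIO_HOME)`. In the `$(BUILD_OUTPUT)/istio-config.yaml` rule, `$(SED) -e 's/…/g' <file>` only rewrites the copied file if `SED` is defined with an in-place flag outside this diff; that is worth confirming, since otherwise the placeholders also reach `istioctl install`. `delete-istio-config` would be quieter as `rm -f $(BUILD_OUTPUT)/istio-config.yaml`, and `uninstall-istio` still deletes `./hack/istio-strict.yaml` while the install side moved to `$(SCRIPTS_DIR)`.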
@@ -25,6 +25,23 @@ Coherence clusters can be manually configured to work with Istio, even if not us
 See the Istio example in the <>
 ====
+[IMPORTANT]
+====
+*Upgrading Istio*
+
+The Istio documentations states that the recommended way to upgrade Istio is to use
+https://istio.io/latest/docs/setup/upgrade/canary/[Istio revisions and canary upgrades].
+If Istio is upgraded using a simple in-place upgrade option this will cause Coherence Pods to have communication issues
+and ultimately make the Coherence cluster unusable. This is because an in-place Istio upgrade will cause the Istio Proxy
+in the side-car containers to receive config updates and then to drain all the TCP connections it is managing, hence
+causing Coherence containers to disconnect from each other.
+
+This issue is not just related to Coherence but can impact any long-lived TCP connections, for example connections to a database.
+
+If you are using Istio in a managed environment where you do not control its life-cycle, you must ensure that the people
+that are responsible for managing Istio use the recommended upgrade approach.
+====
+
 === How Does Coherence Work with Istio?
 Istio is a "Service Mesh" so the clue to how Istio works in Kubernetes is in the name, it relies on the configuration
diff --git a/hack/find-istio-version.sh b/hack/find-istio-version.sh
new file mode 100755
index 000000000..eb7e6e70b
--- /dev/null
+++ b/hack/find-istio-version.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Copyright (c) 2025, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at
+# http://oss.oracle.com/licenses/upl.
+#
+
+ISTIO_VERSION_FILE=$1
+ISTIO_VERSION=""
+
+if [ -e $1 ]
+then
+ ISTIO_VERSION=$(cat $1)
+else
+if [ "${ISTIO_VERSION}" = "" -o "${ISTIO_VERSION}" = "latest" ]
+then
+ ISTIO_VERSION="$(curl -sL https://github.com/istio/istio/releases | \
+ grep -o 'releases/[0-9]*.[0-9]*.[0-9]*/' | sort --version-sort | \
+ tail -1 | awk -F'/' '{ print $2}')"
+ ISTIO_VERSION="${ISTIO_VERSION##*/}"
+ echo ${ISTIO_VERSION} > $1
+fi
+fi
+
+echo ${ISTIO_VERSION}
diff --git a/hack/get-istio-latest.sh b/hack/get-istio-latest.sh
index 3855f5afa..f920fa12f 100755
--- a/hack/get-istio-latest.sh
+++ b/hack/get-istio-latest.sh
@@ -24,7 +24,6 @@ ISTIO_HOME=${TOOLS_DIRECTORY}/istio-${ISTIO_VERSION}
 if [ ! -d "${ISTIO_HOME}" ]; then
 echo "Istio will be installed into ${ISTIO_HOME}"
- rm -rf "${TOOLS_DIRECTORY}"/istio-*
 mkdir -p "${ISTIO_HOME}" || true
 curl -sL https://istio.io/downloadIstio | ISTIO_VERSION=${ISTIO_VERSION} sh -
 fi
diff --git a/hack/istio-config.yaml b/hack/istio-config.yaml
new file mode 100644
index 000000000..b9df15c50
--- /dev/null
+++ b/hack/istio-config.yaml
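Review bot: hack/find-istio-version.sh caches and prints whatever the scrape of the GitHub releases page returns without checking it, so an empty or malformed value (curl runs without `-f`, and the dots in the `grep -o` pattern match any character) is written to the cache file and reused on every later run. That value becomes `ISTIO_HOME`, `ISTIO_REVISION` and the `ISTIO_VERSION` handed to the piped-to-`sh` downloader in get-istio-latest.sh, so it should be validated as `x.y.z` before use. `$1` is unquoted in `[ -e $1 ]`, `cat $1` and `> $1`, `ISTIO_VERSION_FILE` is assigned but never used, and the inner `if` is always true because `ISTIO_VERSION` was set to `""` just above. The sketch below keeps the existing lookup pipeline and adds quoting, a non-empty cache test and the validation.

```shell
ISTIO_VERSION_FILE="$1"
ISTIO_VERSION=""

# -s: an empty cache file left by a failed lookup is ignored rather than reused
if [ -s "${ISTIO_VERSION_FILE}" ]
then
  ISTIO_VERSION=$(cat "${ISTIO_VERSION_FILE}")
else
  # … unchanged: curl | grep | sort | tail | awk pipeline assigning ISTIO_VERSION …
  FETCHED=true
fi

# Accept only a plain x.y.z version, whether cached or freshly looked up
if ! printf '%s\n' "${ISTIO_VERSION}" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
then
  echo "find-istio-version: could not determine an Istio version" >&2
  exit 1
fi

if [ "${FETCHED:-false}" = "true" ]
then
  printf '%s\n' "${ISTIO_VERSION}" > "${ISTIO_VERSION_FILE}"
fi

printf '%s\n' "${ISTIO_VERSION}"
```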
@@ -0,0 +1,36 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+ namespace: istio-system
+spec:
+ profile: ISTIO_PROFILE
+ revision: ISTIO_REVISION
+ # Turn on default components: base, pilot, and ingress gateway
+ components:
+ base:
+ enabled: true
+ pilot:
+ enabled: true
+ k8s:
+ podDisruptionBudget:
+ minAvailable: 1
+ hpaSpec:
+ minReplicas: 2
+ # Istio Gateway feature
+ ingressGateways:
+ - name: istio-ingressgateway
+ enabled: true
+ egressGateways:
+ - name: istio-egressgateway
+ enabled: true
+
+ # Most default values come from the helm chart's values.yaml
+ # Below are the things that differ
+ values:
+ defaultRevision: ""
+ global:
+ istioNamespace: istio-system
+ configValidation: true
+ gateways:
+ istio-ingressgateway: {}
+ istio-egressgateway: {}
diff --git a/hack/k3d-label-node.sh b/hack/k3d-label-node.sh
new file mode 100755
index 000000000..2889a9f27
--- /dev/null
+++ b/hack/k3d-label-node.sh
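Review bot: hack/istio-config.yaml does not say that it is a template: `profile: ISTIO_PROFILE` and `revision: ISTIO_REVISION` are placeholders that the Makefile replaces by plain text substitution, and the file names no real profile or revision until that has happened. A header comment would make this explicit, for example `# Template: ISTIO_PROFILE and ISTIO_REVISION are substituted by the Makefile; do not apply this file directly.` The existing comment `# Turn on default components: base, pilot, and ingress gateway` omits the egress gateway that the file also enables, and unlike hack/find-istio-version.sh the new file carries no copyright header. The Makefile default for `ISTIO_PROFILE` is `demo`, which is presumably meant only for the test clusters this build creates; a comment saying so would help anyone reusing the file.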
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+kubectl label node k3d-operator-agent-0 topology.kubernetes.io/zone=zone-one --overwrite
+kubectl label node k3d-operator-agent-0 topology.kubernetes.io/region=one --overwrite
+kubectl label node k3d-operator-agent-0 oci.oraclecloud.com/fault-domain=fd-one --overwrite
+kubectl label node k3d-operator-agent-0 coherence.oracle.com/test=test-one --overwrite
+
+kubectl label node k3d-operator-agent-1 topology.kubernetes.io/zone=zone-one --overwrite
+kubectl label node k3d-operator-agent-1 topology.kubernetes.io/region=one --overwrite
+kubectl label node k3d-operator-agent-1 oci.oraclecloud.com/fault-domain=fd-one --overwrite
+kubectl label node k3d-operator-agent-1 coherence.oracle.com/test=test-one --overwrite
+
+kubectl label node k3d-operator-agent-2 topology.kubernetes.io/zone=zone-two --overwrite || true
+kubectl label node k3d-operator-agent-2 topology.kubernetes.io/region=two --overwrite || true
+kubectl label node k3d-operator-agent-2 oci.oraclecloud.com/fault-domain=fd-two --overwrite || true
+kubectl label node k3d-operator-agent-2 coherence.oracle.com/test=test-two --overwrite || true
+
+kubectl label node k3d-operator-agent-3 topology.kubernetes.io/zone=zone-two --overwrite || true
+kubectl label node k3d-operator-agent-3 topology.kubernetes.io/region=two --overwrite || true
+kubectl label node k3d-operator-agent-3 oci.oraclecloud.com/fault-domain=fd-two --overwrite || true
+kubectl label node k3d-operator-agent-3 coherence.oracle.com/test=test-two --overwrite || true
+
+kubectl label node k3d-operator-agent-4 topology.kubernetes.io/zone=zone-three --overwrite || true
+kubectl label node k3d-operator-agent-4 topology.kubernetes.io/region=three --overwrite || true
+kubectl label node k3d-operator-agent-4 oci.oraclecloud.com/fault-domain=fd-three --overwrite || true
+kubectl label node k3d-operator-agent-4 coherence.oracle.com/test=test-three --overwrite || true
+
+kubectl label node k3d-operator-server-0
topology.kubernetes.io/zone=zone-three --overwrite || true
+kubectl label node k3d-operator-server-0 topology.kubernetes.io/region=three --overwrite || true
+kubectl label node k3d-operator-server-0 oci.oraclecloud.com/fault-domain=fd-three --overwrite || true
+kubectl label node k3d-operator-server-0 coherence.oracle.com/test=test-three --overwrite || true
+
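Review bot: hack/k3d-label-node.sh handles failures inconsistently: the eight `kubectl label` commands for `k3d-operator-agent-0` and `k3d-operator-agent-1` have no `|| true` while the other sixteen do, yet with no `set -e` and a final command ending in `|| true` the script always exits 0, so `k3d-create` cannot notice that labelling failed. The node names are hard-coded to a cluster called `operator`; if the cluster name is configurable in the Makefile (not visible in this diff) the script should take it as an argument. The 24 near-identical lines would read better as one helper called per node, which also makes the required-versus-optional distinction explicit, and the file lacks the copyright header that hack/find-istio-version.sh has.

```shell
set -euo pipefail

# label_node NODE ZONE REGION FAULT_DOMAIN TEST [optional]
# Applies the four topology labels; a node marked optional is skipped when it does not exist.
label_node() {
  local node="$1" zone="$2" region="$3" fault_domain="$4" test_label="$5" optional="${6:-}"
  if [ -n "${optional}" ] && ! kubectl get node "${node}" > /dev/null 2>&1; then
    echo "Skipping ${node}: node not found"
    return 0
  fi
  kubectl label node "${node}" --overwrite \
    "topology.kubernetes.io/zone=${zone}" \
    "topology.kubernetes.io/region=${region}" \
    "oci.oraclecloud.com/fault-domain=${fault_domain}" \
    "coherence.oracle.com/test=${test_label}"
}

label_node k3d-operator-agent-0  zone-one   one   fd-one   test-one
label_node k3d-operator-agent-1  zone-one   one   fd-one   test-one
label_node k3d-operator-agent-2  zone-two   two   fd-two   test-two   optional
label_node k3d-operator-agent-3  zone-two   two   fd-two   test-two   optional
label_node k3d-operator-agent-4  zone-three three fd-three test-three optional
label_node k3d-operator-server-0 zone-three three fd-three test-three optional
```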