traefik / mesh
Traefik Mesh - Simpler Service Mesh
Home Page: https://traefik.io/traefik-mesh
License: Apache License 2.0
We want to use Helm to deploy i3o.
We need a base Helm chart to configure the install.
We need to be able to CRUD the Traefik CE Kubernetes CRDs.
We should define a set of features that we want for the v1 launch, so that we can ensure we have the features ready, and tests written to ensure correct behavior for these features.
Many of the operations in the controller RBAC are due to updates in the mesh namespace.
It might be nice to separate out the mesh namespace RBAC into a RoleBinding, and keep a much more minimal ClusterRoleBinding, since we don't need global permissions for everything in the cluster.
Since we don't have UDP support at this time, we should log a warning and skip the port.
We need to be able to create IngressRoutes (TCP) with different ports for each service port.
We need to have a README so that it is obvious how to install and configure i3o in a fresh cluster.
We need to have the helm chart install:
And allow them to be configured from a default configuration to external sources if desired
Match and Kind are not optional. They need to be defined.
Based on https://github.com/golang-standards/project-layout, we have a non-standard layout.
We should improve this by moving code into the standardized directories now.
We should route not only by service name (DNS) but also by service IP.
This applies to both TCP and HTTP.
There are a few things that this controller needs:
Functionality requirements missing:
Nice to haves:
How do we want to do tests?
Using:
./i3o patch --kubeconfig ~/.kube/config --master 127.0.0.1:9000 --debug
INFO[0000] Building Kubernetes Client...
INFO[0000] Building Kubernetes CRD Client...
INFO[0000] Preparing Cluster...
Works, but:
./i3o patch --kubeconfig=~/.kube/config --master=127.0.0.1:9000 --debug
FATA[0000] Error building clients: stat ~/.kube/config: no such file or directory
Breaks
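The failure above is a shell gotcha rather than a client-go problem: bash only tilde-expands at the start of a word, or after the "=" of a genuine variable assignment, and "--kubeconfig=~/.kube/config" is neither, so the program receives a literal "~" and stat fails on it. As an added example, not i3o's own code, the following Go program expands the tilde itself so both flag spellings work. The ResolveKubeconfig precedence (flag, then KUBECONFIG, then ~/.kube/config) is assumed from kubectl's behaviour, not taken from i3o.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ExpandHome expands a leading "~" or "~/" in path against home. Bash only
// tilde-expands at the start of a word (and after "=" in a genuine variable
// assignment), so "--kubeconfig=~/.kube/config" reaches the program with a
// literal "~" and os.Stat fails on it. The "~user/..." form needs a passwd
// lookup, so it is rejected instead of guessed.
func ExpandHome(path, home string) (string, error) {
	if path == "" || path[0] != '~' {
		return path, nil // nothing to expand
	}
	if path != "~" && !strings.HasPrefix(path, "~/") {
		return "", fmt.Errorf("unsupported tilde form %q: only ~ and ~/ are expanded", path)
	}
	if home == "" {
		return "", errors.New("cannot expand ~: home directory is unknown")
	}
	return filepath.Join(home, strings.TrimPrefix(path, "~")), nil
}

// ResolveKubeconfig picks the kubeconfig path using the precedence kubectl
// uses (an assumption of this example, not i3o's behaviour): the flag value,
// then the KUBECONFIG environment value, then ~/.kube/config. Each candidate
// passes through ExpandHome so a literal "~" never reaches the file system.
// KUBECONFIG may hold a path list; this example treats it as a single path.
func ResolveKubeconfig(flagValue, envValue, home string) (string, error) {
	for _, c := range []string{flagValue, envValue, "~/.kube/config"} {
		if c != "" {
			return ExpandHome(c, home)
		}
	}
	return "", errors.New("no kubeconfig candidate") // unreachable: the default is non-empty
}

func main() {
	kubeconfig := flag.String("kubeconfig", "", "path to the kubeconfig file (~ is expanded)")
	flag.Parse()

	home, err := os.UserHomeDir() // honours $HOME; can fail in minimal containers
	if err != nil {
		home = ""
	}
	path, err := ResolveKubeconfig(*kubeconfig, os.Getenv("KUBECONFIG"), home)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error building clients:", err)
		os.Exit(1)
	}
	if _, err := os.Stat(path); err != nil {
		// Same check that produced the FATA line above, now on the expanded path.
		fmt.Fprintln(os.Stderr, "error building clients:", err)
		os.Exit(1)
	}
	fmt.Println("using kubeconfig", path)
}
```

With this in place, ./i3o patch --kubeconfig=~/.kube/config and ./i3o patch --kubeconfig ~/.kube/config resolve to the same file; a "~user" path is reported rather than silently turned into a relative path.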
We should define service labels to assist with defining routing.
This would allow us to start work on implementing features
We need to move the Patch DNS code to a new command, so that we can use separate RBAC permissions and jobify it.
A regression was introduced in #34 that deletes all the core pods in the cluster.
This leads to a total DNS outage for the entire cluster (including the API).
I think it would be better to add a meta label to force a restart natively instead of deleting the pods.
We need to have load balancing in Traefik v2 before we can leverage it in i3o
Currently each controller has its own queue for processing events. We may want to have a global controller queue so that we can move processing to a higher-level controller (mesh controller).
We need to verify that the RBAC matches the client access requirements
Right now we do a string replacement to patch in our CoreDNS config.
We should look at having our own server block that we can just append to the data.
This would allow us to be compatible with more systems without risk of breaking things, and be less janky.
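One way to implement the appended server block, as an added example in Go rather than the project's CoreDNS patching code: the mesh zone gets its own top-level server block, bounded by marker comments so the controller can update or remove exactly the text it owns, and a zone-collision check refuses to write a Corefile that CoreDNS would reject at startup. The zone name traefik.mesh, the rewrite target, the upstream and the marker text are this example's assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Marker comments bounding the block i3o would own. CoreDNS ignores '#'
// comment lines, so they are inert. The marker text is this example's own.
const (
	beginMarker = "#### Begin i3o block ####"
	endMarker   = "#### End i3o block ####"
)

// MeshBlock is an illustrative server block for a dedicated mesh zone; the
// zone, rewrite target and upstream are assumptions. It is a separate
// top-level block, so the user's ".:53" block is never edited.
const MeshBlock = `traefik.mesh:53 {
    errors
    rewrite name regex (.*)\.traefik\.mesh {1}.traefik-mesh.svc.cluster.local
    forward . /etc/resolv.conf
}`

// ZonesOf returns the zone specifiers (e.g. ".:53") of every top-level
// server block, assuming one directive per line; '#' lines are skipped.
func ZonesOf(corefile string) []string {
	var zones []string
	depth := 0
	for _, line := range strings.Split(corefile, "\n") {
		t := strings.TrimSpace(line)
		if t == "" || strings.HasPrefix(t, "#") {
			continue
		}
		if depth == 0 && strings.HasSuffix(t, "{") {
			zones = append(zones, strings.Fields(strings.TrimSuffix(t, "{"))...)
		}
		depth += strings.Count(t, "{") - strings.Count(t, "}")
	}
	return zones
}

// RemoveMeshBlock strips the managed block, markers included, and leaves
// the rest of the Corefile exactly as it was. A begin marker with no end
// marker drops everything from the marker on rather than leave half a block.
func RemoveMeshBlock(corefile string) string {
	start := strings.Index(corefile, beginMarker)
	if start < 0 {
		return corefile
	}
	head := strings.TrimRight(corefile[:start], "\n")
	tail := ""
	if endRel := strings.Index(corefile[start:], endMarker); endRel >= 0 {
		tail = strings.TrimLeft(corefile[start+endRel+len(endMarker):], "\n")
	}
	switch {
	case head == "":
		return tail
	case tail == "":
		return head + "\n"
	}
	return head + "\n" + tail
}

// AddMeshBlock appends block as its own server block, replacing any block
// this function wrote earlier, so repeated runs never duplicate it. It
// refuses a block whose zone:port already has a server block, because
// CoreDNS rejects a Corefile that serves one zone twice on a port.
func AddMeshBlock(corefile, block string) (string, error) {
	if strings.Contains(block, beginMarker) || strings.Contains(block, endMarker) {
		return "", fmt.Errorf("block must not contain the marker comments")
	}
	base := RemoveMeshBlock(corefile)
	existing := map[string]bool{}
	for _, z := range ZonesOf(base) {
		existing[z] = true
	}
	for _, z := range ZonesOf(block) {
		if existing[z] {
			return "", fmt.Errorf("zone %q already has a server block; refusing to patch", z)
		}
	}
	prefix := strings.TrimRight(base, "\n")
	if prefix != "" {
		prefix += "\n\n"
	}
	return prefix + beginMarker + "\n" + strings.TrimRight(block, "\n") + "\n" + endMarker + "\n", nil
}

func main() {
	// Constructed stand-in for a default Corefile, not read from a cluster.
	patched, err := AddMeshBlock(".:53 {\n    errors\n    forward . /etc/resolv.conf\n}\n", MeshBlock)
	if err != nil {
		panic(err)
	}
	fmt.Print(patched)
}
```

The controller would read the coredns ConfigMap's Corefile key, run AddMeshBlock (or RemoveMeshBlock on uninstall) and write it back; because the user's own blocks are never rewritten, the patch is safe on distributions whose default Corefile differs from the one the string replacement was written against.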
There seems to be a bunch of duplicated code in the meshcontroller handler.
Look into using interfaces to allow for deduplication.
Since we are going to use Helm, remove this code from the controller.
Do we need to have demo data in the app anymore?
So it appears that traffic control via SMI is done by checking the service accounts of running pods and tying them to destinations with running service accounts.
This is not difficult to do, but there are a bunch of ways we can accomplish it with Traefik.
We can either do an IP whitelist, or we can do some other sort of filtering.
I have a few concerns:
These concerns may not be big in reality, but they are just something to think about.
Since we have been using sources from different codebases, we need to standardize our imports so that we don't duplicate names.
import (
	appsv1 "k8s.io/api/apps/v1"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
Although verifyExists is nice, create is clearer, with a comment that if it exists, it returns the object.
Related to #57
Some of the Traefik features (such as metrics) are static.
Did we want to manage these by a ConfigMap (TOML file)? Or did we want to use the CLI for everything?
The CLI is so much cleaner than having to hunt down ConfigMaps. We also don't have to worry about changes not propagating if we use the CLI.
We have create + delete, but we should handle updating.
We should also be able to have an integration test for this.
The Kubernetes API service should not be managed by the mesh.
We should add it to the list of namespaces to ignore.
We should use:
i3o-mesh:internal
as the label
Instead of using a templated config file, we should move to CRDs, which don't require templating files.
How did we want to implement tracing?
Not sure how tracing is implemented in Traefik v2
Once metrics are enabled in Traefik v2, we need to have them implemented in i3o. This will also be required for SMI.
We could look into using reverse IP lookups on the source IP to get the pod reference.
This may allow us to avoid having to deal with IP whitelisting for source filtering.
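An added example, not i3o's implementation, that serves both this issue and the earlier note on SMI access control by service account: given a snapshot of pods, it derives the ipWhiteList sourceRange entries for a TrafficTarget's source service accounts (the whitelist approach), and builds the reverse index from source IP to pod (the lookup approach), with the two failure modes a practitioner has to handle either way: pods without an IP yet, and hostNetwork pods whose IP is the node's and therefore identifies nothing. The Pod and TrafficTarget types are reduced stand-ins for the Kubernetes and SMI objects (TrafficTarget keeps only its sources), and the pod inventory is constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// Pod is the subset of pod state the access-control logic needs; a real
// controller would fill it from a pod informer.
type Pod struct {
	Name, Namespace, ServiceAccount, IP string
	HostNetwork                         bool
}

// IdentityBinding is a reduced stand-in for the kind/name/namespace triple
// an SMI TrafficTarget lists under sources (and destination).
type IdentityBinding struct{ Kind, Name, Namespace string }

// TrafficTarget is reduced to the part this example needs: its sources.
type TrafficTarget struct{ Sources []IdentityBinding }

// SampleTarget and SamplePods are inputs constructed for this example.
var SampleTarget = TrafficTarget{Sources: []IdentityBinding{{"ServiceAccount", "client", "app"}}}

var SamplePods = []Pod{
	{Name: "client-a", Namespace: "app", ServiceAccount: "client", IP: "10.42.0.11"},
	{Name: "client-b", Namespace: "app", ServiceAccount: "client", IP: "10.42.1.7"},
	{Name: "client-v6", Namespace: "app", ServiceAccount: "client", IP: "fd00::5"},
	{Name: "client-c", Namespace: "app", ServiceAccount: "client", IP: ""},               // Pending: no IP yet
	{Name: "other", Namespace: "app", ServiceAccount: "default", IP: "10.42.0.12"},       // not a source SA
	{Name: "client-x", Namespace: "other-ns", ServiceAccount: "client", IP: "10.42.2.3"}, // same SA name, other namespace
}

// SourceRanges derives the sourceRange list for a Traefik ipWhiteList
// middleware: one /32 (or /128) per pod running under one of the target's
// source service accounts. Pending pods are skipped. A hostNetwork pod
// shares its node's IP, so allow-listing it would admit everything on that
// node; the function refuses instead. Pod IPs are recycled, so the caller
// must recompute on every pod add, update and delete.
func SourceRanges(tt TrafficTarget, pods []Pod) ([]string, error) {
	allowed := map[IdentityBinding]bool{}
	for _, s := range tt.Sources {
		if s.Kind != "ServiceAccount" {
			return nil, fmt.Errorf("unsupported source kind %q", s.Kind)
		}
		allowed[s] = true
	}
	var ranges []string
	for _, p := range pods {
		if p.IP == "" || !allowed[IdentityBinding{"ServiceAccount", p.ServiceAccount, p.Namespace}] {
			continue
		}
		if p.HostNetwork {
			return nil, fmt.Errorf("pod %s/%s uses hostNetwork; its node IP cannot be allow-listed safely", p.Namespace, p.Name)
		}
		ip := net.ParseIP(p.IP)
		if ip == nil {
			return nil, fmt.Errorf("pod %s/%s has invalid IP %q", p.Namespace, p.Name, p.IP)
		}
		cidr := p.IP + "/32"
		if ip.To4() == nil {
			cidr = p.IP + "/128"
		}
		ranges = append(ranges, cidr)
	}
	sort.Strings(ranges)
	return ranges, nil
}

// PodByIP builds the reverse index (source IP -> pod) for the lookup
// approach. Two pods claiming one IP in a snapshot means the cache is stale,
// not that both are live, so it is reported rather than silently overwritten.
// hostNetwork pods are left out because their IP does not identify a pod.
func PodByIP(pods []Pod) (map[string]Pod, error) {
	idx := make(map[string]Pod, len(pods))
	for _, p := range pods {
		if p.IP == "" || p.HostNetwork {
			continue
		}
		if prev, dup := idx[p.IP]; dup {
			return nil, fmt.Errorf("IP %s claimed by %s/%s and %s/%s: stale pod cache", p.IP, prev.Namespace, prev.Name, p.Namespace, p.Name)
		}
		idx[p.IP] = p
	}
	return idx, nil
}

func main() {
	ranges, err := SourceRanges(SampleTarget, SamplePods)
	idx, err2 := PodByIP(SamplePods)
	if err != nil || err2 != nil {
		panic(fmt.Sprint(err, err2))
	}
	fmt.Println("sourceRange:", ranges, "| 10.42.2.3 ->", idx["10.42.2.3"].Namespace+"/"+idx["10.42.2.3"].Name)
}
```

Either way the service account is only as trustworthy as the pod-to-IP mapping at the instant of the request: the allowlist has to be regenerated on every pod event, and the reverse lookup has to consult the current snapshot, because a recycled IP under a different service account is the obvious way to end up on the wrong side of the policy.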
We need:
We need a service controller to manage shadow services for access control.
This will allow an SMI implementation of access control, and may allow more features to be implemented in TrafficSplit etc.
We don't want to use HTTP for these pods.
We need to use TCP.
The following features and integration tests are needed:
Traffic split should be fairly easy to accomplish once we have some weighting etc. from Traefik v2.
Until then, we could do a janky workaround where we add the same route x/y times to mathematically make it work, but that is terrible.
Currently we use separate controllers for watching each type.
Once we get further along, we may not need separate controllers for each type, or we may be able to consolidate these controllers in a more efficient manner.
This needs to run in a Docker container.
We need a Dockerfile to make this work.
We should have an integration test that can handle an end-to-end request
SMI is implemented via CRDs; we need to get a controller for that.
We use a high-permission RBAC SA for patching DNS.
We should confirm that it is deleted as part of the controller verification on startup.
Since services are TCP by default, we should also use TCP routing by default
Eventually we are going to need documentation, because people.
Did we want a dashboard for this project? Or did we want to do something like have a deployable Prometheus + Grafana container sort of thing (like we do with our advocacy demos)?