Page MenuHomePhabricator

Implement POC for istio ingress
Open, MediumPublic


This is the follow up task for T287007.

Already merged changes regarding this:

Those changes, together with a WIP one, made it possible to generally install istio to staging-codfw but there are still some open questions/things to fix:

  • Decide how we want the kube-apiserver to reach webooks running inside of the cluster, see: T290967
  • Create proper NetworkPolicies, ideally automated or global, for Ingress-Gateway to be able to reach services etc.
  • Figure out how to deal with the internal ca that istio manages. It is by default used to secure communication with itsiod as well as establish trust between the Ingress-Gateway and services.
  • Make Ingress-Gateway trust Puppet-CA (e.g. tls-proxy) certificates
  • Make prometheus scrape istiod and Ingress-Gateway
  • Decide on how we want to run the Ingress-Gateway and ultimately how we want PyBal to healthcheck it/the k8s nodes.

I'm keeping some additional, unordered notes at

Event Timeline

JMeybohm triaged this task as Medium priority.Tue, Sep 14, 1:09 PM
JMeybohm created this task.
JMeybohm renamed this task from Implement POC for istio ingess to Implement POC for istio ingress.Tue, Sep 14, 1:10 PM
JMeybohm added subscribers: akosiaris, Joe.

Change 720906 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] WIP: istio additions