The Istio Ingress support in Wikikube has been tested with various services, and it would be nice to move pre-existing services (where possible) to it.
Main benefits:
- The more services we have the better to find/iron-out issues with Istio.
- Bootstrapping a new service would require way less time since there will be no need of an extra LVS IP/config.
- Standardized metrics for the SLO dashboards (Istio ones rather than the envoy/mesh ones). We already have Prometheus recording rules for the Istio gateway metrics, so it is convenient and more performant (see T389357), but there is no real need for the switch since we could do it for envoy too. Given the above points it would be nice to have a single standard.
I'd like to move some services to Ingress, improve the documentation and possibly set the standard for new services.
Procedure to move a live service to Ingress:
- Enable the ingress module, and make sure the nodePort is kept. Example for citoid: https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/1135378
- Make sure that values.yaml doesn't add a default for gatewayHosts, see follow up fix for the above: https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/1135396
- Deploy and test on staging. For citoid, the test was: curl -k https://citoid.k8s-staging.discovery.wmnet:30443/mediawiki/10.1038%2Fs41586-021-03470-x
- Please note: we have a wildcard CNAME like *.k8s-staging.discovery.wmnet in our DNS config, so once you have deployed the ingress config to staging, that should work for your service as well without any extra DNS changes.
- Deploy and test in production.
- For citoid: curl https://citoid.discovery.wmnet:30443/mediawiki/10.1038%2Fs41586-021-03470-x -k --resolve citoid.discovery.wmnet:30443:$(dig +short k8s-ingress-wikikube-ro.discovery.wmnet)
- Please note that the ingress module will take care of configuring the Istio Gateway to accept $service.discovery.wmnet as SNI.
- At this point we cannot set a CNAME like citoid.discovery.wmnet => k8s-ingress-wikikube-ro.discovery.wmnet because there is already an A record registered (the one reserved for the LVS service).
- The easiest option is to create a CNAME $service-ingress.discovery.wmnet => k8s-ingress-wikikube-ro.discovery.wmnet and add that FQDN to the allowed hosts in the ingress module's config.
- See https://gerrit.wikimedia.org/r/c/operations/dns/+/1135433 and https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/1135449
- Finally, point the clients that use $service.discovery.wmnet to $service-ingress.discovery.wmnet. This is also very easy to roll back if anything goes wrong.
After the above procedure there are two roads:
- Keep the $service-ingress.discovery.wmnet service name and clean up service.yaml and LVS from the old one.
- Remove the A records for $service.discovery.wmnet in the DNS repo and create a CNAME to k8s-ingress-wikikube-ro.discovery.wmnet. Then point clients to $service.discovery.wmnet again and remove the $service-ingress CNAME.
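Worked example added here (not from this task, the deployment-charts repo or the DNS repo) that models the DNS constraint behind the cutover steps and the second road above: a CNAME cannot share an owner name with the LVS A record, which is why the $service-ingress alias is needed first. The zone contents and IP addresses are constructed placeholders.

```python
# Added example: minimal zone model for the ingress cutover. Data is constructed.
from typing import Dict, List, Tuple

Zone = Dict[str, List[Tuple[str, str]]]  # owner name -> [(rtype, rdata), ...]
INGRESS = "k8s-ingress-wikikube-ro.discovery.wmnet"

# Constructed sample zone; the addresses are placeholders, not real WMF IPs.
ZONE: Zone = {
    "citoid.discovery.wmnet": [("A", "10.0.0.10")],  # A record reserved for LVS
    INGRESS: [("A", "10.0.0.20")],                   # shared ingress VIP
}


def cname_allowed(zone: Zone, name: str) -> bool:
    """A CNAME must be the only record at its owner name (RFC 1034 3.6.2)."""
    return not zone.get(name)


def add_cname(zone: Zone, name: str, target: str) -> None:
    """Refuse the change the DNS repo would also reject: CNAME next to an A."""
    if not cname_allowed(zone, name):
        raise ValueError(f"{name} already has records; cannot add CNAME")
    zone[name] = [("CNAME", target)]


def resolve(zone: Zone, name: str, max_hops: int = 8) -> List[str]:
    """Follow CNAMEs like a resolver would and return the final A rdata."""
    for _ in range(max_hops):
        rrs = zone.get(name, [])
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            return [rdata for rtype, rdata in rrs if rtype == "A"]
        name = cnames[0]
    raise RuntimeError("CNAME chain too long or looping")


def cutover(zone: Zone, service: str, ingress: str = INGRESS) -> str:
    """Return the name clients should be pointed at after the ingress deploy."""
    svc = f"{service}.discovery.wmnet"
    if cname_allowed(zone, svc):
        add_cname(zone, svc, ingress)  # no LVS record in the way
        return svc
    alias = f"{service}-ingress.discovery.wmnet"  # LVS A record still present
    add_cname(zone, alias, ingress)
    return alias


def finish_second_road(zone: Zone, service: str, ingress: str = INGRESS) -> None:
    """Drop the LVS A record, alias the real name, retire the -ingress CNAME."""
    svc, alias = f"{service}.discovery.wmnet", f"{service}-ingress.discovery.wmnet"
    zone[svc] = [rr for rr in zone.get(svc, []) if rr[0] != "A"]
    add_cname(zone, svc, ingress)
    zone.pop(alias, None)
```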