Uploaded image for project: 'OpenShift Service Mesh'
  1. OpenShift Service Mesh
  2. OSSM-2221

Gateway injection does not work in control plane namespace

    XMLWordPrintable

Details

    • False
    • None
    • False
    • Release Notes
    • Hide
      Previously, gateway injection in the control plane namespace was not possible, as we labeled the SMCP namespace with ignore-namespace by default.

      As we migrate to gateway injection, customers that already have custom gateways that they deploy to the control plane namespace were blocked by this.

      Now, with the 2.4 version of the operator, the control plane namespace is no longer labeled with ignore-namespace for injection when creating a v2.4 control plane, so gateway injection is possible in the control plane namespace.

      If users with an existing deployment wish to allow for injection in their control plane namespace, they can do this by removing the label manually like so (where istio-system is the name of the SMCP namespace):

      `oc label namespace istio-system maistra.io/ignore-namespace-`
      Show
      Previously, gateway injection in the control plane namespace was not possible, as we labeled the SMCP namespace with ignore-namespace by default. As we migrate to gateway injection, customers that already have custom gateways that they deploy to the control plane namespace were blocked by this. Now, with the 2.4 version of the operator, the control plane namespace is no longer labeled with ignore-namespace for injection when creating a v2.4 control plane, so gateway injection is possible in the control plane namespace. If users with an existing deployment wish to allow for injection in their control plane namespace, they can do this by removing the label manually like so (where istio-system is the name of the SMCP namespace): `oc label namespace istio-system maistra.io/ignore-namespace-`
    • Known Issue
    • Done
    • 3
    • Sprint 60, Sprint 61, Sprint 62

    Description

      When enabling the Gateway API deployment controller in an SMCP like this:

      spec: 
        runtime: 
          components: 
            pilot: 
              container: 
                env: 
                  PILOT_ENABLE_GATEWAY_API: "true"
                  PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER: "true"
                  PILOT_ENABLE_GATEWAY_API_STATUS: "true"
      

      and subsequently creating a Gateway resource called example in the control plane namespace, you'll see that a Deployment is created but the pod fails to start:

      example-6f56d4cbd6-nzdl9                0/1     ImagePullBackOff   0          94s
      

      The error seen is:

        Warning  Failed          10s   kubelet, ocp-wide-vh8fd-worker-vhqm9  Failed to pull image "auto": rpc error: code = Unknown desc = reading manifest latest in docker.io/library/auto: errors:
      

      This is because we will by default ignore the injection annotation/label in the control plane namespace. We do this by adding the maistra.io/ignore-namespace label, which we added to the injection webhook as an opt-out mechanism. I'm not sure this is still required; we shouldn't stop users from injecting in the control plane namespace, at least not gateways.

      Note that the reproduction steps above use the Gateway API controller, but this affects Gateway injection in general.

      This should be marked as a known issue in the release notes

      Attachments

        Activity

          People

            rh-ee-cgarriso Cameron Garrison
            dgrimm@redhat.com Daniel Grimm
            Votes:
            0 Vote for this issue
            Watchers:
            9 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: