Advice on Istio K8sObjectOverlay.PathValue for Pod Spec Labels

Question


I popped this on the Istio forums too but thought might have better luck here. We’re currently using Istio on our AKS Cluster with a Pod Identity binding on our ingress gateways and we’re looking to move this across to using Azure Workload Identity instead.

In the Pod Identity setup, the overlays>patches>path is used as below to add a label to the Pod spec of the gateway Deployment:

  overlays:
  - apiVersion: apps/v1
    kind: Deployment
    name: istio-ingressgateway
    patches:
    - path: spec.template.metadata.labels.aadpodidbinding
      value: managed_identity_name_here
    MORE_VALUES_BELOW

This works as expected and we get a label applied to the Pods that are part of the Deployment as aadpodidbinding=managed_identity_name_here.

In order to move to Workload Identity we’re wanting to set this as azure.workload.identity/use=true and therefore edited the config as below:

  overlays:
  - apiVersion: apps/v1
    kind: Deployment
    name: istio-ingressgateway
    patches:
    - path: spec.template.metadata.labels.azure.workload.identity/use
      value: true
    MORE_VALUES_BELOW

This doesn’t appear to work at all when then trying to apply the change to the Cluster using Helm. We can see the updated value in the Helm Chart but it never actually reaches the Deployment/Pod.

However, if we use the below it does update the Deployment/Pod:

  - path: spec.template.metadata.labels.azure
    value: true

It seems that it doesn't like going beyond the first dot for the label prefix? So it's possible to add a label like:

  - path: spec.template.metadata.labels.rubbish
    value: someValue

but not:

  - path: spec.template.metadata.labels.rubbish.extended
    value: someValue

I’ve been looking at the Istio documentation (Ref 1, Ref 2) and I’m guessing I’m just not wrapping my head around something as to how to format the path for the new label that’s required. I've also seen the posts on here that are similar but it's not clicked for me looking at those (Post 1, Post 2).

If anyone has any advice it’d be greatly appreciated!

Thanks for taking the time to look at this.

Answer 1

Score: 1


Through some further trial and error and looking at the Istio Operator logs I've found the answer to this now as below:

  - path: spec.template.metadata.labels.azure\.workload\.identity/use
    value: "true"

Any dots after the first value need escaping for the Istio Operator's RegEx to accept the value, and this has now successfully labelled the ingress gateway Pod via the Deployment Pod spec:

  Labels: app=istio-ingressgateway
          azure.workload.identity/use=true

Which is definitely working as expected as the Pods now have the Azure Workload Identity variables injected (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE, AZURE_AUTHORITY_HOST).

Hope this helps someone else if they encounter similar!
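An added illustration of the behaviour described in the question and answer (example code, not the poster's or Istio's own): a small Python model that splits an overlay path on unescaped dots and writes the value into a Deployment, showing why the unescaped path nests a map under `labels.azure` instead of creating the `azure.workload.identity/use` label, and why the value is quoted. The Deployment dict and the label check are constructed, simplified assumptions, not the operator's real implementation.

```python
import copy
import re
from typing import Any

# Split the overlay path on dots that are NOT escaped with a backslash, then
# drop the escapes. Simplified model of the operator's path handling (an
# assumption, not Istio's own code) that reproduces the two cases on the page.
def split_overlay_path(path: str) -> list[str]:
    return [p.replace("\\.", ".") for p in re.split(r"(?<!\\)\.", path)]

def apply_patch(obj: dict, path: str, value: Any) -> dict:
    """Set value at the dotted path, creating nested maps for each segment."""
    out = copy.deepcopy(obj)
    node = out
    *parents, leaf = split_overlay_path(path)
    for key in parents:
        node = node.setdefault(key, {})  # an unescaped dot nests one level deeper
    node[leaf] = value
    return out

# Constructed minimal Deployment standing in for the ingress gateway.
GATEWAY = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "istio-ingressgateway"},
    "spec": {"template": {"metadata": {"labels": {"app": "istio-ingressgateway"}}}},
}

def pod_labels(deployment: dict) -> dict:
    return deployment["spec"]["template"]["metadata"]["labels"]

# Kubernetes label names: max 63 chars, alphanumeric at both ends, optional "prefix/".
LABEL_NAME_RE = re.compile(r"^[A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?$")

def label_problems(labels: dict) -> list[str]:
    """Reasons the API server would reject a Pod template's labels (simplified)."""
    problems = []
    for key, value in labels.items():
        if not LABEL_NAME_RE.match(key.rsplit("/", 1)[-1]):
            problems.append(f"{key!r}: invalid label name")
        if not isinstance(value, str):
            problems.append(f"{key!r}: value must be a string, got {type(value).__name__}")
    return problems

if __name__ == "__main__":
    for path, value in [
        ("spec.template.metadata.labels.azure.workload.identity/use", True),      # question
        (r"spec.template.metadata.labels.azure\.workload\.identity/use", "true"),  # answer
    ]:
        patched = apply_patch(GATEWAY, path, value)
        print(path, "->", pod_labels(patched), label_problems(pod_labels(patched)))
```

Running it prints the nested `{"azure": {"workload": {...}}}` map for the unescaped path, with a label problem, and the single `azure.workload.identity/use: "true"` label with no problems for the escaped, quoted form.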

huangapple
  • Posted on 2023-06-22 16:07:50
  • Please keep this link when reposting: https://go.coder-hub.com/76529778.html