-
Notifications
You must be signed in to change notification settings - Fork 455
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Drop nginx-ingress
load balancer in favor of Istio
#9038
Drop nginx-ingress
load balancer in favor of Istio
#9038
Conversation
eb5b482
to
cb36a44
Compare
cb36a44
to
e245a3f
Compare
Error in
/test pull-gardener-e2e-kind-migration-ha-single-zone |
Issue in /test pull-gardener-e2e-kind-upgrade |
Will add support for multiple ingress domains to Garden. /hold |
/assign |
d67afba
to
0467441
Compare
a4c208d
to
2b0e8db
Compare
/cla |
Successfully reached out to cla-assistant.io to initialize recheck of PR #9038 |
e623c77
to
7f42bcd
Compare
Rebased and adapted |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
LGTM label has been added. Git tree hash: 710fa1c0e3b3dd4d98843ccd24509d3f67b50c62
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rfranzke The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@ScheererJ: The following test failed, say
Full PR test history. Your PR dashboard. Command help for this repository. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/retest-required |
/test pull-gardener-e2e-kind |
…stio. With PR gardener#9038, nginx was moved behind the istio ingress gateway. The same PR also enabled management of multiple ingress domains via the `Garden` resource. Unfortunately, istio is a bit picky about overlapping domains in certain scenarios. This could lead to failing reconciliation of the nginx-ingress managed resource. Therefore, to prevent those situations this change splits the virtual services into separate instances per host so that istio does not complain and simply does the right thing.
…stio. With PR gardener#9038, nginx was moved behind the istio ingress gateway. The same PR also enabled management of multiple ingress domains via the `Garden` resource. Unfortunately, istio is a bit picky about overlapping domains in certain scenarios. This could lead to failing reconciliation of the nginx-ingress managed resource. Therefore, to prevent those situations this change splits the virtual services into separate instances per host so that istio does not complain and simply does the right thing.
…stio. (#9183) With PR #9038, nginx was moved behind the istio ingress gateway. The same PR also enabled management of multiple ingress domains via the `Garden` resource. Unfortunately, istio is a bit picky about overlapping domains in certain scenarios. This could lead to failing reconciliation of the nginx-ingress managed resource. Therefore, to prevent those situations this change splits the virtual services into separate instances per host so that istio does not complain and simply does the right thing.
How to categorize this PR?
/area networking
/kind enhancement
/kind api-change
What this PR does / why we need it:
This change moves
nginx-ingress
behindistio
. The consequence is that the load balancer ofnginx-ingress
becomes an ordinary cluster service without direct exposure.nginx-ingress
is exposed viaistio
resources (Gateway
,VirtualService
&DestinationRule
) similar askube-apiserver
is exposed.TLS is still terminated at
nginx-ingress
. The same holds true for authentication of the observability components.As a side effect of this change, this PR also brings an improvements to the Gardener Operator: It adds a new
ingress.domains
field to replaceingress.domain
. This allows to exposeIngress
resources via multiple domains.Which issue(s) this PR fixes:
Fixes #7232
Special notes for your reviewer:
Please note that the forwarding currently only works for domain names using the wildcard ingress domain of seed/garden. Additional names need to be added to the istio configuration.
Release note: