Add support for SMI

[stefanprodan]

This PR adds support for SMI TrafficSplit.

Test procedure with the Istio SMI adapter:

1. Install Istio with Prometheus and Mixer telemetry enabled.
2. Clone this repo and checkout the smi branch
3. Install the SMI Istio adapter with kubectl apply -f ./artifacts/smi/istio-adapter.yaml
4. Install Flagger:

helm upgrade -i flagger ./charts/flagger \
--wait \
--namespace istio-system \
--set image.tag=smi-8fd3e92 \
--set meshProvider=smi:istio

5. Follow the canary tutorial https://docs.flagger.app/usage/progressive-delivery
6. Use the following canary spec:

apiVersion: flagger.app/v1alpha3
kind: Canary
metadata:
  name: podinfo
  namespace: test
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: podinfo
  progressDeadlineSeconds: 60
  autoscalerRef:
    apiVersion: autoscaling/v2beta1
    kind: HorizontalPodAutoscaler
    name: podinfo
  service:
    port: 9898
    gateways:
    - public-gateway.istio-system.svc.cluster.local
    hosts:
    - app.example.com
  canaryAnalysis:
    interval: 15s
    threshold: 15
    maxWeight: 30
    stepWeight: 10
    metrics:
    - name: request-success-rate
      threshold: 99
      interval: 1m
    - name: request-duration
      threshold: 500
      interval: 30s
    webhooks:
      - name: load-test
        url: http://flagger-loadtester.test/
        timeout: 5s
        metadata:
          type: cmd
          cmd: "hey -z 10m -q 10 -c 2 http://podinfo.test:9898/"

[surajssd]

TrafficSplit object was created, and it didn't create any VS object. I think because the operator is deployed in different namespace istio-system, than the application.

[stefanprodan]

Have you installed the operator using kubectl apply -f ./artifacts/smi/istio-adapter.yaml? The e2e tests cover this, the adapter sits in istio-system while the canary is in the test namespace.

[surajssd]

After applying following diff, I redeployed the adapter:

diff --git a/artifacts/smi/istio-adapter.yaml b/artifacts/smi/istio-adapter.yaml
index eaebdcb..66fd04d 100644
--- a/artifacts/smi/istio-adapter.yaml
+++ b/artifacts/smi/istio-adapter.yaml
@@ -27,7 +27,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: smi-adapter-istio
-  namespace: istio-system
+  namespace: test
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -90,7 +90,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: smi-adapter-istio
-    namespace: istio-system
+    namespace: test
 roleRef:
   kind: ClusterRole
   name: smi-adapter-istio
@@ -100,7 +100,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: smi-adapter-istio
-  namespace: istio-system
+  namespace: test
 spec:
   replicas: 1
   selector:
@@ -122,7 +122,7 @@ spec:
           imagePullPolicy: Always
           env:
             - name: WATCH_NAMESPACE
-              value: ""
+              value: "test"
             - name: POD_NAME
               valueFrom:
                 fieldRef:

I see a lot of following errors from the adapter pod:

{"level":"error","ts":1557825936.9886234,"logger":"kubebuilder.controller","msg":"Reconciler error","controller":"trafficsplit-controller",
"request":"test/podinfo",
"error":"admission webhook \"pilot.validation.istio.io\" denied the request: configuration is invalid: wildcard host * is not allowed for virtual services bound to the mesh gateway",
"stacktrace":"github.com/deislabs/smi-adapter-istio/vendor/github.com/go-logr/zapr.(*zapLogger).Error\n\t/Users/aleph/go/src/github.com/deislabs/smi-adapter-istio/vendor/github.com/go-logr/zapr/zapr.go:128\ngithub.com/deislabs/smi-adapter-istio/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/Users/aleph/go/src/github.com/deislabs/smi-adapter-istio/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:217\ngithub.com/deislabs/smi-adapter-istio/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1\n\t/Users/aleph/go/src/github.com/deislabs/smi-adapter-istio/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:158\ngithub.com/deislabs/smi-adapter-istio/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1\n\t/Users/aleph/go/src/github.com/deislabs/smi-adapter-istio/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133\ngithub.com/deislabs/smi-adapter-istio/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/Users/aleph/go/src/github.com/deislabs/smi-adapter-istio/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:134\ngithub.com/deislabs/smi-adapter-istio/vendor/k8s.io/apimachinery/pkg/util/wait.Until\n\t/Users/aleph/go/src/github.com/deislabs/smi-adapter-istio/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88"}

Hence it is not creating any VirtualService object.

[surajssd]

Again my bad. Yes you are right there is no need to make any changes to the current config.

I still see same errors, trafficsplit is created successfully but VS is not created. Because of the above error that I have mentioned.

[stefanprodan]

Ah I assume you're using Istio 1.1.5 and the mesh gateway got more restrictive.

Use this Canary that doesn't attach the virtual service to the internal mesh:

apiVersion: flagger.app/v1alpha3
kind: Canary
metadata:
  name: podinfo
  namespace: test
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: podinfo
  progressDeadlineSeconds: 60
  autoscalerRef:
    apiVersion: autoscaling/v2beta1
    kind: HorizontalPodAutoscaler
    name: podinfo
  service:
    port: 9898
    gateways:
    - public-gateway.istio-system.svc.cluster.local
    hosts:
    - app.example.com
  canaryAnalysis:
    interval: 15s
    threshold: 15
    maxWeight: 30
    stepWeight: 10
    metrics:
    - name: request-success-rate
      threshold: 99
      interval: 1m
    - name: request-duration
      threshold: 500
      interval: 30s
    webhooks:
      - name: load-test
        url: http://flagger-loadtester.test/
        timeout: 5s
        metadata:
          type: cmd
          cmd: "hey -z 10m -q 10 -c 2 http://podinfo.test:9898/"

[surajssd]

With that canary object it worked fine for me, I was using following:

apiVersion: flagger.app/v1alpha3
kind: Canary
metadata:
  name: podinfo
  namespace: test
spec:
  # deployment reference
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: podinfo
  # the maximum time in seconds for the canary deployment
  # to make progress before it is rollback (default 600s)
  progressDeadlineSeconds: 60
  # HPA reference (optional)
  autoscalerRef:
    apiVersion: autoscaling/v2beta1
    kind: HorizontalPodAutoscaler
    name: podinfo
  service:
    # container port
    port: 9898
    # Istio gateways (optional)
    gateways:
    - public-gateway.istio-system.svc.cluster.local
    - mesh
    # Istio virtual service host names (optional)
    hosts:
    - '*'
  canaryAnalysis:
    # schedule interval (default 60s)
    interval: 1m
    # max number of failed metric checks before rollback
    threshold: 5
    # max traffic percentage routed to canary
    # percentage (0-100)
    maxWeight: 50
    # canary increment step
    # percentage (0-100)
    stepWeight: 10
    metrics:
    - name: request-success-rate
      # minimum req success rate (non 5xx responses)
      # percentage (0-100)
      threshold: 99
      interval: 1m
    - name: request-duration
      # maximum req duration P99
      # milliseconds
      threshold: 500
      interval: 30s
    # generate traffic during analysis
    webhooks:
      - name: load-test
        url: http://flagger-loadtester.test/
        timeout: 5s
        metadata:
          cmd: "hey -z 1m -q 10 -c 2 http://podinfo.test:9898/"

Thanks it seems to work now :-)

[stefanprodan]

Thanks for testing it 🥇