Posted to commits@camel.apache.org by "pierDipi (via GitHub)" <gi...@apache.org> on 2023/05/09 08:26:43 UTC

[GitHub] [camel-k] pierDipi opened a new issue, #4347: Support for Istio sidecar injection for Kamelets data plane

pierDipi opened a new issue, #4347:
URL: https://github.com/apache/camel-k/issues/4347

   I have a use case where I want to use Istio to enforce mTLS communication between Kamelets and other workloads (Knative Eventing components, etc.) in an OpenShift cluster and I've not found a way to add Istio injection annotations to a given Kamelet data plane (i.e. `sidecar.istio.io/inject: true`).
   
   In Istio, there is an option to inject sidecars into every pod in a given namespace (see https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy), however:
   - [that's not supported by OpenShift Service Mesh](https://docs.openshift.com/container-platform/4.11/service_mesh/v2x/ossm-vs-community.html#ossm-automatic-injection_ossm-vs-istio)
   - namespace-level injection is sometimes not desirable since that impacts other workloads of a given namespace
   
   Therefore I need a way to add the `sidecar.istio.io/inject: true` annotation to a given Kamelet Source and Sink data plane.
   
   Is there any existing way to achieve this?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@camel.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [camel-k] lburgazzoli commented on issue #4347: Support for Istio sidecar injection for Kamelets data plane

Posted by "lburgazzoli (via GitHub)" <gi...@apache.org>.
lburgazzoli commented on issue #4347:
URL: https://github.com/apache/camel-k/issues/4347#issuecomment-1539775521

   It should be possible to add the annotation with something like this:
   
   ```yaml
   apiVersion: camel.apache.org/v1alpha1
   kind: KameletBinding
   metadata:
     name: telegram-text-source-to-channel
     annotations:
         # istio (annotation values must be strings, so the boolean is quoted)
         sidecar.istio.io/inject: "true"
         # instruct camel-k to propagate the annotation to children
         trait.camel.apache.org/owner.target-annotations: '[ "sidecar.istio.io/inject" ]'
   spec:
     source:
       ref:
         kind: Kamelet
         apiVersion: camel.apache.org/v1alpha1
         name: telegram-text-source
       properties:
         botToken: the-token-here
     sink: 
       ref:
         kind: InMemoryChannel
         apiVersion: messaging.knative.dev/v1
         name: messages
   ```
   
   However, camel-k would leverage i.e. Knative sink binding to get the actual endpoint to invoke, so this would only work if the injected URL is "sidecar" aware.
   
   We could also think about adding some native support for istio/service-mesh in camel-k.




[GitHub] [camel-k] lburgazzoli commented on issue #4347: Support for Istio sidecar injection for Kamelets data plane

Posted by "lburgazzoli (via GitHub)" <gi...@apache.org>.
lburgazzoli commented on issue #4347:
URL: https://github.com/apache/camel-k/issues/4347#issuecomment-1539775917

   /cc @christophd 




[GitHub] [camel-k] github-actions[bot] commented on issue #4347: Support for Istio sidecar injection for Kamelets data plane

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on issue #4347:
URL: https://github.com/apache/camel-k/issues/4347#issuecomment-1672351928

   This issue has been automatically marked as stale due to 90 days of inactivity.
   It will be closed if no further activity occurs within 15 days.
   If you think that’s incorrect or the issue should never stale, please simply write any comment.
   Thanks for your contributions!




[GitHub] [camel-k] pierDipi commented on issue #4347: Support for Istio sidecar injection for Kamelets data plane

Posted by "pierDipi (via GitHub)" <gi...@apache.org>.
pierDipi commented on issue #4347:
URL: https://github.com/apache/camel-k/issues/4347#issuecomment-1541564607

   Hi @christophd, the way the Istio proxy works is that when the application, in this case the Kamelet data plane, connects to external systems or gets new requests from external systems, it intercepts the traffic and applies some logic based on how it is configured.
   
   For example, when the Kamelet data plane tries to send events to the injected `K_SINK` URL using HTTP (as you're currently doing), depending on how Istio is configured, it will automatically establish an mTLS connection to the `K_SINK` URL pod.
   
   In practice this means that most Kamelets will continue to have injected the same `K_SINK` env variable they are using today and Istio will automatically handle the rest, which means that the `K_SINK` URL _won't_ point to the localhost of the sidecar but it will point to the actual sink URL (just like currently).
   
   ---
   
   Given the above, the challenge is when connecting to systems that are not part of the mesh, for example, using the example above for telegram (https://github.com/apache/camel-k/issues/4347#issuecomment-1539775521), the Kamelet data plane might need to be configured in a way that Istio knows how to:
   - connect to telegram 
   - connect to the sink
   
   In our case, Istio knows how to connect to the sink because it's part of the service mesh, but it doesn't (always) know how to connect to telegram so it might need to be configured in a way that allows the Kamelet data plane to connect to telegram, for example using https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/
   
   While this second problem exists and the solution really depends on the specific Kamelet, given the Kamelet nature of connecting different systems, I see the proxy injection as the first problem to solve.
   
   This second problem also highlights the level of effort for implementing @lburgazzoli's point:
   > We could also think to add some native support for istio/service-mesh in camel-k
   
   since an ideal native integration would require not only the proxy injection but also creating additional Istio resources based on the specific Kamelet.
   
   Hope this helps!
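
An added example, not part of the original comment or of camel-k: Istio resources covering the two concerns described above, mTLS to in-mesh peers such as the sink and explicit egress to Telegram. The namespace `kamelet-demo`, the host `api.telegram.org`, the pod label used in the selector and the `knative-eventing` namespace for the sink dispatcher are assumptions.

```yaml
# Require mTLS for every sidecar-injected workload in the namespace
# (namespace name is an assumption).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: kamelet-demo
spec:
  mtls:
    mode: STRICT
---
# Register the external Telegram API so the proxy can route to it.
# The host is an assumption; use whatever endpoint the Kamelet calls.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: telegram-api
  namespace: kamelet-demo
spec:
  hosts:
    - api.telegram.org
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
    - number: 443
      name: tls
      protocol: TLS
---
# Restrict only the Kamelet pods to registered destinations, leaving
# other workloads in the namespace untouched.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: telegram-source-egress
  namespace: kamelet-demo
spec:
  workloadSelector:
    labels:
      # Assumption: label carried by the integration pods.
      camel.apache.org/integration: telegram-text-source-to-channel
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  egress:
    - hosts:
        - "./*"                 # same namespace, including the ServiceEntry
        - "istio-system/*"
        - "knative-eventing/*"  # assumption: where the sink dispatcher runs
```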




[GitHub] [camel-k] christophd commented on issue #4347: Support for Istio sidecar injection for Kamelets data plane

Posted by "christophd (via GitHub)" <gi...@apache.org>.
christophd commented on issue #4347:
URL: https://github.com/apache/camel-k/issues/4347#issuecomment-1540068067

   Sorry, I need some more details so please bear with me asking some questions on this.
   
   Is this supposed to be working only in combination with SinkBinding and is K_SINK also being injected when the communication goes through the injected sidecar? If so is K_SINK then pointing to the pod local URL of the sidecar?




[GitHub] [camel-k] github-actions[bot] closed issue #4347: Support for Istio sidecar injection for Kamelets data plane

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] closed issue #4347: Support for Istio sidecar injection for Kamelets data plane
URL: https://github.com/apache/camel-k/issues/4347

