DoD-Platform-One / bigbang

BigBang the product
https://repo1.dso.mil/big-bang/bigbang
Apache License 2.0

Istiod does not deploy on latest release when using TID (enterprise) #30

Closed p1-repo-sync-bot[bot] closed 8 months ago

p1-repo-sync-bot[bot] commented 8 months ago

See MR where this is shown happening in CI: https://repo1.dso.mil/big-bang/bigbang/-/merge_requests/3749

Locally it seemed like the issue was istiod getting blocked by kyverno policies for non-root group and this is captured in the events as well - https://repo1.dso.mil/big-bang/bigbang/-/jobs/30819829/artifacts/file/events.txt

I haven't identified the exact issue, but it looks like TID is one minor version ahead of the upstream/default Istio (1.20 vs. 1.19). I couldn't find any release notes indicating a change in this minor version, but it's a bit hard to identify changes in the operator since it's less supported now.

Maybe this is a separate issue but I don't believe that TID/enterprise is tested in any of the pipelines, which seems problematic?

p1-repo-sync-bot[bot] commented 8 months ago

montgomery.marcus commented:

It looks like for some reason when enterprise is enabled, the pilot pod no longer runs as UID and GID 1337, as it should. We're looking into it.

p1-repo-sync-bot[bot] commented 8 months ago

stas commented:

Upstream Istio explicitly sets the user to 1337 in the Dockerfile.

Created an MR to make the FIPS image consistent with upstream: https://repo1.dso.mil/dsop/tetrate/istio/1.20/pilot/-/merge_requests/28

p1-repo-sync-bot[bot] commented 8 months ago

michaelmartin commented:

In addition to the Docker fix from @stas, we can enforce the user/group with the changes done here: https://repo1.dso.mil/big-bang/product/packages/istio-controlplane/-/merge_requests/203 . These changes don't require the Docker image to change, but changing the values in the Docker images is fine too, and it is a good practice to have the uid/gid values align.
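The two fixes in this thread (setting USER in the pilot Dockerfile, and setting runAsUser/runAsGroup in the chart values) address the same failure mode from different layers. The script below is an added example, not Big Bang, Istio or Kyverno code: it models how a container's effective UID/GID is resolved (container securityContext over pod securityContext over image USER over root), shows that an image with no USER instruction and no securityContext resolves to 0:0, and applies a hypothetical non-root rule to it. The image names, the `IMAGE_USER` table and the `non_root_violations` rule are all constructed for the example; the rule is a stand-in for the non-root group policy mentioned above, not the real Kyverno policy.

```python
"""Added example (not Big Bang, Istio or Kyverno code): model how a
Kubernetes container's effective UID/GID is resolved and why an image
without a USER instruction trips a "non-root" admission policy.

Precedence modelled, highest first:
  container.securityContext -> pod.securityContext -> image USER -> 0:0
"""
from typing import Dict, List, Optional, Tuple

SecurityContext = Dict[str, int]

# Constructed image metadata: the Dockerfile USER value as `docker inspect`
# would report it. The image names are assumptions made for this example.
IMAGE_USER: Dict[str, Optional[str]] = {
    "example.invalid/pilot:upstream": "1337:1337",     # assumption: USER set explicitly
    "example.invalid/pilot:fips-before": None,         # assumption: USER omitted
    "example.invalid/pilot:fips-after": "1337:1337",   # after a Dockerfile fix
}


def image_ids(user: Optional[str]) -> Tuple[int, int]:
    """Translate a Dockerfile USER value into (uid, gid).

    Assumption: only numeric forms are handled ("1337" or "1337:1337").
    A USER without a group part is treated as gid 0, which is what a uid
    with no /etc/passwd entry in the image gets. No USER at all is root.
    """
    if not user:
        return 0, 0
    parts = user.split(":")
    uid = int(parts[0])
    gid = int(parts[1]) if len(parts) > 1 else 0
    return uid, gid


def effective_ids(pod_sc: SecurityContext, container_sc: SecurityContext,
                  image_user: Optional[str]) -> Tuple[int, int]:
    """Layer pod-level, then container-level, securityContext over the image USER."""
    uid, gid = image_ids(image_user)
    for sc in (pod_sc, container_sc):  # later entries override earlier ones
        if sc.get("runAsUser") is not None:
            uid = sc["runAsUser"]
        if sc.get("runAsGroup") is not None:
            gid = sc["runAsGroup"]
    return uid, gid


def non_root_violations(pod: dict) -> List[str]:
    """Hypothetical admission rule: every container must resolve to a non-zero
    uid AND a non-zero gid. Returns one message per failing container."""
    pod_sc = pod["spec"].get("securityContext", {})
    problems = []
    for c in pod["spec"]["containers"]:
        uid, gid = effective_ids(pod_sc, c.get("securityContext", {}),
                                 IMAGE_USER.get(c["image"]))
        if uid == 0 or gid == 0:
            problems.append(
                f"{pod['metadata']['name']}/{c['name']}: would run as {uid}:{gid}")
    return problems


def make_pilot_pod(image: str, pod_sc: Optional[SecurityContext] = None,
                   container_sc: Optional[SecurityContext] = None) -> dict:
    """Constructed minimal istiod-style pod; not the real Istio manifest."""
    pod = {"metadata": {"name": "istiod"},
           "spec": {"containers": [{"name": "discovery", "image": image}]}}
    if pod_sc:
        pod["spec"]["securityContext"] = pod_sc
    if container_sc:
        pod["spec"]["containers"][0]["securityContext"] = container_sc
    return pod


def demo() -> Dict[str, List[str]]:
    """Run the rule over the four situations discussed in the thread."""
    ids = {"runAsUser": 1337, "runAsGroup": 1337}
    return {
        "upstream": non_root_violations(make_pilot_pod("example.invalid/pilot:upstream")),
        "fips_before": non_root_violations(make_pilot_pod("example.invalid/pilot:fips-before")),
        "fips_dockerfile_fix": non_root_violations(make_pilot_pod("example.invalid/pilot:fips-after")),
        "fips_values_fix": non_root_violations(
            make_pilot_pod("example.invalid/pilot:fips-before", container_sc=ids)),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {'OK' if not problems else problems}")
```

Only the `fips_before` case fails: neither the image nor the pod spec says who the process runs as, so it resolves to root and the rule rejects it. Either fix alone makes it pass, which is why the thread treats them as independent; setting both keeps the chart honest if the image is ever rebuilt without the USER line. To check a real image rather than this model, `docker inspect --format '{{.Config.User}}' <image>` prints the USER value the image declares (empty means root).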

p1-repo-sync-bot[bot] commented 8 months ago

Issue 'Istiod does not deploy on latest release when using TID (enterprise)' closed from GitLab side

p1-repo-sync-bot[bot] commented 8 months ago

michaelmartin commented:

I think we can close this out. With the docker fix and bb fixes, we should be good.

Issue https://repo1.dso.mil/big-bang/bigbang/-/issues/1927 was created, so we can work to get some testing with Tetrate enterprise enabled