Documentation for custom control plane installation is poor #73

Closed
ghost opened this issue Dec 24, 2019 · 9 comments

ghost commented Dec 24, 2019

Describe the bug
{{ Documentation for custom control plane installation is really poor.

Eg.

  1. How to change Istio ingress gateway controller service type to LoadBalancer is not described

  2. How to enable SDS (Secret Discovery Service) not provided

  3. No mention of istioctl support

  4. How to disable 3scale not described

  5. Can u provide a full options YAML with comments on each option?

}}

Expected behavior
{{ Less trial and error installation experience }}

Steps to reproduce the bug
{{ Creating an ELB load balancer based ingress gateway. Creating SDS based TLS configuration for ingress gateway }}

Version
{{ 4.2.7 OpenShift on AWS IPI, Maistra v 1.0.3 }}

Installation
{{ operator based installation of Red Hat OpenShift service mesh control plane }}

Environment
{{ sandbox on AWS? }}

Cluster state
{{ If you're running on Kubernetes, consider following the
instructions

to generate "istio-dump.tar.gz", then attach it here by dragging and dropping
the file onto this issue. }}

dgn pushed a commit to dgn/istio-maistra that referenced this issue Jan 28, 2020
Description: fix issue#61
Signed-off-by: Xinnan Wen <iamwen@google.com>
dgn pushed a commit to dgn/istio-maistra that referenced this issue Jan 28, 2020
* Cleanup and unit tests for util package

* Review comments
@brian-avery
Contributor

Thanks for this issue. To answer these:

How to change Istio ingress gateway controller service type to LoadBalancer is not described
I'm not sure if we support this as we use route instead of ingress gateway. Let me look into it.

How to enable SDS (Secret Discovery Service) not provided
We do not support SDS with Maistra/ServiceMesh.

No mention of istioctl support
We do not support istioctl with Maistra/Servicemesh although it should be compatible.

How to disable 3scale not described
This is described in the 3scale section under enabled.

Can u provide a full options YAML with comments on each option?
We can look into doing this. I've created https://issues.redhat.com/browse/MAISTRA-1467 to track this.

Thanks for the issue. Overall, I think that we can better clarify when we decide not to support an Istio feature.

@oleksandrsemak

Hey @brian-avery, so if you use multiple domains with multiple TLS certs, do I have to create multiple service mesh control planes? As SDS is not supported in the current version, do you have a plan to enable it by default like in Istio 1.5?

@brian-avery
Contributor

Hi @alexandrsemak

We plan to enable SDS by default for Maistra 2.0.

@oleksandrsemak

@brian-avery cool, do you have an ETA for when it would be available for openshift-operator?

@nicop311

nicop311 commented Oct 15, 2020

Hi everyone,
I think in Istio, Maistra and Red Hat Service Mesh alike, there is a lack of information about how to expose your microservices over TLS to the external world thanks to service mesh.

Secret Discovery Service for Maistra/RHSM

On the topic of Secret Discovery Service (SDS), TLS and Service Mesh, I saw that OpenShift 4.6 and the Maistra/Red Hat Service Mesh Operator v2.0 will introduce this feature of managing TLS certificates through SDS instead of relying only on Kubernetes Secrets.

Sources:

  1. Video at 44min [What's New] OpenShift 4.6 [Oct-2020].
  2. Slides no. 41, 43, 44, 46.

Improving the doc by improving the examples?

However, I agree with the title of this issue "Documentation for custom control plane installation is poor".

I try to share my personal experience in the following gist, an issue while exposing the Bookinfo example with HTTPS TLS: I do not know how to find the recipe to make this work. It might be an issue with pure Istio as well.

I look forward to seeing an example with SDS as soon as it is released :-).

Here are some other issues related to the Maistra documentation:

@oleksandrsemak

@nicop311 You can do TLS termination on the Route side and then send the request to istio-ingressgateway:

spec:
  host: HOST
  path: /
  port:
    targetPort: http2
  tls:
    certificate: |-
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
    insecureEdgeTerminationPolicy: Redirect
    key: |-
      -----BEGIN RSA PRIVATE KEY-----
      -----END RSA PRIVATE KEY-----
    termination: edge
  to:
    kind: Service
    name: istio-ingressgateway
    weight: 100

Anyway, SDS makes it work much more easily, especially with multiple TLS.

@brian-avery
Contributor

@rcernich or @knrc might be able to respond as far as timing for the 2.0 release.

@knrc

knrc commented Oct 19, 2020

@alexandrsemak We don't publish specific dates for product releases, however it should be released within the next month or sooner.

For 1.1 there are a few possible configurations which can currently be used; you should not need to create multiple control planes:

  • termination at the haproxy using the routes (as you described)
  • using one ingressgateway for each certificate with the ingressgateway terminating the TLS connection.
  • creating a passthrough route to the ingressgateway and passthrough to the application, with the application deployment then terminating the TLS connection

SDS should enable a single ingressgateway to support multiple certificates.
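
The single-gateway, multi-certificate setup described above, as an added example that is not part of the original thread or the Maistra project's documentation. It assumes a release with SDS enabled on the ingress gateway; the hostnames, namespace, Secret names and the Service port name are constructed placeholders.

```yaml
# Added example (not from the thread). Hostnames, namespace and Secret names are
# constructed placeholders. Assumes SDS is enabled on the ingress gateway and each
# credentialName is a kubernetes.io/tls Secret in the gateway's own namespace.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: multi-cert-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port: {number: 443, name: https-shop, protocol: HTTPS}
    hosts: ["shop.example.com"]
    tls:
      mode: SIMPLE                      # gateway terminates TLS
      credentialName: shop-example-com-tls
  - port: {number: 443, name: https-api, protocol: HTTPS}
    hosts: ["api.example.com"]
    tls:
      mode: SIMPLE
      credentialName: api-example-com-tls
---
# Passthrough Route: the OpenShift router forwards by SNI without decrypting, so
# traffic stays encrypted up to the gateway (edge termination would forward plain
# HTTP from the router to the gateway). One such Route is needed per hostname.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: shop-passthrough
  namespace: istio-system
spec:
  host: shop.example.com
  port:
    targetPort: https                   # assumed name of the gateway Service's 443 port
  tls:
    termination: passthrough
    insecureEdgeTerminationPolicy: Redirect
  to:
    kind: Service
    name: istio-ingressgateway
    weight: 100
```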

@dgn
Contributor

dgn commented Jan 19, 2021

Closing this as we don't use GitHub issues. If you encounter a bug, please file an issue on our Red Hat JIRA.

@dgn dgn closed this as completed Jan 19, 2021