Remove legacy stuff in 1.18

kubeflow · Jul 26, 2023 · bbd3c70 · bbd3c70
1 parent a6ddca7
commit bbd3c70
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 35 deletions.
diff --git a/common/istio-1-18/README.md b/common/istio-1-18/README.md
@@ -27,13 +27,12 @@ old version is `X1.Y1.Z1`:
     CustomResource used to describe the Istio Control Plane:
 
         $ cd $ISTIO_NEW
-        $ istioctl profile dump demo > profile.yaml
+        $ istioctl profile dump default > profile.yaml
 
     ---
     **NOTE**
 
-    `istioctl` comes with a bunch of [predefined
-    profiles](https://istio.io/v1.9/docs/setup/additional-setup/config-profiles/)
+    `istioctl` comes with a bunch of [predefined profiles](https://istio.io/latest/docs/setup/additional-setup/config-profiles/)
     (`default`, `demo`, `minimal`, etc.). The `default` profile is installed by default.
 
     ---
@@ -62,43 +61,24 @@ old version is `X1.Y1.Z1`:
     detect default settings. Ensure you have a target cluster ready before running the above commands. 
     We set this flag because `istioctl manifest generate` generates manifest files with resources that are no 
     longer supported in Kubernetes 1.25 (`policy/v1beta1`). See: https://github.com/istio/istio/issues/41220
-
+    
     ---
 
-5. Remove PodDisruptionBudget from `istio-install` and `cluster-local-gateway` kustomizations. 
-   See https://github.com/istio/istio/issues/12602 and https://github.com/istio/istio/issues/24000
-
-   Until now we have used two patches:
-   - `common/istio-1-16/istio-install/base/patches/remove-pdb.yaml`
-   - `common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml`
-
-   The above patches do not work with kustomize v3.2.0 as it doesn't have the appropriate 
-   openapi schemas for the policy/v1 API version resources. This is fixed in kustomize v4+. 
-   See https://github.com/kubernetes-sigs/kustomize/issues/3694#issuecomment-799700607 and
-   https://github.com/kubernetes-sigs/kustomize/issues/4495
-
-   A temporary workaround is to use the following instructions to manually delete the PodDisruptionBudget resources with `yq`: 
-
-        $ yq eval -i 'select((.kind == "PodDisruptionBudget" and .metadata.name == "cluster-local-gateway") | not)' common/istio-1-16/cluster-local-gateway/base/cluster-local-gateway.yaml
-        $ yq eval -i 'select((.kind == "PodDisruptionBudget" and .metadata.name == "istio-ingressgateway") | not)' common/istio-1-16/istio-install/base/install.yaml
-        $ yq eval -i 'select((.kind == "PodDisruptionBudget" and .metadata.name == "istiod") | not)' common/istio-1-16/istio-install/base/install.yaml
-
    ---
    **NOTE**
 
-   NOTE: Make sure to remove a redundant {} at the end of the `common/istio-1-16/istio-install/base/install.yaml` and `common/istio-1-16/cluster-local-gateway/base/cluster-local-gateway.yaml` files.
+   NOTE: Make sure to remove a redundant {} at the end of the `common/istio-1-18/istio-install/base/install.yaml` and `common/istio-1-18/cluster-local-gateway/base/cluster-local-gateway.yaml` files.
 
    ---
 
 ## Changes to Istio's upstream manifests
 
 ### Changes to the upstream IstioOperator profile
 
-Changes to Istio's upstream profile `demo` are the following:
+Changes to Istio's upstream profile `default` are the following:
 
--   Add a `cluster-local-gateway` component for KFServing.
--   Disable the EgressGateway component. We don\'t use it and it adds
-    unnecessary complexity.
+-   Add a `cluster-local-gateway` component for Kserve.
+-   Disable the EgressGateway component. We do not use it and it adds unnecessary complexity.
 
 Those changes are captured in the [profile-overlay.yaml](profile-overlay.yaml)
 file.
@@ -118,3 +98,4 @@ The Istio kustomizations make the following changes:
 - Configure TCP KeepAlives.
 - Disable tracing as it causes DNS breakdown. See:
   https://github.com/istio/istio/issues/29898
+- Set ENABLE_DEBUG_ON_HTTP=false according to https://istio.io/latest/docs/ops/best-practices/security/#control-plane
diff --git a/common/istio-1-18/cluster-local-gateway/base/kustomization.yaml b/common/istio-1-18/cluster-local-gateway/base/kustomization.yaml
@@ -12,7 +12,5 @@ resources:
 - gateway-authorizationpolicy.yaml
 - gateway.yaml
 
-# Disable this patch until we upgrade to kustomize to v4+ 
-# see https://github.com/kubeflow/manifests/issues/2325#issuecomment-1323909056
-# patchesStrategicMerge:
-# - patches/remove-pdb.yaml
+patchesStrategicMerge:
+- patches/remove-pdb.yaml
diff --git a/common/istio-1-18/istio-install/base/kustomization.yaml b/common/istio-1-18/istio-install/base/kustomization.yaml
@@ -14,7 +14,5 @@ patchesStrategicMerge:
 - patches/service.yaml
 - patches/istio-configmap-disable-tracing.yaml
 - patches/disable-debugging.yaml
-# Disable this patch until we upgrade to kustomize to v4+ 
-# see https://github.com/kubeflow/manifests/issues/2325#issuecomment-1323909056
-# - patches/remove-pdb.yaml
+- patches/remove-pdb.yaml
 
diff --git a/common/istio-1-18/istio-install/base/patches/disable-debugging.yaml b/common/istio-1-18/istio-install/base/patches/disable-debugging.yaml
@@ -15,3 +15,4 @@ spec:
       - name: discovery
         env:
         - name: ENABLE_DEBUG_ON_HTTP
+          value: false
diff --git a/common/istio-1-18/profile-overlay.yaml b/common/istio-1-18/profile-overlay.yaml
@@ -8,7 +8,7 @@ spec:
       probes: 3
   components:
     ingressGateways:
-      # Cluster-local gateway for KFServing
+      # Cluster-local gateway for KServe
       - enabled: true
         name: cluster-local-gateway
         # https://github.com/istio/istio/issues/19263#issuecomment-615833092