Remove tight coupling to ISTIO and api-gateway module (e.g. switch to Warning state when Istio module is missing) #160
Comments
This is a complicated topic, and we intentionally decided to go this way and reuse the kyma-gateway certificate in the application-connector Istio gateway in order to enable MTL. And this approach was agreed by Goats and PB as far as I remember. If they want us to stop using that, it might have a lot of consequences, and would require us to migrate ALL Kyma clusters to new certificates, and ALL connected applications might also be affected. It is a big risk and I don't want to start working on this task without some research. Possible solutions:

@pbochynski: any objections to establishing the API-Gateway module as a mandatory prerequisite for the Application-Connector module? A cleaner approach is to use a dedicated certificate, but the effort for the migration is quite high and we have to verify how it collaborates with the Compass Directory. This will require additional analysis.

A diagram is required showing the different scenarios:

The fix will require modularising the Compass Runtime Agent (move to ACM). Currently, the issue is not solvable in a meaningful way. This incident is blocked by #114

See also #90 - could be related to this change!

We agreed to split this task in two phases:
Phase 1:
Phase 2:

Identified solution COULD be related to kyma-project/compass-manager#188 (has to be checked if Compass Runtime Agent is really using API-gateway module, respectively the
Description
The application connector is currently reusing the certificate from the default gateway which leads to a tight coupling between the application connector and the api-gateway module.
As we have no mandatory modules in Kyma anymore, such coupling is not allowed and can lead to operational incidents if customers are not using the ISTIO / api-gateway modules from Kyma.
This is a high risk in regards to our operational robustness and we have to remove this dependency asap.
See example manifest from `application-connector` gateway and the used certificate secret:
We have to agree on a different mechanism and avoid using the default-gateway certificate in the `application-connector` module:
`application-connector-gateway-certificate`) and no longer use the one from the `api-gateway`
Options for solving this requirement are:
`cert-manager` for creating our own certificate (this option needs to be verified and feasibility confirmed)
AC:
Reason
No dependencies to other modules as it's colliding with the technical agreements we made for Kyma modules.