I think something Istio is missing is static validation of configuration objects. It should be possible to validate at least the syntax of resource definitions in a CI toolchain and without access to a live service mesh.
I know there’s no quick fix right now, but I suspect a lot of people have lost a lot of time debugging indent levels in YAML files, and if there were a path to generate OpenAPI or JSON Schema documents for Istio CRDs, that class of problem could be solved with already existing software.
FYI, we did add istioctl validate -x, which can perform a referential integrity check for Mixer-related CRDs. It performs deep structural and referential validation:
- expression parsing and type checking within conditions
- references to attributes, instances, and handlers are checked in rules
FYI, Kiali has as a goal to help with Istio configuration by providing additional validation.
Especially those semantic aspects that require multiple checks against other Istio or k8s resources (i.e. if I define a Gateway, does that Gateway exist?).
There is a proof of concept here, but it has rotted a bit:
With this model, we can run the same set of validation rules against resources both on the command line and when they are ingested.
Separately, we’re working on streamlining per-resource validation, which will utilize API Server’s CRD validation schema. It should be possible to use the same model on the command line as well, in a consistent manner.
That looks like something I should be able to use right now in my CI pipeline. It provides some istio-related advice on standard k8s resource definitions too, which is great.
I’m assuming I’ll need to pull the istioctl binary out of the istio release tarball for whichever istio release I’m currently running? I don’t see an obvious docker image to run these tests with.
Kiali looks great for online monitoring, and I need to use it more. Thanks for the prompt on that.
I can’t see the Google docs, but that sounds very useful and I look forward to trying it out.
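
Added example, not part of any post in this thread and not istioctl's own code: a minimal offline version of the kind of referential check described above for Mixer rules, run over constructed resources. The resource shapes and the "name.kind" / "name.kind.namespace" reference format are a simplified model assumed for illustration.

```python
# Simplified model of Mixer config objects; constructed sample data, not real manifests.
RESOURCES = [
    {"kind": "stdio", "metadata": {"name": "handler", "namespace": "istio-system"}, "spec": {}},
    {"kind": "logentry", "metadata": {"name": "accesslog", "namespace": "istio-system"}, "spec": {}},
    {"kind": "rule", "metadata": {"name": "stdio-ok", "namespace": "istio-system"},
     "spec": {"actions": [{"handler": "handler.stdio", "instances": ["accesslog.logentry"]}]}},
    {"kind": "rule", "metadata": {"name": "stdio-typo", "namespace": "istio-system"},
     "spec": {"actions": [{"handler": "handlr.stdio",
                           "instances": ["accesslog.logentry", "missing.metric.default"]}]}},
]


def resolve(ref, default_ns):
    """Expand 'name.kind' or 'name.kind.namespace' to a (name, kind, namespace) key."""
    parts = ref.split(".")
    if len(parts) == 2:
        return parts[0], parts[1], default_ns  # short form: assume the rule's namespace
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    return None  # malformed reference


def check_references(resources):
    """Return (rule name, problem) for every dangling or malformed reference in a rule."""
    known = {(r["metadata"]["name"], r["kind"], r["metadata"]["namespace"])
             for r in resources if r["kind"] != "rule"}
    problems = []
    for r in resources:
        if r["kind"] != "rule":
            continue
        ns = r["metadata"]["namespace"]
        for action in r["spec"].get("actions", []):
            refs = [("handler", action.get("handler", ""))]
            refs += [("instance", i) for i in action.get("instances", [])]
            for role, ref in refs:
                target = resolve(ref, ns)
                if target is None:
                    problems.append((r["metadata"]["name"], f"malformed {role} reference {ref!r}"))
                elif target not in known:
                    problems.append((r["metadata"]["name"], f"{role} {ref!r} not found"))
    return problems


if __name__ == "__main__":
    # A CI job would exit non-zero when this list is non-empty.
    for rule, problem in check_references(RESOURCES):
        print(f"{rule}: {problem}")
```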