Ambassador: Ingress to Mapping "best effort" conversion tooling

Created on 21 Oct 2020  路  9Comments  路  Source: datawire/ambassador

Please describe your use case / problem.

I have several large clusters and dozens of applications (deployed with Helm) where Ingress is heavily used and Traefik is the default ingress controller.

I would like to convert these clusters and their applications to Ambassador as the default to leverage the speed improvements of Envoy and utilize the Mapping API for its robustness.

I need to minimize the upfront time it takes to migrate my apps and clusters and automate as much of the process as possible so that I can easily do this for my existing apps and any future apps I inherit.

Describe the solution you'd like

Right now I'm considering that a ingress to mapping conversion tool in the form of a Go library and accompanying CLI could be a good fit.

Since Mapping is very different from Ingress and exists _because Ingress doesn't have the same features_ it's understood that inherently not all Ingress resources will actually convert cleanly to Mapping. It is understood that this tool would be "best effort" and may either need to be flagged to allow for imperfect conversions and/or error out when the conversion can't be done cleanly.

This would be helpful for automating the procedure and adding tests to cover converted apps.

Describe alternatives you've considered

I've considered doing the conversion by hand which wouldn't be a big deal except that I expect to receive more apps and have to repeat this process continually over the coming years.

Additional context

At the time of writing this originally I'm not sure this is the best approach, I'm _very_ open to alternative suggestions.

stale

Most helpful comment

@shaneutt Since you mention Traefik, one challenge that you might have to face is converting those annotations to proper mapping configuration

All 9 comments

FWIW I think that this would be a great addition to the Ambassador toolkit, and I'm fine with doing it in Go. cmd/ingress2mapping maybe?

I'd cast a vote for the tool at least having a mode where you could run it offline:

kubectl get ingress -o yaml | ingress2mapping > mappings.yaml

so that the user could look at the Mappings before applying them...

FWIW I think that this would be a great addition to the Ambassador toolkit, and I'm fine with doing it in Go. cmd/ingress2mapping maybe?

I'd cast a vote for the tool at least having a mode where you could run it offline:

kubectl get ingress -o yaml | ingress2mapping > mappings.yaml

so that the user could look at the Mappings before applying them...

That makes sense to me :+1: that's essentially what I had in mind with the accompanying CLI portion of the idea, and I can see that being very generally useful.

@kflynn do you have any general guidance to provide on how this should be implemented, maybe in particular any rough edges you would anticipate?

@shaneutt, One thing I've discovered with Ingresses is that they are very namespace-restrictive. I think any kind of conversion tool should make sure that all generated config remains in and references the same namespace that the Ingress is set to be part of to make sure the resulting config exactly mimics the behavior of the Ingress.

Another thing is that I believe Ambassador already translates Ingress to Mapping+Host internally, so I think that type of code exists somewhere, @kflynn will probably be able to give you better guidance on where that code lives though.

@shaneutt I think that @cakuros' commentary above is spot on. Namespaces matter: in particular, an Ingress in namespace foo _must_ interpret an unqualified service as service.foo, not service.default (can't tell you how many times that bug has slipped into the first rev of a PR here 馃槀 ), and keeping things in the same namespace is definitely critical too.

ambassador_id might trip you. You'll likely need to allow that to be set for the tool.

The existing Ingress translation code happens in python/ambassador/fetch/fetcher.py -- look for the handle_k8s_ingress method. (This is _very_ early in processing -- we actually translate the Ingress resource at the point of reading it from K8s, rather than later. That mostly has to do with the initial implementor finding it convenient. 馃檪 )

Yell if anything is confusing!

Thank you @cakuros and @kflynn for the prep!

@shaneutt Since you mention Traefik, one challenge that you might have to face is converting those annotations to proper mapping configuration

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Due to changes in my work I no longer require this so I think it's fair to close it and if someone else wants it they can re-open it.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

riker09 picture riker09  路  4Comments

psychonetic picture psychonetic  路  6Comments

ngrigoriev picture ngrigoriev  路  3Comments

josephglanville picture josephglanville  路  3Comments

klarose picture klarose  路  5Comments