use friendlier defaults for egress and permissive mode

Signed-off-by: Sean Teeling <[email protected]>

Author: steeling

.env.example

@@ -55,6 +55,10 @@ export BOOKWAREHOUSE_NAMESPACE=bookwarehouse
 # Default: acr-creds
 # export CTR_REGISTRY_CREDS_NAME=acr-creds
 
+# optional: Whether to disable permissive mode, defaults to true.
+# Default: true
+# export PERMISSIVE_MODE=false
+
 # optional: A tag for the containers used to version the container images in the registry
 # Default: latest
 # export CTR_TAG=latest

.github/workflows/main.yml

@@ -300,6 +300,7 @@ jobs:
           BOOKTHIEF_EXPECTED_RESPONSE_CODE: "0"
           ENABLE_EGRESS: "false"
           ENABLE_RECONCILER: "false"
+          PERMISSIVE_MODE: "false"
           DEPLOY_TRAFFIC_SPLIT: "true"
           CTR_TAG: ${{ github.sha }}
           USE_PRIVATE_REGISTRY: "false"

charts/osm/README.md

@@ -77,9 +77,9 @@ The following table lists the configurable parameters of the osm chart and their
 | osm.deployJaeger | bool | `false` | Deploy Jaeger during OSM installation |
 | osm.deployPrometheus | bool | `false` | Deploy Prometheus with OSM installation |
 | osm.enableDebugServer | bool | `false` | Enable the debug HTTP server on OSM controller |
-| osm.enableEgress | bool | `false` | Enable egress in the mesh |
+| osm.enableEgress | bool | `true` | Enable egress in the mesh |
 | osm.enableFluentbit | bool | `false` | Enable Fluent Bit sidecar deployment on OSM controller's pod |
-| osm.enablePermissiveTrafficPolicy | bool | `false` | Enable permissive traffic policy mode |
+| osm.enablePermissiveTrafficPolicy | bool | `true` | Enable permissive traffic policy mode |
 | osm.enablePrivilegedInitContainer | bool | `false` | Run init container in privileged mode |
 | osm.enableReconciler | bool | `false` | Enable reconciler for OSM's CRDs and mutating webhook |
 | osm.enforceSingleMesh | bool | `true` | Enforce only deploying one mesh in the cluster |

charts/osm/values.yaml

@@ -168,10 +168,10 @@ osm:
   enableDebugServer: false
 
   # -- Enable permissive traffic policy mode
-  enablePermissiveTrafficPolicy: false
+  enablePermissiveTrafficPolicy: true
 
   # -- Enable egress in the mesh
-  enableEgress: false
+  enableEgress: true
 
   # -- Enable reconciler for OSM's CRDs and mutating webhook
   enableReconciler: false

demo/run-osm-demo.sh

@@ -21,6 +21,7 @@ BOOKBUYER_NAMESPACE="${BOOKBUYER_NAMESPACE:-bookbuyer}"
 BOOKSTORE_NAMESPACE="${BOOKSTORE_NAMESPACE:-bookstore}"
 BOOKTHIEF_NAMESPACE="${BOOKTHIEF_NAMESPACE:-bookthief}"
 BOOKWAREHOUSE_NAMESPACE="${BOOKWAREHOUSE_NAMESPACE:-bookwarehouse}"
+PERMISSIVE_MODE="${PERMISSIVE_MODE:-true}"
 CERT_MANAGER="${CERT_MANAGER:-tresor}"
 CTR_REGISTRY="${CTR_REGISTRY:-localhost:5000}"
 CTR_REGISTRY_CREDS_NAME="${CTR_REGISTRY_CREDS_NAME:-acr-creds}"
@@ -102,6 +103,7 @@ if [ "$CERT_MANAGER" = "vault" ]; then
       --osm-namespace "$K8S_NAMESPACE" \
       --verbose \
       --mesh-name "$MESH_NAME" \
+      --set=osm.enablePermissiveTrafficPolicy="$PERMISSIVE_MODE" \
       --set=osm.certificateProvider.kind="$CERT_MANAGER" \
       --set=osm.vault.host="$VAULT_HOST" \
       --set=osm.vault.token="$VAULT_TOKEN" \
@@ -130,6 +132,7 @@ else
       --osm-namespace "$K8S_NAMESPACE" \
       --verbose \
       --mesh-name "$MESH_NAME" \
+      --set=osm.enablePermissiveTrafficPolicy="$PERMISSIVE_MODE" \
       --set=osm.certificateProvider.kind="$CERT_MANAGER" \
       --set=osm.image.registry="$CTR_REGISTRY" \
       --set=osm.imagePullSecrets[0].name="$CTR_REGISTRY_CREDS_NAME" \

tests/e2e/e2e_helm_install_test.go

@@ -30,8 +30,8 @@ var _ = OSMDescribe("Test osm control plane installation with Helm",
 
 				// validate osm MeshConfig
 				spec := meshConfig.Spec
-				Expect(spec.Traffic.EnablePermissiveTrafficPolicyMode).To(BeFalse())
-				Expect(spec.Traffic.EnableEgress).To(BeFalse())
+				Expect(spec.Traffic.EnablePermissiveTrafficPolicyMode).To(BeTrue())
+				Expect(spec.Traffic.EnableEgress).To(BeTrue())
 				Expect(spec.Sidecar.LogLevel).To(Equal("error"))
 				Expect(spec.Observability.EnableDebugServer).To(BeFalse())
 				Expect(spec.Observability.Tracing.Enable).To(BeFalse())