Server wan ports (hashicorp#839)

* Refactor yaml to make port names obvious * Split out server serfwan ports by udp/tcp This is needed because in some cases Kubernetes will refuse udp traffic. * Expose server serf WAN as hostPort When `server.exposeGossipAndRPCPorts` is true, expose server's serf WAN port as a host port on 8302. This is needed for specific cases where serf attempts to use the WAN network because the advertise IP is the host IP and so it will attempt to use hostIP and 8302. This port does not need to be configurable (unlike serf LAN) because clients don't expose a serf WAN port, only servers and so it won't collide with client ports.
duckhan · Feb 23, 2021 · ae54c22 · ae54c22
1 parent b09de16
commit ae54c22
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 16 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,12 @@ IMPROVEMENTS:
 BUG FIXES:
 * Increase Consul client daemonset's memory from `25Mi` to `50Mi` for its `client-tls-init`
   init container that runs when TLS is enabled and auto-encrypt is disabled. [[GH-832](https://github.com/hashicorp/consul-helm/pull/832)]
+* Add UDP port specification for server's serf WAN. Previously there was only one
+  port specification that defaulted to TCP. However in some cases (like when exposing as a host port)
+  UDP traffic would not be routed properly.
+
+  In addition, if `server.exposeGossipAndRPCPorts` is true, expose the WAN port
+  (`8302`) as a host port. [[GH-839](https://github.com/hashicorp/consul-helm/pull/839)]
 
 ## 0.30.0 (Feb 16, 2021)
 

diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
@@ -228,37 +228,47 @@ spec:
             {{- end }}
           ports:
             {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }}
-            - containerPort: 8500
-              name: http
+            - name: http
+              containerPort: 8500
             {{- end }}
             {{- if .Values.global.tls.enabled }}
-            - containerPort: 8501
-              name: https
+            - name: https
+              containerPort: 8501
             {{- end }}
-            - containerPort: {{ .Values.server.ports.serflan.port }}
+            - name: serflan-tcp
+              containerPort: {{ .Values.server.ports.serflan.port }}
               {{- if .Values.server.exposeGossipAndRPCPorts }}
               hostPort: {{ .Values.server.ports.serflan.port }}
               {{- end }}
               protocol: "TCP"
-              name: serflan-tcp
-            - containerPort: {{ .Values.server.ports.serflan.port }}
+            - name: serflan-udp
+              containerPort: {{ .Values.server.ports.serflan.port }}
               {{- if .Values.server.exposeGossipAndRPCPorts }}
               hostPort: {{ .Values.server.ports.serflan.port }}
               {{- end }}
               protocol: "UDP"
-              name: serflan-udp
-            - containerPort: 8302
-              name: serfwan
-            - containerPort: 8300
+            - name: serfwan-tcp
+              containerPort: 8302
+              {{- if .Values.server.exposeGossipAndRPCPorts }}
+              hostPort: 8302
+              {{- end }}
+              protocol: "TCP"
+            - name: serfwan-udp
+              containerPort: 8302
+              {{- if .Values.server.exposeGossipAndRPCPorts }}
+              hostPort: 8302
+              {{- end }}
+              protocol: "UDP"
+            - name: server
+              containerPort: 8300
               {{- if .Values.server.exposeGossipAndRPCPorts }}
               hostPort: 8300
               {{- end }}
-              name: server
-            - containerPort: 8600
-              name: dns-tcp
+            - name: dns-tcp
+              containerPort: 8600
               protocol: "TCP"
-            - containerPort: 8600
-              name: dns-udp
+            - name: dns-udp
+              containerPort: 8600
               protocol: "UDP"
           readinessProbe:
             # NOTE(mitchellh): when our HTTP status endpoints support the

diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
@@ -178,6 +178,14 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].ports[] | select(.name == "serflan-udp")' | yq -r '.hostPort' | tee /dev/stderr)
   [ "${actual}" = "null" ]
 
+  local actual=$(echo "$object" |
+      yq -r '.spec.template.spec.containers[0].ports[] | select(.name == "serfwan-tcp")' | yq -r '.hostPort' | tee /dev/stderr)
+  [ "${actual}" = "null" ]
+
+  local actual=$(echo "$object" |
+      yq -r '.spec.template.spec.containers[0].ports[] | select(.name == "serfwan-udp")' | yq -r '.hostPort' | tee /dev/stderr)
+  [ "${actual}" = "null" ]
+
   # Test that hostPort is not set for rpc ports
   local actual=$(echo "$object" |
       yq -r '.spec.template.spec.containers[0].ports[] | select(.name == "server")' | yq -r '.hostPort' | tee /dev/stderr)
@@ -205,6 +213,14 @@ load _helpers
       yq -r '.spec.template.spec.containers[0].ports[] | select(.name == "serflan-udp")' | yq -r '.hostPort' | tee /dev/stderr)
   [ "${actual}" = "8301" ]
 
+  local actual=$(echo "$object" |
+      yq -r '.spec.template.spec.containers[0].ports[] | select(.name == "serfwan-tcp")' | yq -r '.hostPort' | tee /dev/stderr)
+  [ "${actual}" = "8302" ]
+
+  local actual=$(echo "$object" |
+      yq -r '.spec.template.spec.containers[0].ports[] | select(.name == "serfwan-udp")' | yq -r '.hostPort' | tee /dev/stderr)
+  [ "${actual}" = "8302" ]
+
   # Test that hostPort is set for rpc ports
   local actual=$(echo "$object" |
       yq -r '.spec.template.spec.containers[0].ports[] | select(.name == "server")' | yq -r '.hostPort' | tee /dev/stderr)