Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NET-10763 - Allow DNS Proxy to configured with an ACL token when manageSystemACLs is false #4300

Merged
merged 10 commits into from
Sep 4, 2024
Merged

NET-10763 - Allow DNS Proxy to configured with an ACL token when manageSystemACLs is false #4300

merged 10 commits into from
Sep 4, 2024

Conversation

jmurret
Copy link
Member

@jmurret jmurret commented Sep 3, 2024
edited
Loading

Changes proposed in this PR

  • add the ability for users to set the ACL token on dns-proxy similiar to how catalog sync exposes the ability to set the ACL token in a secret

How I've tested this PR

CI & unit tests

How I expect reviewers to test this PR

👀

Checklist

@jmurret jmurret added the pr/no-backport signals that a PR will not contain a backport label label Sep 3, 2024
jmurret
jmurret commented Sep 3, 2024
View reviewed changes
charts/consul/templates/dns-proxy-deployment.yaml
@@ -1,5 +1,4 @@
{{- if (or (and (ne (.Values.dns.proxy.enabled | toString) "-") .Values.dns.proxy.enabled) (and (eq (.Values.dns.proxy.enabled | toString) "-") .Values.global.enabled)) }}
{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should not have been a requirement.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we have the opposite requirement? Is dns-proxy safe to use with connect-inject enabled?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't think of any reason why it would be unsafe. I think ultimately services would use the local dataplane or agent, but I can't think of a reason why it would be unsafe and require us to prevent it being configured.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The only scenario I can think of where I'm not sure is with tproxy on. I'm not sure how we handle DNS in that case and if it's even allowed to resolve DNS at all because all traffic will be handled through envoy and virtual ips but yes probably not a big deal.

dhiaayachi
dhiaayachi requested changes Sep 3, 2024
View reviewed changes
Copy link
Collaborator

@dhiaayachi dhiaayachi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jmurret Thank you for adding this. I had a question about the deployment requirement and a suggestion to document the type of permission the token needed.

charts/consul/templates/dns-proxy-deployment.yaml
@@ -1,5 +1,4 @@
{{- if (or (and (ne (.Values.dns.proxy.enabled | toString) "-") .Values.dns.proxy.enabled) (and (eq (.Values.dns.proxy.enabled | toString) "-") .Values.global.enabled)) }}
{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we have the opposite requirement? Is dns-proxy safe to use with connect-inject enabled?

charts/consul/values.yaml Outdated
Comment on lines 1928 to 1930
# Refers to a Kubernetes secret that you have created that contains
# an ACL token for your Consul cluster which allows the dns proxy the correct
# permissions. This is only needed if ACLs are managed manually within the Consul cluster, i.e. `global.acls.manageSystemACLs` is `false`.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we can add what are the correct permissions that dns-proxy needs in that case?

@jmurret jmurret marked this pull request as ready for review September 3, 2024 20:34
@jmurret jmurret requested a review from a team as a code owner September 3, 2024 20:34
dhiaayachi
dhiaayachi approved these changes Sep 3, 2024
View reviewed changes
Copy link
Collaborator

@dhiaayachi dhiaayachi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

boruszak
boruszak reviewed Sep 3, 2024
View reviewed changes
charts/consul/values.yaml Outdated Show resolved Hide resolved
boruszak
boruszak approved these changes Sep 3, 2024
View reviewed changes
Copy link
Contributor

@boruszak boruszak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestions to align the description in the Helm chart that is used for the documentation.

Approving so you're not blocked. Please let me know if you have any questions or need any additional review.

@jmurret @boruszak
Update charts/consul/values.yaml
bc4e1fc 
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
@jmurret jmurret enabled auto-merge (squash) September 4, 2024 01:11
@jmurret jmurret merged commit fad1df0 into main Sep 4, 2024
50 checks passed
@jmurret jmurret deleted the jm/NET-10763 branch September 4, 2024 03:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dhiaayachi dhiaayachi dhiaayachi approved these changes

@boruszak boruszak boruszak approved these changes

Assignees
No one assigned
Labels
pr/no-backport signals that a PR will not contain a backport label
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jmurret @dhiaayachi @boruszak