Multiport #1012
Multiport #1012
Conversation
ndhanushkodi
force-pushed
the
multiport
branch
from
3a31667 to
5646627
Compare
| @@ -16,8 +16,6 @@ import ( | |||
| "k8s.io/apimachinery/pkg/util/yaml" | |||
| ) | |||
|
|
|||
There was a problem hiding this comment.
Changed the function signature for CheckStaticServer* to allow passing in an app which is the app you're connecting from, and an expectedSuccessOutput which is the expected message back from the server. I needed to be able to make connections from the multiport app and not just static client, and each of the multiport services had a different success output.
There was a problem hiding this comment.
Could we add this note to a comment for this function(s)🙏
| @@ -19,6 +19,7 @@ import ( | |||
|
|
|||
| const staticClientName = "static-client" | |||
There was a problem hiding this comment.
This file is function signature changes
| @@ -177,9 +177,9 @@ func TestConnectInjectNamespaces(t *testing.T) { | |||
| if c.secure { | |||
| logger.Log(t, "checking that the connection is not successful because there's no intention") | |||
| if cfg.EnableTransparentProxy { | |||
| k8s.CheckStaticServerConnectionFailing(t, staticClientOpts, fmt.Sprintf("http://static-server.%s", staticServerNamespace)) | |||
There was a problem hiding this comment.
function signature changes
| k8s.CheckStaticServerConnectionSuccessful(t, ctx.KubectlOptions(t), staticClientName, "http://localhost:1234") | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
Adds the multiport acceptance test
acceptance/tests/fixtures/Dockerfile
Outdated
| @@ -0,0 +1,2 @@ | |||
| FROM kschoche/http-echo:latest | |||
There was a problem hiding this comment.
This adds curl to the http-echo image, I plan to swap out this for the actual http-echo image, so this can be ignored for now in review-- the only change would be to delete this file and swap the image.
There was a problem hiding this comment.
Swapped and deleted
| @@ -415,11 +415,11 @@ func TestPartitions(t *testing.T) { | |||
| if c.ACLsAndAutoEncryptEnabled { | |||
| logger.Log(t, "checking that the connection is not successful because there's no intention") | |||
| if cfg.EnableTransparentProxy { | |||
There was a problem hiding this comment.
Function signature changes
| @@ -121,7 +121,7 @@ func TestTerminatingGatewaySingleNamespace(t *testing.T) { | |||
|
|
|||
There was a problem hiding this comment.
Function signature changes
| @@ -93,7 +93,7 @@ func TestTerminatingGateway(t *testing.T) { | |||
|
|
|||
| // Test that we can make a call to the terminating gateway. | |||
There was a problem hiding this comment.
Function signature changes
| @@ -15,7 +15,8 @@ import ( | |||
| ) | |||
|
|
|||
There was a problem hiding this comment.
Function signature changes
| }) | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
Kept this TestReconcileCreateEndpoint_MultiportService test separate from the existing create endpoint test because of the changes to the case structure that wouldn't be needed by the non-multiport tests. Also because this is a workaround, it might be nice to keep the code as separate as possible.
There was a problem hiding this comment.
I really appreciate the comments that you are leaving in the PR!
There was a problem hiding this comment.
+1! Love all the comments!
ndhanushkodi
requested review from
a team,
curtbushko and
ishustava
and removed request for
a team
acceptance/framework/k8s/deploy.go
Outdated
| @@ -90,19 +88,24 @@ func CheckStaticServerConnection(t *testing.T, options *k8s.KubectlOptions, expe | |||
| // If expectSuccess is true, it will expect connection to succeed, | |||
| // otherwise it will expect failure due to intentions. If multiple failureMessages are provided it will assert | |||
| // on the existence of any of them. | |||
| func CheckStaticServerConnectionMultipleFailureMessages(t *testing.T, options *k8s.KubectlOptions, expectSuccess bool, failureMessages []string, curlArgs ...string) { | |||
| func CheckStaticServerConnectionMultipleFailureMessages(t *testing.T, options *k8s.KubectlOptions, app string, expectSuccess bool, failureMessages []string, expectedSuccessOutput string, curlArgs ...string) { | |||
There was a problem hiding this comment.
RE: expectedSuccessOutput. I am not 100% sure if you need to change the function signature here as every call to CheckStaticServerConnectionMultipleFailureMessages is setting "" and using the default. Maybe it is good for future proofing?
There was a problem hiding this comment.
Nearly every call is setting "" and using the default, except for CheckStaticServerConnectionSuccessfulWithMessage, which is what we're using in the multiport test
| }) | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
I really appreciate the comments that you are leaving in the PR!
| @@ -16,8 +16,6 @@ import ( | |||
| "k8s.io/apimachinery/pkg/util/yaml" | |||
| ) | |||
|
|
|||
There was a problem hiding this comment.
Could we add this note to a comment for this function(s)🙏
| }) | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
+1! Love all the comments!
ndhanushkodi
force-pushed
the
multiport
branch
from
7f7851e to
3bf896e
Compare
|
WANFed tests for vault are failing but it might be due to my image? I'll try rebasing and using a new image for acceptance tests, but since everything else is passing and this doesn't touch vault this is ready for a second round of review cc @ishustava @curtbushko |
| return i | ||
| } | ||
| } | ||
| return -1 |
There was a problem hiding this comment.
nit: I think we could also return an error here (it feels a bit more idiomatic to go) but definitely not a blocker!
There was a problem hiding this comment.
I started making this change, but then I realized that in a case where you may have a non-multiport pod, you need to know to ignore the error (for example, in the processUpstreams function). I like the way it is now, because it implies that it's not an error if you don't find a multiport index in the service list, and rather you should handle the -1 by not following the multiport case.
| @@ -62,7 +68,7 @@ func (h *Handler) envoySidecar(namespace corev1.Namespace, pod corev1.Pod) (core | |||
| // has only injected init containers so all containers defined in pod.Spec.Containers are from the user. | |||
| for _, c := range pod.Spec.Containers { | |||
| // User container and Envoy container cannot have the same UID. | |||
| if c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil && *c.SecurityContext.RunAsUser == envoyUserAndGroupID { | |||
| if c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil && *c.SecurityContext.RunAsUser == envoyUserAndGroupID && c.Image != h.ImageEnvoy { | |||
There was a problem hiding this comment.
I'm curious why do we need that extra image check at the end?
There was a problem hiding this comment.
When we're running multiple sidecars in the pod, they clash with the same uid/gid so this check allows using the same uid/gid for 2 envoy sidecars. Since tproxy isn't supported it seems ok to let them run with the same uid/gid.
wip: need a test for getServiceName
with multiport10 image - any acceptance test that uses CheckStaticServerConnectionMultipleFailureMessages probably need signature updated - add a retrier so it doesn't keep checking for tokens before they are reconciled
signature for CheckStaticServerConnectionMultipleFailureMessages
This is used in multiport12 image
passes acc tests
…r type apps, fix linter
…nfigured in the proxy service registration
ndhanushkodi
force-pushed
the
multiport
branch
from
656f4e2 to
eb31efd
Compare
Based off of research and POC by @lkysow #754 Thank you!
Note to reviewers:
I recommend reading the acceptance test first, then looking at the implementation. In the acceptance tests, I've changed the signature for
CheckStaticServerConnection*functions, so there's a lot of 1 line changes all over the acceptance tests due to that.Changes proposed in this PR:
Support a workaround for multi port pods by registering a Consul service per port, and by injecting init containers and envoy sidecars per port.
Acceptance test for multiport
static-clientandmultiport, with static-client havingmultiportandmultiport-adminas upstreams. It checks thatstatic-clientcan make connections to each service--multiport, andmultiport-admin. This is to test inbound connections for a multiport app.static-server, and checks thatmultiportcan make a connection tostatic-server. This is to test outbound connections from a multiport app. Note that there is only 1 intention because all upstream connections are configured and go through the 1st service's envoy proxy.Implementation for multiport
handler-bearer-token-filecontainer_init-- update the template to pass in arguments specific to the multiport serviceenvoy_sidecar-- allow the bootstrap file path to have the service name in it for multiport services, and add--base-idsince there could be multiple envoy sidecarsendpoints_controller: the listener port should be 20000 for the first service, 20001 for the second, etc.connect_initcommand: when its a multiport app, add a filter to poll by service name, use the service specific bearertoken, acl-token-sink, and proxyid filesHow I've tested this PR:
acceptance tests and unit tests
How I expect reviewers to test this PR:
see note above, and code review.
Checklist: