Run snapshot agent as a sidecar with consul servers #1620

Merged
merged 3 commits into from
Oct 26, 2022


@ishustava ishustava commented Oct 14, 2022

Changes proposed in this PR:
Now that we don't have client, snapshot agent needs to run against the only agent remaining - the server agent.

  • Change snapshot agent to run as a sidecar with consul servers.

How I've tested this PR:
acceptance tests

How I expect reviewers to test this PR:
👀

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)

@ishustava ishustava force-pushed the ishustava/snapshot-agent-sidecar branch 10 times, most recently from 14387a1 to e4c31d7 Compare October 26, 2022 00:10
@ishustava ishustava force-pushed the ishustava/snapshot-agent-sidecar branch from e4c31d7 to eccf43b Compare October 26, 2022 00:11
@ishustava ishustava marked this pull request as ready for review October 26, 2022 00:18

@curtbushko curtbushko left a comment

Nice! I have a couple non-blocking questions about things for my learning but this looks good to me.

vaultCASecret := vault.CASecretName(vaultReleaseName)

consulHelmValues := map[string]string{
"server.extraVolumes[0].type": "secret",
"server.extraVolumes[0].name": vaultCASecret,
"server.extraVolumes[0].load": "false",

"connectInject.enabled": "true",
"connectInject.enabled": "false",

@curtbushko curtbushko Oct 26, 2022

Question. In the past, was connectInject and controller being true just an oversight that had no bearing on the tests/functionality?

Contributor Author

Good question. I think it might have been copy-paste from the vault test.

[ "${actual}" = 'true' ]
}

@test "server/StatefulSet: snapshot-agent: sets TLS env vars when global.tls.enabled" {
Contributor

Non-blocking: Do you care about doing the opposite test, without TLS, and verifying that CONSUL_HTTP_ADDR is 'http://127.0.0.1:8500' ?

Contributor Author

Yeah that's a good idea

@@ -1031,7 +1031,7 @@ func TestRun_NamespaceEnabled_ValidateLoginToken_PrimaryDatacenter(t *testing.T)
{
ComponentName: "connect-injector",
TokenFlags: []string{"-connect-inject"},
Roles: []string{resourcePrefix + "-connect-injector-acl-role"},
Roles: []string{resourcePrefix + "-connect-inject-acl-role"},
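
Review bot: in the last line of this hunk the expected role becomes `resourcePrefix + "-connect-inject-acl-role"` while `ComponentName` in the same struct stays "connect-injector", so the role suffix now follows the `-connect-inject` token flag rather than the component name shown here. Two things to confirm: that this mismatch is intended, and what happens on upgrade to a role already created under the old `-connect-injector-acl-role` name. If the old role is left in place with its policy attached, a CHANGELOG line telling operators to remove it would help.
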
Contributor

I am curious why this changed?

Contributor Author

Before we used to derive the role name from the service account of the component. With snapshot agent now being co-located with servers, the service account would be the server's service account. I changed it to instead use the component name that we pass to these functions so that both policy and role are derived the same way and so that the role will still clearly say that it's for the snapshot agent. This resulted in ripple effects for other roles which were not named the same as the component.

@ishustava ishustava force-pushed the ishustava/snapshot-agent-sidecar branch from af781f9 to 0ce7cf1 Compare October 26, 2022 17:30
@ishustava ishustava merged commit 0b0947f into main Oct 26, 2022
@ishustava ishustava deleted the ishustava/snapshot-agent-sidecar branch October 26, 2022 19:48
@ishustava ishustava restored the ishustava/snapshot-agent-sidecar branch October 26, 2022 23:09