-
Notifications
You must be signed in to change notification settings - Fork 324
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
agentless: Multi-cluster tproxy #1632
Conversation
dc24cc4
to
f092e46
Compare
acbe0ef
to
f986784
Compare
f990912
to
34ca662
Compare
@@ -1194,7 +1194,7 @@ func TestAcceptorUpdateStatusError(t *testing.T) { | |||
reconcileErr: errors.New("this is an error"), | |||
expStatus: v1alpha1.PeeringAcceptorStatus{ | |||
Conditions: v1alpha1.Conditions{ | |||
{ | |||
v1alpha1.Condition{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are from running linter locally
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is so weird. I remember getting linter failures when they initially existed and had to delete them. 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I'm confused as well. Maybe it's a go 1.19 thing?
@@ -59,16 +57,17 @@ func TestConsulDNS(t *testing.T) { | |||
serverIPs = append(serverIPs, serverPod.Status.PodIP) | |||
} | |||
|
|||
dnsPodName := fmt.Sprintf("%s-dns-pod", releaseName) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This test fails sometimes because a pod with this name already exists, so making the names unique per test.
@@ -620,9 +620,9 @@ func TestReconcile_CreateUpdatePeeringAcceptor(t *testing.T) { | |||
decodedTokenData, err := base64.StdEncoding.DecodeString(string(createdSecret.Data["data"])) | |||
require.NoError(t, err) | |||
|
|||
require.Contains(t, string(decodedTokenData), "\"CA\":null") | |||
require.Contains(t, string(decodedTokenData), "\"CA\":") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These changes are needed to support consul 1.14 peering changes so that we can use the latest binary in tests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ahh thanks for bumping that!!
117ebca
to
15b09df
Compare
51475be
to
57eee52
Compare
8e8b5ba
to
3cbacec
Compare
3cbacec
to
9437b2c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have a few aesthetic comments but this is excellent!! Your comments made reviewing and understanding what was happening super easy! Great job!
{{/* | ||
Sets up a list of recusor flags for Consul agents by iterating over the IPs of every nameserver | ||
in /etc/resolv.conf and concatenating them into a string of arguments that can be passed directly | ||
to the consul agent command. | ||
*/}} | ||
{{- define "consul.recursors" -}} | ||
recursor_flags="" | ||
for ip in $(cat /etc/resolv.conf | grep nameserver | cut -d' ' -f2) | ||
do | ||
recursor_flags="$recursor_flags -recursor=$ip" | ||
done | ||
{{- end -}} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
YAYYYYY!!!!
@@ -1194,7 +1194,7 @@ func TestAcceptorUpdateStatusError(t *testing.T) { | |||
reconcileErr: errors.New("this is an error"), | |||
expStatus: v1alpha1.PeeringAcceptorStatus{ | |||
Conditions: v1alpha1.Conditions{ | |||
{ | |||
v1alpha1.Condition{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is so weird. I remember getting linter failures when they initially existed and had to delete them. 🤔
control-plane/connect-inject/dns.go
Outdated
|
||
func (w *MeshWebhook) configureDNS(pod *corev1.Pod, k8sNS string) error { | ||
// First, we need to determine the nameservers configured in this cluster from /etc/resolv.conf. | ||
etcResolvConf := "/etc/resolv.conf" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should make this a constant. WDYT?
control-plane/connect-inject/dns.go
Outdated
// configured in our /etc/resolv.conf. It's important to add Consul DNS as the first nameserver because | ||
// if we put kube DNS first, it will return NXDOMAIN response and a DNS client will not fall back to other nameservers. | ||
if pod.Spec.DNSConfig == nil { | ||
consulDPAddress := "127.0.0.1" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
potentially make this a constant as well
// Replace release namespace in the searches with the pod namespace. | ||
// This is so that the searches we generate will be for the pod's namespace | ||
// instead of the namespace of the connect-injector. E.g. instead of | ||
// consul.svc.cluster.local it should be <pod ns>.svc.cluster.local. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Really appreciate the comments 🙏
267355b
to
a488a2c
Compare
c.Datacenter = "acceptor-dc" | ||
c.Connect["ca_config"] = map[string]interface{}{ | ||
"cluster_id": "00000000-2222-3333-4444-555555555555", | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❤️
if cfg.EnableTransparentProxy { | ||
t.Skipf("skipping because no t-proxy support") | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
omg so this works???
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yup! it works! 🎉
1f83c02
to
6cff666
Compare
6cff666
to
486f1c4
Compare
* Redirect traffic to the consul-dataplane's DNS proxy when DNS redirection is enabled. This means we no longer need to configure recursors for the clients and servers * To fall back to kube dns when consul cannot resolve names, we define our own DNSConfig on the pod that uses Consul first, but falls back to the config from /etc/resolv.conf in the cluster.
Changes proposed in this PR:
/etc/resolv.conf
in the cluster.How I've tested this PR:
acceptance tests
How I expect reviewers to test this PR:
👀
Checklist: