agentless: Multi-cluster tproxy #1632
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ishustava
force-pushed
the
ishustava/tproxy-single-cluster
branch
from
dc24cc4
to
f092e46
Compare
ishustava
force-pushed
the
ishustava/tproxy-multi-cluster
branch
6 times, most recently
from
acbe0ef
to
f986784
Compare
ishustava
force-pushed
the
ishustava/tproxy-multi-cluster
branch
12 times, most recently
from
f990912
to
34ca662
Compare
ishustava
commented
Oct 24, 2022
| @@ -1194,7 +1194,7 @@ func TestAcceptorUpdateStatusError(t *testing.T) { | |||
| reconcileErr: errors.New("this is an error"), | |||
| expStatus: v1alpha1.PeeringAcceptorStatus{ | |||
| Conditions: v1alpha1.Conditions{ | |||
| { | |||
| v1alpha1.Condition{ | |||
There was a problem hiding this comment.
These are from running linter locally
There was a problem hiding this comment.
This is so weird. I remember getting linter failures when they initially existed and had to delete them. 🤔
There was a problem hiding this comment.
Yeah I'm confused as well. Maybe it's a go 1.19 thing?
| @@ -59,16 +57,17 @@ func TestConsulDNS(t *testing.T) { | |||
| serverIPs = append(serverIPs, serverPod.Status.PodIP) | |||
| } | |||
|
|
|||
| dnsPodName := fmt.Sprintf("%s-dns-pod", releaseName) | |||
There was a problem hiding this comment.
This test fails sometimes because a pod with this name already exists, so making the names unique per test.
| @@ -620,9 +620,9 @@ func TestReconcile_CreateUpdatePeeringAcceptor(t *testing.T) { | |||
| decodedTokenData, err := base64.StdEncoding.DecodeString(string(createdSecret.Data["data"])) | |||
| require.NoError(t, err) | |||
|
|
|||
| require.Contains(t, string(decodedTokenData), "\"CA\":null") | |||
| require.Contains(t, string(decodedTokenData), "\"CA\":") | |||
There was a problem hiding this comment.
These changes are needed to support consul 1.14 peering changes so that we can use the latest binary in tests.
There was a problem hiding this comment.
Ahh thanks for bumping that!!
ishustava
force-pushed
the
ishustava/tproxy-single-cluster
branch
from
117ebca
to
15b09df
Compare
ishustava
force-pushed
the
ishustava/tproxy-multi-cluster
branch
from
51475be
to
57eee52
Compare
ishustava
force-pushed
the
ishustava/tproxy-multi-cluster
branch
3 times, most recently
from
8e8b5ba
to
3cbacec
Compare
ishustava
force-pushed
the
ishustava/tproxy-multi-cluster
branch
from
3cbacec
to
9437b2c
Compare
thisisnotashwin
approved these changes
Oct 25, 2022
Comment on lines
-151
to
-163
| {{/* | ||
| Sets up a list of recusor flags for Consul agents by iterating over the IPs of every nameserver | ||
| in /etc/resolv.conf and concatenating them into a string of arguments that can be passed directly | ||
| to the consul agent command. | ||
| */}} | ||
| {{- define "consul.recursors" -}} | ||
| recursor_flags="" | ||
| for ip in $(cat /etc/resolv.conf | grep nameserver | cut -d' ' -f2) | ||
| do | ||
| recursor_flags="$recursor_flags -recursor=$ip" | ||
| done | ||
| {{- end -}} | ||
|
|
| @@ -1194,7 +1194,7 @@ func TestAcceptorUpdateStatusError(t *testing.T) { | |||
| reconcileErr: errors.New("this is an error"), | |||
| expStatus: v1alpha1.PeeringAcceptorStatus{ | |||
| Conditions: v1alpha1.Conditions{ | |||
| { | |||
| v1alpha1.Condition{ | |||
There was a problem hiding this comment.
This is so weird. I remember getting linter failures when they initially existed and had to delete them. 🤔
control-plane/connect-inject/dns.go
Outdated
|
|
||
| func (w *MeshWebhook) configureDNS(pod *corev1.Pod, k8sNS string) error { | ||
| // First, we need to determine the nameservers configured in this cluster from /etc/resolv.conf. | ||
| etcResolvConf := "/etc/resolv.conf" |
There was a problem hiding this comment.
We should make this a constant. WDYT?
control-plane/connect-inject/dns.go
Outdated
| // configured in our /etc/resolv.conf. It's important to add Consul DNS as the first nameserver because | ||
| // if we put kube DNS first, it will return NXDOMAIN response and a DNS client will not fall back to other nameservers. | ||
| if pod.Spec.DNSConfig == nil { | ||
| consulDPAddress := "127.0.0.1" |
There was a problem hiding this comment.
potentially make this a constant as well
Comment on lines
+63
to
+66
| // Replace release namespace in the searches with the pod namespace. | ||
| // This is so that the searches we generate will be for the pod's namespace | ||
| // instead of the namespace of the connect-injector. E.g. instead of | ||
| // consul.svc.cluster.local it should be <pod ns>.svc.cluster.local. |
There was a problem hiding this comment.
Really appreciate the comments 🙏
ishustava
force-pushed
the
ishustava/tproxy-multi-cluster
branch
from
267355b
to
a488a2c
Compare
| c.Datacenter = "acceptor-dc" | ||
| c.Connect["ca_config"] = map[string]interface{}{ | ||
| "cluster_id": "00000000-2222-3333-4444-555555555555", | ||
| } |
| if cfg.EnableTransparentProxy { | ||
| t.Skipf("skipping because no t-proxy support") | ||
| } | ||
|
|
ishustava
force-pushed
the
ishustava/tproxy-multi-cluster
branch
from
1f83c02
to
6cff666
Compare
ishustava
force-pushed
the
ishustava/tproxy-multi-cluster
branch
from
6cff666
to
486f1c4
Compare
curtbushko
approved these changes
Oct 26, 2022
t-eckert
pushed a commit
that referenced
this pull request
Oct 31, 2022
* Redirect traffic to the consul-dataplane's DNS proxy when DNS redirection is enabled. This means we no longer need to configure recursors for the clients and servers * To fall back to kube dns when consul cannot resolve names, we define our own DNSConfig on the pod that uses Consul first, but falls back to the config from /etc/resolv.conf in the cluster.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes proposed in this PR:
/etc/resolv.confin the cluster.How I've tested this PR:
acceptance tests
How I expect reviewers to test this PR:
👀
Checklist: