agentless: support updating health checks on consul clients during an upgrade to agentless #1690
@@ -236,24 +236,12 @@ spec: | |||
{{- end }} | |||
{{- end }} | |||
|
|||
{{- if .Values.global.consulSidecarContainer }} |
These flags are no longer used
The removal of these is actually in the PR I am working on right now as I missed them last week. I will remove them from my commits and we'll leave them in yours.
Hopefully the rebase of main onto your PR should automatically clear some of that from your commits.
items: | ||
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} | ||
path: tls.crt |
My IDE decided to format these
clearly our IDEs disagree on how YAML slices should be indented 😭
… upgrade to agentless
Nice job!
Excellent work, as usual 😄
control-plane/connect-inject/controllers/endpoints/consul_client_health_checks.go
if r.EnableAutoEncrypt { | ||
// Get Connect CA. | ||
caRoots, _, err := serverClient.Agent().ConnectCARoots(nil) | ||
if err != nil { | ||
return nil, err | ||
} | ||
if caRoots == nil { | ||
return nil, fmt.Errorf("ca root list is nil") | ||
} | ||
if caRoots.Roots == nil { | ||
return nil, fmt.Errorf("ca roots is nil") | ||
} | ||
if len(caRoots.Roots) == 0 { | ||
return nil, fmt.Errorf("the list of root CAs is empty") | ||
} | ||
|
||
for _, root := range caRoots.Roots { | ||
if root.Active { | ||
ccCfg.TLSConfig.CAFile = "" | ||
ccCfg.TLSConfig.CAPem = []byte(root.RootCertPEM) | ||
break | ||
} | ||
} | ||
} |
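Review bot: In the `for _, root := range caRoots.Roots` loop, nothing handles the case where no root has `Active` set: the loop falls through, `CAPem` is never assigned, `CAFile` keeps its previous value, and the function continues with the TLS config it had before. Record whether an active root was found and return an error when none was, in line with the nil and empty-list checks above it. The separate `caRoots.Roots == nil` check is also redundant, since `len(caRoots.Roots) == 0` already covers a nil slice.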
:chefkiss:
} | ||
} | ||
|
||
func TestConsulClientForNodeAgent(t *testing.T) { |
❤️
Changes proposed in this PR:
We will need to handle the case when a user has many applications on the service mesh and needs to take time to re-inject all those applications. If that is the case, there may be situations where the application changes its health status, but because it still hasn’t been re-started (re-injected), its health status needs to be synced into Consul clients rather than servers the way we used to do before. To do this, we will add a new annotation to all pods pointing to the current consul-k8s version: `consul.hashicorp.com/consul-k8s-version: 1.0.0`. If this annotation is not there or if the version is less than the version that supports “agentless”, we will continue to sync health checks to Consul clients for that particular pod.
How I've tested this PR:
manual upgrade testing in multiple setups (not-secure, tls, tls+acls, tls+auto-encrypt+acls)
How I expect reviewers to test this PR:
👀
Checklist:
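An added example, not code from this PR or from consul-k8s: one way the version gate described in the PR description could be evaluated from a pod's annotations. It assumes 1.0.0 (the value shown in the description) is the first agentless version and that an unparsable value is handled like a missing annotation; `syncToConsulClients`, `parseVersion` and `firstAgentless` are hypothetical names.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Annotation key from the PR description.
const versionAnnotation = "consul.hashicorp.com/consul-k8s-version"
// Assumption: 1.0.0, the value shown in the PR description, is the first agentless version.
var firstAgentless = [3]int{1, 0, 0}

// parseVersion reads MAJOR.MINOR.PATCH with an optional leading "v" and
// reports whether a pre-release suffix (e.g. "-beta1") was present.
func parseVersion(raw string) (v [3]int, pre bool, err error) {
	core, _, pre := strings.Cut(strings.TrimPrefix(strings.TrimSpace(raw), "v"), "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return v, pre, fmt.Errorf("not MAJOR.MINOR.PATCH: %q", raw)
	}
	for i, p := range parts {
		n, convErr := strconv.ParseUint(p, 10, 31) // rejects signs and empty components
		if convErr != nil {
			return v, pre, fmt.Errorf("bad version component %q in %q", p, raw)
		}
		v[i] = int(n)
	}
	return v, pre, nil
}

// syncToConsulClients reports whether a pod's health checks should still go to
// Consul client agents because the pod has not been re-injected yet.
func syncToConsulClients(annotations map[string]string) bool {
	v, pre, err := parseVersion(annotations[versionAnnotation])
	if err != nil {
		return true // missing or unreadable (assumption): keep the pre-upgrade path
	}
	for i := range v {
		if v[i] != firstAgentless[i] {
			return v[i] < firstAgentless[i]
		}
	}
	return pre // same core version: a pre-release sorts below the release (semver)
}

func main() {
	fmt.Println(syncToConsulClients(map[string]string{versionAnnotation: "0.49.0"})) // constructed sample
}
```

Comparing the parsed components numerically matters here: a plain string comparison would place "0.49.0" and "0.5.0" in the wrong order.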