Create Admin Partitions when enabled #696
Conversation
thisisnotashwin
requested review from
a team,
lkysow and
sadjamz
and removed request for
a team
- This removes any requirement on a post-install cleanup job.
thisisnotashwin
force-pushed
the
create-partition
branch
from
376d849 to
854c25a
Compare
| enabled: false | ||
| # The name of the Admin Partition. Must be "default" in the server cluster ie the Kubernetes cluster that | ||
| # the Consul server pods are deployed onto. | ||
| name: "default" |
There was a problem hiding this comment.
Do you do any validation that if servers are enabled that this == default?
There was a problem hiding this comment.
Not right now. I wanted to do this in a follow up task as it is not a must have. Have a task for it: https://app.asana.com/0/1200449541311255/1200910791029388/f
thisisnotashwin
force-pushed
the
create-partition
branch
from
9a6854f to
3f95619
Compare
thisisnotashwin
requested review from
ndhanushkodi
and removed request for
sadjamz
There was a problem hiding this comment.
Looking awesome so far! I've just gotten through reviewing the Helm templates and some of the control-plane code and will continue tomorrow! Barely had comments because it's looking really great!
Other qs that popped up:
Do we explicitly require TLS to enable partitions or just highly recommend?
|
Setting up external servers explicitly requires TLS. This is more a safety consideration as compared to Consul not working without it. So in a certain sense, we do not support non-TLS on k8s with externalServers. Are you thinking about adding that as an additional check? |
|
|
||
| // GetResolvedServerAddresses resolves the Consul server address if it has been provided a provider else it returns the server addresses that were input to it. | ||
| func GetResolvedServerAddresses(serverAddresses []string, providers map[string]discover.Provider, logger hclog.Logger) ([]string, error) { | ||
| if len(serverAddresses) != 1 || !strings.Contains(serverAddresses[0], "provider=") { |
There was a problem hiding this comment.
I was a little confused why it checking len != 1 and why serverAddresses could have a string "provider=" in it until I saw the test-- Maybe the comment could describe what the serverAddresses argument and providers argument could look like?
Could there be a case where there is exactly one server address that's not a provider?
There was a problem hiding this comment.
Sure thing :)
There could be a case where we have a single address which is not a provider. For instance, with the Partition service, the single address would be the address of the partition service LB. Ill improve the text here.
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
thisisnotashwin
force-pushed
the
create-partition
branch
from
d2f80b1 to
51c4292
Compare
This is because these tests are quite similar except for the additional assertion in the health checks tests that asserts that traffic is not routed when static-server probe fails. This will save us quite a bit of run-time for both regular and *namespace tests because the bulk of the test time is taken up by the installs. This change essentially optimizes and re-uses existing installs that we already have to do to test connect.
* Create Admin Partitions when enabled
* Create Admin Partitions when enabled
* Create Admin Partitions when enabled
* Create Admin Partitions when enabled
Changes proposed in this PR:
How I've tested this PR:
Things of note are this is a Consul Enterprise image and the license was provided as a secret. Additionally, an explicit nodePort has been assigned to the UI service. This is to expose Consul's https port.
Now, copy the TLS secrets and the Ent License to the workload-cluster.
The name of the partition here is "alpha". The ips specified under
hostsandjoinare internal IPs for the nodes on GKE. the node IPs can be found using thekubectl get nodes -o widecommand. Additionally, the firewalls rules on GKE needed to be updated to ensure that the node network and pod network from the server cluster and workload cluster could communicate all the nodes.The clients logs in the server client state that they are in the
defaultpartition and the logs in the workload cluster state that they are in thealphapartition.Validated the Connect works on the default cluster. Connect needs to make some changes in order for it to be supported on workload clusters and that is being worked on.
How I expect reviewers to test this PR:
Follow the above steps. DM me if you would like to pair on the above. Re-do the above steps and deploy "connect" apps in the default cluster.
Checklist: