Backport of testing/deployer: support tproxy in v2 for dataplane into release/1.17.x #19494
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hc-github-team-consul-core
requested review from
shore
and removed request for
a team
hc-github-team-consul-core
force-pushed
the
backport/rboyer/deployer-tproxy-v2/needlessly-simple-mole
branch
2 times, most recently
from
ec42015 to
259930e
Compare
github-team-consul-core-pr-approver
approved these changes
Nov 2, 2023
github-actions
bot
added
type/docs
This updates the testing/deployer (aka "topology test") framework to allow for a v2-oriented topology to opt services into enabling TransparentProxy. The restrictions are similar to that of #19046 The multiport Ports map that was added in #19046 was changed to allow for the protocol to be specified at this time, but for now the only supported protocol is TCP as only L4 functions currently on main. As part of making transparent proxy work, the DNS server needed a new zonefile for responding to virtual.consul requests, since there is no Kubernetes DNS and the Consul DNS work for v2 has not happened yet. Once Consul DNS supports v2 we should switch over. For now the format of queries is: <service>--<namespace>--<partition>.virtual.consul Additionally: - All transparent proxy enabled services are assigned a virtual ip in the 10.244.0/24 range. This is something Consul will do in v2 at a later date, likely during 1.18. - All services with exposed ports (non-mesh) are assigned a virtual port number for use with tproxy - The consul-dataplane image has been made un-distroless, and gotten the necessary tools to execute consul connect redirect-traffic before running dataplane, thus simulating a kubernetes init container in plain docker.
rboyer
force-pushed
the
backport/rboyer/deployer-tproxy-v2/needlessly-simple-mole
branch
from
2e454b2 to
4537d53
Compare
hc-github-team-consul-core
deleted the
backport/rboyer/deployer-tproxy-v2/needlessly-simple-mole
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport
This PR is auto-generated from #19094 to be assessed for backporting due to the inclusion of the label backport/1.17.
The below text is copied from the body of the original PR.
Description
This is dependent upon #19046.
This updates the testing/deployer (aka "topology test") framework to allow for a v2-oriented topology to opt services into enabling TransparentProxy. The restrictions are similar to that of #19046
The multiport
Portsmap that was added in #19046 was changed to allow for the protocol to be specified at this time, but for now the only supported protocol is TCP as only L4 functions currently on main.As part of making transparent proxy work, the DNS server needed a new zonefile for responding to
virtual.consulrequests, since there is no Kubernetes DNS and the Consul DNS work for v2 has not happened yet. Once Consul DNS supports v2 we should switch over. For now the format of queries is:Additionally:
10.244.0/24range. This is something Consul will do in v2 at a later date, likely during 1.18.consul-dataplaneimage has been made un-distroless, and gotten the necessary tools to executeconsul connect redirect-trafficbefore running dataplane, thus simulating a kubernetes init container in plain docker.There is an example test added.
NET-5735
Overview of commits