Support terminating gateways #503
Conversation
This creates all of the necessary templates to support terminating gateways in the helm chart. Using `terminatingGateways.defaults` and `terminatingGateways.gateways`, it's possible to define multiple gateways. Names must be provided for each and they must be unique. Any gateway-specific values will override the default value with the exception of annotations. Annotations will apply both the defaults and gateway-specific annotations.
With the addition of an id in the service registration, this is necessary to correctly associate the gateway pod with the specific service instance.
There was a problem hiding this comment.
This looks awesome!!! Awesome work on everything 🎉
In my testing, I almost didn't find any issues at all, everything worked great! There was a small issue when running with namespaces and ACLs, which I've reported in hashicorp/consul-k8s#279.
I have also left a couple of comments about some missing test cases and made a couple suggestions for the values docs.
| #-------------------------------------------------------------------- | ||
| # global.tls.enabled | ||
|
|
||
| @test "terminatingGateways/Deployment: sets TLS flags when global.tls.enabled" { |
There was a problem hiding this comment.
| @test "terminatingGateways/Deployment: sets TLS flags when global.tls.enabled" { | |
| @test "terminatingGateways/Deployment: sets TLS env variables when global.tls.enabled" { |
There was a problem hiding this comment.
Updated in all the gateways.
|
|
||
| local actual=$(echo $env | jq -r '. | select(.name == "CONSUL_CACERT") | .value' | tee /dev/stderr) | ||
| [ "${actual}" = "/consul/tls/ca/tls.crt" ] | ||
| } |
There was a problem hiding this comment.
Could we also add a test that the correct volumes and volumeMounts are present?
There was a problem hiding this comment.
There are a series of tests under the extraVolumes test heading below (starting L248 before any changes were made to this file).
There was a problem hiding this comment.
Ah, yes those tests are great. I was referring to the TLS volumes for the Consul client, e.g. consul-ca-cert. Sorry, that wasn't clear, but I meant it in the context of global.tls.enabled.
values.yaml
Outdated
| # include both the default annotations and any additional ones defined | ||
| # for a specific gateway. | ||
| # Requirements: consul >= 1.8.0 and consul-k8s >= 0.16.0 if using | ||
| # global.acls.manageSystemACLs. |
There was a problem hiding this comment.
For the lifecycle-sidecar command
| # global.acls.manageSystemACLs. | |
| # global.acls.manageSystemACLs and >= 0.10.0 if not using global.acls.manageSystemACLs. |
values.yaml
Outdated
| # Requirements: consul >= 1.8.0 and consul-k8s >= 0.16.0 if using | ||
| # global.acls.manageSystemACLs. | ||
| terminatingGateways: | ||
| # Enable terminating gateway deployment. Requires `connectInject.enabled=true`. |
There was a problem hiding this comment.
Should we inlcude client.enabled and client.grpc as a requirement as well?
There was a problem hiding this comment.
Added client.enabled, but client.rpc is enabled by default so leaving it off.
values.yaml
Outdated
|
|
||
| # Defaults sets default values for all gateway fields. With the exception | ||
| # of annotations, defining any of these values in the `gateways` list | ||
| # will override the default values provided here. |
There was a problem hiding this comment.
I thought it's worth repeating the same thing as you said in the comment for terminatingGateways here for clarity.
| # will override the default values provided here. | |
| # will override the default values provided here. Annotations will | |
| # include both the default annotations and any additional ones defined | |
| # for a specific gateway. |
values.yaml
Outdated
|
|
||
| # By default, we set an anti affinity so that two of the same gateway pods | ||
| # won't be on the same node. NOTE: Gateways require that Consul client agents are | ||
| # also running on the nodes alongside each gateway Pod. |
There was a problem hiding this comment.
| # also running on the nodes alongside each gateway Pod. | |
| # also running on the nodes alongside each gateway pod. |
There was a problem hiding this comment.
Fixed on all 3 gateways.
values.yaml
Outdated
| memory: "100Mi" | ||
| cpu: "100m" | ||
|
|
||
| # By default, we set an anti affinity so that two of the same gateway pods |
There was a problem hiding this comment.
| # By default, we set an anti affinity so that two of the same gateway pods | |
| # By default, we set an anti-affinity so that two of the same gateway pods |
There was a problem hiding this comment.
Fixed on all 3 gateways.
ishustava
added
area/gateways
| #-------------------------------------------------------------------- | ||
| # global.tls.enabled | ||
|
|
||
| @test "terminatingGateways/Deployment: sets TLS flags when global.tls.enabled" { |
There was a problem hiding this comment.
Updated in all the gateways.
|
|
||
| local actual=$(echo $env | jq -r '. | select(.name == "CONSUL_CACERT") | .value' | tee /dev/stderr) | ||
| [ "${actual}" = "/consul/tls/ca/tls.crt" ] | ||
| } |
There was a problem hiding this comment.
There are a series of tests under the extraVolumes test heading below (starting L248 before any changes were made to this file).
values.yaml
Outdated
| # include both the default annotations and any additional ones defined | ||
| # for a specific gateway. | ||
| # Requirements: consul >= 1.8.0 and consul-k8s >= 0.16.0 if using | ||
| # global.acls.manageSystemACLs. |
values.yaml
Outdated
| # Requirements: consul >= 1.8.0 and consul-k8s >= 0.16.0 if using | ||
| # global.acls.manageSystemACLs. | ||
| terminatingGateways: | ||
| # Enable terminating gateway deployment. Requires `connectInject.enabled=true`. |
There was a problem hiding this comment.
Added client.enabled, but client.rpc is enabled by default so leaving it off.
values.yaml
Outdated
|
|
||
| # Defaults sets default values for all gateway fields. With the exception | ||
| # of annotations, defining any of these values in the `gateways` list | ||
| # will override the default values provided here. |
values.yaml
Outdated
| memory: "100Mi" | ||
| cpu: "100m" | ||
|
|
||
| # By default, we set an anti affinity so that two of the same gateway pods |
There was a problem hiding this comment.
Fixed on all 3 gateways.
values.yaml
Outdated
|
|
||
| # By default, we set an anti affinity so that two of the same gateway pods | ||
| # won't be on the same node. NOTE: Gateways require that Consul client agents are | ||
| # also running on the nodes alongside each gateway Pod. |
There was a problem hiding this comment.
Fixed on all 3 gateways.
|
|
||
| local actual=$(echo $env | jq -r '. | select(.name == "CONSUL_CACERT") | .value' | tee /dev/stderr) | ||
| [ "${actual}" = "/consul/tls/ca/tls.crt" ] | ||
| } |
There was a problem hiding this comment.
Ah, yes those tests are great. I was referring to the TLS volumes for the Consul client, e.g. consul-ca-cert. Sorry, that wasn't clear, but I meant it in the context of global.tls.enabled.
Following up from #491 after a tragic git accident.
This creates all of the necessary templates to support terminating
gateways in the helm chart. Using terminatingGateways.defaults and
terminatingGateways.gateways, it's possible to define multiple
gateways. Names must be provided for each and they must be unique.
Any gateway-specific values will override the default value with the
exception of annotations. Annotations will apply both the defaults
and gateway-specific annotations.
Note: This is ready for a static code review, but has not been tested
yet because of a bug in the gateway implementation. It's also targeting
the ingress gateway branch for now to make it easier for settings and
tests that overlap between gateway implementations.
Replaces and builds on #452