Don't write service-defaults during connect-inject unless protocol set explicitly #168

lkysow · 2019-11-29T19:28:50Z

Background

The init container we inject for Consul connect writes a service-defaults config for the service if central config is enabled (the default in the helm chart):

consul-k8s/connect-inject/container_init.go

Lines 263 to 270 in 8a2c7cb

    
           {{- if .CentralConfig }} 
        
           # Create the central config's service registration 
        
           cat <<EOF >/consul/connect-inject/central-config.hcl 
        
           kind = "service-defaults" 
        
           name = "{{ .ServiceName }}" 
        
           protocol = "{{ .ServiceProtocol }}" 
        
           EOF 
        
           {{- end }}

The protocol can be set passing the -default-protocol flag which is controlled by the Helm chart's connectInject.centralConfig.defaultProtocol value. This protocol can be overridden by an annotation on the pod (consul.hashicorp.com/connect-service-protocol). If there is no annotation or Helm value, it will be set to an empty string which Consul will treat as TCP.

Problem

By default we write TCP - When the Pod starts, the service-defaults config will be written. By default, this will set the protocol to TCP. If the protocol is TCP, none of the L7 routing rules will work. A user isn't expecting this config to be written because they haven't configured it anywhere. If they had written a global proxy-defaults config and set the protocol to http so their L7 rules work, the service-defaults config will override the protocol to tcp. This is unexpected. If a user hasn't explicitly configured a protocol, we should not write a service-defaults config.

Proposal

Only write service-defaults if the protocol is explicitly configured, i.e. in connectInject.centralConfig.defaultProtocol or the annotation.

The text was updated successfully, but these errors were encountered:

Previously, we would write a service-defaults config regardless of the value of the -default-protocol flag or the Pod's protocol annotation. If neither of these were set, we would write a config with protocol set to the empty string. This is the same as setting it to tcp. So for every service, we were by default setting its protocol to tcp. If a user explicitly created a global proxy-defaults config and set the protocol to, say, http. Then our service-defaults config would override that protocol. This behaviour was unexpected because users had never explicitly told us to write a service-defaults config and it wasn't helping them. This change will cause us to only write a service-defaults config if the protocol is explicitly set–either via the -default-protocol flag or via the Pod annotation. I've also renamed the CentralConfig field to WriteServiceDefaults because there are many types of central config now so it's best to be explicit. Fixes #168

lkysow closed this as completed Nov 29, 2019

lkysow reopened this Nov 30, 2019

lkysow changed the title ~~Don't write service-defaults during connect-inject unless pod is annotated~~ Don't write service-defaults during connect-inject unless protocol set explicitly Nov 30, 2019

lkysow mentioned this issue Nov 30, 2019

Only write service-defaults if protocol set #169

Merged

lkysow added the area/connect Related to Connect service mesh, e.g. injection label Nov 30, 2019

lkysow closed this as completed in #169 Dec 4, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Don't write service-defaults during connect-inject unless protocol set explicitly #168

Don't write service-defaults during connect-inject unless protocol set explicitly #168

lkysow commented Nov 29, 2019 •

edited

Loading

Don't write service-defaults during connect-inject unless protocol set explicitly #168

Don't write service-defaults during connect-inject unless protocol set explicitly #168

Comments

lkysow commented Nov 29, 2019 • edited Loading

Background

Problem

Proposal

lkysow commented Nov 29, 2019 •

edited

Loading