-
Notifications
You must be signed in to change notification settings - Fork 326
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
server-acl-init: Add -server-address and -server-port #238
Conversation
689c7db
to
497214b
Compare
497214b
to
c6b03fe
Compare
* Require -server-address to be provided instead of discovering the server IPs from Kubernetes pods. This allows us to eventually to run this command against external servers or servers deployed on Kube in the same way. On Kubernetes, instead of discovering Pod IPs, we can use server's stateful set DNS names. * [Breaking change] Remove -expected-replicas, -release-name, and -server-label-selector flags because we no longer need them.
c6b03fe
to
c2581c5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I still need to actually run the code but here's the code review. I love how much this has reduced LOC.
I've tested this now and it works like a charm. I tried to mess it up by deleting pods and starting upgrades but it always worked!
No, I think you're good.
I don't know the best word for IP or hostname but not port. I think |
But then you're using it as a possible join url in the next pr. Also join and join-wan use the term "address":
|
Agree. I left it as I've made updates based on your suggestions (thank you so much for this careful review!). |
This PR proposes to change the server-acl-init command to use user-provided server-address and server-port instead of discovering servers' Pod IPs and ports via Kubernetes API.
Why
Currently, the
server-acl-init
command knows a lot about how the servers are deployed. It makes some assumptions about the resource names of the stateful set and uses Kubernetes API as its discovery mechanism for server addresses. This creates a fair amount of extra logic to correctly discover the server IPs and ports. In addition, we have some logic that checks if the stateful set rollout is currently in progress and waits until it's complete. The Statefulset logic was added specifically to prevent a situation when we would discover the IPs of the servers right before Kubernetes would kill and restart the container, causing its IP to change and theserver-acl-init
job to run forever trying to talk to the pod IP that no longer exists.This PR was motivated by the idea that we don't really need to use Kube API to discover the IPs of the servers. Kubernetes already has a built-in mechanism for discovering IPs of the stateful set because each pod in a stateful set has a "well-known" DNS name. Using these DNS names would allow us to not only simplify the logic of this command but also avoid potential edge cases where the pod IP we've discovered has changed while the job is running. Additionally, this would allow us to eventually run this command against external servers.
Summary of the Changes
Command Flags
-server-address
command flag-server-port
command flag and default it to8500
.-expected-replicas
,-release-name
(already deprecated), and-server-label-selector
flags because we no longer need them.Other changes
Testing
All testing was done on AKS with the
ishustava/consul-k8s-dev:04-07-2020-497214b
image (or equivalent).Cases tested:
Feedback
I'm looking for feedback in the following areas: