Automate DNS redirection to Consul DNS #833
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ndhanushkodi
commented
Nov 3, 2021
ndhanushkodi
commented
Nov 3, 2021
ndhanushkodi
commented
Nov 3, 2021
ndhanushkodi
commented
Nov 3, 2021
ndhanushkodi
commented
Nov 3, 2021
demo.yaml
Outdated
| app: frontend | ||
| annotations: | ||
| "consul.hashicorp.com/connect-inject": "true" | ||
| "consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs": "151.101.2.133,151.101.66.133,151.101.130.133,151.101.194.133" |
There was a problem hiding this comment.
will let us apk update && apk add stuff
ottaviohartman
pushed a commit
to ottaviohartman/consul-k8s
that referenced
this pull request
Nov 3, 2021
Force delete pods that are still running after `helm uninstall` so the next installation can begin immediately.
thisisnotashwin
force-pushed
the
automate-dns
branch
4 times, most recently
from
5475539 to
462098b
Compare
thisisnotashwin
requested review from
ishustava,
a team and
lkysow
and removed request for
a team
ishustava
reviewed
Nov 9, 2021
thisisnotashwin
force-pushed
the
automate-dns
branch
from
bf6b45a to
f29938f
Compare
lkysow
reviewed
Nov 9, 2021
ishustava
approved these changes
Nov 9, 2021
lkysow
reviewed
Nov 9, 2021
|
|
||
| var consulDNSIP string | ||
| if dnsEnabled { | ||
| for _, e := range os.Environ() { |
There was a problem hiding this comment.
I found this kinda confusing. I think it could use a comment.
thisisnotashwin
requested review from
lkysow and
thisisnotashwin
and removed request for
thisisnotashwin
@lkysow Acceptance tests are a great question. The approach I was considering for acceptance testing this change was indirectly using the changes the will be added for transparent proxy for x-partition communication. I will update the fixtures to support transparent proxying the upstream which should test the usage of Consul DNS we ultimately care about. |
lkysow
reviewed
Nov 10, 2021
| @@ -138,6 +138,10 @@ type Handler struct { | |||
| // from mesh services. | |||
| EnableConsulDNS bool | |||
|
|
|||
| // ReleasePrefix is the prefix used for the installation which is used to determine the Service | |||
| // name of the Consul DNS service. | |||
| ReleasePrefix string | |||
There was a problem hiding this comment.
Can you use ResourcePrefix to match server-acl-init, create-federation-job and others
thisisnotashwin
force-pushed
the
automate-dns
branch
from
258eb41 to
ac6faa4
Compare
lkysow
approved these changes
Nov 10, 2021
Comment on lines
546
to
554
| @test "connectInject/Deployment: -release-prefix unset by default" { | ||
| cd `chart_dir` | ||
| local actual=$(helm template \ | ||
| -s templates/connect-inject-deployment.yaml \ | ||
| --set 'connectInject.enabled=true' \ | ||
| . | tee /dev/stderr | | ||
| yq -c -r '.spec.template.spec.containers[0].command | join(" ") | contains("-release-prefix=RELEASE-NAME-consul")' | tee /dev/stderr) | ||
| [ "${actual}" = "false" ] | ||
| } | ||
|
|
||
| @test "connectInject/Deployment: -release-prefix is true if dns.enabled=true and dns.enableRedirection=true" { | ||
| cd `chart_dir` | ||
| local actual=$(helm template \ | ||
| -s templates/connect-inject-deployment.yaml \ | ||
| --set 'connectInject.enabled=true' \ | ||
| --set 'dns.enableRedirection=true' \ | ||
| . | tee /dev/stderr | | ||
| yq -c -r '.spec.template.spec.containers[0].command | join(" ") | contains("-release-prefix=RELEASE-NAME-consul")' | tee /dev/stderr) | ||
| [ "${actual}" = "true" ] | ||
| } |
| // If Consul DNS is enabled, we find the environment variable that has the value | ||
| // of the ClusterIP of the Consul DNS Service. constructDNSServiceHostName returns | ||
| // the name of the env variable whose value is the ClusterIP of the Consul DNS Service. | ||
| consulDNSClusterIP = os.Getenv(h.constructDNSServiceHostName()) |
There was a problem hiding this comment.
this should error out if the env var is not found
thisisnotashwin
force-pushed
the
automate-dns
branch
4 times, most recently
from
705b8b9 to
7a4ab00
Compare
lkysow
reviewed
Nov 10, 2021
lkysow
approved these changes
Nov 10, 2021
thisisnotashwin
force-pushed
the
automate-dns
branch
from
f5dc220 to
71b60f1
Compare
Tested with this branch and consul branch `dns-redirect-to-consul`.
Co-authored-by: Luke Kysow <[email protected]>
thisisnotashwin
force-pushed
the
automate-dns
branch
from
afaf55f to
ff61a47
Compare
thisisnotashwin
force-pushed
the
automate-dns
branch
from
ff61a47 to
521fb79
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes proposed in this PR:
Corresponding consul PR: hashicorp/consul#11480
How I've tested this PR:
k apply -f demo.yaml #included in this PR for testing, remove before mergingThen, exec onto the frontend pod, and
and verify it returns a pod ip for backend. We can't curl
backend.service.consulbecause envoy only knows to direct traffic based on VIPs not pod ipsHow I expect reviewers to test this PR:
Checklist: