nomad namespace apply -region=otherregion mynamespace does not propagate to federated region #20128
Comments
Hi @benvanstaveren! Applying a namespace to a single region when regions are federated doesn't work the way you might expect. When two regions are federated, the If that's not what you're seeing, it'd be good to know more about the cluster topology involved here.
Hey @tgross, that's a little confusing... I don't see any replication taking place. On the authoritative region for instance:
but then if you do this:
Which would seem to suggest the other-region has only the default namespace. I tested it with a job, and indeed the other-region doesn't seem to have anything other than default. Topology wise, we have the authoritative region, with 3 other clusters joined to that. TLS is enabled, but ACL is not enabled.
Oh, well that's the problem then! I think there's probably a documentation gap around this. Namespaces are access control objects, and only access control objects like ACLs, auth methods, etc. are replicated between regions, and that only happens if ACLs are enabled. (See So when you federated your regions, all you're doing is allowing RPC forwarding between them (which can be useful, no doubt) but there's no "authoritative region" because ACLs are disabled. So when you're writing an ACL-related object like a namespace, it's trying to forward it to an authoritative region (ref I just took a quick look through a bunch of documentation and I don't see this relationship between federation and namespaces explicitly called out anywhere in the federation tutorial, the We should probably also have a validation step in the I've marked this issue for roadmapping.
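The agent settings that the comment above says replication depends on, shown as an added example that is not part of the original thread or of Nomad's own documentation. The region names and the token value are placeholders; the two halves are separate agent configuration files shown in one block for comparison.

```hcl
# Added example: ACL settings for two federated Nomad regions.
# "region-a", "region-b" and the token value are placeholders.

# ---- File 1: servers in the authoritative region ----
region = "region-a"

server {
  enabled              = true
  authoritative_region = "region-a"
}

acl {
  # With ACLs disabled (the reporter's setup), federation only provides
  # RPC forwarding; namespaces and other ACL objects are not replicated.
  enabled = true
}

# ---- File 2: servers in each non-authoritative region ----
region = "region-b"

server {
  enabled              = true
  authoritative_region = "region-a"
}

acl {
  enabled = true

  # Secret ID of a global management token created in region-a after
  # running `nomad acl bootstrap` there. Placeholder value shown.
  replication_token = "REPLACE_WITH_REPLICATION_TOKEN_SECRET_ID"
}
```

With both files in place and the authoritative region bootstrapped, comparing `nomad namespace list -region=region-a` against `nomad namespace list -region=region-b` is a quick check that replication is actually happening.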
Hah! I know all about that, I fall into the same trap with my own projects way too often 😅 Anyway, at least if it's in the docs that'll be nice. I guess I can cheat the system by just creating the namespace on the cluster directly. Cheers!
Our documentation has a hidden assumption that users know that federation replication requires ACLs to be enabled and bootstrapped. Add notes at some of the places users are likely to look for it. A separate follow-up PR to the federation tutorial should point to the ACL multi-region tutorial as well. Fixes: #20128
… into release/1.5.x (#20201) Our documentation has a hidden assumption that users know that federation replication requires ACLs to be enabled and bootstrapped. Add notes at some of the places users are likely to look for it. A separate follow-up PR to the federation tutorial should point to the ACL multi-region tutorial as well. Fixes: #20128 Co-authored-by: Tim Gross <[email protected]>
… into release/1.6.x (#20202) Our documentation has a hidden assumption that users know that federation replication requires ACLs to be enabled and bootstrapped. Add notes at some of the places users are likely to look for it. A separate follow-up PR to the federation tutorial should point to the ACL multi-region tutorial as well. Fixes: #20128 Co-authored-by: Tim Gross <[email protected]>
Although it's not recommended, it's possible to federate regions without ACLs enabled. In this case, ACL-related objects such as namespaces and node pools can be written independently in each region and won't be replicated. If you use commands like `namespace apply` or `node pool delete`, the RPC is supposed to be forwarded to the authoritative region. But when ACLs are disabled, there is no authoritative region and so the RPC will always be applied to the local region even if the `-region` flag is passed. Remove the change to the RPC region for the namespace and node pool write RPC whenever ACLs are disabled, so that forwarding works. Fixes: #20197 Ref: #20128
…#20220) Although it's not recommended, it's possible to federate regions without ACLs enabled. In this case, ACL-related objects such as namespaces and node pools can be written independently in each region and won't be replicated. If you use commands like `namespace apply` or `node pool delete`, the RPC is supposed to be forwarded to the authoritative region. But when ACLs are disabled, there is no authoritative region and so the RPC will always be applied to the local region even if the `-region` flag is passed. Remove the change to the RPC region for the namespace and node pool write RPC whenever ACLs are disabled, so that forwarding works. Fixes: #20197 Ref: #20128
Nomad version
1.6.2
Issue
Running
nomad namespace apply -region=otherregion mynamespace
results in "mynamespace" showing up in the region of the server the command was run against, instead of the otherregion specified in the command.
Reproduction steps
Federate 2 clusters together, create a namespace in the "other" region.
Expected Result
Namespace to show up in the region specified using the -region flag
Actual Result
Namespace shows up on the region of the nomad server the command was run against