client: don't use Status RPC for Consul discovery (#16490)
#16490
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tgross
added
type/bug
theme/discovery
theme/auth
backport/1.5.x
tgross
force-pushed
the
client-access-to-status-members
branch
from
ba31797 to
fe2098f
Compare
|
Moved back to draft, as this is still failing in E2E testing. I'm realizing the problem is a little more complex that I thought at first glance -- the |
tgross
force-pushed
the
client-access-to-status-members
branch
from
fe2098f to
7dddac8
Compare
tgross
changed the title
Status.Members RPCStatus.RPCServers RPC for Consul discovery
tgross
force-pushed
the
client-access-to-status-members
branch
from
7dddac8 to
487d00d
Compare
tgross
force-pushed
the
client-access-to-status-members
branch
2 times, most recently
from
ec611f9 to
f8d1dc1
Compare
|
I've reworked this PR heavily based on the results of a discussion I had with @shoenig and @gulducat in order to get this working in the pre-registration phase. Because the new RPC handler is substantially the same as ee3e952 which we closed unmerged, I've added Ruslan as a co-author on this commit. I need to do one more round of testing with this on E2E with the advertise addresses set correctly, and then I'll be ready for review. |
In #16217 we switched clients using Consul discovery to the `Status.Members` endpoint for getting the list of servers so that we're using the correct address. This endpoint has an authorization gate, so this fails if the anonymous policy doesn't have `node:read`. We also can't check the `AuthToken` for the request for the client secret, because the client hasn't yet registered so the server doesn't have anything to compare against. Create a new `Status.RPCServers` endpoint that mirrors the `Status.Peers` endpoint but provides the RPC server addresses instead of the Raft addresses. This fixes the authentication bug but also ensures we're only registering with servers in the client's region and not in any other servers that might have registered with Consul. This changeset also expands the test coverage of the RPC endpoint and closes up potential holes in the `ResolveACL` method that aren't currently bugs but easily could become bugs if we called the method without ensuring its invariants are upheld. Co-authored-by: tantra35 <[email protected]>
tgross
force-pushed
the
client-access-to-status-members
branch
from
f8d1dc1 to
2bb67c3
Compare
2 tasks
|
Ok, I've tested this out on a cluster on AWS using HCP Consul for discovery and the networking tweaks discussed in #16507 to ensure that we're using the serf advertisement: There is no anonymous policy set. And both the servers and client end up happy:
|
tgross
force-pushed
the
client-access-to-status-members
branch
from
ff33dae to
4010fdb
Compare
tgross
force-pushed
the
client-access-to-status-members
branch
from
4010fdb to
25d0361
Compare
tgross
commented
Mar 15, 2023
schmichael
reviewed
Mar 15, 2023
client/client.go
Outdated
| srv := &servers.Server{Addr: addr} | ||
| nomadServers = append(nomadServers, srv) | ||
| } | ||
| if slices.Contains(s.ServiceTags, region) { |
There was a problem hiding this comment.
If we switch to Meta (see below) this will need to change.
However now I think we introduced ordering to our otherwise flexible upgrade procedure (at least one Server would need to be upgraded before any Clients for this to work). 🤔
But wait... what actually happens if a Client in Region A calls Node.Register on a Server in Region B?
- If the Regions are Federated, the Node.Register RPC is Forwarded and replies with the correct server list for Region A!
- If the Regions are not Federated, the Node.Register RPC errors and the Client will try the next Server, presumably until reaching a Server in its own Region.
...except I don't think that will happen for the following reasons: 😭
- The
Client.registerNode()code doesn't appear to use the response it gets from Node.Register! We pluck out the HeartbeatTTL but throw away the Server list. 👎 - If the Regions aren't Federated, we wait up to 30s before retrying the Node.Register RPC. This means for clusters with <1,000 nodes we risk going
downon Client agent restarts just from a single failed Node.Register call! 👎
Have I mentioned lately I hate all of this discovery/registration code and logic? I think it's too clever by half and makes the really critical operations like Restarting Clients really need to Register before HeartbeatTTL extremely difficult to determine/observe/tune. 😞
There was a problem hiding this comment.
I've updated the PR (and the description above) to drop the extra tags/meta on Consul. And then I've updated the registerNode method to use the servers we get back from the response. If we get no servers or a "no path to region", we'll bubble that state up to the retry loop so that it triggers discovery again and hits the fast-path retry rather than the longer retry of 15s.
We don't really have to worry about regions in the Consul discovery step. If we hit a different region and they're federated, the request will be forwarded. If the regions aren't federated (not a very safe topology in general), the node registration will fail and we'll retry. Eliminate the region tags we added to Consul. Have `registerNode` update the server list based on the response we get, and have it return the "no servers" error if we get no servers so that we kick off discovery again and retry immediately rather than 15s later.
tgross
force-pushed
the
client-access-to-status-members
branch
from
307a0c2 to
a7a6cdf
Compare
schmichael
approved these changes
Mar 16, 2023
tgross
changed the title
Status.RPCServers RPC for Consul discoveryStatus RPC for Consul discovery (#16490)
tgross
added
backport/1.3.x
This was referenced Mar 20, 2023
Merged
tgross
added a commit
that referenced
this pull request
Mar 20, 2023
In #16217 we switched clients using Consul discovery to the `Status.Members` endpoint for getting the list of servers so that we're using the correct address. This endpoint has an authorization gate, so this fails if the anonymous policy doesn't have `node:read`. We also can't check the `AuthToken` for the request for the client secret, because the client hasn't yet registered so the server doesn't have anything to compare against. Instead of hitting the `Status.Peers` or `Status.Members` RPC endpoint, use the Consul response directly. Update the `registerNode` method to handle the list of servers we get back in the response; if we get a "no servers" or "no path to region" response we'll kick off discovery again and retry immediately rather than waiting 15s.
tgross
added a commit
that referenced
this pull request
Mar 20, 2023
In #16217 we switched clients using Consul discovery to the `Status.Members` endpoint for getting the list of servers so that we're using the correct address. This endpoint has an authorization gate, so this fails if the anonymous policy doesn't have `node:read`. We also can't check the `AuthToken` for the request for the client secret, because the client hasn't yet registered so the server doesn't have anything to compare against. Instead of hitting the `Status.Peers` or `Status.Members` RPC endpoint, use the Consul response directly. Update the `registerNode` method to handle the list of servers we get back in the response; if we get a "no servers" or "no path to region" response we'll kick off discovery again and retry immediately rather than waiting 15s.
tgross
added a commit
that referenced
this pull request
Mar 20, 2023
In #16217 we switched clients using Consul discovery to the `Status.Members` endpoint for getting the list of servers so that we're using the correct address. This endpoint has an authorization gate, so this fails if the anonymous policy doesn't have `node:read`. We also can't check the `AuthToken` for the request for the client secret, because the client hasn't yet registered so the server doesn't have anything to compare against. Instead of hitting the `Status.Peers` or `Status.Members` RPC endpoint, use the Consul response directly. Update the `registerNode` method to handle the list of servers we get back in the response; if we get a "no servers" or "no path to region" response we'll kick off discovery again and retry immediately rather than waiting 15s. Co-authored-by: Tim Gross <[email protected]>
tgross
added a commit
that referenced
this pull request
Mar 20, 2023
In #16217 we switched clients using Consul discovery to the `Status.Members` endpoint for getting the list of servers so that we're using the correct address. This endpoint has an authorization gate, so this fails if the anonymous policy doesn't have `node:read`. We also can't check the `AuthToken` for the request for the client secret, because the client hasn't yet registered so the server doesn't have anything to compare against. Instead of hitting the `Status.Peers` or `Status.Members` RPC endpoint, use the Consul response directly. Update the `registerNode` method to handle the list of servers we get back in the response; if we get a "no servers" or "no path to region" response we'll kick off discovery again and retry immediately rather than waiting 15s. Co-authored-by: Tim Gross <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #16470
In #16217 we switched clients using Consul discovery to the
Status.Membersendpoint for getting the list of servers so that we're using the correct
address. This endpoint has an authorization gate, so this fails if the anonymous
policy doesn't have
node:read. We also can't check theAuthTokenfor therequest for the client secret, because the client hasn't yet registered so the
server doesn't have anything to compare against.
Instead of hitting the
Status.PeersorStatus.MembersRPC endpoint, use theConsul response directly. Update the
registerNodemethod to handle the list ofservers we get back in the response; if we get a "no servers" or "no path to
region" response we'll kick off discovery again and retry immediately rather
than waiting 15s.