Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add spec.api.onlyBindToAddress configuration #3824

Merged
merged 3 commits into from
Sep 17, 2024
Merged

Add spec.api.onlyBindToAddress configuration #3824

merged 3 commits into from
Sep 17, 2024

Conversation

pschichtel
Copy link
Contributor

I picked up #1038 and rebased it onto main. Smoke tests pass, but not entirely clear what was left here.

From #1038:

Should a new bindAddress option be created and change documentation for the existing address option, or should the existing address option's behavior be changed to match the existing documentation?

The later I can see causing some issues with existing setups, bindAddress is probably the safest route. Currently the default for bindAddress is "0.0.0.0", which is the default kube-api-server uses if the --bind-address flag isn't used.

Issue Fixes #957

What this PR Includes Adds the ability to define a bindAddress for the kube-api-server.

@pschichtel pschichtel requested a review from a team as a code owner December 18, 2023 01:41
@pschichtel pschichtel mentioned this pull request Dec 18, 2023
Closed
twz123
twz123 reviewed Dec 18, 2023
View reviewed changes
Copy link
Member

@twz123 twz123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for picking this up.

I'd double-check if there are some bad interactions with node-local load balancing? I imagine the LB config needs to pick up the correct bind addresses as well?

We should think about some integration test, too, I suppose.

docs/configuration.md Outdated Show resolved Hide resolved
docs/configuration.md Outdated Show resolved Hide resolved
pkg/apis/k0s/v1beta1/api.go Outdated Show resolved Hide resolved
pkg/apis/k0s/v1beta1/api.go Outdated Show resolved Hide resolved
pkg/apis/k0s/v1beta1/api.go Outdated Show resolved Hide resolved
pkg/apis/k0s/v1beta1/api.go Outdated Show resolved Hide resolved
pkg/apis/k0s/v1beta1/api.go Outdated Show resolved Hide resolved
pkg/component/controller/apiserver.go Outdated Show resolved Hide resolved
pkg/apis/k0s/v1beta1/api.go Outdated Show resolved Hide resolved
@pschichtel pschichtel force-pushed the feature/bind-address branch 7 times, most recently from 5d4f908 to 86eeb7b Compare December 18, 2023 21:31
@twz123
Copy link
Member

twz123 commented Dec 19, 2023

Okay, some things to proceed with:

  • We need an integration test. Need to come up with a scenario for that, i.e. what is to be tested.
  • We need to double-check if this plays nicely with nllb and other things. Do we need to update the docs on e.g. external load balancing? How would this affect k0sctl, if at all?

@pschichtel
Copy link
Contributor Author

We need an integration test. Need to come up with a scenario for that, i.e. what is to be tested.

I'm not very familiar with the code base yet, can you point me to examples for integration tests?

We need to double-check if this plays nicely with nllb and other things.

I'd have to look into how nllb works exactly. Depending on how the upstream connection is made its configuration probably needs adjustments.

Do we need to update the docs on e.g. external load balancing?

I guess a disclaimer like "if you change the bind address make sure to align your external load balancer" or so. I feel like people changing bind addresses are probably aware of the impact. But that's just my opinion.

How would this affect k0sctl, if at all?

k0sctl would need to interact with the API server on the correct IP, wouldn't it?

@pschichtel pschichtel force-pushed the feature/bind-address branch from a27e9fd to 81c1516 Compare January 6, 2024 01:05
@michaelbeaumont michaelbeaumont mentioned this pull request Jan 11, 2024
Closed
16 tasks
@twz123
Copy link
Member

twz123 commented Jan 11, 2024

Sorry for getting back to you so late @pschichtel. I'll bluntly blame the holiday season for that. 😅

We need an integration test. Need to come up with a scenario for that, i.e. what is to be tested.

I'm not very familiar with the code base yet, can you point me to examples for integration tests?

We need to double-check if this plays nicely with nllb and other things.

I'd have to look into how nllb works exactly. Depending on how the upstream connection is made its configuration probably needs adjustments.

We could try to start with the existing nllb inttest, copy that over into a separate directory and start hacking on the new one. You can probably delete all the cluster-restart stuff in there, and just rely on the cluster bootstrapping part. You need to add the new directory name to inttest/Makefile.variables. Then you should be able to do something like make check-yolo (or whatever the name is you choose.)

Might make sense to simply try to overwrite the bind addresses of every component that you can get hold of and see what happens to the cluster.

Do we need to update the docs on e.g. external load balancing?

I guess a disclaimer like "if you change the bind address make sure to align your external load balancer" or so. I feel like people changing bind addresses are probably aware of the impact. But that's just my opinion.

Sounds good enough for the start.

How would this affect k0sctl, if at all?

k0sctl would need to interact with the API server on the correct IP, wouldn't it?

Yes. Would it need to look at the k0s config to figure this out? Or would it "just work"? Maybe @kke can tell.

@pschichtel
Copy link
Contributor Author

Sorry for getting back to you so late @pschichtel. I'll bluntly blame the holiday season for that. 😅

No worries, I don't have any rush with this one.

We could try to start with the existing nllb inttest, copy that over into a separate directory and start hacking on the new one. You can probably delete all the cluster-restart stuff in there, and just rely on the cluster bootstrapping part. You need to add the new directory name to inttest/Makefile.variables. Then you should be able to do something like make check-yolo (or whatever the name is you choose.)

Might make sense to simply try to overwrite the bind addresses of every component that you can get hold of and see what happens to the cluster.

Makes sense, I'll have a go at that.

@pschichtel pschichtel force-pushed the feature/bind-address branch from 81c1516 to d5c491e Compare January 29, 2024 02:15
@twz123
Copy link
Member

twz123 commented Feb 19, 2024

(The linter error will go away after a rebase. See #3991 for details.)

@pschichtel
Copy link
Contributor Author

yeah I plan to work on this again towards the end of this week

@andycandy-de
Copy link

Any idea when this feature will be available? I also have multiple IPs and only want to bind the k0scontroller to a specific IP.

@pschichtel
Copy link
Contributor Author

@andycandy-de sadly this had to be pushed back a little in my prio list, but I still intent to eventuelly finish this up. I think some of the recent k0s/k8s releases also added additional components, which probably needs/deserves some investigation. I'm currently unable to work on it until mid of April, so no sooner than that.

@pschichtel pschichtel force-pushed the feature/bind-address branch from 22ddd5f to 241f2e4 Compare April 14, 2024 09:25
twz123
twz123 reviewed Apr 16, 2024
View reviewed changes
pkg/apis/k0s/v1beta1/api.go Outdated Show resolved Hide resolved
pkg/apis/k0s/v1beta1/api_test.go Outdated Show resolved Hide resolved
@pschichtel pschichtel force-pushed the feature/bind-address branch from 241f2e4 to 42a1627 Compare April 16, 2024 19:50
@pschichtel
Copy link
Contributor Author

Great. I'm currently on the go, but can probably clean this up on Sunday.

@github-actions GitHub Actions
Copy link
Contributor

This pull request has merge conflicts that need to be resolved.

@jnummelin jnummelin added this to the 1.31 milestone Sep 6, 2024
@twz123 twz123 changed the title Add spec.api.bindAddress configuration Add spec.api.onlyBindToAddress configuration Sep 6, 2024
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 6, 2024

This pull request has merge conflicts that need to be resolved.

@pschichtel pschichtel force-pushed the feature/bind-address branch 2 times, most recently from 142dd33 to 2f1d5b5 Compare September 6, 2024 21:39
@pschichtel
Copy link
Contributor Author

Is that failing job just flakyness? It seems to exceeded a deadline unrelated to my change, right?

@twz123
Copy link
Member

twz123 commented Sep 10, 2024

Yep, the inttests are quite a bit flaky, unfortunately.

gakio12 and others added 3 commits September 15, 2024 20:58
@gakio12 @pschichtel
Add spec.api.bindAddress configuration
548dc41 
Signed-off-by: Alex Hutchins <[email protected]>
Signed-off-by: gakio12 <[email protected]>
Signed-off-by: Phillip Schichtel <[email protected]>

# Conflicts:
#	cmd/controller/certificates.go
@pschichtel
Add an integration test for spec.api.bindAddress
e799ec7 
Signed-off-by: Phillip Schichtel <[email protected]>
@pschichtel
replace BindAddress by Address and OnlyBindToAddress
a759281 
Signed-off-by: Phillip Schichtel <[email protected]>
twz123
twz123 approved these changes Sep 17, 2024
View reviewed changes
Copy link
Member

@twz123 twz123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@twz123 twz123 merged commit d9473da into k0sproject:main Sep 17, 2024
88 checks passed
@mback2k
Copy link

mback2k commented Oct 10, 2024

k0sctl will need to be tweaked to support this as it currently tries to validate the API server coming up this way:

executing `curl -kso /dev/null --connect-timeout 20 -w \"%{http_code}\" \"https://localhost:6443/version\"`"

and then fails this way:

INFO ==> Running phase: Upgrade controllers 
INFO [ssh] ...: starting upgrade   
INFO [ssh] ...: waiting for the k0s service to start 
INFO * Running clean-up for phase: Acquire exclusive host lock 
INFO * Running clean-up for phase: Upgrade controllers 
INFO ==> Apply failed

@twz123
Copy link
Member

twz123 commented Oct 11, 2024

@mback2k Mind creating a k0sctl issue for that?

@mback2k mback2k mentioned this pull request Oct 11, 2024
Closed
@kke kke mentioned this pull request Oct 14, 2024
Merged
This was referenced Jan 9, 2025
Closed
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jnummelin jnummelin jnummelin left review comments

@kke kke kke left review comments

@twz123 twz123 twz123 approved these changes

@makhov makhov Awaiting requested review from makhov makhov is a code owner automatically assigned from k0sproject/k0s-maintainers

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.31
Development

Successfully merging this pull request may close these issues.

Changing "bind-address" of kube-api
8 participants
@pschichtel @twz123 @andycandy-de @jr200 @mback2k @kke @jnummelin @gakio12