

Add documentation to inform users that Transparent Proxy and Mesh should
not be set via the CRD
thisisnotashwin committed Apr 27, 2021
1 parent cd685e2 commit 9747805
Showing 6 changed files with 213 additions and 21 deletions.
2 changes: 2 additions & 0 deletions api/v1alpha1/proxydefaults_types.go
@@ -63,6 +63,8 @@ type ProxyDefaultsSpec struct {
// Expose controls the default expose path configuration for Envoy.
Expose Expose `json:"expose,omitempty"`
// TransparentProxy controls configuration specific to proxies in transparent mode.
// Note: This cannot be set using the CRD and should be set using annotations on the
// services that are part of the mesh.
TransparentProxy *TransparentProxy `json:"transparentProxy,omitempty"`
}

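Review bot: The new comment on `TransparentProxy` says it cannot be set through the CRD, but the field keeps its `json:"transparentProxy,omitempty"` tag and stays in the generated schema, so a user who sets it gets neither a rejection nor a warning; the same applies to `TransparentProxy` and `Mode` in servicedefaults_types.go. If these are meant to be annotation-only, the type's `validate` should return a `field.Forbidden` error when they are non-nil (that code is outside this commit, so I cannot tell whether it already does), or the comment should state what actually happens to a value that is set, e.g. `// Values set here are ignored by the controller; use the service annotations instead.` if that is the behaviour. A comment alone does not stop the value from being forwarded: `ServiceDefaults.ToConsul` in servicedefaults_types.go visibly passes `in.Spec.TransparentProxy.toConsul()` through to Consul.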
73 changes: 63 additions & 10 deletions api/v1alpha1/servicedefaults_types.go
@@ -1,8 +1,6 @@
package v1alpha1

import (
"time"

"github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts"
capi "github.com/hashicorp/consul/api"
@@ -58,12 +56,16 @@ type ServiceDefaultsSpec struct {
// to be changed to a non-connect value when federating with an external system.
ExternalSNI string `json:"externalSNI,omitempty"`
// TransparentProxy controls configuration specific to proxies in transparent mode.
// Note: This cannot be set using the CRD and should be set using annotations on the
// services that are part of the mesh.
TransparentProxy *TransparentProxy `json:"transparentProxy,omitempty"`
// Mode can be one of direct or transparent. transparent represents that inbound and outbound
// and outbound application traffic is being captured and redirected through the proxy. This
// mode does not enable the traffic redirection itself. Instead it signals Consul to configure
// Envoy as if traffic is already being redirected. direct represents that the proxy's
// listeners must be dialed directly by the local application and other proxies.
// Mode can be one of "direct" or "transparent". "transparent" represents that inbound and outbound
// application traffic is being captured and redirected through the proxy. This mode does not
// enable the traffic redirection itself. Instead it signals Consul to configure Envoy as if
// traffic is already being redirected. "direct" represents that the proxy's listeners must be
// dialed directly by the local application and other proxies.
// Note: This cannot be set using the CRD and should be set using annotations on the
// services that are part of the mesh.
Mode *ProxyMode `json:"mode,omitempty"`
// UpstreamConfig controls default configuration settings that apply across all upstreams,
// and per-upstream configuration overrides. Note that per-upstream configuration applies
@@ -97,7 +99,7 @@ type Upstream struct {
// will be ignored if a discovery chain is active.
EnvoyClusterJSON string `json:"envoyClusterJSON,omitempty"`
// Protocol describes the upstream's service protocol. Valid values are "tcp",
// "http" and "grpc". Anything else is treated as tcp. The enables protocol
// "http" and "grpc". Anything else is treated as tcp. This enables protocol
// aware features like per-request metrics and connection pooling, tracing,
// routing etc.
Protocol string `json:"protocol,omitempty"`
@@ -110,7 +112,7 @@ type Upstream struct {
// PassiveHealthCheck configuration determines how upstream proxy instances will
// be monitored for removal from the load balancing pool.
PassiveHealthCheck *PassiveHealthCheck `json:"passiveHealthCheck,omitempty"`
// MeshGatewayConfig controls how Mesh Gateways are configured and used
// MeshGatewayConfig controls how Mesh Gateways are configured and used.
MeshGateway MeshGateway `json:"meshGateway,omitempty"`
}

@@ -136,7 +138,7 @@ type UpstreamLimits struct {
type PassiveHealthCheck struct {
// Interval between health check analysis sweeps. Each sweep may remove
// hosts or return hosts to the pool.
Interval time.Duration `json:"interval,omitempty"`
Interval metav1.Duration `json:"interval,omitempty"`
// MaxFailures is the count of consecutive failures that results in a host
// being removed from the pool.
MaxFailures uint32 `json:"maxFailures,omitempty"`
@@ -226,6 +228,7 @@ func (in *ServiceDefaults) ToConsul(datacenter string) capi.ConfigEntry {
Expose: in.Spec.Expose.toConsul(),
ExternalSNI: in.Spec.ExternalSNI,
TransparentProxy: in.Spec.TransparentProxy.toConsul(),
UpstreamConfig: in.Spec.UpstreamConfig.toConsul(),
Meta: meta(datacenter),
}
}
@@ -277,13 +280,63 @@ func (in *Upstreams) validate(path *field.Path) field.ErrorList {
return errs
}

func (in *Upstreams) toConsul() *capi.UpstreamConfiguration {
if in == nil {
return nil
}
upstreams := &capi.UpstreamConfiguration{}
upstreams.Defaults = in.Defaults.toConsul()
for _, override := range in.Overrides {
upstreams.Overrides = append(upstreams.Overrides, override.toConsul())
}
return upstreams
}

func (in *Upstream) validate(path *field.Path) *field.Error {
if in == nil {
return nil
}
return in.MeshGateway.validate(path.Child("meshGateway"))
}

func (in *Upstream) toConsul() *capi.UpstreamConfig {
if in == nil {
return nil
}
return &capi.UpstreamConfig{
Name: in.Name,
Namespace: in.Namespace,
EnvoyListenerJSON: in.EnvoyListenerJSON,
EnvoyClusterJSON: in.EnvoyClusterJSON,
Protocol: in.Protocol,
ConnectTimeoutMs: in.ConnectTimeoutMs,
Limits: in.Limits.toConsul(),
PassiveHealthCheck: in.PassiveHealthCheck.toConsul(),
MeshGateway: in.MeshGateway.toConsul(),
}
}

func (in *UpstreamLimits) toConsul() *capi.UpstreamLimits {
if in == nil {
return nil
}
return &capi.UpstreamLimits{
MaxConnections: in.MaxConnections,
MaxPendingRequests: in.MaxPendingRequests,
MaxConcurrentRequests: in.MaxConcurrentRequests,
}
}

func (in *PassiveHealthCheck) toConsul() *capi.PassiveHealthCheck {
if in == nil {
return nil
}
return &capi.PassiveHealthCheck{
Interval: in.Interval.Duration,
MaxFailures: in.MaxFailures,
}
}

// DefaultNamespaceFields has no behaviour here as service-defaults have no namespace specific fields.
func (in *ServiceDefaults) DefaultNamespaceFields(_ bool, _ string, _ bool, _ string) {
return
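Review bot: The new `Upstream.validate` only checks the mesh gateway, while the new `Upstream.toConsul` forwards `EnvoyListenerJSON` and `EnvoyClusterJSON` verbatim, so malformed JSON supplied through the CRD is accepted at admission and only fails later inside Consul/Envoy. Since these strings are user-supplied input, a `json.Valid` check here gives the author a field-level error at apply time instead of an opaque failure downstream; the rewrite below needs `encoding/json` added to the import block in the first hunk. `Upstreams.validate` starts outside this section, so I cannot confirm whether it already covers these fields. Separately, switching `PassiveHealthCheck.Interval` to `metav1.Duration` changes the CRD schema for `interval` from integer to string, which will reject any existing manifest that set it numerically, if such manifests have shipped.
```go
func (in *Upstream) validate(path *field.Path) *field.Error {
	if in == nil {
		return nil
	}
	// These strings are handed to Consul/Envoy unchanged; reject malformed JSON at admission time.
	if in.EnvoyListenerJSON != "" && !json.Valid([]byte(in.EnvoyListenerJSON)) {
		return field.Invalid(path.Child("envoyListenerJSON"), in.EnvoyListenerJSON, "must be valid JSON")
	}
	if in.EnvoyClusterJSON != "" && !json.Valid([]byte(in.EnvoyClusterJSON)) {
		return field.Invalid(path.Child("envoyClusterJSON"), in.EnvoyClusterJSON, "must be valid JSON")
	}
	return in.MeshGateway.validate(path.Child("meshGateway"))
}
```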
138 changes: 138 additions & 0 deletions api/v1alpha1/servicedefaults_types_test.go
@@ -66,6 +66,76 @@ func TestServiceDefaults_ToConsul(t *testing.T) {
TransparentProxy: &TransparentProxy{
OutboundListenerPort: 1000,
},
UpstreamConfig: &Upstreams{
Defaults: &Upstream{
Name: "upstream-default",
Namespace: "ns",
EnvoyListenerJSON: `{"key": "value"}`,
EnvoyClusterJSON: `{"key": "value"}`,
Protocol: "http2",
ConnectTimeoutMs: 10,
Limits: &UpstreamLimits{
MaxConnections: intPointer(10),
MaxPendingRequests: intPointer(10),
MaxConcurrentRequests: intPointer(10),
},
PassiveHealthCheck: &PassiveHealthCheck{
Interval: metav1.Duration{
Duration: 2 * time.Second,
},
MaxFailures: uint32(20),
},
MeshGateway: MeshGateway{
Mode: "local",
},
},
Overrides: []*Upstream{
{
Name: "upstream-override-1",
Namespace: "ns",
EnvoyListenerJSON: `{"key": "value"}`,
EnvoyClusterJSON: `{"key": "value"}`,
Protocol: "http2",
ConnectTimeoutMs: 15,
Limits: &UpstreamLimits{
MaxConnections: intPointer(5),
MaxPendingRequests: intPointer(5),
MaxConcurrentRequests: intPointer(5),
},
PassiveHealthCheck: &PassiveHealthCheck{
Interval: metav1.Duration{
Duration: 2 * time.Second,
},
MaxFailures: uint32(10),
},
MeshGateway: MeshGateway{
Mode: "remote",
},
},
{
Name: "upstream-default",
Namespace: "ns",
EnvoyListenerJSON: `{"key": "value"}`,
EnvoyClusterJSON: `{"key": "value"}`,
Protocol: "http2",
ConnectTimeoutMs: 10,
Limits: &UpstreamLimits{
MaxConnections: intPointer(2),
MaxPendingRequests: intPointer(2),
MaxConcurrentRequests: intPointer(2),
},
PassiveHealthCheck: &PassiveHealthCheck{
Interval: metav1.Duration{
Duration: 2 * time.Second,
},
MaxFailures: uint32(10),
},
MeshGateway: MeshGateway{
Mode: "remote",
},
},
},
},
},
},
&capi.ServiceConfigEntry{
@@ -96,6 +166,70 @@ func TestServiceDefaults_ToConsul(t *testing.T) {
TransparentProxy: &capi.TransparentProxyConfig{
OutboundListenerPort: 1000,
},
UpstreamConfig: &capi.UpstreamConfiguration{
Defaults: &capi.UpstreamConfig{
Name: "upstream-default",
Namespace: "ns",
EnvoyListenerJSON: `{"key": "value"}`,
EnvoyClusterJSON: `{"key": "value"}`,
Protocol: "http2",
ConnectTimeoutMs: 10,
Limits: &capi.UpstreamLimits{
MaxConnections: intPointer(10),
MaxPendingRequests: intPointer(10),
MaxConcurrentRequests: intPointer(10),
},
PassiveHealthCheck: &capi.PassiveHealthCheck{
Interval: 2 * time.Second,
MaxFailures: uint32(20),
},
MeshGateway: capi.MeshGatewayConfig{
Mode: "local",
},
},
Overrides: []*capi.UpstreamConfig{
{
Name: "upstream-override-1",
Namespace: "ns",
EnvoyListenerJSON: `{"key": "value"}`,
EnvoyClusterJSON: `{"key": "value"}`,
Protocol: "http2",
ConnectTimeoutMs: 15,
Limits: &capi.UpstreamLimits{
MaxConnections: intPointer(5),
MaxPendingRequests: intPointer(5),
MaxConcurrentRequests: intPointer(5),
},
PassiveHealthCheck: &capi.PassiveHealthCheck{
Interval: 2 * time.Second,
MaxFailures: uint32(10),
},
MeshGateway: capi.MeshGatewayConfig{
Mode: "remote",
},
},
{
Name: "upstream-default",
Namespace: "ns",
EnvoyListenerJSON: `{"key": "value"}`,
EnvoyClusterJSON: `{"key": "value"}`,
Protocol: "http2",
ConnectTimeoutMs: 10,
Limits: &capi.UpstreamLimits{
MaxConnections: intPointer(2),
MaxPendingRequests: intPointer(2),
MaxConcurrentRequests: intPointer(2),
},
PassiveHealthCheck: &capi.PassiveHealthCheck{
Interval: 2 * time.Second,
MaxFailures: uint32(10),
},
MeshGateway: capi.MeshGatewayConfig{
Mode: "remote",
},
},
},
},
Meta: map[string]string{
common.SourceKey: common.SourceValue,
common.DatacenterKey: "datacenter",
@@ -528,3 +662,7 @@ func TestServiceDefaults_ObjectMeta(t *testing.T) {
}
require.Equal(t, meta, serviceDefaults.GetObjectMeta())
}

func intPointer(i int) *int {
return &i
}
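Review bot: The added case only exercises a fully populated `UpstreamConfig`, so none of the nil guards in the new `toConsul` methods (`Upstreams`, `Upstream`, `UpstreamLimits`, `PassiveHealthCheck`) are hit, and a nil element inside `Overrides` is not covered either. A second table entry such as `UpstreamConfig: &Upstreams{Overrides: []*Upstream{nil, {Name: "x"}}}` with no `Defaults`, `Limits` or `PassiveHealthCheck` would pin the intended behaviour for those paths, in particular whether a nil override is dropped or forwarded as a nil entry. `TestServiceDefaults_ToConsul` begins before this section, so the surrounding table layout is not visible here.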
1 change: 1 addition & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


2 changes: 1 addition & 1 deletion config/crd/bases/consul.hashicorp.com_proxydefaults.yaml
@@ -82,7 +82,7 @@ spec:
type: string
type: object
transparentProxy:
description: TransparentProxy controls configuration specific to proxies in transparent mode.
description: 'TransparentProxy controls configuration specific to proxies in transparent mode. Note: This cannot be set using the CRD and should be set using annotations on the services that are part of the mesh.'
properties:
outboundListenerPort:
description: The port of the listener where outbound application traffic is being redirected to.
18 changes: 8 additions & 10 deletions config/crd/bases/consul.hashicorp.com_servicedefaults.yaml
@@ -81,13 +81,13 @@ spec:
type: string
type: object
mode:
description: Mode can be one of direct or transparent. transparent represents that inbound and outbound and outbound application traffic is being captured and redirected through the proxy. This mode does not enable the traffic redirection itself. Instead it signals Consul to configure Envoy as if traffic is already being redirected. direct represents that the proxy's listeners must be dialed directly by the local application and other proxies.
description: 'Mode can be one of "direct" or "transparent". "transparent" represents that inbound and outbound application traffic is being captured and redirected through the proxy. This mode does not enable the traffic redirection itself. Instead it signals Consul to configure Envoy as if traffic is already being redirected. "direct" represents that the proxy''s listeners must be dialed directly by the local application and other proxies. Note: This cannot be set using the CRD and should be set using annotations on the services that are part of the mesh.'
type: string
protocol:
description: Protocol sets the protocol of the service. This is used by Connect proxies for things like observability features and to unlock usage of the service-splitter and service-router config entries for a service.
type: string
transparentProxy:
description: TransparentProxy controls configuration specific to proxies in transparent mode.
description: 'TransparentProxy controls configuration specific to proxies in transparent mode. Note: This cannot be set using the CRD and should be set using annotations on the services that are part of the mesh.'
properties:
outboundListenerPort:
description: The port of the listener where outbound application traffic is being redirected to.
@@ -122,7 +122,7 @@ spec:
type: integer
type: object
meshGateway:
description: MeshGatewayConfig controls how Mesh Gateways are configured and used
description: MeshGatewayConfig controls how Mesh Gateways are configured and used.
properties:
mode:
description: Mode is the mode that should be used for the upstream connection. One of none, local, or remote.
@@ -139,15 +139,14 @@ spec:
properties:
interval:
description: Interval between health check analysis sweeps. Each sweep may remove hosts or return hosts to the pool.
format: int64
type: integer
type: string
maxFailures:
description: MaxFailures is the count of consecutive failures that results in a host being removed from the pool.
format: int32
type: integer
type: object
protocol:
description: Protocol describes the upstream's service protocol. Valid values are "tcp", "http" and "grpc". Anything else is treated as tcp. The enables protocol aware features like per-request metrics and connection pooling, tracing, routing etc.
description: Protocol describes the upstream's service protocol. Valid values are "tcp", "http" and "grpc". Anything else is treated as tcp. This enables protocol aware features like per-request metrics and connection pooling, tracing, routing etc.
type: string
type: object
overrides:
@@ -177,7 +176,7 @@ spec:
type: integer
type: object
meshGateway:
description: MeshGatewayConfig controls how Mesh Gateways are configured and used
description: MeshGatewayConfig controls how Mesh Gateways are configured and used.
properties:
mode:
description: Mode is the mode that should be used for the upstream connection. One of none, local, or remote.
@@ -194,15 +193,14 @@ spec:
properties:
interval:
description: Interval between health check analysis sweeps. Each sweep may remove hosts or return hosts to the pool.
format: int64
type: integer
type: string
maxFailures:
description: MaxFailures is the count of consecutive failures that results in a host being removed from the pool.
format: int32
type: integer
type: object
protocol:
description: Protocol describes the upstream's service protocol. Valid values are "tcp", "http" and "grpc". Anything else is treated as tcp. The enables protocol aware features like per-request metrics and connection pooling, tracing, routing etc.
description: Protocol describes the upstream's service protocol. Valid values are "tcp", "http" and "grpc". Anything else is treated as tcp. This enables protocol aware features like per-request metrics and connection pooling, tracing, routing etc.
type: string
type: object
type: array

