agentless: support updating health checks on consul clients during an upgrade to agentless #1690
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ishustava
force-pushed
the
ishustava/agentless-upgrades
branch
2 times, most recently
from
a945604
to
dedcc3f
Compare
ishustava
commented
Nov 9, 2022
| @@ -236,24 +236,12 @@ spec: | |||
| {{- end }} | |||
| {{- end }} | |||
|
|
|||
| {{- if .Values.global.consulSidecarContainer }} | |||
There was a problem hiding this comment.
These flags are no longer used
There was a problem hiding this comment.
The removal of these are actually in the PR I am working on right now as I missed them last week. I will remove them from my commits and we'll leave them in yours.
There was a problem hiding this comment.
Hopefully the rebase of main onto your PR should automatically clear some of that from your commits.
ishustava
commented
Nov 9, 2022
Comment on lines
+303
to
+308
| items: | ||
| - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} | ||
| path: tls.crt |
There was a problem hiding this comment.
My IDE decided to format these
There was a problem hiding this comment.
clearly our IDEs disagree on how YAML slices should be indented 😭
ishustava
force-pushed
the
ishustava/refactor-connect-inject-package
branch
2 times, most recently
from
d5e5ebd
to
35ea3e0
Compare
ishustava
force-pushed
the
ishustava/agentless-upgrades
branch
from
dedcc3f
to
da5d6c5
Compare
Base automatically changed from
ishustava/refactor-connect-inject-package
to
main
November 9, 2022 22:11
ishustava
force-pushed
the
ishustava/agentless-upgrades
branch
2 times, most recently
from
500aff3
to
d11b712
Compare
… upgrade to agentless
ishustava
force-pushed
the
ishustava/agentless-upgrades
branch
from
d11b712
to
dd486be
Compare
thisisnotashwin
approved these changes
Nov 10, 2022
control-plane/connect-inject/controllers/endpoints/consul_client_health_checks.go
Outdated
Show resolved
Hide resolved
Comment on lines
+51
to
+74
| if r.EnableAutoEncrypt { | ||
| // Get Connect CA. | ||
| caRoots, _, err := serverClient.Agent().ConnectCARoots(nil) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| if caRoots == nil { | ||
| return nil, fmt.Errorf("ca root list is nil") | ||
| } | ||
| if caRoots.Roots == nil { | ||
| return nil, fmt.Errorf("ca roots is nil") | ||
| } | ||
| if len(caRoots.Roots) == 0 { | ||
| return nil, fmt.Errorf("the list of root CAs is empty") | ||
| } | ||
|
|
||
| for _, root := range caRoots.Roots { | ||
| if root.Active { | ||
| ccCfg.TLSConfig.CAFile = "" | ||
| ccCfg.TLSConfig.CAPem = []byte(root.RootCertPEM) | ||
| break | ||
| } | ||
| } | ||
| } |
| } | ||
| } | ||
|
|
||
| func TestConsulClientForNodeAgent(t *testing.T) { |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes proposed in this PR:
We will need to handle the case when a user has many applications on the service mesh and needs to take time to re-inject all those applications. If that is the case, there may be situations where the application changes its health status, but because it still hasn’t been re-started (re-injected), its health status needs to be synced into Consul clients rather than servers the way we used to do before. To do this, we will add a new annotation to all pods pointing to the current
consul-k8s version: consul.hashicorp.com/consul-k8s-version: 1.0.0. If this annotation is not there or if the version is less than the version that supports “agentless”, we will continue to sync health checks to Consul clients for that particular podHow I've tested this PR:
manual upgrade testing in multiple setups (not-secure, tls, tls +acls, tls+auto-encrypt+acls)
How I expect reviewers to test this PR:
👀
Checklist: