-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Made base transport layer force ipv4 usage if ipv6 is not supported #10485
Conversation
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are.
|
Tests analyticsTotal tests: Click here to see the affected service packagesall service packages are affected
|
Adding @ScottSuarez as a mandatory reviewer- we should ensure that MTLS is not broken as a result of this change. |
trans := http.DefaultTransport.(*http.Transport).Clone() | ||
// Increase MaxIdleConnsPerHost due to reported performance issues under load in the | ||
// GCS client. | ||
trans.MaxIdleConnsPerHost = 100 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I'm understanding correctly, these tweaks are from here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yep!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great, you did mention it in the comment, but I'll leave the link here just for posterity
// default transport and makes some tweaks to match best practices | ||
// from google-api-go-client, as well as ensuring that IPv6 does | ||
// not get used in environments that don't support it. | ||
func baseTransport() (http.RoundTripper, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I may be missing something here, but why can't we reuse the google-api-go-client's NewClient method and override the given transport's dial context after?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
http.Client's Transport is a RoundTripper rather than a Transport, so we would need to cast it back to a Transport in order to do that. I don't see a reason that wouldn't work, and that would've been a lot easier to implement.
I think, having dug through the code, I would slightly prefer this way because we know exactly what we're getting and don't have to worry about the intricacies of NewClient.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that's reasonable now that we've gone through the code. My only concerns are about missing something, but I've gone through it myself now and everything seems in order.
Do we want a provider-wide changelog note? |
added |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM for non-MTLS stuff
We are expecting some user-facing impact right? Specifically user's facing hashicorp/terraform-provider-google#6782 will now have their ipv4 settings honored? |
🤦 yep. yep. we sure are. fixed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As is, this pr will likely break mtls.
Mtls endpoint switch is detected here:
https://github.com/modular-magician/terraform-provider-google-beta/blob/5c35eba9eb80027ba7ca98ebc3dddbf3229500af/google-beta/provider/mtls_util.go#L19
https://github.com/googleapis/google-api-go-client/blob/81ccc7e5305f4913388c254b39144c9a144abb20/internal/cba.go#L289
https://github.com/google/s2a-go/blob/fcfd1dacc64be11cc3532ab6a7e1cdd1a3e4b69e/s2a.go#L361
The long term solution was the switch to the DCL (at the time).
They have a testing playbook for mtls here:
https://docs.google.com/document/d/1MeAoY-XQ2O1DmP_PZDYWS1PFx9vkZ4qWwnhSV0_kfPU/edit?tab=t.0#heading=h.r7dggrs9pw6r
// from google-api-go-client, as well as ensuring that IPv6 does | ||
// not get used in environments that don't support it. | ||
func baseTransport() (http.RoundTripper, error) { | ||
trans := http.DefaultTransport.(*http.Transport).Clone() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We switched to using the goapis transport since it has the capability of auto discovering the client certificate apart of for mtls handshake.
https://docs.google.com/document/d/10tFeBhvTgtKl9XwMXbuKOPzq9mGdV-RSyLuXOQtRZos/edit?tab=t.0
https://docs.google.com/document/d/1Ns3gnY94yV07-mMFaISY3CZi5DJwCKb_6A2OGseRT60/edit?tab=t.0
https://docs.google.com/document/d/14Y2PyzXJS1yvvPY9yYK54jsA-V8o6Vdvbom9GBeP2FY/edit?tab=t.0
The clientCertSource contains the auto loaded mtls credentials.
https://github.com/googleapis/google-api-go-client/blob/707b9b287dc37fb07c2553c0391f83995f1420a6/transport/http/dial.go#L37
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Marking request changes so that we can't click the big green button accidentally
Unfortunately the "just override the transport's dialcontext" approach is not feasible because the base transport is wrapped a few times and two of them use private fields to store the wrapped RoundTripper. |
yaqs/5034757202074664960 |
I'm going to attempt to get this change made in google-api-go-client |
@melinath, this PR is waiting for action from you. Please address any comments or change requests, or re-request review from a core reviewer if no action is required. If no action is taken, this PR will be closed in 14 days. This notification can be disabled with the |
Hey! I'm closing this PR as a part of a cleanup of older inactive PRs, using a threshold of PRs last updated over 3 months ago. This doesn't represent rejection of the change, and feel free to comment for me to reopen it if you plan to pick it back up, or feel free to start a new PR with the same changes in the future. |
Fixes hashicorp/terraform-provider-google#6782
Workaround for golang/go#25321
Note that while I was able to reproduce the Go issue, I was not able to reproduce the TF issue - there seems to be some amount of randomness in terms of when it presents. However, this seems to be the best option for working around the issue.
This PR also removes a lot of complexity that was previously implicitly part of our transport setup via transport.NewHTTPClient and that was mostly unused. (I traced through the code to boil it down to the
10 or so6 lines we were actually using.)yaqs/47302089738551296
Release Note Template for Downstream PRs (will be copied)