Support Consul namespaces in consul-k8s #197
Merged
Conversation
FYI: we'll need #202 before we merge this. Otherwise, envoy fails to start because the bootstrap config has values that aren't supported in our default version.
lkysow reviewed Feb 20, 2020
lkysow reviewed Feb 20, 2020
lkysow approved these changes Feb 20, 2020
🎉 only 7000 lines of code, no big deal 😆
adilyse force-pushed the namespace branch 2 times, most recently from 3c9da96 to 08038cb on February 20, 2020 23:12
Personally I find the
This was a major change to the internals of most of the consul-k8s commands. As part of the work, there were other changes that affect folks not using namespaces as well. Details are broken down by process.

Catalog Sync

Namespaces: This allows the catalog sync process to support Consul namespaces, an Enterprise feature. It supports no namespaces (OSS), syncing k8s services into a single Consul namespace, and mirroring k8s namespaces in Consul with an optional prefix.

Beyond namespaces:
- Updates the settings for which k8s namespaces to sync. These are now based on allow and deny lists, rather than the two previous options of (1) a single k8s namespace, or (2) all k8s namespaces except `kube-system`. This change is backwards compatible; however, if a user upgrades consul-k8s without upgrading the Helm chart as well, there will be a slight difference in behavior for (2) in that it won't automatically exclude `kube-system` on its own.
- The underlying call to Consul to retrieve services has been switched to retrieve services by the synthetic node `k8s-sync`. This causes a slight behavior change in that we will no longer remove services with the `ConsulK8STag` if they aren't attached to the `k8s-sync` node.
- Fixes a hot loop bug when getting an error from Consul while retrieving service information.
- Moves `c.sigCh` initialization to the init method to fix a race condition occurring in tests.
- Adds additional debug logging to resource.go and syncer.go.

ACL Bootstrapping

Namespaces: Updates all policies that are created by the bootstrapper to include namespace permissions as needed. Updates the Connect Injector's AuthMethod to reflect the namespace registration settings (single destination, mirroring, mirroring with prefix). When namespaces are enabled, all policies and tokens for consul-k8s components are created within the Consul `default` namespace. This is required for any cross-namespace permissions and, in the case of catalog sync and the connect injector, the ability to create Consul namespaces. Additionally, a specific cross-namespace policy is created so that it can be attached to all created namespaces to allow service discovery between Consul namespaces. This makes sure all policies are updated if the acl bootstrapping job is rerun, which happens on a helm upgrade. This allows someone upgrading to a version that includes namespaces, or changing their namespacing config, to also update the policies associated with their acl tokens to reflect that change.

Beyond namespaces:
- Separates auth method and binding rule checking logic. If a binding rule exists already, it is now always updated, which supports config updates.
- To make it easier to work with the code, it now uses a shared logger and has been split into smaller files.
- Updates mesh gateway acl policies with the correct permissions.

Connect Injector

Namespaces: This adds namespace config options for registering injected services into a single namespace as well as mirroring k8s namespaces in Consul with an optional prefix. It adds functionality to check for Consul namespace existence and create new namespaces. Service and proxy registration as well as service-defaults have been updated to be namespace aware. Adds additional parsing of the upstream annotation to support namespaces. The format of the annotation becomes:

`service_name.namespace:port:optional_datacenter`

The `service_name.namespace` is only parsed if namespaces are enabled. If someone has added a `.namespace` when namespaces are not enabled, the upstream will not work correctly, as is the case where someone has put in an incorrect service name, port or datacenter. The upstream definitions in the service registration file include the namespace from the annotation. If it wasn't present in the annotation, no namespace is included. This will automatically fall back to assuming the service is in the same namespace as the service defining the upstream.

Beyond namespaces: Updates the default envoy version to 1.13.0.
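The three catalog sync namespace modes (no namespaces, single destination namespace, mirroring with an optional prefix) and the allow/deny lists for k8s namespaces, worked through as an added Go example. This is example code written for this page, not consul-k8s's own implementation; the `SyncConfig` field names, the rule that the deny list always wins over the allow list, and the use of `*` to mean "every namespace" are assumptions. It also models the upgrade caveat from the description: the old "all namespaces except `kube-system`" option only stays equivalent if the Helm chart renders a deny entry for `kube-system`.

```go
package main

import "fmt"

// SyncConfig holds the namespace-related settings for catalog sync.
// Hypothetical struct for this example; field names are assumptions,
// not consul-k8s flags.
type SyncConfig struct {
	AllowK8sNamespaces []string // "*" means every k8s namespace (assumption)
	DenyK8sNamespaces  []string // assumed to always win over the allow list
	ConsulNamespaces   bool     // false models Consul OSS: no namespaces at all
	MirrorK8s          bool     // mirror k8s namespaces into Consul ...
	MirrorPrefix       string   // ... optionally prefixed with this string
	DestinationNS      string   // single Consul namespace when not mirroring
}

// ShouldSync reports whether services in k8s namespace ns are considered
// at all. Deny is checked first so an operator can carve kube-system out
// of a wildcard allow.
func (c SyncConfig) ShouldSync(ns string) bool {
	for _, d := range c.DenyK8sNamespaces {
		if d == ns {
			return false
		}
	}
	for _, a := range c.AllowK8sNamespaces {
		if a == "*" || a == ns {
			return true
		}
	}
	return false
}

// ConsulNamespaceFor returns the Consul namespace a service from k8s
// namespace ns is registered into, or "" when namespaces are not in use.
func (c SyncConfig) ConsulNamespaceFor(ns string) string {
	switch {
	case !c.ConsulNamespaces:
		return ""
	case c.MirrorK8s:
		return c.MirrorPrefix + ns
	default:
		return c.DestinationNS
	}
}

// Plan maps each "k8sNamespace/service" to its target Consul namespace,
// skipping any k8s namespace the allow/deny lists exclude.
func Plan(c SyncConfig, services map[string][]string) map[string]string {
	out := map[string]string{}
	for ns, names := range services {
		if !c.ShouldSync(ns) {
			continue
		}
		for _, n := range names {
			out[ns+"/"+n] = c.ConsulNamespaceFor(ns)
		}
	}
	return out
}

// LegacyAllNamespaces models old option (2), "all k8s namespaces except
// kube-system", expressed with the new lists. If only the consul-k8s binary
// is upgraded and not the Helm chart, nothing renders the deny entry, so
// kube-system services start being synced.
func LegacyAllNamespaces(chartUpgraded bool) SyncConfig {
	c := SyncConfig{AllowK8sNamespaces: []string{"*"}}
	if chartUpgraded {
		c.DenyK8sNamespaces = []string{"kube-system"}
	}
	return c
}

func main() {
	// Constructed sample inventory, not real cluster data.
	services := map[string][]string{
		"team-a":      {"web", "api"},
		"team-b":      {"db"},
		"kube-system": {"kube-dns"},
	}
	c := LegacyAllNamespaces(true)
	c.ConsulNamespaces, c.MirrorK8s, c.MirrorPrefix = true, true, "k8s-"
	for k, v := range Plan(c, services) {
		fmt.Printf("%s -> consul namespace %q\n", k, v)
	}
}
```

Running `Plan` against the same inventory with `LegacyAllNamespaces(false)` is the quickest way to see the upgrade caveat: `kube-system/kube-dns` appears in the output because nothing denies it.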
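The upstream annotation format `service_name.namespace:port:optional_datacenter` described above, as an added Go example that is not part of this PR or of consul-k8s. It shows the two behaviours the description calls out: the `.namespace` part is only split off when namespaces are enabled (so a dotted name with namespaces disabled is kept verbatim and will not resolve), and a missing namespace falls back to the namespace of the service defining the upstream. The `Upstream` type, the split on the first `.`, and the comma-separated list handling are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Upstream is the parsed form of one entry in the upstreams annotation.
// Example type for this page, not consul-k8s's own.
type Upstream struct {
	Service    string
	Namespace  string // "" means the namespace of the service declaring the upstream
	Port       int
	Datacenter string // "" means the local datacenter
}

// EffectiveNamespace applies the fallback from the PR description: an
// upstream without an explicit namespace is assumed to live in localNS,
// the namespace of the service defining it.
func (u Upstream) EffectiveNamespace(localNS string) string {
	if u.Namespace != "" {
		return u.Namespace
	}
	return localNS
}

// ParseUpstream parses one entry of the form
//
//	service_name[.namespace]:port[:datacenter]
//
// The ".namespace" suffix is only split off when namespacesEnabled is true.
// With namespaces disabled the whole first field is kept verbatim, so
// "db.team-b:5432" asks for a service literally named "db.team-b" and the
// upstream will not resolve. Splitting on the first "." is an assumption.
func ParseUpstream(entry string, namespacesEnabled bool) (Upstream, error) {
	fields := strings.Split(strings.TrimSpace(entry), ":")
	if len(fields) < 2 || len(fields) > 3 {
		return Upstream{}, fmt.Errorf("upstream %q: want service[.namespace]:port[:datacenter]", entry)
	}
	up := Upstream{Service: fields[0]}
	if namespacesEnabled {
		if i := strings.Index(fields[0], "."); i >= 0 {
			up.Service, up.Namespace = fields[0][:i], fields[0][i+1:]
			if up.Namespace == "" {
				return Upstream{}, fmt.Errorf("upstream %q: empty namespace after '.'", entry)
			}
		}
	}
	if up.Service == "" {
		return Upstream{}, fmt.Errorf("upstream %q: empty service name", entry)
	}
	port, err := strconv.Atoi(fields[1])
	if err != nil || port < 1 || port > 65535 {
		return Upstream{}, fmt.Errorf("upstream %q: bad port %q", entry, fields[1])
	}
	up.Port = port
	if len(fields) == 3 {
		if fields[2] == "" {
			return Upstream{}, fmt.Errorf("upstream %q: empty datacenter", entry)
		}
		up.Datacenter = fields[2]
	}
	return up, nil
}

// ParseUpstreams parses the whole annotation value, a comma-separated list of
// entries. Any malformed entry fails the whole annotation so a typo cannot
// silently drop a single upstream.
func ParseUpstreams(annotation string, namespacesEnabled bool) ([]Upstream, error) {
	var out []Upstream
	for _, raw := range strings.Split(annotation, ",") {
		if strings.TrimSpace(raw) == "" {
			continue
		}
		up, err := ParseUpstream(raw, namespacesEnabled)
		if err != nil {
			return nil, err
		}
		out = append(out, up)
	}
	return out, nil
}

func main() {
	// Constructed annotation value, not taken from a real pod.
	const annotation = "web:8080, db.team-b:5432:dc2"
	for _, enabled := range []bool{true, false} {
		ups, err := ParseUpstreams(annotation, enabled)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for _, u := range ups {
			fmt.Printf("namespaces=%v service=%q namespace=%q port=%d dc=%q\n",
				enabled, u.Service, u.EffectiveNamespace("team-a"), u.Port, u.Datacenter)
		}
	}
}
```

With namespaces disabled the second entry comes back as service `db.team-b` in the local namespace, which is the misconfiguration the description warns about: nothing rejects it at parse time, it simply never matches a registered service.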
Placeholder PR for namespaces feature branch.