Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add namespace toggle to tproxy #510

Merged
merged 10 commits into from
May 6, 2021
Merged

add namespace toggle to tproxy #510

merged 10 commits into from
May 6, 2021

Conversation

kschoche
Copy link
Contributor

@kschoche kschoche commented May 4, 2021
edited
Loading

Changes proposed in this PR:

  • Adds ability to define default tproxy mode settings at the k8s namespace level.
  • renames tproxy annotation to "consul.hashicorp.com/transparent-proxy-default"

How I've tested this PR:
Unit tests, manual testing via deploying a simple counting service with no tproxy annotations set, then toggling the namespace label true/false and redeploying:

% kubectl describe pod counting | grep redirect
      # Apply traffic redirection rules.
      /consul/connect-inject/consul connect redirect-traffic \
% kubectl get namespaces --show-labels| grep transparent
default           Active   261d   consul.hashicorp.com/transparent-proxy=true
% kubectl delete -f svc.yaml
service "counting" deleted
serviceaccount "counting" deleted
pod "counting" deleted
% kubectl label namespace default consul.hashicorp.com/transparent-proxy=false --overwrite
namespace/default labeled
% kubectl apply -f svc.yaml
service/counting created
serviceaccount/counting created
pod/counting created
% kubectl describe pod counting | grep redirect
%

NOTE: hashicorp/consul-helm#942 must be merged in order to support this.

How I expect reviewers to test this PR:
Unit tests, manual test

Checklist:

  • Tests added
  • CHANGELOG entry added (HashiCorp engineers only, community PRs should not add a changelog entry)

@kschoche kschoche added type/enhancement New feature or request theme/tproxy Items related to transparent proxy labels May 4, 2021
@kschoche kschoche self-assigned this May 4, 2021
@kschoche kschoche marked this pull request as ready for review May 4, 2021 17:09
@kschoche kschoche marked this pull request as draft May 4, 2021 17:47
@kschoche kschoche mentioned this pull request May 5, 2021
Merged
2 tasks
@kschoche kschoche changed the title wip: add namespace toggle to tproxy add namespace toggle to tproxy May 5, 2021
@kschoche kschoche marked this pull request as ready for review May 5, 2021 18:10
kschoche
kschoche commented May 5, 2021
View reviewed changes
connect-inject/container_init.go
// Check if tproxy is enabled on this pod.
tproxyEnabled, err := transparentProxyEnabled(pod, h.EnableTransparentProxy)
tproxyEnabled, err := transparentProxyEnabled(namespace, pod, h.EnableTransparentProxy)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We now pass the namespace into containerInit from the handler, this allows us to (1) re-use the transparentProxyEnabled() function between containerInit/endpointsController and (2) makes testing simpler so we do not need to load up a k8s clientset for every containerInit test.

@kschoche kschoche requested review from a team, ndhanushkodi and thisisnotashwin and removed request for a team May 5, 2021 18:37
thisisnotashwin
thisisnotashwin reviewed May 5, 2021
View reviewed changes
Copy link
Contributor

@thisisnotashwin thisisnotashwin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks really great!! Have a few suggestions for improvements!!

CHANGELOG.md Outdated
Comment on lines 28 to 30
* If set as a `pod annotation` - This will define whether tproxy is enabled/disabled for the pod.
* If set as a `namespace label` - This will define the default behaviour for pods in this namespace which do not have their respective annotation set.
* If not set on either pod or namespace - The default behaviour will be defined by the `connectInject.transparentProxy.defaultEnabled` helm value.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given this a change in consul-k8s, can you rephrase the connectInject.transparentProxy.defaultEnabled helm value as the equivalent flag and sub-command it gets set on in consul-k8s?
Additionally, I'd phrase it as annotation on the Pod and label on the Namespace. I don't think pod annotation and namespace label seem accurate.
Conversely:
Setting the annotations consul.hashicorp.com/transparent-proxy to true/false on the pod will define whether tproxy is enabled/disabled for the pod. Maybe?

connect-inject/annotations.go Outdated Show resolved Hide resolved
connect-inject/container_init.go Outdated Show resolved Hide resolved
@kschoche kschoche requested a review from thisisnotashwin May 6, 2021 15:52
ndhanushkodi
ndhanushkodi approved these changes May 6, 2021
View reviewed changes
Copy link
Contributor

@ndhanushkodi ndhanushkodi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great Kyle!!

thisisnotashwin
thisisnotashwin reviewed May 6, 2021
View reviewed changes
CHANGELOG.md Outdated Show resolved Hide resolved
thisisnotashwin
thisisnotashwin reviewed May 6, 2021
View reviewed changes
CHANGELOG.md Outdated Show resolved Hide resolved
thisisnotashwin
thisisnotashwin approved these changes May 6, 2021
View reviewed changes
Copy link
Contributor

@thisisnotashwin thisisnotashwin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great work bud!!

@kschoche
Apply suggestions from code review
b87fd97 
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
@kschoche kschoche merged commit 96cd4fa into master May 6, 2021
@kschoche kschoche deleted the tproxy_add_namespace_toggle_support branch May 6, 2021 19:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ishustava ishustava ishustava left review comments

@lkysow lkysow lkysow left review comments

@thisisnotashwin thisisnotashwin thisisnotashwin approved these changes

@ndhanushkodi ndhanushkodi ndhanushkodi approved these changes

Assignees

@kschoche kschoche

Labels
theme/tproxy Items related to transparent proxy type/enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@kschoche @lkysow @ndhanushkodi @ishustava @thisisnotashwin