-
Notifications
You must be signed in to change notification settings - Fork 326
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for Admin Partitions #729
Conversation
72e54a6
to
0707b8c
Compare
* Create Admin Partitions when enabled
* Add support for Partition Service - This is a loadBalancer service that allows one to expose the server pods. This allows a constant value for client auto-join even if the node IPs of the server pods change. * Support NodePort along with LoadBalancer as service types for Partition service. - This will allows interop with Kind. Additionally, users can set explicit NodePorts for Serf, HTTPS and RPC endpoints.
* Fail if agents in server cluster are created in a partition not "default" * Fail helm upgrades if partition name is updated. - This does not cause the parition-init job from running or the agents from attempting to join the new partition, but the helm upgrade stays in a failed state until an upgrade is run with the partition name reverted.
* Add partition support to config entries * Fail if namespaces are not enabled and admin partitions are enabled
f5af9a6
to
683642d
Compare
683642d
to
5fac8ee
Compare
5fac8ee
to
7bf487f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great! Haven't looked at the code since it's all been reviewed already, but left some suggestions/questions on the changelog.
CHANGELOG.md
Outdated
* Add support for Admin Partitions. **(Consul Enterprise only)** | ||
**ALPHA** [[GH-729](https://github.com/hashicorp/consul-k8s/pull/729)] | ||
|
||
This feature allows Consul to be deployed across multiple Kubernetes clusters while sharing a single set of Consul |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this section needs to be intended so that it all looks like a part of the admin partitions bullet point.
CHANGELOG.md
Outdated
**ALPHA** [[GH-729](https://github.com/hashicorp/consul-k8s/pull/729)] | ||
|
||
This feature allows Consul to be deployed across multiple Kubernetes clusters while sharing a single set of Consul | ||
servers. The services on each cluster can be independently managed. This feature in the alpha phase requires a flat pod |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
might be nice to put these requirements into a bulleted list so that it reads better.
CHANGELOG.md
Outdated
tls: | ||
enabled: true | ||
image: hashicorp/consul-enterprise:1.11.0-ent-alpha | ||
imageK8S: hashicorp/consul-k8s-control-plane:0.34.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this image is probably not needed since it's the default, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point!! 😄
CHANGELOG.md
Outdated
|
||
This feature allows Consul to be deployed across multiple Kubernetes clusters while sharing a single set of Consul | ||
servers. The services on each cluster can be independently managed. This feature in the alpha phase requires a flat pod | ||
and node network in order for inter-partition networking to work. This feature requires TLS to be enabled. This feature |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why is TLS required?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We require HTTPS for communication to externalServers. We had that already as a requirement and I decided not to loosen it for AP.
CHANGELOG.md
Outdated
kubectl get svc consul-consul-partition-service -o json | jq -r '.status.loadBalancer.ingress[0].ip' | ||
``` | ||
|
||
Migrate the TLS certs from the server cluster to the workload clusters |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Migrate the TLS certs from the server cluster to the workload clusters | |
Migrate the TLS CA credentials from the server cluster to the workload clusters |
CHANGELOG.md
Outdated
kubectl get secret consul-consul-ca-cert --context "server-context" -o yaml | kubectl apply --context "workload-context" -f - | ||
``` | ||
|
||
Configure the Workload cluster using the following config. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Configure the Workload cluster using the following config. | |
Configure the workload cluster using the following config. |
CHANGELOG.md
Outdated
``` | ||
|
||
This should lead to the workload cluster having only Consul agents that connect with the Consul server. Services in this | ||
cluster behave like independent services. They can be configured to communicated with services in other partitions by |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cluster behave like independent services. They can be configured to communicated with services in other partitions by | |
cluster behave like independent services. They can be configured to communicate with services in other partitions by |
96670f5
to
6e3a627
Compare
Changes proposed in this PR:
Update this PR with the alpha image for Consul 1.11 and ensure the acceptance tests are 🟢
We will not update the values file with the above image as it is an alpha image.
How I've tested this PR:
How I expect reviewers to test this PR:
Checklist: