Enhancement: Consul Compatibility Checking #15818
Conversation
github-actions
bot
added
theme/cli
wilkermichael
force-pushed
the
mw/net-1303-ensure-envoy-compatible
branch
3 times, most recently
from
1a1a2cd to
cf9bb2e
Compare
| c.UI.Error(fmt.Sprintf("Envoy version %s is not supported. If there is a reason you need to use "+ | ||
| "this version of envoy use the ignore-envoy-compatibility flag. Using an unsupported version of Envoy "+ | ||
| "is not recommended and your experience may vary. For more information on compatibility "+ | ||
| "see https://developer.hashicorp.com/consul/docs/connect/proxies/envoy#envoy-and-consul-client-agent", v)) |
There was a problem hiding this comment.
Note to self: if anyone moves this page or renames the subsection with this anchor tag, this link will no longer work. When I write the docs PR, I should make sure the docs page has an internal comment that calls out this dependency from the code that we should aim to preserve.
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
wilkermichael
force-pushed
the
mw/net-1303-ensure-envoy-compatible
branch
3 times, most recently
from
968eae9 to
7cca4e6
Compare
|
@hashi-derek This is ready for review There's currently a failing integration test, but it's not related to these changes (It's failing in other PRs) |
wilkermichael
force-pushed
the
mw/net-1303-ensure-envoy-compatible
branch
from
546a93d to
2ff913b
Compare
There was a problem hiding this comment.
I made a few adjustments to the flag description. Also, it seems that there should be an overview section somewhere that describes the default behavior when registering a sidecar proxy. If we don't already have this content, we should make a note to consider creating it.
| - `-ignore-envoy-compatibility` - Specifies whether or not the program should check the envoy version for compatibility. | ||
| If this flag is set to true, the program will not check the envoy version for compatibility. | ||
| It is recommended in most situations to leave this flag set to false, as ensuring compatibility with the | ||
| Envoy version can prevent potential issues. By default this is set to `false`. |
There was a problem hiding this comment.
| - `-ignore-envoy-compatibility` - Specifies whether or not the program should check the envoy version for compatibility. | |
| If this flag is set to true, the program will not check the envoy version for compatibility. | |
| It is recommended in most situations to leave this flag set to false, as ensuring compatibility with the | |
| Envoy version can prevent potential issues. By default this is set to `false`. | |
| - `-ignore-envoy-compatibility` - If set to `true`, this flag ignores the Envoy version compatibility check. We recommend setting this flag set to `false` to ensure compatibility with Envoy and prevent potential issues. Default is `false`. |
Just a few tweaks to simplify the description and consistently use monospace. Did we update the documentation under /connect/proxies/envoy or wherever we describe the Envoy startup process? I was going to add a link, but I'm not sure where it would go. Maybe this would be a better place to document this behavior? /connect/registration/service-registration
There was a problem hiding this comment.
Sorry @trujillo-adam, I'm not sure which paths you're referring to? Where exactly is /connect/registration/service-registration or /connect/proxies/envoy?
This is described here because this is a flag for and specific to the consul connect envoy command
There was a problem hiding this comment.
I was thinking one of these pages would be the place to describe the default bootstrap process:
https://developer.hashicorp.com/consul/docs/connect/proxies/envoy
https://developer.hashicorp.com/consul/docs/connect/registration/service-registration
Maybe we don't need it, though. The beginning of this page says "The default behavior is to generate the necessary bootstrap configuration for Envoy based on the environment variables and options provided and by talking to the local Consul agent." Maybe we should add a sentence there letting people know about the version check.
There was a problem hiding this comment.
Do we need to add a sentence about the version check at an overview level?
It seems like a thing that you don't need to be told about. If you run into it (because you're using an incompatible version), the error message you get will tell you what went wrong and why. It seems like something that's already very discoverable in-context in Consul itself, so doesn't need to be present at an overview level in the docs... Freeing us up to focus on other important, high-level info in the docs.
There was a problem hiding this comment.
I think that makes sense to me
There was a problem hiding this comment.
@jkirschner-hashicorp and @trujillo-adam are you okay with me resolving this discussing and merging this PR?
There was a problem hiding this comment.
I'm going to close this PR for now, we can always create another one if we want to address the documentation updates
wilkermichael
force-pushed
the
mw/net-1303-ensure-envoy-compatible
branch
3 times, most recently
from
42a39ba to
46d79be
Compare
- added an UnsupportedEnvoyVersions list - removed an unused error from TestDetermineSupportedProxyFeaturesFromString - modified minSupportedVersion to use the function for getting the Min Envoy major version. Using just the major version without the patch is equivalent to using `.0`
- added a new exec.go file to not be locked to unix system
wilkermichael
force-pushed
the
mw/net-1303-ensure-envoy-compatible
branch
from
46d79be to
5eae945
Compare
Description
Note: docs team see last commit for docs change
This PR introduces an enhancement to enable users to detect incompatible versions of Envoy early. This PR was motivated by issue #13131.
With the addition of these code changes, when using the
consul connect envoycommand the version of envoy being connected to is compared against the supported versions coded into the Consul binary. If the version of Envoy is deemed to be incompatible, then an error will be logged and the service will exit.Since this is a potentially breaking change, and there may be reasons that a user is using a version of Consul that we don't recognize as compatible (such as custom builds of Envoy), a flag has also been added to disable the check:
--ignore-envoy-compatibility. By default this flag will be set tofalseand we will perform the check and error out as necessary.Example:
consul connect envoy -admin-bind=0.0.0.0:19000 -sidecar-for=svc1 --ignore-envoy-compatibilityHow do we determine compatibility?
Compatibility is defined in proxysupport.go
For the above list, Consul is compatible with any version
>= 1.21.0and<1.25. For example, we are compatible with1.21.1,1.21.2, etc. and anything in between up to any future patches to1.24.A list of explicitly unsupported Envoy versions has also been added to
proxysupport.goin case there is a requirement to explicitly callout patches for breaking compatibility (e.g. if 1.21.2 had a known compatibility breaking change).Log Message Example
dc1svc1 | Envoy version 1.18.3 is not supported. If there is a reason you need to use this version of envoy use the ignore-envoy-compatibility flag. Using an unsupported version of Envoy is not recommended and your experience may vary. For more information on compatibility see https://developer.hashicorp.com/consul/docs/connect/proxies/envoy#envoy-and-consul-client-agentThis resolves #13131
As always, I try to add some extra context to my commits, so that's usually the best way to go through my PRs.
Testing & Reproduction steps
Manual Testing Scenarios
1.21.5, confirmedno error1.21and1.24, confirmedno errorproxysupport.goso that1.23.1was the top of the list, confirmed that1.23.2resulted inno errorproxysupport.goso that1.23.1was the top of the list, confirmed that1.24.0resulted inerrorand exited1.18, confirmed that this resulted in anerrorand exited1.18using--ignore-envoy-compatibilityconfirmed that there wasno errorfor compatibility1.21.1to the incompatibility list, confirmed connecting to this version resulted in anerrorand exitLinks
N/A
PR Checklist