cmd/contour: optional CRDs
Allow disabling certain informers for CRDs by passing a
command line flag to the serve command. This makes the
corresponding CRD effectively optional.

Fixes #4684

Signed-off-by: Niklas Simons <niklas.simons@est.tech>
Niklas Simons committed Feb 10, 2023
1 parent d044dbd commit 7dac89f
Showing 5 changed files with 70 additions and 47 deletions.
5 changes: 5 additions & 0 deletions changelogs/unreleased/tbd-nsimons-minor.md
@@ -0,0 +1,5 @@
## Allow Disabling Features

A new flag has been added to the `contour serve` command that allows disabling the informer
for ExtensionService and/or ControurConfiguration resources, effectively making the corresponding CRDs optional in the cluster.
The flag is `--disable-feature` and can be used multiple times with arguments `extensionservices` and/or `contourconfigurations`.
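
Review bot: The changelog entry misspells the resource kind as `ControurConfiguration` in its first sentence; it should read `ContourConfiguration` so that it matches the `contourconfigurations` flag value named in the next sentence. The file name `tbd-nsimons-minor.md` also still carries a `tbd` placeholder, which presumably needs to be replaced before merge.
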
15 changes: 12 additions & 3 deletions cmd/contour/serve.go
Expand Up @@ -126,6 +126,7 @@ func registerServe(app *kingpin.Application) (*kingpin.CmdClause, *serveContext)
serve.Flag("debug", "Enable debug logging.").Short('d').BoolVar(&ctx.Config.Debug)
serve.Flag("debug-http-address", "Address the debug http endpoint will bind to.").PlaceHolder("<ipaddr>").StringVar(&ctx.debugAddr)
serve.Flag("debug-http-port", "Port the debug http endpoint will bind to.").PlaceHolder("<port>").IntVar(&ctx.debugPort)
serve.Flag("disable-feature", "Do not start an informer for the specified resource.").PlaceHolder("<extensionservices|contourconfigurations>").EnumsVar(&ctx.disabledFeatures, "extensionservices", "contourconfigurations")
serve.Flag("disable-leader-election", "Disable leader election mechanism.").BoolVar(&ctx.LeaderElection.Disable)

serve.Flag("envoy-http-access-log", "Envoy HTTP access log.").PlaceHolder("/path/to/file").StringVar(&ctx.httpAccessLog)
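
Review bot: The help string for `--disable-feature` does not say that the flag is repeatable, although it is bound with `EnumsVar` and the changelog describes using it multiple times. Consider wording such as "Do not start an informer for the specified resource. Can be given more than once." so that the output of `contour serve --help` matches the documented behaviour.
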
Expand Down Expand Up @@ -469,15 +470,23 @@ func (s *Server) doServe() error {
Counter: contourMetrics.EventHandlerOperations,
}

// Inform on default resources.
for name, r := range map[string]client.Object{
// Start to build informers.
informerResources := map[string]client.Object{
"httpproxies": &contour_api_v1.HTTPProxy{},
"tlscertificatedelegations": &contour_api_v1.TLSCertificateDelegation{},
"extensionservices": &contour_api_v1alpha1.ExtensionService{},
"contourconfigurations": &contour_api_v1alpha1.ContourConfiguration{},
"services": &corev1.Service{},
"ingresses": &networking_v1.Ingress{},
} {
}

// Some of the resources are optional and can be disabled, do not create informers for those.
for _, feat := range s.ctx.disabledFeatures {
delete(informerResources, feat)
}

// Inform on the remaining resources.
for name, r := range informerResources {
if err := informOnResource(r, eventHandler, s.mgr.GetCache()); err != nil {
s.log.WithError(err).WithField("resource", name).Fatal("failed to create informer")
}
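
Review bot: `delete(informerResources, feat)` in the new loop trusts that every entry in `s.ctx.disabledFeatures` is one of the two optional resources, but nothing in `doServe` enforces that. The only guard is the value list passed to `EnumsVar` in `registerServe`; if the slice is ever filled another way, a value such as `services` or `httpproxies` would silently remove a core informer. Checking each entry against an explicit set of optional resources here, and logging which informers were skipped, would make the behaviour safe and visible in the logs. The flag values are also tied to the map keys only by matching string literals, so a shared constant would keep the two from drifting apart.
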
3 changes: 3 additions & 0 deletions cmd/contour/servecontext.go
Expand Up @@ -87,6 +87,9 @@ type serveContext struct {

// Leader election configuration.
LeaderElection LeaderElection

// Features disabled by the user.
disabledFeatures []string
}

type ServerConfig struct {
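
Review bot: The comment on `disabledFeatures` does not say which values are valid or that they must match the informer resource names used in `doServe`. Since the field is a plain `[]string`, listing the accepted values (`extensionservices`, `contourconfigurations`) in the comment would help the next reader.
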
89 changes: 45 additions & 44 deletions site/content/docs/main/configuration.md
Expand Up @@ -16,50 +16,51 @@ The `contour serve` command is the main command which is used to watch for Kuber
There are a number of flags that can be passed to this command which further configures how Contour operates.
Many of these flags are mirrored in the [Contour Configuration File](#configuration-file).

| Flag Name | Description |
| -------------------------------------------------------- | ---------------------------------------------------------------------- |
| `--config-path` | Path to base configuration |
| `--contour-config-name` | Name of the ContourConfiguration resource to use |
| `--incluster` | Use in cluster configuration |
| `--kubeconfig=</path/to/file>` | Path to kubeconfig (if not in running inside a cluster) |
| `--xds-address=<ipaddr>` | xDS gRPC API address |
| `--xds-port=<port>` | xDS gRPC API port |
| `--stats-address=<ipaddr>` | Envoy /stats interface address |
| `--stats-port=<port>` | Envoy /stats interface port |
| `--debug-http-address=<address>` | Address the debug http endpoint will bind to. |
| `--debug-http-port=<port>` | Port the debug http endpoint will bind to |
| `--http-address=<ipaddr>` | Address the metrics HTTP endpoint will bind to |
| `--http-port=<port>` | Port the metrics HTTP endpoint will bind to. |
| `--health-address=<ipaddr>` | Address the health HTTP endpoint will bind to |
| `--health-port=<port>` | Port the health HTTP endpoint will bind to |
| `--contour-cafile=</path/to/file\|CONTOUR_CERT_FILE>` | CA bundle file name for serving gRPC with TLS |
| `--contour-cert-file=</path/to/file\|CONTOUR_CERT_FILE>` | Contour certificate file name for serving gRPC over TLS |
| `--contour-key-file=</path/to/file\|CONTOUR_KEY_FILE>` | Contour key file name for serving gRPC over TLS |
| `--insecure` | Allow serving without TLS secured gRPC |
| `--root-namespaces=<ns,ns>` | Restrict contour to searching these namespaces for root ingress routes |
| `--ingress-class-name=<name>` | Contour IngressClass name (comma-separated list allowed) |
| `--ingress-status-address=<address>` | Address to set in Ingress object status |
| `--envoy-http-access-log=</path/to/file>` | Envoy HTTP access log |
| `--envoy-https-access-log=</path/to/file>` | Envoy HTTPS access log |
| `--envoy-service-http-address=<ipaddr>` | Kubernetes Service address for HTTP requests |
| `--envoy-service-https-address=<ipaddr>` | Kubernetes Service address for HTTPS requests |
| `--envoy-service-http-port=<port>` | Kubernetes Service port for HTTP requests |
| `--envoy-service-https-port=<port>` | Kubernetes Service port for HTTPS requests |
| `--envoy-service-name=<name>` | Name of the Envoy service to inspect for Ingress status details. |
| `--envoy-service-namespace=<namespace>` | Envoy Service Namespace |
| `--use-proxy-protocol` | Use PROXY protocol for all listeners |
| `--accesslog-format=<envoy\|json>` | Format for Envoy access logs |
| `--disable-leader-election` | Disable leader election mechanism |
| `--leader-election-lease-duration` | The duration of the leadership lease. |
| `--leader-election-renew-deadline` | The duration leader will retry refreshing leadership before giving up. |
| `--leader-election-retry-period` | The interval which Contour will attempt to acquire leadership lease. |
| `--leader-election-resource-name` | The name of the resource (Lease) leader election will lease. |
| `--leader-election-resource-namespace` | The namespace of the resource (Lease) leader election will lease. |
| `-d, --debug` | Enable debug logging |
| `--kubernetes-debug=<log level>` | Enable Kubernetes client debug logging |
| `--log-format=<text\|json>` | Log output format for Contour. Either text (default) or json. |
| `--kubernetes-client-qps=<qps>` | QPS allowed for the Kubernetes client. |
| `--kubernetes-client-burst=<burst>` | Burst allowed for the Kubernetes client. |
| Flag Name | Description |
| --------------------------------------------------------------- | ---------------------------------------------------------------------- |
| `--config-path` | Path to base configuration |
| `--contour-config-name` | Name of the ContourConfiguration resource to use |
| `--incluster` | Use in cluster configuration |
| `--kubeconfig=</path/to/file>` | Path to kubeconfig (if not in running inside a cluster) |
| `--xds-address=<ipaddr>` | xDS gRPC API address |
| `--xds-port=<port>` | xDS gRPC API port |
| `--stats-address=<ipaddr>` | Envoy /stats interface address |
| `--stats-port=<port>` | Envoy /stats interface port |
| `--debug-http-address=<address>` | Address the debug http endpoint will bind to. |
| `--debug-http-port=<port>` | Port the debug http endpoint will bind to |
| `--http-address=<ipaddr>` | Address the metrics HTTP endpoint will bind to |
| `--http-port=<port>` | Port the metrics HTTP endpoint will bind to. |
| `--health-address=<ipaddr>` | Address the health HTTP endpoint will bind to |
| `--health-port=<port>` | Port the health HTTP endpoint will bind to |
| `--contour-cafile=</path/to/file\|CONTOUR_CERT_FILE>` | CA bundle file name for serving gRPC with TLS |
| `--contour-cert-file=</path/to/file\|CONTOUR_CERT_FILE>` | Contour certificate file name for serving gRPC over TLS |
| `--contour-key-file=</path/to/file\|CONTOUR_KEY_FILE>` | Contour key file name for serving gRPC over TLS |
| `--insecure` | Allow serving without TLS secured gRPC |
| `--root-namespaces=<ns,ns>` | Restrict contour to searching these namespaces for root ingress routes |
| `--ingress-class-name=<name>` | Contour IngressClass name (comma-separated list allowed) |
| `--ingress-status-address=<address>` | Address to set in Ingress object status |
| `--envoy-http-access-log=</path/to/file>` | Envoy HTTP access log |
| `--envoy-https-access-log=</path/to/file>` | Envoy HTTPS access log |
| `--envoy-service-http-address=<ipaddr>` | Kubernetes Service address for HTTP requests |
| `--envoy-service-https-address=<ipaddr>` | Kubernetes Service address for HTTPS requests |
| `--envoy-service-http-port=<port>` | Kubernetes Service port for HTTP requests |
| `--envoy-service-https-port=<port>` | Kubernetes Service port for HTTPS requests |
| `--envoy-service-name=<name>` | Name of the Envoy service to inspect for Ingress status details. |
| `--envoy-service-namespace=<namespace>` | Envoy Service Namespace |
| `--use-proxy-protocol` | Use PROXY protocol for all listeners |
| `--accesslog-format=<envoy\|json>` | Format for Envoy access logs |
| `--disable-leader-election` | Disable leader election mechanism |
| `--disable-feature=<extensionservices\|contourconfigurations>` | Do not start an informer for the specified resource. |
| `--leader-election-lease-duration` | The duration of the leadership lease. |
| `--leader-election-renew-deadline` | The duration leader will retry refreshing leadership before giving up. |
| `--leader-election-retry-period` | The interval which Contour will attempt to acquire leadership lease. |
| `--leader-election-resource-name` | The name of the resource (Lease) leader election will lease. |
| `--leader-election-resource-namespace` | The namespace of the resource (Lease) leader election will lease. |
| `-d, --debug` | Enable debug logging |
| `--kubernetes-debug=<log level>` | Enable Kubernetes client debug logging |
| `--log-format=<text\|json>` | Log output format for Contour. Either text (default) or json. |
| `--kubernetes-client-qps=<qps>` | QPS allowed for the Kubernetes client. |
| `--kubernetes-client-burst=<burst>` | Burst allowed for the Kubernetes client. |

## Configuration File

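Review bot: Only one row, `--disable-feature=<extensionservices\|contourconfigurations>`, is new in this table, yet every row was re-padded to the wider first column, which accounts for the 45 additions and 44 deletions and hides the real change. If the project does not require aligned table source, leaving the existing rows untouched would keep the diff to a single line. The description in the new row could also mention that the flag may be repeated, as the changelog states.
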
5 changes: 5 additions & 0 deletions site/content/docs/main/deploy-options.md
Expand Up @@ -201,6 +201,11 @@ Next, pass `--envoy-service-http-port=80 --envoy-service-https-port=443` to the
This is best paired with a DaemonSet (perhaps paired with Node affinity) to ensure that a single instance of Contour runs on each Node.
See the [AWS NLB tutorial][10] as an example.

## Disabling Features

You can run Contour with certain features disabled by passing `--disable-feature=extensionservices` and/or `--disable-feature=contourconfigurations` flags to the Contour `serve` command.
This will instruct Contour to not create any informer for the specified custom resources, meaning that the corresponding CRD does not need to be present in the cluster.

## Upgrading Contour/Envoy

At times, it's needed to upgrade Contour, the version of Envoy, or both.
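
Review bot: The new "Disabling Features" section explains that no informer is created but not what that means for objects of the disabled kind. It would help to state that Contour will not watch ExtensionService or ContourConfiguration resources when the corresponding feature is disabled, and to show one complete invocation, for example `contour serve --disable-feature=extensionservices --disable-feature=contourconfigurations`.
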