Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[NET-6938] Create workloads in Consul for mesh gateway pods #3382

Merged
merged 5 commits into from
Dec 18, 2023
Merged

[NET-6938] Create workloads in Consul for mesh gateway pods #3382

merged 5 commits into from
Dec 18, 2023

Conversation

nathancoleman
Copy link
Member

@nathancoleman nathancoleman commented Dec 15, 2023
edited
Loading

Changes proposed in this PR

The Pod controller currently only creates Workloads in Consul for mesh-injected Pods.
Pods for xGateways are not mesh-injected because it doesn't make sense to add a proxy sidecar to a Pod that's already running a proxy as its primary workload; however, they still require Workloads to be registered in Consul so that we can generate ProxyStateTemplates for them (in a future PR).

This PR modifies the Pod controller to create Workloads in Consul for xGateway pods as well, relying on the fact that a known annotation specifying the gateway-kind is added to all v2 xGateway Pods.

Notably, this also results in a ProxyConfiguration being created for the mesh gateway workload, and I disabled the health endpoint override functionality by adding a predefined annotation to the gateway pods as it doesn't make sense for workloads that are not mesh-injected/don't have a sidecar.

How I've tested this PR

helm install from main with this build for global.imageK8S, meshGateway.enabled=true, and experiments=[resource-apis].

Verify that the Workload and ProxyConfiguration are created in Consul by shelling into consul-server and using the following commands:

Example commands + output

Workload resource:

$ consul resource list catalog.v2beta1.Workload
{
    "resources": [
        {
            "data": {
                "addresses": [
                    {
                        "host": "10.60.2.11",
                        "ports": [
                            "proxy-health",
                            "wan",
                            "mesh"
                        ]
                    }
                ],
                "identity": "mesh-gateway",
                "locality": {
                    "region": "us-east1",
                    "zone": "us-east1-b"
                },
                "ports": {
                    "mesh": {
                        "port": 20000,
                        "protocol": "PROTOCOL_MESH"
                    },
                    "proxy-health": {
                        "port": 21000
                    },
                    "wan": {
                        "port": 8443
                    }
                }
            },
            "generation": "01HHQJDE6HA98NP5F6Y088XKJ7",
            "id": {
                "name": "mesh-gateway-6b4c5cd676-n5z2j",
                "tenancy": {
                    "namespace": "default",
                    "partition": "default",
                    "peerName": "local"
                },
                "type": {
                    "group": "catalog",
                    "groupVersion": "v2beta1",
                    "kind": "Workload"
                },
                "uid": "01HHQJDDCGD3XFGXP5ESRFHWYT"
            },
            "metadata": {
                "gateway-kind": "mesh-gateway",
                "k8s-namespace": "consul",
                "managed-by": "consul-k8s-pod-controller"
            },
            "status": {
                "consul.io/workload-health": {
                    "conditions": [
                        {
                            "message": "One or more workload health checks are not passing",
                            "reason": "HEALTH_CRITICAL",
                            "state": "STATE_FALSE",
                            "type": "healthy"
                        }
                    ],
                    "observedGeneration": "01HHQJDE6HA98NP5F6Y088XKJ7",
                    "updatedAt": "2023-12-15T20:24:17.881165934Z"
                }
            },
            "version": "715"
        }
    ]
}

ProxyConfiguration resource:

$ consul resource list mesh.v2beta1.ProxyConfiguration
{
    "resources": [
        {
            "data": {
                "dynamicConfig": {
                    "mode": "PROXY_MODE_TRANSPARENT",
                    "transparentProxy": {
                        "outboundListenerPort": 15001
                    }
                },
                "workloads": {
                    "names": [
                        "mesh-gateway-6b4c5cd676-n5z2j"
                    ]
                }
            },
            "generation": "01HHQJDE6CNEE6QNNR4XG5PN45",
            "id": {
                "name": "mesh-gateway-6b4c5cd676-n5z2j",
                "tenancy": {
                    "namespace": "default",
                    "partition": "default",
                    "peerName": "local"
                },
                "type": {
                    "group": "mesh",
                    "groupVersion": "v2beta1",
                    "kind": "ProxyConfiguration"
                },
                "uid": "01HHQJDDCBWT3ZFD2ETDWYRJM3"
            },
            "metadata": {
                "gateway-kind": "mesh-gateway",
                "k8s-namespace": "consul",
                "managed-by": "consul-k8s-pod-controller"
            },
            "version": "712"
        }
    ]
}

How I expect reviewers to test this PR

See above

Checklist

@nathancoleman nathancoleman added theme/mesh-gw pr/no-changelog PR does not need a corresponding .changelog entry pr/no-backport signals that a PR will not contain a backport label labels Dec 15, 2023
@nathancoleman nathancoleman force-pushed the create-workloads-for-gateway-pods branch from 4a4bee7 to a0675b2 Compare December 15, 2023 19:27
nathancoleman
nathancoleman commented Dec 15, 2023
View reviewed changes
Copy link
Member Author

@nathancoleman nathancoleman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Personal review

control-plane/connect-inject/controllers/pod/pod_controller.go
@@ -336,9 +336,11 @@ func (r *Controller) writeWorkload(ctx context.Context, pod corev1.Pod) error {
}
data := inject.ToProtoAny(workload)

resourceID := getWorkloadID(pod.GetName(), r.getConsulNamespace(pod.Namespace), r.getPartition())
r.Log.Info("registering workload with Consul", getLogFieldsForResource(resourceID)...)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This adds helpful logging analogous to what we do elsewhere

consul-k8s/control-plane/connect-inject/controllers/serviceaccount/serviceaccount_controller.go

Line 112 in 2b0ef6a

r.Log.Info("registering workload identity with Consul", getLogFieldsForResource(workloadIdentityResource.Id)...)

consul-k8s/control-plane/connect-inject/controllers/endpointsv2/endpoints_controller.go

Line 336 in 2b0ef6a

r.Log.Info("writing service to Consul", getLogFieldsForResource(consulSvcResource.Id)...)

control-plane/connect-inject/common/common.go
if pod.Annotations == nil {
return false
}
if anno, ok := pod.Annotations[constants.AnnotationGatewayKind]; ok && anno != "" {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This utilizes a known annotation added to all v2 mesh gateway (and api/terminating in the future) pods

consul-k8s/control-plane/gateways/deployment.go

Line 65 in c8e5d9e

constants.AnnotationGatewayKind: meshGatewayAnnotationKind,

control-plane/connect-inject/controllers/pod/pod_controller.go
@@ -762,3 +764,11 @@ func getDestinationsID(name, namespace, partition string) *pbresource.ID {
},
}
}

func getLogFieldsForResource(id *pbresource.ID) []any {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be helpful to move this out into a commonly-used package at some point but didn't do this now

@nathancoleman nathancoleman requested review from thisisnotashwin, a team, missylbytes and sarahalsmiller and removed request for a team December 15, 2023 21:15
@nathancoleman nathancoleman changed the title Create workloads in Consul for xGateway pods Create workloads in Consul for mesh gateway pods Dec 15, 2023
@nathancoleman nathancoleman changed the title Create workloads in Consul for mesh gateway pods [NET-6938] Create workloads in Consul for mesh gateway pods Dec 15, 2023
@nathancoleman nathancoleman marked this pull request as ready for review December 16, 2023 01:33
@nathancoleman
Create workload in Consul for gateway pods
e3eb693 
Gateway pods are not mesh-injected because it doesn't make sense for an Envoy proxy workload to have a sidecar; however, they still need workloads created in Consul for them.
@nathancoleman
Log when pod controller creates workload in Consul
32dacd1
@nathancoleman
Disable t-proxy probe overwrite for mesh gateway pods
e9b547b
@nathancoleman
Update test assertions
66739e7
@nathancoleman nathancoleman force-pushed the create-workloads-for-gateway-pods branch from e89f00e to d4cd4ee Compare December 18, 2023 15:16
@nathancoleman nathancoleman force-pushed the create-workloads-for-gateway-pods branch from d4cd4ee to e518860 Compare December 18, 2023 15:59
sarahalsmiller
sarahalsmiller approved these changes Dec 18, 2023
View reviewed changes
Copy link
Member

@sarahalsmiller sarahalsmiller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, thanks for walking me through it

@nathancoleman nathancoleman merged commit 2e5c86b into main Dec 18, 2023
3 checks passed
@nathancoleman nathancoleman deleted the create-workloads-for-gateway-pods branch December 18, 2023 20:29
sarahalsmiller pushed a commit that referenced this pull request Jan 5, 2024
@nathancoleman @sarahalsmiller
[NET-6938] Create workloads in Consul for mesh gateway pods (#3382)
fe08a81 
* Create workload in Consul for gateway pods

Gateway pods are not mesh-injected because it doesn't make sense for an Envoy proxy workload to have a sidecar; however, they still need workloads created in Consul for them.

* Log when pod controller creates workload in Consul

* Disable t-proxy probe overwrite for mesh gateway pods

* Update test assertions

* Add test case for gateway pod reconciliation
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sarahalsmiller sarahalsmiller sarahalsmiller approved these changes

@thisisnotashwin thisisnotashwin Awaiting requested review from thisisnotashwin

@missylbytes missylbytes Awaiting requested review from missylbytes missylbytes was automatically assigned from hashicorp/consul-api-gateway

Assignees
No one assigned
Labels
pr/no-backport signals that a PR will not contain a backport label pr/no-changelog PR does not need a corresponding .changelog entry theme/mesh-gw
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nathancoleman @sarahalsmiller