Agent: add support for watching kvstoremesh prefixes #26154
Conversation
giorio94
added
area/clustermesh
|
/test Job 'Cilium-PR-K8s-1.25-kernel-4.19' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.25-kernel-4.19/660/ The failure was #25964 |
giorio94
force-pushed
the
mio/kvstoremesh-agent
branch
from
1dbbd1f
to
93f2d89
Compare
|
Rebased onto main to pick the fixes for conformance-ginkgo |
|
/test |
giorio94
force-pushed
the
mio/kvstoremesh-agent
branch
from
93f2d89
to
33d9a9b
Compare
|
/test |
|
/ci-aks Hit #26075 |
|
/ci-external-workloads |
joestringer
added
the
kind/enhancement
|
/ci-ginkgo |
There was a problem hiding this comment.
clustermesh: enable watching the "cached" ipcache prefix
Thanks for the detailed commit messages. Changes lgtm for my codeowner (ipcache), just a high-level question regarding upgrade/downgrade - will the ipcache entries will be stored at both the legacy and the new path (when kvstoremesh is enabled)?
The clustermesh-apiserver still uses the old prefixes to store the information concerning the local cluster, while kvstoremesh uses the new ones to cache the information retrieved from remote clusters. This is transparent from the agents POW, because they select which ones to watch based on the Cached capability part of the cluster config (defaulting to the old behavior if unspecified). When performing an upgrade enabling kvstoremesh, the agents will switch from watching the remote kvstores to watching the local one (because their |
This commit adapts the nodes and services watchers to use the newly introduced "cache" prefixes in case the corresponding capability is set. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Currently, the ipcache entries are stored under the kvstore key `cilium/state/ip/v1/default/<ip>` regardless of the configured cluster name. Yet, this is problematic if the same kvstore hosts information concerning multiple clusters, because it is impossible to watch only the entries referring to a single one (and there would be conflicts in case of overlapping PodCIDRs). This commit adapts the ipcache watcher logic to use the newly introduced "cached" prefix (i.e., `cilium/cache/ip/v1/<cluster-name>) when retrieving the entries from remote clusters, in case the corresponding capability is set (i.e., it has been created by kvstoremesh). This prevents backward compatibility issues. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Currently, the identities entries are stored under the kvstore prefix `cilium/state/identities/v1/id/<identity>` regardless of the configured cluster name. Yet, this is problematic if the same kvstore hosts information concerning multiple clusters, because it is impossible to watch only the entries referring to a single one. This commit adapts the identities watcher logic to use the newly introduced "cached" prefix (`cilium/state/identities/v1/<cluster>/id>` when retrieving the identities from remote clusters, in case the corresponding capability is set (i.e., it has been created by kvstoremesh). This prevents backward compatibility issues. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
This commit adds a test to ensure that remoteCluster.Run() appropriately sets up the kvstore watchers based on the remote cluster config settings. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
When kvstoremesh is enabled, the agent connects to the local kvstore, rather to remote ones. Hence, it targets the corresponding service. Yet, since agents run in host network, service resolution requires that the DNSPolicy is set to ClusterFirstWithHostNet, introducing a dependency on CoreDNS. To prevent this requirement, let's configure a custom dialer responsible for service resolution based on the service cached information. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
giorio94
force-pushed
the
mio/kvstoremesh-agent
branch
from
33d9a9b
to
fd85bcb
Compare
|
Rebased onto main to pick the changes already introduced in #26083 |
|
/test |
maintainer-s-little-helper
bot
added
the
ready-to-merge
This PR introduces a set of minor modifications to enable Cilium agents watching the kvstore prefixes used by kvstoremesh. Please refer to the individual commit descriptions for additional details.