Add etcd backed storage #1108
Add etcd backed storage #1108
Conversation
The previous test doesnt actually testing ListConnectors code. For
example the following pseudocode will pass the test:
```
ListConnectors() { return nil, nil }
```
Instead change to actually fetch and compare list of connectors,
ordering by name
storage/etcd/config.go
Outdated
| ) | ||
|
|
||
| type EtcdSSL struct { | ||
| ServerName string `json:"server_name" yaml:"server_name"` |
There was a problem hiding this comment.
nit: we use camel case for struct tags. json:"serverName"
There was a problem hiding this comment.
Why don't we just use transport.TLSInfo https://github.com/coreos/etcd/blob/master/pkg/transport/listener.go#L59?
tlsInfo := transport.TLSInfo{
CertFile: "/tmp/test-certs/test-name-1.pem",
KeyFile: "/tmp/test-certs/test-name-1-key.pem",
TrustedCAFile: "/tmp/test-certs/trusted-ca.pem",
}
tlsConfig, err := tlsInfo.ClientConfig()
...
clientv3.New(clientv3.Config{
...
TLS: tlsConfig,
})
storage/etcd/config.go
Outdated
| CertFile string `json:"cert_file" yaml:"cert_file"` | ||
| } | ||
|
|
||
| type Etcd struct { |
There was a problem hiding this comment.
Hmm what do you mean ? Like setting a etcd namespace ? I think its usually done now with the help of the grpc-proxy, isnt it ?
There was a problem hiding this comment.
Like setting a etcd namespace ?
Yeah an equivalent of etcd grpc-proxy start --namespace=<prefix>
I think its usually done now with the help of the grpc-proxy, isnt it ?
I think it depends on your setup. But yeah we can document the grpc-proxy solution then add native namespace functionality later.
There was a problem hiding this comment.
Still need struct tags
Endpoints []string `yaml:"endpoints"`
storage/etcd/config.go
Outdated
|
|
||
| type Etcd struct { | ||
| Endpoints []string `json:"endpoints" yaml:"endpoints"` | ||
| DialTimeout int `json:"dial_timeout" yaml:"dial_timeout"` |
There was a problem hiding this comment.
We generally don't make everything configurable just because the client library does. Can we set DialTimeout and AutoSyncInterval to reasonable defaults and if there are compelling reasons to expose them later we can?
There was a problem hiding this comment.
Hmm that works for me to. I can set them to the same default as etcdctl.
storage/etcd/config.go
Outdated
| Username string `json:"username" yaml:"username"` | ||
| Password string `json:"password" yaml:"password"` | ||
| SSL EtcdSSL `json:"ssl" yaml:"ssl"` | ||
| RejectOldCluster bool `json:"reject-old-cluster" yaml:"reject-old-cluster"` |
There was a problem hiding this comment.
// RejectOldCluster when set will refuse to create a client against an outdated cluster.
RejectOldCluster bool `json:"reject-old-cluster"`
as before, will also remove this knob for now.
storage/etcd/etcd.go
Outdated
| return c.txnUpdate(ctx, key, func(currentValue []byte) ([]byte, error) { | ||
| var current RefreshToken | ||
| if len(currentValue) > 0 { | ||
| if err := json.Unmarshal([]byte(currentValue), ¤t); err != nil { |
There was a problem hiding this comment.
Any thoughts on using a faster serialization format like protobuf? We use JSON for CRDs because CRDs only support JSON
There was a problem hiding this comment.
I dont have any preference. Go's json stdlib is indeed slow-ish compared to other serialization format, but usually its not significant in practice i think.
| @@ -0,0 +1,109 @@ | |||
| #!/bin/bash | |||
|
|
|||
| if [ "$EUID" -ne 0 ] | |||
There was a problem hiding this comment.
Admittedly we've used these scripts less and less. I think instructions for downloading the binary releases would suffice https://github.com/coreos/etcd/releases
| return nil | ||
| } | ||
|
|
||
| func (c *conn) txnUpdate(ctx context.Context, key string, update func(current []byte) ([]byte, error)) error { |
There was a problem hiding this comment.
cc @xiang90 mind taking a look at this?
There was a problem hiding this comment.
looks right to me.
we could do auto retry inside the txnUpdate by calling update func multiple times when there are conflicts (maybe it is already wrapped?).
There was a problem hiding this comment.
I dont think auto-retry should be applied here. At least thats how the current test is structured ( also how sql transaction works ).
Although IIUC there are differences on the order of transaction between sql and non-sql storages now ( k8s or etcd ). In sql the first started transaction win vs the first finished transaction win in others.
storage/etcd/etcd_test.go
Outdated
| } | ||
| newStorage := func() storage.Storage { | ||
| s := &Etcd{ | ||
| Endpoints: []string{endpoints}, |
There was a problem hiding this comment.
Weird that we call the var ENDPOINTS but only allow one.
There was a problem hiding this comment.
Yah, in tests we only setup 1 endpoint so it still works 😛 I was lazy to do the transformation from env vars to list of endpoints.
|
Since adding a new storage is a big overhead to all future developers, if this is committed we need to be running these tests in travis. Also just to address your commit message
We intentionally build the OpenID Connect authenticator in Kubernetes to operate fine if dex isn't running. While the dependency looks circular, our experience of running dex on Tectonic would imply that that's a perfectly fine setup. |
|
Can we handle timeout better? Or there is a future plan? Right now, we simply pass in context.TODO(). |
|
@xiang90 I think exposing a context is something we have to do on the dex end, unfortunately. |
storage/etcd/etcd.go
Outdated
| return err | ||
| } | ||
| if !updateResp.Succeeded { | ||
| return fmt.Errorf("failed to update key=%q: updated not by us", key) |
There was a problem hiding this comment.
failed to update key = %q: concurrent conflicting update happened.
|
I only took a look at the txnUpdate func. Let me know if there is anything else I could help on. |
yah i think the storage interface needs to be changed so we can pass context downwards. Right now not sure what else can we do here:
|
this is what i usually do if the api layer does not expose context. it is safer. but i am not a dex expert, so i cannot speak for this exact case. |
|
A hard-coded timeout sounds fine. |
This patch adds etcd storage implementation. This should be useful in environments where - we dont want to depends on a separate, hard to maintain SQL cluster - we dont want to incur the overhead of talking to kubernetes apiservers - kubernetes is not available yet, or if kubernetes depends on dex to perform authentication and the operator would like to remove any circular dependency if possible.
This change vendors github.com/coreos/etcd related packages to support etcd storage implementation.
|
added default timeout = 5s, and kv namespace support via |
storage/etcd/config.go
Outdated
| CertFile string `json:"cert_file" yaml:"cert_file"` | ||
| } | ||
|
|
||
| type Etcd struct { |
There was a problem hiding this comment.
Still need struct tags
Endpoints []string `yaml:"endpoints"`
|
@ericchiang Thanks ! I will look into docs and travis change. |
This patch uses docker to run an etcd container in travis CI so we can run storage/etcd conformance tests.
This adds references to etcd storage, including: - only supports etcd v3 - list of options and their meanings when connecting to etcd cluster
This explicitly adds struct tags for etcd storage instead of implicitly depends on yaml/json config serialization.
Add etcd backed storage
This adds a storage implementation backed by etcd. This should be useful mostly in cases where we dont want to depend on a separate SQL cluster ( and etcd is easier to operate ), or if we dont want to incur some overhead of using kubernetes CRD.
There are no documentation yet ! Once this looks good i can try to add them.