Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Best practice to handle a kubernetes job that needs to connect to the mesh #722

Closed
harscoet opened this issue Sep 13, 2021 · 8 comments
Closed

Best practice to handle a kubernetes job that needs to connect to the mesh #722

harscoet opened this issue Sep 13, 2021 · 8 comments
Labels
type/question Question about product, ideally should be pointed to discuss.hashicorp.com

Comments

@harscoet
Copy link

harscoet commented Sep 13, 2021
edited
Loading

Actually to be able to create a kubernetes job that needs to call some services from the mesh, I need to register the job itself as a service in consul. Is it the only solution? Do you have some best practices to handle this really common use case?

Related to this issue #692 I now need to create a kubernetes service, as I don't have any port, what manifest I need to create?
Is it enough?

apiVersion: v1
kind: Service
metadata:
  name: dummy-service
spec:
  clusterIP: None
  selector:
    name: dummy-service

I have a secondary issue related to this kubernetes behavior kubernetes/kubernetes#25908
When my jobs ends, consul sidecars are still running so the job is not considered terminated. Do you have a good solution to handle this? Linkerd for example added a special endpoint to be able to shutdown linkerd/linkerd2-proxy#811

The workaround actually for me is to use shareProcessNamespace: true run my main container as root and run pkill consul at the end of my script
@harscoet harscoet added the type/question Question about product, ideally should be pointed to discuss.hashicorp.com label Sep 13, 2021
@kschoche
Copy link
Contributor

HI @harscoet, thanks for posting this question.
You are correct in that in order to access the mesh you would need to add a headless kubernetes service for your Job to get registered in the service mesh.
You are also correct in that due to the envoy sidecar not being terminated by Kubernetes the pod will be left around even after your container completes. One possible option might be to have your container issue a POST to envoy's admin port /quitquitquit at it's completion, that might avoid having to try to issue a pkill through namespaces?
https://www.envoyproxy.io/docs/envoy/latest/operations/admin#post--quitquitquit

@wmorgan
Copy link

wmorgan commented Sep 18, 2021

Linkerd also provides the linkerd-await wrapper that will call the shutdown hook for you when the job terminates, as a convenience. C'mon over and give it a try!

@harscoet
Copy link
Author

harscoet commented Sep 20, 2021
edited
Loading

One possible option might be to have your container issue a POST to envoy's admin port /quitquitquit at it's completion, that might avoid having to try to issue a pkill through namespaces?

Thanks for the reply @kschoche!
It seems to be a good solution to exit the first envoy-sidecar! What about the second one consul-sidecar ?

@kschoche
Copy link
Contributor

kschoche commented Sep 20, 2021
edited
Loading

Hi @harscoet!
We no longer attach the consul-sidecar sidecar in the latest releases, so you should just need to send it to the envoy-sidecar. The only time it gets added anymore is when you're using metrics merging.
Edit: removing the part about the preStop hook as after a closer look it would not work!

@lkysow
Copy link
Member

lkysow commented Sep 21, 2021

Related to Kyle's response, are you using metrics merging?

@nicholasjackson
Copy link
Contributor

nicholasjackson commented Sep 22, 2021
edited
Loading

Adding an additional option to this @harscoet, this code repository:

https://github.com/nrmitchi/k8s-controller-sidecars

contains a controller that you can deploy to your cluster that automatically kills sidecar pods when the main job container exits.

You will need to build this from the go code and bundle it into a Docker container as there is no release (if you just want to test you can use: nicholasjackson/k8s-controller-sidecars:latest). But it works really well, in addition to the injection annotations for Consul you simply add an additional annotation "nrmitchi.com/sidecars": "consul-sidecar,envoy-sidecar". This is a comma-separated list of containers to kill when the main container exits.

I think you are using the transparent proxy features so many of the below annotations may not be required, my cluster is not yet using that.

Example annotations

              "consul.hashicorp.com/connect-inject": "true"
              "consul.hashicorp.com/connect-service": "cron-job"
              "consul.hashicorp.com/connect-service-port": 9090
              "consul.hashicorp.com/connect-service-upstreams": "minecraft-bot:3000"
              "nrmitchi.com/sidecars": "consul-sidecar,envoy-sidecar"

Kind regards,

Nic

lawliet89 pushed a commit to lawliet89/consul-k8s that referenced this issue Oct 6, 2021
@lkysow
Fix PSP when meshGateway.hostNetwork=true (hashicorp#722)
e39b13c
@david-yu
Copy link
Contributor

@harscoet Could you share your example yaml file with your job injected? We're looking into how to solve this now.

@david-yu
Copy link
Contributor

david-yu commented Jul 7, 2023

This is now documented here: https://developer.hashicorp.com/consul/docs/k8s/connect#kubernetes-jobs. Will go ahead and close this issue. Thanks for your feedback. If you're on Consul K8s 1.2.x, you'll need to wait until the next patch release to get the graceful shutdown endpoint.

@david-yu david-yu closed this as completed Jul 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type/question Question about product, ideally should be pointed to discuss.hashicorp.com
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@wmorgan @david-yu @nicholasjackson @lkysow @harscoet @kschoche