Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix tproxy listeners with discovery chains. #14751

Merged
merged 5 commits into from
Oct 5, 2022
Merged

Fix tproxy listeners with discovery chains. #14751

merged 5 commits into from
Oct 5, 2022

Conversation

hashi-derek
Copy link
Member

@hashi-derek hashi-derek commented Sep 26, 2022
edited
Loading

Description

Transparent proxy does not spawn outbound listeners for explicit upstreams to service-resolvers. When upstreams are explicitly defined, a corresponding listener should be spawned.

Testing & Reproduction steps

Create a service with the following fields configured:

consul.hashicorp.com/connect-inject: "true"
consul.hashicorp.com/connect-service-upstreams: "upstream:9001"
consul.hashicorp.com/transparent-proxy: "true"

Create a service resolver that will be used as the upstream.

apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceResolver
metadata:
  name: upstream
spec:
  redirect:
    service: other-svc

Check the Envoy admin config dump and observe that no listeners are spawned.

PR Checklist

  • updated test coverage
  • external facing docs updated
  • not a security concern

@github-actions github-actions bot added the theme/envoy/xds Related to Envoy support label Sep 26, 2022
freddygv
freddygv reviewed Sep 27, 2022
View reviewed changes
Copy link
Contributor

@freddygv freddygv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is a good start! Though there is a gotcha here because there are assumptions in the code that discovery chain watches for tproxy only get managed in one place.

I left a comment below explaining.

agent/proxycfg/connect_proxy.go Show resolved Hide resolved
@hashi-derek hashi-derek force-pushed the derekm/tproxy-bug-14 branch 3 times, most recently from 9f68840 to 0aaf903 Compare September 27, 2022 19:02
@hashi-derek hashi-derek marked this pull request as ready for review September 27, 2022 19:24
freddygv
freddygv reviewed Oct 4, 2022
View reviewed changes
agent/proxycfg/connect_proxy.go
if !upstream.CentrallyConfigured {
seenUpstreams[uid] = struct{}{}
}
}

// Clean up data from services that were not in the update
for uid, targets := range snap.ConnectProxy.WatchedUpstreams {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if instead we modify the check for cross-datacenter upstreams to instead check !CentrallyConfigured? That way we avoid allocating a new map. We're already checking UpstreamConfig in the reconciliation.

if upstream, ok := snap.ConnectProxy.UpstreamConfig[uid]; ok && upstream.Datacenter != "" && upstream.Datacenter != s.source.Datacenter {
	continue
}

Could become:

if upstream, ok := snap.ConnectProxy.UpstreamConfig[uid]; ok && !upstream.CentrallyConfigured {
	continue
}

This works because a cross-DC watch can only be done explicitly, and not via service-defaults/CentrallyConfigured.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(Applies through L549))

freddygv
freddygv approved these changes Oct 5, 2022
View reviewed changes
Copy link
Contributor

@freddygv freddygv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@hashi-derek hashi-derek merged commit a279d2d into main Oct 5, 2022
@hashi-derek hashi-derek deleted the derekm/tproxy-bug-14 branch October 5, 2022 19:38
This was referenced Oct 5, 2022
Closed
Merged
hashi-derek added a commit that referenced this pull request Oct 5, 2022
@hashi-derek
Fix explicit tproxy listeners with discovery chains. (#14751)
9c2b54c
@hashi-derek hashi-derek mentioned this pull request Oct 5, 2022
Merged
hashi-derek added a commit that referenced this pull request Oct 6, 2022
@hashi-derek
Fix explicit tproxy listeners with discovery chains. (#14751)
d7f8ad1
@hashi-derek hashi-derek linked an issue Oct 7, 2022 that may be closed by this pull request
If tproxy is enabled, explicit upstreams with serviceresolver create no envoy listeners #13400
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@freddygv freddygv freddygv approved these changes

Assignees
No one assigned
Labels
theme/envoy/xds Related to Envoy support
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

If tproxy is enabled, explicit upstreams with serviceresolver create no envoy listeners
2 participants
@hashi-derek @freddygv