Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tproxy: add implicit constraint on client version #20623

Merged
merged 1 commit into from
May 17, 2024
Merged

tproxy: add implicit constraint on client version #20623

merged 1 commit into from
May 17, 2024

Conversation

tgross
Copy link
Member

@tgross tgross commented May 17, 2024

The new transparent proxy feature already has an implicity constraint on the presence of the CNI plugin. But if the CNI plugin is installed on an older version of Nomad, this isn't sufficient to protect against placing tproxy workloads on clients that can't support it. Add a Nomad version constraint as well.

Fixes: #20614

@tgross
tproxy: add implicit constraint on client version
cc831ce 
The new transparent proxy feature already has an implicity constraint on the
presence of the CNI plugin. But if the CNI plugin is installed on an older
version of Nomad, this isn't sufficient to protect against placing tproxy
workloads on clients that can't support it. Add a Nomad version constraint as
well.

Fixes: #20614
@tgross
Copy link
Member Author

tgross commented May 17, 2024
edited

Plan showing attempted deployment to a 1.7.6 client:

$ nomad job plan ./jobs/tproxy.nomad.hcl
+ Job: "countdash"
+ Task Group: "api" (1 create)
  + Task: "connect-proxy-count-api" (forces create)
  + Task: "web" (forces create)

+ Task Group: "dashboard" (1 create)
  + Task: "connect-proxy-count-dashboard" (forces create)
  + Task: "dashboard" (forces create)

Scheduler dry-run:
- WARNING: Failed to place all allocations.
  Task Group "api" (failed to place 1 allocation):
    * Class "multipass": 1 nodes excluded by filter
    * Constraint "${attr.nomad.version} semver >= 1.8.0-dev": 1 nodes excluded by filter

  Task Group "dashboard" (failed to place 1 allocation):
    * Class "multipass": 1 nodes excluded by filter
    * Constraint "${attr.nomad.version} semver >= 1.8.0-dev": 1 nodes excluded by filter

Job Modify Index: 0
To submit the job with version verification run:

nomad job run -check-index 0 ./jobs/tproxy.nomad.hcl

When running the job with the check-index flag, the job will only be run if the
job modify index given matches the server-side version. If the index has
changed, another user has modified the job and the plan's results are
potentially invalid.

Same job, after upgrading the client to this patch:

$ nomad job plan ./jobs/tproxy.nomad.hcl
+ Job: "countdash"
+ Task Group: "api" (1 create)
  + Task: "connect-proxy-count-api" (forces create)
  + Task: "web" (forces create)

+ Task Group: "dashboard" (1 create)
  + Task: "connect-proxy-count-dashboard" (forces create)
  + Task: "dashboard" (forces create)

Scheduler dry-run:
- All tasks successfully allocated.

Job Modify Index: 0
To submit the job with version verification run:

nomad job run -check-index 0 ./jobs/tproxy.nomad.hcl

When running the job with the check-index flag, the job will only be run if the
job modify index given matches the server-side version. If the index has
changed, another user has modified the job and the plan's results are
potentially invalid.

@tgross tgross marked this pull request as ready for review May 17, 2024 13:59
@tgross tgross added type/bug theme/consul/connect Consul Connect integration labels May 17, 2024
@tgross tgross requested a review from philrenaud May 17, 2024 13:59
@tgross tgross added this to the 1.8.0 milestone May 17, 2024
@tgross tgross requested a review from angrycub May 17, 2024 14:00
@tgross tgross mentioned this pull request May 17, 2024
Closed
@tgross tgross merged commit 5a6262d into main May 17, 2024
25 checks passed
@tgross tgross deleted the tproxy-version-constraint branch May 17, 2024 15:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@philrenaud philrenaud philrenaud approved these changes

@gulducat gulducat Awaiting requested review from gulducat

@Juanadelacuesta Juanadelacuesta Awaiting requested review from Juanadelacuesta

@angrycub angrycub Awaiting requested review from angrycub

Assignees
No one assigned
Labels
theme/consul/connect Consul Connect integration type/bug
Projects
None yet
Milestone
1.8.0
Development

Successfully merging this pull request may close these issues.

[beta] Transparent proxy jobs can be scheduled on nodes without transparent proxy (ie. older versions)
2 participants
@tgross @philrenaud