
feat(kuma-cp) Support probes with mTLS enabled #1036

Merged: 10 commits, Sep 24, 2020

Conversation

@lobkovilya (Contributor) commented Sep 21, 2020

Summary

The current PR fixes a known issue in Kuma: adding Kubernetes probes with mTLS enabled.
A given HttpGet probe :8080/health is automatically converted to the virtual probe :9000/8080/health, where 9000 is an insecure port regardless of the state of mTLS. Traffic from this port is always forwarded by Envoy to localhost:8080/health.
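The rewrite described above, both directions, as an added Go example (not Kuma's own code): `ToVirtual` folds the application port into the path for kubelet, and `ParseVirtual` recovers the port and path the proxy must forward to on localhost, returning a descriptive error when the first segment is not a valid port. The `Probe` type and both function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Probe is an HTTP probe as declared on the Pod: the application port and
// path (for example port 8080, path "/health"). The type and the function
// names below are assumptions for this example, not Kuma identifiers.
type Probe struct {
	Port int
	Path string
}

// ToVirtual rewrites an application probe into the virtual probe kubelet will
// call: the request goes to the insecure virtual port and the real port is
// folded into the first path segment, e.g. :8080/health -> :9000/8080/health.
func (p Probe) ToVirtual(virtualPort int) Probe {
	path := p.Path
	if !strings.HasPrefix(path, "/") {
		path = "/" + path
	}
	return Probe{Port: virtualPort, Path: fmt.Sprintf("/%d%s", p.Port, path)}
}

// ParseVirtual is the inverse: given the path of a request that arrived on the
// virtual port, recover the application port and path to forward to on
// localhost. Anything that is not "/<port>/..." is rejected with an error that
// names the bad segment and the reason, instead of a bare false.
func ParseVirtual(virtualPath string) (Probe, error) {
	trimmed := strings.TrimPrefix(virtualPath, "/")
	segments := strings.SplitN(trimmed, "/", 2)
	if segments[0] == "" {
		return Probe{}, fmt.Errorf("virtual probe path %q: missing application port segment", virtualPath)
	}
	port, err := strconv.ParseInt(segments[0], 10, 32)
	if err != nil {
		return Probe{}, fmt.Errorf("virtual probe path %q: first segment %q is not a port number: %w", virtualPath, segments[0], err)
	}
	if port < 1 || port > 65535 {
		return Probe{}, fmt.Errorf("virtual probe path %q: port %d out of range 1-65535", virtualPath, port)
	}
	appPath := "/"
	if len(segments) == 2 {
		appPath += segments[1]
	}
	return Probe{Port: int(port), Path: appPath}, nil
}

func main() {
	// Constructed sample: the probe from the PR description, virtual port 9000.
	app := Probe{Port: 8080, Path: "/health"}
	virtual := app.ToVirtual(9000)
	fmt.Printf("kubelet calls :%d%s\n", virtual.Port, virtual.Path)

	back, err := ParseVirtual(virtual.Path)
	fmt.Printf("proxy forwards to localhost:%d%s (err=%v)\n", back.Port, back.Path, err)

	// A request on the virtual port whose path carries no port segment.
	_, err = ParseVirtual("/health")
	fmt.Println("bad path:", err)
}
```

A request on port 9000 whose path does not start with a numeric segment is not a probe the proxy can route, so the error carries the path and the reason; that is the condition the reviewer asks to be spelled out further down in this PR.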

Changes in kuma-cp config

The injector section has new fields:

```yaml
injector:
  ...
  virtualProbesEnabled: true
  virtualProbesPort: 9000
```

They allow us to set another value for the insecure port or to disable virtual probes altogether.

New Pod annotations

Both values from the previous section can be overridden by the Pod's annotations:

```go
// KumaVirtualProbesPortAnnotation is the insecure port on which virtual probes are listened for
KumaVirtualProbesPortAnnotation = "kuma.io/virtual-probes-port"

// KumaMetricsPrometheusPort allows overriding the `Mesh`-wide default port
KumaMetricsPrometheusPort = "prometheus.metrics.kuma.io/port"
```

Annotation refactoring

We used to check annotation values only against "good" values, so some "junk" was allowed; for example:

kuma.io/ingress: some-junk

was considered as not "enabled". The current PR makes annotations stricter.
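The strict annotation handling described in this section and the Pod-level port override from the previous one, as an added Go example (not the PR's own code): the lenient check silently reads "some-junk" as "not enabled", while the strict parsers return an error the injection webhook can act on. The accepted spellings "enabled"/"disabled", the `Annotations` type, `KumaIngressAnnotation` and the function names are assumptions of this example; the two port annotation keys are the ones from the PR description.

```go
package main

import (
	"fmt"
	"strconv"
)

// Annotation keys. The first two are the keys named in the PR description;
// the ingress key name is assumed for this example.
const (
	KumaVirtualProbesPortAnnotation = "kuma.io/virtual-probes-port"
	KumaMetricsPrometheusPort       = "prometheus.metrics.kuma.io/port"
	KumaIngressAnnotation           = "kuma.io/ingress"
)

// Annotations is the Pod's metadata.annotations map.
type Annotations map[string]string

// lenientEnabled is the old behaviour sketched in the PR description: the
// value is compared only against the "good" value, so "some-junk" silently
// reads as "not enabled" and nobody learns the annotation is malformed.
func lenientEnabled(a Annotations, key string) bool {
	return a[key] == "enabled"
}

// GetEnabled is the strict form: it reports whether the key is present and,
// if so, accepts only "enabled" or "disabled" (spellings assumed here). Any
// other value is an error so the caller rejects the Pod instead of guessing.
func (a Annotations) GetEnabled(key string) (enabled bool, present bool, err error) {
	v, ok := a[key]
	if !ok {
		return false, false, nil
	}
	switch v {
	case "enabled":
		return true, true, nil
	case "disabled":
		return false, true, nil
	default:
		return false, true, fmt.Errorf("annotation %s: invalid value %q, expected \"enabled\" or \"disabled\"", key, v)
	}
}

// GetPort is the strict parser for port-valued annotations such as the
// virtual-probes port override: the value must be an integer in 1..65535.
func (a Annotations) GetPort(key string) (port uint32, present bool, err error) {
	v, ok := a[key]
	if !ok {
		return 0, false, nil
	}
	n, perr := strconv.ParseUint(v, 10, 32)
	if perr != nil {
		return 0, true, fmt.Errorf("annotation %s: %q is not a port number: %w", key, v, perr)
	}
	if n < 1 || n > 65535 {
		return 0, true, fmt.Errorf("annotation %s: port %d out of range 1-65535", key, n)
	}
	return uint32(n), true, nil
}

// VirtualProbesPort resolves the effective insecure port: a valid Pod
// annotation overrides the injector's configured default (virtualProbesPort).
func VirtualProbesPort(a Annotations, configDefault uint32) (uint32, error) {
	p, present, err := a.GetPort(KumaVirtualProbesPortAnnotation)
	if err != nil {
		return 0, err
	}
	if !present {
		return configDefault, nil
	}
	return p, nil
}

func main() {
	// Constructed sample Pod annotations: the junk value from the PR text plus
	// a port override.
	pod := Annotations{KumaIngressAnnotation: "some-junk", KumaVirtualProbesPortAnnotation: "9001"}
	fmt.Println("lenient ingress enabled:", lenientEnabled(pod, KumaIngressAnnotation))
	_, _, err := pod.GetEnabled(KumaIngressAnnotation)
	fmt.Println("strict ingress check:", err)
	port, err := VirtualProbesPort(pod, 9000)
	fmt.Println("virtual probes port:", port, err)
}
```

Returning the "present" flag separately from the value matters for the three-way outcome (absent, set to a valid value, set to junk): only the last one should fail injection, and the first should fall back to the kuma-cp default.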

Issues resolved

Fix #795

Documentation

Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
…l refactoring of Annotations
@lobkovilya lobkovilya requested a review from a team as a code owner September 21, 2020 09:52
@jakubdyszkiewicz (Contributor) left a comment

Really nice job here 👍 Can we have this tested in an E2E test somehow? Can we add an HTTP probe to some existing app?

Files with review comments:

pkg/plugins/runtime/k8s/metadata/annotations.go
pkg/plugins/runtime/k8s/webhooks/injector/injector.go
pkg/xds/generator/probe_generator_test.go
pkg/xds/generator/probe_generator.go
pkg/plugins/runtime/k8s/probes/probe.go
pkg/plugins/runtime/k8s/controllers/pod_converter.go
api/mesh/v1alpha1/dataplane.proto
}
vport, err := strconv.ParseInt(segments[1], 10, 32)
if err != nil {
return KumaProbe{}, false
return KumaProbe{}, errors.New("can't parse Pod's probe")
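Review bot: the new `return KumaProbe{}, errors.New("can't parse Pod's probe")` discards both the `err` returned by `strconv.ParseInt` and the offending `segments[1]`, so the caller still cannot tell which part of the probe path was rejected or why. Wrap the parse error and include the segment, e.g. `errors.Wrapf(err, "can't parse Pod's probe: port segment %q is not a number", segments[1])` (or the equivalent `fmt.Errorf` with `%w` if the standard-library errors package is in use).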
Contributor comment:

Could be more descriptive about why it cannot be parsed.

@lobkovilya lobkovilya merged commit 7fea17f into master Sep 24, 2020
@nickolaev nickolaev deleted the feat/mtls-probes branch October 6, 2020 11:57
@lobkovilya lobkovilya mentioned this pull request Dec 7, 2020
Successfully merging this pull request may close these issues: Support probes on Kubernetes