feat(*) adding kumactl install transparent-proxy #1321
Conversation
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
…y' into feat/kumactl_install_transparent_proxy
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
nickolaev
force-pushed
the
feat/kumactl_install_transparent_proxy
branch
from
1bd8362
to
8233e25
Compare
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
…l_transparent_proxy
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
|
Even if the user installs transparent proxying in some hosts, they may still be setting up
|
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
We do have an explicit check for this already: // this part of validation works only for Universal scenarios with TransparentProxying
if dp.Spec.Networking.TransparentProxying != nil && len(dp.Spec.Networking.Outbound) != 0 {
var err validators.ValidationError
err.AddViolation("outbound", "should be empty since dataplane is in Transparent Proxying mode")
return nil, err.OrNil()
}This happens late in the generation process, so this message is seen on the envoy console, it may make sense to actually check this early when the Dataplane is instantiated.
The iptables rules we deploy have an explicit rule that does not redirect any traffic that is towards localhost. This essentially prevent us from having
It technically can be made to work with some patching, but then we have the iptables rules not forwarding the traffic. Not saying it is impossible, it just will make things harder to maintain in production, and I personally don't see any particular benefit. |
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
nickolaev
force-pushed
the
feat/kumactl_install_transparent_proxy
branch
from
37376da
to
e60bab8
Compare
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
…l_transparent_proxy
|
|
||
| if args.DryRun { | ||
| _, _ = cmd.OutOrStdout().Write([]byte(output)) | ||
| } |
There was a problem hiding this comment.
else: print something like iptables modified.
What happens if I run this command twice?
There was a problem hiding this comment.
can you maybe extract this to method modifyIptables()? and below to modifyResolvConf()?
There was a problem hiding this comment.
Resolv.conf will not be modified for sure. I think iptables will not too.
| cmd.Flags().StringVar(&args.User, "kuma-dp-user", args.UID, "the user that will run kuma-dp") | ||
| cmd.Flags().StringVar(&args.UID, "kuma-dp-uid", args.UID, "the UID of the user that will run kuma-dp") | ||
| cmd.Flags().BoolVar(&args.ModifyResolvConf, "modify-resolv-conf", args.ModifyResolvConf, "modify the host `/etc/resolv.conf` to allow `.mesh` resolution through kuma-cp") | ||
| cmd.Flags().IPVar(&args.KumaCpIP, "kuma-cp-ip", args.KumaCpIP, "the ") |
There was a problem hiding this comment.
the ... end? :D
btw. is it IP only without port? can this be a hostname?
| return errors.Wrap(err, "uanble to open /etc/resolv.conf") | ||
| } | ||
| _, _ = cmd.OutOrStdout().Write(content) | ||
| _, _ = cmd.OutOrStdout().Write([]byte("\n")) |
There was a problem hiding this comment.
I think instead of printing resolv.conf I'd print something like:
/etc/resolv.conf modified. The previous version of the file backed up to /etc/resolv.conf.kuma
nit: how about instead of /etc/resolv.conf.kuma call it /etc/resolv.conf.kuma-backup or /etc/resolv.conf.backup-by-kuma. Also it would be nice to add as a first line a comment to this file:
# This file was backed up by kumactl install transparent proxy
There was a problem hiding this comment.
All applied except for modifying the file, as it will make restoring it slightly harder. But meanwhile, its name is still saying enough (kuma-backup).
| Cleanup(dryRun bool) (string, error) | ||
| } | ||
|
|
||
| func GetDefaultTransparentProxy() TransparentProxy { |
There was a problem hiding this comment.
nit: just DefaultTransparentProxy() without Get, to follow our convention in components.go files.
|
|
||
| It("should access the service using .mesh", func() { | ||
|
|
||
| for i := 0; i < iterations; i++ { |
There was a problem hiding this comment.
why do we need iterations?
There was a problem hiding this comment.
well, just to have more tries and see it is consistent.
There was a problem hiding this comment.
but we do have DoWithRetry in the iterations. Even if this is not consistent (example - every other request works), it will be retried in the loop and the test will pass.
| os.Args = append(os.Args, savedArgs...) | ||
| }() | ||
|
|
||
| if err := install.GetCommand().Execute(); err != nil { |
There was a problem hiding this comment.
instead of messing around with global os.Args and os.Stdout, can we do it like with tests?
cmd := install.GetCommand()
cmd.SetArgs(...)
stdout := &bytes.Buffer{}
stderr := &bytes.Buffer{}
cmd.SetOut(stdout)
cmd.SetErr(stderr)
err := cmd.Execute()
stdout.Bytes()
There was a problem hiding this comment.
Unfortunately no, because:
- viper validates that everything in os.Args is a valid flag, and it does not expect to find there our own flags
- the execute functions in istio-iptabes are directly writing to os.Stdout, there is no way around this
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
…l_transparent_proxy
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
|
|
||
| It("should access the service using .mesh", func() { | ||
|
|
||
| for i := 0; i < iterations; i++ { |
There was a problem hiding this comment.
but we do have DoWithRetry in the iterations. Even if this is not consistent (example - every other request works), it will be retried in the loop and the test will pass.
* chore(*) add kuma-iptables to universal * test(e2e) add universal transparent proxy * test(e2e) transparent proxy cleanup * feat(*) add Istio transparent proxy * test(*) e2e uses kumactl install transparent-proxy * chore(*) flexible configuration * chore(*) modify resolv conf * tests(*) transparent proxy * fix(*) new error in golang-migrate/migrate v4.14.1 * test(*) install the transparent proxy * docs(*) more extensive help for transparent proxy Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com> (cherry picked from commit 5dcd5ee) # Conflicts: # go.mod # go.sum
* feat(*) adding kumactl install transparent-proxy (#1321) * chore(*) add kuma-iptables to universal * test(e2e) add universal transparent proxy * test(e2e) transparent proxy cleanup * feat(*) add Istio transparent proxy * test(*) e2e uses kumactl install transparent-proxy * chore(*) flexible configuration * chore(*) modify resolv conf * tests(*) transparent proxy * fix(*) new error in golang-migrate/migrate v4.14.1 * test(*) install the transparent proxy * docs(*) more extensive help for transparent proxy Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com> Co-authored-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
Summary
Expanding
kumactlwith new commands to manage host setting and enable Transparent Proxy mode:The
kuma-dpuser should be pre-created on the host and the kuma-dp process should be started as this user. One option is to userunuserThe typical Dataplane resource to be used with transparent proxy looks like this:
Where
{{ name }},{{ address }}and{{ port }}can be command line substituted variables. The ports15001and15006are the defaults set inkumactl install transparent-proxy. The additional flags--redirect-inbound-portand--redirect-outbound-portwill set these to whatever values are needed.A full command that runs
kuma-dpprocess askuma-dpuser and substitutes the variables in the yaml:Reverting the transparent proxy changes made on the host:
Documentation