-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
controller: resolve external services with public DNS #360
Conversation
3ab34d2
to
d03cd80
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks reasonable to me so far
controller/destination/egress.go
Outdated
informer.mutex.Lock() | ||
defer informer.mutex.Unlock() | ||
|
||
for l in range(informer.listeners) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if I remember correctly, this might be giving you the index instead of the item....
controller/destination/egress.go
Outdated
|
||
for l in range(informer.listeners) { | ||
if l == listener { | ||
//todo |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
something to watch out for: you probably want to stop the informer and remove it from the map if the list of listeners becomes empty.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that's what the stopCh
is meant as well. In Unsubscribe
, I expect that if the list has become empty, to shutdown that informer. Still looking up super basic things like removing an element from an array :D
39b7789
to
36babcd
Compare
I wanted to start trying to write tests for this file, but have hit some snags in how best to do that. I'd love to create some |
36babcd
to
307341d
Compare
Signed-off-by: Sean McArthur <sean@seanmonstar.com>
307341d
to
1ba2e29
Compare
in |
24ffc5b
to
79aa55b
Compare
Signed-off-by: Sean McArthur <sean@seanmonstar.com>
79aa55b
to
ea01a76
Compare
Woo, unit tests pass, and theres a relcon test passing with this also. So, uh, needs a review. Also, there's some implementation details that still have questions:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks really great. A few comments below.
@@ -0,0 +1,186 @@ | |||
package destination |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd consider naming this file dns_watcher.go since the contents of the file make no reference to the term egress
} | ||
|
||
func (i* informer) update(addrs []string) { | ||
// diff with current set, send any updates |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is a diff
function in endpoints.go
that could be factored out into util.go
and then re-used here.
} | ||
additions = append(additions, common.TcpAddress{ | ||
Ip: ip, | ||
Port: 80, //magical |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe the host can optionally include a port. We should split on :
and use the specified port if it exists. Otherwise, we should use the default port for the protocol. This probably requires a change to the destination protobuf to start sending the protocol.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alternatively, we can punt on this and default to 80 for now, but this will not work for HTTPS egress calls.
See #392. |
@briansmith thanks for pointing this out. that is, indeed, an interesting wrinkle. If I understand correctly, the following would work for us, at least for this release:
Would this be correct behavior for 0.3? @seanmonstar If so, I imagine this isn't all that hard to implement in the next day. (I can help on the proxy work, if needed). |
I don't think we want to wait for a destination service round-trip to route
each request with DNS resolution.
Should the proxy cache that a particular authority is not resolvable by the
destination service? For how long?
Or should the destination API be expanded to include a state in the
response stream which indicates that the destination service could not
resolve the authority?
…On Mon, Feb 19, 2018 at 4:47 PM, Oliver Gould ***@***.***> wrote:
@briansmith <https://github.com/briansmith> thanks for pointing this out.
that is, indeed, an interesting wrinkle.
If I understand correctly, the following would work for us, at least for
this release:
1. proxy to tries to resolve all names through the controller. the
controller does NOT attempt to DNS resolution.
2. if the controller cannot resolve the name through the kubernetes
API, the proxy simply uses the original dst addr, which should be already
resolved through DNS by the application
Would this be correct behavior for 0.3?
If so, I imagine this isn't *all* that hard to implement in the next day.
(I can help on the proxy work, if needed).
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#360 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ADy6InY6VLmn1AurtcKahaEwFTwSIYeIks5tWhYbgaJpZM4SGElO>
.
|
The controller would have to return a distinct indicator that means "don't rely on me for this name." I don't know if it currently does that; it might need to be modified to do so.
It would be more correct than the current behavior and safer than what's proposed in this PR. It wouldn't be completely correct because we'd still resolve I suggest a slight variation of your suggested implementation, by making the decision in the proxy instead of in the Destination service: If Either your way or this more efficient way would allow external services to work. Regardless, in 0.4 we'll need to properly handle names like |
I think this is all addressed by my suggestion above in #360 (comment). |
Closing in favor of #397 |
This is a pretty basic stab at providing DNS support for external services (see #155). Notably:
net.LookupHost
. This means it was much easier to implement, but that it doesn't observe TTLs, and so the interval it checks for updates is rather arbitrary.Endpoints
stuff to keep only 1 querying thing per host, even if multiple proxies are all asking for it.informer.run()
part is sufficiently separate that we could later add in usage ofdns
orcoredns
or something.Closes #155