controller: resolve external services with public DNS #360
Conversation
seanmonstar
force-pushed
the
controller-public-dns
branch
from
3ab34d2
to
d03cd80
Compare
controller/destination/egress.go
Outdated
| informer.mutex.Lock() | ||
| defer informer.mutex.Unlock() | ||
|
|
||
| for l in range(informer.listeners) { |
There was a problem hiding this comment.
if I remember correctly, this might be giving you the index instead of the item....
controller/destination/egress.go
Outdated
|
|
||
| for l in range(informer.listeners) { | ||
| if l == listener { | ||
| //todo |
There was a problem hiding this comment.
something to watch out for: you probably want to stop the informer and remove it from the map if the list of listeners becomes empty.
There was a problem hiding this comment.
Yes, that's what the stopCh is meant as well. In Unsubscribe, I expect that if the list has become empty, to shutdown that informer. Still looking up super basic things like removing an element from an array :D
seanmonstar
force-pushed
the
controller-public-dns
branch
12 times, most recently
from
39b7789
to
36babcd
Compare
|
I wanted to start trying to write tests for this file, but have hit some snags in how best to do that. I'd love to create some |
seanmonstar
force-pushed
the
controller-public-dns
branch
from
36babcd
to
307341d
Compare
Signed-off-by: Sean McArthur <sean@seanmonstar.com>
seanmonstar
force-pushed
the
controller-public-dns
branch
from
307341d
to
1ba2e29
Compare
|
in |
seanmonstar
force-pushed
the
controller-public-dns
branch
4 times, most recently
from
24ffc5b
to
79aa55b
Compare
Signed-off-by: Sean McArthur <sean@seanmonstar.com>
seanmonstar
force-pushed
the
controller-public-dns
branch
from
79aa55b
to
ea01a76
Compare
|
Woo, unit tests pass, and theres a relcon test passing with this also. So, uh, needs a review. Also, there's some implementation details that still have questions:
|
| @@ -0,0 +1,186 @@ | |||
| package destination | |||
There was a problem hiding this comment.
I'd consider naming this file dns_watcher.go since the contents of the file make no reference to the term egress
| } | ||
|
|
||
| func (i* informer) update(addrs []string) { | ||
| // diff with current set, send any updates |
There was a problem hiding this comment.
There is a diff function in endpoints.go that could be factored out into util.go and then re-used here.
| } | ||
| additions = append(additions, common.TcpAddress{ | ||
| Ip: ip, | ||
| Port: 80, //magical |
There was a problem hiding this comment.
I believe the host can optionally include a port. We should split on : and use the specified port if it exists. Otherwise, we should use the default port for the protocol. This probably requires a change to the destination protobuf to start sending the protocol.
There was a problem hiding this comment.
Alternatively, we can punt on this and default to 80 for now, but this will not work for HTTPS egress calls.
|
See #392. |
|
@briansmith thanks for pointing this out. that is, indeed, an interesting wrinkle. If I understand correctly, the following would work for us, at least for this release:
Would this be correct behavior for 0.3? @seanmonstar If so, I imagine this isn't all that hard to implement in the next day. (I can help on the proxy work, if needed). |
|
I don't think we want to wait for a destination service round-trip to route
each request with DNS resolution.
Should the proxy cache that a particular authority is not resolvable by the
destination service? For how long?
Or should the destination API be expanded to include a state in the
response stream which indicates that the destination service could not
resolve the authority?
…On Mon, Feb 19, 2018 at 4:47 PM, Oliver Gould ***@***.***> wrote:
@briansmith <https://github.com/briansmith> thanks for pointing this out.
that is, indeed, an interesting wrinkle.
If I understand correctly, the following would work for us, at least for
this release:
1. proxy to tries to resolve all names through the controller. the
controller does NOT attempt to DNS resolution.
2. if the controller cannot resolve the name through the kubernetes
API, the proxy simply uses the original dst addr, which should be already
resolved through DNS by the application
Would this be correct behavior for 0.3?
If so, I imagine this isn't *all* that hard to implement in the next day.
(I can help on the proxy work, if needed).
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#360 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ADy6InY6VLmn1AurtcKahaEwFTwSIYeIks5tWhYbgaJpZM4SGElO>
.
|
The controller would have to return a distinct indicator that means "don't rely on me for this name." I don't know if it currently does that; it might need to be modified to do so.
It would be more correct than the current behavior and safer than what's proposed in this PR. It wouldn't be completely correct because we'd still resolve I suggest a slight variation of your suggested implementation, by making the decision in the proxy instead of in the Destination service: If Either your way or this more efficient way would allow external services to work. Regardless, in 0.4 we'll need to properly handle names like |
I think this is all addressed by my suggestion above in #360 (comment). |
|
Closing in favor of #397 |
This is a pretty basic stab at providing DNS support for external services (see #155). Notably:
net.LookupHost. This means it was much easier to implement, but that it doesn't observe TTLs, and so the interval it checks for updates is rather arbitrary.Endpointsstuff to keep only 1 querying thing per host, even if multiple proxies are all asking for it.informer.run()part is sufficiently separate that we could later add in usage ofdnsorcorednsor something.Closes #155