ROX 23555: Remove egress-proxy #1768
Conversation
Skipping CI for Draft Pull Request.
According to https://issues.redhat.com/browse/ROX-13199 the egress-proxy will not be removed from existing tenants. We should check that this is really the case.
Don't want to block this PR. The egress-proxy deployments will not be removed for existing tenants, but they will not be used anymore. We could also remove them with a script if it's too much effort to fix ROX-13199.
apiVersion: v1 | ||
kind: Service | ||
apiVersion: networking.k8s.io/v1 | ||
kind: NetworkPolicy |
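Review bot: nothing in this fixture marks it as a test-only dummy, and changing its kind from Service to NetworkPolicy makes that omission matter: the hunk shows only apiVersion and kind, and a NetworkPolicy whose spec carries an empty podSelector applies to every pod in the namespace and, with no rules listed, denies all ingress to them. Suggest adding a comment line stating the file exists only so the tenant resource garbage-collection tests have a managed type to add and remove, and giving it a podSelector that cannot match a real workload, so the object is harmless if it is ever rendered outside the test.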
Had to change this from Service to NetworkPolicy because the tenant resource garbage collection mechanism no longer manages objects of type Service (see the change to zzz_managed_resources.go).
I don't think this will be a problem, but we do need to be careful - this isn't conditional on setting the secureTenantNetwork flag. If we disabled that flag, and this resource exists, all network traffic will be blocked for all tenants.
Can we use a non-NetworkPolicy resource? A ConfigMap or Secret?
I'm not sure if you noticed that this is a dummy file used in tests only.
Due to the way tenant resource deletion works, we can only use types that are mentioned in zzz_managed_resources.go. The types in that file are auto-generated by parsing everything in fleetshard/pkg/central/charts/data/tenant-resources.
These types currently are VerticalPodAutoscaler and NetworkPolicy. If you use any other type, the objects will not get deleted and some tests will fail (e.g. TestChartResourcesAreAddedAndRemoved).
The tests themselves are not conditional on secureTenantNetwork. But if we will no longer have NetworkPolicies deployed as tenant resources, this dummy file will need to be fixed, and dependent tests too.
@@ -35,7 +35,6 @@ type Config struct { | |||
ServiceAccountTokenFile string `env:"FLEET_MANAGER_TOKEN_FILE"` | |||
CreateAuthProvider bool `env:"CREATE_AUTH_PROVIDER" envDefault:"false"` | |||
MetricsAddress string `env:"FLEETSHARD_METRICS_ADDRESS" envDefault:":8080"` | |||
EgressProxyImage string `env:"EGRESS_PROXY_IMAGE"` |
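Review bot: removing the EgressProxyImage field means an EGRESS_PROXY_IMAGE variable still present in the fleetshard-sync environment is silently ignored rather than rejected, since an env-tag parser only populates the struct fields it knows about. Suggest deleting the helm value that sets this variable from the gitops config in the same change, or recording that follow-up in the PR description, so the stale setting does not linger and mislead anyone reading the deployment.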
Will deleting this remove the ENV flag and break if we try to set it? Or will the unknown flag be silently ignored?
I think the order in which these are loaded is in reverse. .Values.fleetshardSync.egressProxy.image in the fleetshard-sync template creates the env var. The value in the env var is then loaded here.
They were both removed, but the helm value is still set (for now) in the gitops config. I think helm will silently ignore that value.
ACK; sounds good.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: ebensh, mclasmeier. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Description
Removes the egress-proxy, as it has been replaced by NetworkPolicies.
Checklist (Definition of Done)
Test manual
ROX-12345: ...
Test manual
TODO: Add manual testing efforts