connect: reconcile how upstream configuration works with discovery chains #6225
Conversation
| @@ -305,6 +304,203 @@ func TestState_WatchesAndUpdates(t *testing.T) { | |||
| stages []verificationStage | |||
| } | |||
|
|
|||
| newConnectProxyCase := func(meshGatewayProxyConfigValue structs.MeshGatewayMode) testCase { | |||
There was a problem hiding this comment.
I lifted the definition of the former "connect-proxy" case into a generator function so I could reuse the whole setup for different proxy-devel values of the mesh gateway mode without copypasta.
| leafWatchID: genVerifyLeafWatch("web", "dc1"), | ||
| intentionsWatchID: genVerifyIntentionWatch("web", "dc1"), | ||
| "upstream:prepared_query:query": genVerifyPreparedQueryWatch("query", "dc1"), | ||
| "discovery-chain:api": genVerifyDiscoveryChainWatch(&structs.DiscoveryChainRequest{ |
There was a problem hiding this comment.
Everything goes through discovery chain now except for prepared queries.
agent/xds/sni.go
Outdated
| @@ -45,3 +45,10 @@ func QuerySNI(service string, datacenter string, cfgSnap *proxycfg.ConfigSnapsho | |||
| func TargetSNI(target structs.DiscoveryTarget, cfgSnap *proxycfg.ConfigSnapshot) string { | |||
| return ServiceSNI(target.Service, target.ServiceSubset, target.Namespace, target.Datacenter, cfgSnap) | |||
| } | |||
|
|
|||
| func CustomizeSNI(sni string, chain *structs.CompiledDiscoveryChain) string { | |||
There was a problem hiding this comment.
This is only used when computing the envoy names for clusters.
| "resources": [ | ||
| { | ||
| "@type": "type.googleapis.com/envoy.api.v2.Cluster", | ||
| "name": "78ebd528.db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", |
There was a problem hiding this comment.
This is the main subtle difference now.
| @@ -90,10 +90,10 @@ function init_workdir { | |||
| cp consul-base-cfg/* workdir/${DC}/consul/ | |||
|
|
|||
| # Add any overrides if there are any (no op if not) | |||
| find ${CASE_DIR} -name '*.hcl' -maxdepth 1 -type f -exec cp -f {} workdir/${DC}/consul \; | |||
| find ${CASE_DIR} -maxdepth 1 -name '*.hcl' -type f -exec cp -f {} workdir/${DC}/consul \; | |||
There was a problem hiding this comment.
Fixed an unrelated warning I was seeing executing find with args in the wrong order.
There was a problem hiding this comment.
Thats bsd vs gnu coreutils for you.
rboyer
force-pushed
the
validate-upstreams
branch
from
1145897 to
82c4252
Compare
rboyer
force-pushed
the
upstreams-in-chain
branch
from
1d9f4b2 to
1e0f33b
Compare
…ains The following upstream config fields for connect sidecars sanely integrate into discovery chain resolution: - Destination Namespace/Datacenter: Compilation occurs locally but using different default values for namespaces and datacenters. The xDS clusters that are created are named as they normally would be. - Mesh Gateway Mode (single upstream): If set this value overrides any value computed for any resolver for the entire discovery chain. The xDS clusters that are created may be named differently (see below). - Mesh Gateway Mode (whole sidecar): If set this value overrides any value computed for any resolver for the entire discovery chain. If this is specifically overridden for a single upstream this value is ignored in that case. The xDS clusters that are created may be named differently (see below). - Protocol (in opaque config): If set this value overrides the value computed when evaluating the entire discovery chain. If the normal chain would be TCP or if this override is set to TCP then the result is that we explicitly disable L7 Routing and Splitting. The xDS clusters that are created may be named differently (see below). - Connect Timeout (in opaque config): If set this value overrides the value for any resolver in the entire discovery chain. The xDS clusters that are created may be named differently (see below). If any of the above overrides affect the actual result of compiling the discovery chain (i.e. "tcp" becomes "grpc" instead of being a no-op override to "tcp") then the relevant parameters are hashed and provided to the xDS layer as a prefix for use in naming the Clusters. This is to ensure that if one Upstream discovery chain has no overrides and tangentially needs a cluster named "api.default.XXX", and another Upstream does have overrides for "api.default.XXX" that they won't cross-pollinate against the operator's wishes. Fixes #6159
|
In a discussion @banks raised the point that The one place this breaks down is when a cluster gets shared between two upstreams in the same sidecar proxy:
In this configuration The solution in this PR would hash the connect timeout override value and prepend the Without that it is undefined which I'm going to keep this as-is for now and open an issue (#6262) to look into ways of achieving the same thing perhaps in a way that doesn't necessarily need to take a trip through the compiler. |
rboyer
force-pushed
the
upstreams-in-chain
branch
from
1e0f33b to
e888cf7
Compare
| @@ -90,10 +90,10 @@ function init_workdir { | |||
| cp consul-base-cfg/* workdir/${DC}/consul/ | |||
|
|
|||
| # Add any overrides if there are any (no op if not) | |||
| find ${CASE_DIR} -name '*.hcl' -maxdepth 1 -type f -exec cp -f {} workdir/${DC}/consul \; | |||
| find ${CASE_DIR} -maxdepth 1 -name '*.hcl' -type f -exec cp -f {} workdir/${DC}/consul \; | |||
There was a problem hiding this comment.
Thats bsd vs gnu coreutils for you.
The following upstream config fields for connect sidecars sanely
integrate into discovery chain resolution:
Destination Namespace/Datacenter: Compilation occurs locally but using
different default values for namespaces and datacenters. The xDS
clusters that are created are named as they normally would be.
Mesh Gateway Mode (single upstream): If set this value overrides any
value computed for any resolver for the entire discovery chain. The xDS
clusters that are created may be named differently (see below).
Mesh Gateway Mode (whole sidecar): If set this value overrides any
value computed for any resolver for the entire discovery chain. If this
is specifically overridden for a single upstream this value is ignored
in that case. The xDS clusters that are created may be named differently
(see below).
Protocol (in opaque config): If set this value overrides the value
computed when evaluating the entire discovery chain. If the normal chain
would be TCP or if this override is set to TCP then the result is that
we explicitly disable L7 Routing and Splitting. The xDS clusters that
are created may be named differently (see below).
Connect Timeout (in opaque config): If set this value overrides the
value for any resolver in the entire discovery chain. The xDS clusters
that are created may be named differently (see below).
If any of the above overrides affect the actual result of compiling the
discovery chain (i.e. "tcp" becomes "grpc" instead of being a no-op
override to "tcp") then the relevant parameters are hashed and provided
to the xDS layer as a prefix for use in naming the Clusters. This is to
ensure that if one Upstream discovery chain has no overrides and
tangentially needs a cluster named
"api.default.XXX", and anotherUpstream does have overrides for
"api.default.XXX"that they won'tcross-pollinate against the operator's wishes.
Fixes #6159