connect: bootstrap envoy using -proxy-id

This PR modifies the Consul CLI arguments used to bootstrap envoy for
Connect sidecars to make use of '-proxy-id' instead of '-sidecar-for'.

Nomad registers the sidecar service, so we know what ID it has. The
'-sidecar-for' was intended for use when you only know the name of the
service for which the sidecar is being created.

The improvement here is that using '-proxy-id' does not require an underlying
request for listing Consul services. This will make the interaction
between Nomad and Consul more efficient.

Closes #10452
Seth Hoenig 2022-02-04 10:49:15 -06:00
parent c3d28b996d
commit 6550c90198
3 changed files with 23 additions and 36 deletions

3
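--- a/.changelog/12011.txt
+++ b/.changelog/12011.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: bootstrap envoy sidecars using -proxy-for
+```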


@ -433,6 +433,8 @@ func (h *envoyBootstrapHook) grpcAddress(env map[string]string) string {
} }
func (h *envoyBootstrapHook) proxyServiceID(group string, service *structs.Service) string { func (h *envoyBootstrapHook) proxyServiceID(group string, service *structs.Service) string {
// Note, it is critical the ID here matches what is actually registered in Consul.
// See: WorkloadServices.Name in structs.go
return agentconsul.MakeAllocServiceID(h.alloc.ID, "group-"+group, service) return agentconsul.MakeAllocServiceID(h.alloc.ID, "group-"+group, service)
} }
@ -445,40 +447,30 @@ func (h *envoyBootstrapHook) newEnvoyBootstrapArgs(
group string, service *structs.Service, group string, service *structs.Service,
grpcAddr, envoyAdminBind, envoyReadyBind, siToken, filepath string, grpcAddr, envoyAdminBind, envoyReadyBind, siToken, filepath string,
) envoyBootstrapArgs { ) envoyBootstrapArgs {
var (
sidecarForID string // sidecar only
gateway string // gateway only
proxyID string // gateway only
namespace string
)
namespace = h.getConsulNamespace() namespace := h.getConsulNamespace()
id := h.proxyServiceID(group, service) proxyID := h.proxyServiceID(group, service)
var gateway string
switch { switch {
case service.Connect.HasSidecar(): case service.Connect.HasSidecar():
sidecarForID = id proxyID += "-sidecar-proxy"
case service.Connect.IsIngress(): case service.Connect.IsIngress():
proxyID = id
gateway = "ingress" gateway = "ingress"
case service.Connect.IsTerminating(): case service.Connect.IsTerminating():
proxyID = id
gateway = "terminating" gateway = "terminating"
case service.Connect.IsMesh(): case service.Connect.IsMesh():
proxyID = id
gateway = "mesh" gateway = "mesh"
} }
h.logger.Info("bootstrapping envoy", h.logger.Info("bootstrapping envoy",
"sidecar_for", service.Name, "bootstrap_file", filepath, "namespace", namespace, "proxy_id", proxyID, "service", service.Name,
"sidecar_for_id", sidecarForID, "grpc_addr", grpcAddr, "gateway", gateway, "bootstrap_file", filepath, "grpc_addr", grpcAddr,
"admin_bind", envoyAdminBind, "ready_bind", envoyReadyBind, "admin_bind", envoyAdminBind, "ready_bind", envoyReadyBind,
"gateway", gateway, "proxy_id", proxyID, "namespace", namespace,
) )
return envoyBootstrapArgs{ return envoyBootstrapArgs{
consulConfig: h.consulConfig, consulConfig: h.consulConfig,
sidecarFor: sidecarForID,
grpcAddr: grpcAddr, grpcAddr: grpcAddr,
envoyAdminBind: envoyAdminBind, envoyAdminBind: envoyAdminBind,
envoyReadyBind: envoyReadyBind, envoyReadyBind: envoyReadyBind,
@ -494,13 +486,12 @@ func (h *envoyBootstrapHook) newEnvoyBootstrapArgs(
// configuration file for envoy. // configuration file for envoy.
type envoyBootstrapArgs struct { type envoyBootstrapArgs struct {
consulConfig consulTransportConfig consulConfig consulTransportConfig
sidecarFor string // sidecars only
grpcAddr string grpcAddr string
envoyAdminBind string envoyAdminBind string
envoyReadyBind string envoyReadyBind string
siToken string siToken string
gateway string // gateways only gateway string // gateways only
proxyID string // gateways only proxyID string // gateways and sidecars
namespace string namespace string
} }
@ -514,21 +505,14 @@ func (e envoyBootstrapArgs) args() []string {
"-http-addr", e.consulConfig.HTTPAddr, "-http-addr", e.consulConfig.HTTPAddr,
"-admin-bind", e.envoyAdminBind, "-admin-bind", e.envoyAdminBind,
"-address", e.envoyReadyBind, "-address", e.envoyReadyBind,
"-proxy-id", e.proxyID,
"-bootstrap", "-bootstrap",
} }
if v := e.sidecarFor; v != "" {
arguments = append(arguments, "-sidecar-for", v)
}
if v := e.gateway; v != "" { if v := e.gateway; v != "" {
arguments = append(arguments, "-gateway", v) arguments = append(arguments, "-gateway", v)
} }
if v := e.proxyID; v != "" {
arguments = append(arguments, "-proxy-id", v)
}
if v := e.siToken; v != "" { if v := e.siToken; v != "" {
arguments = append(arguments, "-token", v) arguments = append(arguments, "-token", v)
} }
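Review bot: The sidecar branch of newEnvoyBootstrapArgs derives the proxy ID with `proxyID += "-sidecar-proxy"`, a bare literal that must equal the ID under which the sidecar is registered in Consul, and nothing in the visible hunks ties the two together. With `-sidecar-for`, Consul resolved the sidecar itself; now any drift between this suffix and the registration code (not shown here) would point Envoy's bootstrap at a missing or different proxy registration. I would move the suffix into a named constant or helper shared with the registration path and extend the new comment in proxyServiceID, e.g. `// the sidecar proxy ID is this ID + "-sidecar-proxy"; it must match the registered sidecar service ID`. Separately, args() now emits `"-proxy-id", e.proxyID` unconditionally, so an envoyBootstrapArgs with an empty proxyID passes an empty flag value where the old code omitted the flag; an explicit guard or early error would make that failure visible. Both newEnvoyBootstrapArgs and args() continue outside the hunks.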


@ -122,7 +122,7 @@ func TestEnvoyBootstrapHook_envoyBootstrapArgs(t *testing.T) {
t.Run("excluding SI token", func(t *testing.T) { t.Run("excluding SI token", func(t *testing.T) {
ebArgs := envoyBootstrapArgs{ ebArgs := envoyBootstrapArgs{
sidecarFor: "s1", proxyID: "s1-sidecar-proxy",
grpcAddr: "1.1.1.1", grpcAddr: "1.1.1.1",
consulConfig: consulPlainConfig, consulConfig: consulPlainConfig,
envoyAdminBind: "127.0.0.2:19000", envoyAdminBind: "127.0.0.2:19000",
@ -134,15 +134,15 @@ func TestEnvoyBootstrapHook_envoyBootstrapArgs(t *testing.T) {
"-http-addr", "2.2.2.2", "-http-addr", "2.2.2.2",
"-admin-bind", "127.0.0.2:19000", "-admin-bind", "127.0.0.2:19000",
"-address", "127.0.0.1:19100", "-address", "127.0.0.1:19100",
"-proxy-id", "s1-sidecar-proxy",
"-bootstrap", "-bootstrap",
"-sidecar-for", "s1",
}, result) }, result)
}) })
t.Run("including SI token", func(t *testing.T) { t.Run("including SI token", func(t *testing.T) {
token := uuid.Generate() token := uuid.Generate()
ebArgs := envoyBootstrapArgs{ ebArgs := envoyBootstrapArgs{
sidecarFor: "s1", proxyID: "s1-sidecar-proxy",
grpcAddr: "1.1.1.1", grpcAddr: "1.1.1.1",
consulConfig: consulPlainConfig, consulConfig: consulPlainConfig,
envoyAdminBind: "127.0.0.2:19000", envoyAdminBind: "127.0.0.2:19000",
@ -155,15 +155,15 @@ func TestEnvoyBootstrapHook_envoyBootstrapArgs(t *testing.T) {
"-http-addr", "2.2.2.2", "-http-addr", "2.2.2.2",
"-admin-bind", "127.0.0.2:19000", "-admin-bind", "127.0.0.2:19000",
"-address", "127.0.0.1:19100", "-address", "127.0.0.1:19100",
"-proxy-id", "s1-sidecar-proxy",
"-bootstrap", "-bootstrap",
"-sidecar-for", "s1",
"-token", token, "-token", token,
}, result) }, result)
}) })
t.Run("including certificates", func(t *testing.T) { t.Run("including certificates", func(t *testing.T) {
ebArgs := envoyBootstrapArgs{ ebArgs := envoyBootstrapArgs{
sidecarFor: "s1", proxyID: "s1-sidecar-proxy",
grpcAddr: "1.1.1.1", grpcAddr: "1.1.1.1",
consulConfig: consulTLSConfig, consulConfig: consulTLSConfig,
envoyAdminBind: "127.0.0.2:19000", envoyAdminBind: "127.0.0.2:19000",
@ -175,8 +175,8 @@ func TestEnvoyBootstrapHook_envoyBootstrapArgs(t *testing.T) {
"-http-addr", "2.2.2.2", "-http-addr", "2.2.2.2",
"-admin-bind", "127.0.0.2:19000", "-admin-bind", "127.0.0.2:19000",
"-address", "127.0.0.1:19100", "-address", "127.0.0.1:19100",
"-proxy-id", "s1-sidecar-proxy",
"-bootstrap", "-bootstrap",
"-sidecar-for", "s1",
"-ca-file", "/etc/tls/ca-file", "-ca-file", "/etc/tls/ca-file",
"-client-cert", "/etc/tls/cert-file", "-client-cert", "/etc/tls/cert-file",
"-client-key", "/etc/tls/key-file", "-client-key", "/etc/tls/key-file",
@ -198,9 +198,9 @@ func TestEnvoyBootstrapHook_envoyBootstrapArgs(t *testing.T) {
"-http-addr", "2.2.2.2", "-http-addr", "2.2.2.2",
"-admin-bind", "127.0.0.2:19000", "-admin-bind", "127.0.0.2:19000",
"-address", "127.0.0.1:19100", "-address", "127.0.0.1:19100",
"-proxy-id", "_nomad-task-803cb569-881c-b0d8-9222-360bcc33157e-group-ig-ig-8080",
"-bootstrap", "-bootstrap",
"-gateway", "my-ingress-gateway", "-gateway", "my-ingress-gateway",
"-proxy-id", "_nomad-task-803cb569-881c-b0d8-9222-360bcc33157e-group-ig-ig-8080",
}, result) }, result)
}) })
@ -219,9 +219,9 @@ func TestEnvoyBootstrapHook_envoyBootstrapArgs(t *testing.T) {
"-http-addr", "2.2.2.2", "-http-addr", "2.2.2.2",
"-admin-bind", "127.0.0.2:19000", "-admin-bind", "127.0.0.2:19000",
"-address", "127.0.0.1:19100", "-address", "127.0.0.1:19100",
"-proxy-id", "_nomad-task-803cb569-881c-b0d8-9222-360bcc33157e-group-mesh-mesh-8080",
"-bootstrap", "-bootstrap",
"-gateway", "my-mesh-gateway", "-gateway", "my-mesh-gateway",
"-proxy-id", "_nomad-task-803cb569-881c-b0d8-9222-360bcc33157e-group-mesh-mesh-8080",
}, result) }, result)
}) })
} }
@ -235,7 +235,7 @@ func TestEnvoyBootstrapHook_envoyBootstrapEnv(t *testing.T) {
require.Equal(t, []string{ require.Equal(t, []string{
"foo=bar", "baz=1", "foo=bar", "baz=1",
}, envoyBootstrapArgs{ }, envoyBootstrapArgs{
sidecarFor: "s1", proxyID: "s1-sidecar-proxy",
grpcAddr: "1.1.1.1", grpcAddr: "1.1.1.1",
consulConfig: consulPlainConfig, consulConfig: consulPlainConfig,
envoyAdminBind: "localhost:3333", envoyAdminBind: "localhost:3333",
@ -249,7 +249,7 @@ func TestEnvoyBootstrapHook_envoyBootstrapEnv(t *testing.T) {
"CONSUL_HTTP_SSL=true", "CONSUL_HTTP_SSL=true",
"CONSUL_HTTP_SSL_VERIFY=true", "CONSUL_HTTP_SSL_VERIFY=true",
}, envoyBootstrapArgs{ }, envoyBootstrapArgs{
sidecarFor: "s1", proxyID: "s1-sidecar-proxy",
grpcAddr: "1.1.1.1", grpcAddr: "1.1.1.1",
consulConfig: consulTLSConfig, consulConfig: consulTLSConfig,
envoyAdminBind: "localhost:3333", envoyAdminBind: "localhost:3333",
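Review bot: The updated sidecar cases build `envoyBootstrapArgs{proxyID: "s1-sidecar-proxy", ...}` by hand, so in the visible hunks nothing exercises the new `proxyID += "-sidecar-proxy"` derivation in newEnvoyBootstrapArgs. A case that calls newEnvoyBootstrapArgs for a service with a sidecar and asserts the resulting proxyID would pin the ID format that Consul must also have registered; such a test may already exist outside these hunks. The test functions start and end outside the hunks shown.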