connect: use deterministic injected dynamic exposed port

This PR uses the checksum of the check for which a dynamic exposed
port is being generated (instead of a UUID prefix) so that the
generated port label is deterministic.

This fixes 2 bugs:
 - 'job plan' output is now idempotent for jobs making use of injected ports
 - tasks will no longer be destructively updated when jobs making use of
   injected ports are re-run without changing any user specified part of
   job config.

Closes: https://github.com/hashicorp/nomad/issues/10099
This commit is contained in:
Seth Hoenig 2021-04-30 14:43:12 -06:00
parent 2e01d623b7
commit b024d85f48
3 changed files with 59 additions and 29 deletions

View file

@ -52,6 +52,7 @@ BUG FIXES:
* cli: Remove extra linefeeds in monitor.log files written by `nomad operator debug`. [[GH-10252](https://github.com/hashicorp/nomad/issues/10252)]
* client: Fixed log formatting when killing tasks. [[GH-10135](https://github.com/hashicorp/nomad/issues/10135)]
* client: Fixed a bug where small files would be assigned the wrong content type. [[GH-10348](https://github.com/hashicorp/nomad/pull/10348)]
* consul/connect: Fixed a bug where job plan always different when using expose checks. [[GH-10492](https://github.com/hashicorp/nomad/pull/10492)]
* consul/connect: Fixed a bug where HTTP ingress gateways could not use wildcard names. [[GH-10457](https://github.com/hashicorp/nomad/pull/10457)]
* csi: Fixed a bug where volume with IDs that are a substring prefix of another volume could use the wrong volume for feasibility checking. [[GH-10158](https://github.com/hashicorp/nomad/issues/10158)]
* scheduler: Fixed a bug where Nomad reports negative or incorrect running children counts for periodic jobs. [[GH-10145](https://github.com/hashicorp/nomad/issues/10145)]

View file

@ -5,7 +5,6 @@ import (
"strconv"
"strings"
"github.com/hashicorp/nomad/helper/uuid"
"github.com/hashicorp/nomad/nomad/structs"
"github.com/pkg/errors"
)
@ -22,7 +21,7 @@ func (jobExposeCheckHook) Name() string {
func (jobExposeCheckHook) Mutate(job *structs.Job) (_ *structs.Job, warnings []error, err error) {
for _, tg := range job.TaskGroups {
for _, s := range tg.Services {
for _, c := range s.Checks {
for i, c := range s.Checks {
if c.Expose {
// TG isn't validated yet, but validation
// may depend on mutation results.
@ -33,7 +32,7 @@ func (jobExposeCheckHook) Mutate(job *structs.Job) (_ *structs.Job, warnings []e
continue
}
if exposePath, err := exposePathForCheck(tg, s, c); err != nil {
if exposePath, err := exposePathForCheck(tg, s, c, i); err != nil {
return nil, nil, err
} else if exposePath != nil {
serviceExposeConfig := serviceExposeConfig(s)
@ -180,7 +179,7 @@ func checkIsExposable(check *structs.ServiceCheck) bool {
// exposePathForCheck extrapolates the necessary expose path configuration for
// the given consul service check. If the check is not compatible, nil is
// returned.
func exposePathForCheck(tg *structs.TaskGroup, s *structs.Service, check *structs.ServiceCheck) (*structs.ConsulExposePath, error) {
func exposePathForCheck(tg *structs.TaskGroup, s *structs.Service, check *structs.ServiceCheck, i int) (*structs.ConsulExposePath, error) {
if !checkIsExposable(check) {
return nil, nil
}
@ -197,8 +196,15 @@ func exposePathForCheck(tg *structs.TaskGroup, s *structs.Service, check *struct
//
// This lets PortLabel be optional for any exposed check.
if check.PortLabel == "" {
// Note: because the check label is not set yet, and we want to create a
// deterministic label based on the check itself, use the index of the check
// on the service as part of the service name as input into Hash, ensuring
// the hash for the check is unique.
suffix := check.Hash(fmt.Sprintf("%s_%d", s.Name, i))[:6]
port := structs.Port{
Label: fmt.Sprintf("svc_%s_ck_%s", s.Name, uuid.Generate()[:6]),
HostNetwork: "default",
Label: fmt.Sprintf("svc_%s_ck_%s", s.Name, suffix),
To: -1,
}

View file

@ -226,6 +226,8 @@ func TestJobExposeCheckHook_Validate(t *testing.T) {
func TestJobExposeCheckHook_exposePathForCheck(t *testing.T) {
t.Parallel()
const checkIdx = 0
t.Run("not expose compatible", func(t *testing.T) {
c := &structs.ServiceCheck{
Type: "tcp", // not expose compatible
@ -235,7 +237,7 @@ func TestJobExposeCheckHook_exposePathForCheck(t *testing.T) {
}
ePath, err := exposePathForCheck(&structs.TaskGroup{
Services: []*structs.Service{s},
}, s, c)
}, s, c, checkIdx)
require.NoError(t, err)
require.Nil(t, ePath)
})
@ -255,7 +257,7 @@ func TestJobExposeCheckHook_exposePathForCheck(t *testing.T) {
ePath, err := exposePathForCheck(&structs.TaskGroup{
Name: "group1",
Services: []*structs.Service{s},
}, s, c)
}, s, c, checkIdx)
require.NoError(t, err)
require.Equal(t, &structs.ConsulExposePath{
Path: "/health",
@ -286,7 +288,7 @@ func TestJobExposeCheckHook_exposePathForCheck(t *testing.T) {
{Label: "sPort", Value: 4000},
},
}},
}, s, c)
}, s, c, checkIdx)
require.NoError(t, err)
require.Equal(t, &structs.ConsulExposePath{
Path: "/health",
@ -317,11 +319,12 @@ func TestJobExposeCheckHook_exposePathForCheck(t *testing.T) {
// service declares "sPort", but does not exist
},
}},
}, s, c)
}, s, c, checkIdx)
require.EqualError(t, err, `unable to determine local service port for service check group1->service1->check1`)
})
t.Run("empty check port", func(t *testing.T) {
setup := func() (*structs.TaskGroup, *structs.Service, *structs.ServiceCheck) {
c := &structs.ServiceCheck{
Name: "check1",
Type: "http",
@ -340,15 +343,35 @@ func TestJobExposeCheckHook_exposePathForCheck(t *testing.T) {
DynamicPorts: []structs.Port{},
}},
}
ePath, err := exposePathForCheck(tg, s, c)
return tg, s, c
}
tg, s, c := setup()
ePath, err := exposePathForCheck(tg, s, c, checkIdx)
require.NoError(t, err)
require.Len(t, tg.Networks[0].DynamicPorts, 1)
require.Equal(t, "default", tg.Networks[0].DynamicPorts[0].HostNetwork)
require.Equal(t, "svc_", tg.Networks[0].DynamicPorts[0].Label[0:4])
require.Equal(t, &structs.ConsulExposePath{
Path: "/health",
Protocol: "",
LocalPathPort: 9999,
ListenerPort: tg.Networks[0].DynamicPorts[0].Label,
}, ePath)
t.Run("deterministic generated port label", func(t *testing.T) {
tg2, s2, c2 := setup()
ePath2, err2 := exposePathForCheck(tg2, s2, c2, checkIdx)
require.NoError(t, err2)
require.Equal(t, ePath, ePath2)
})
t.Run("unique on check index", func(t *testing.T) {
tg3, s3, c3 := setup()
ePath3, err3 := exposePathForCheck(tg3, s3, c3, checkIdx+1)
require.NoError(t, err3)
require.NotEqual(t, ePath.ListenerPort, ePath3.ListenerPort)
})
})
t.Run("missing network with no service check port label", func(t *testing.T) {
@ -370,7 +393,7 @@ func TestJobExposeCheckHook_exposePathForCheck(t *testing.T) {
Services: []*structs.Service{s},
Networks: nil, // not set, should cause validation error
}
ePath, err := exposePathForCheck(tg, s, c)
ePath, err := exposePathForCheck(tg, s, c, checkIdx)
require.EqualError(t, err, `group "group1" must specify one bridge network for exposing service check(s)`)
require.Nil(t, ePath)
})