Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow users to use well-known ports for client connections to both ingress controllers #997

Merged
merged 10 commits into from
Jun 21, 2023

Conversation

panyuenlau
Copy link
Member

@panyuenlau panyuenlau commented Jun 14, 2023

Description

Current implementation: when users set this externalListener[x].anyCastPort value, Koperator uses this directly as the corresponding container port for the envoy controller containers and target port for the associated services.

envoy controller

When users use a well-known port (with port number < 1024), Koperator can handle this for envoy controller since the envoy container is run as root, for example:

kubectl exec envoy-external-kafka-6495bf4fd7-9n2b8 -c envoy -n kafka -- whoami                                                                                                                          
root

But this still could be problematic if the users want to use a customized envoy image but do not wish to run it as root.

istioingress controller

When users use a well-known port, Koperator creates a IstioMeshGateway object with using that well-known port directly as the targetPort for one of the service ports, for example:

    - name: tcp-all-broker
      port: 443 # anyCastPort is set to 443
      protocol: TCP
      targetPort: 443

And the resulting istioingress controller container fails to use this well-known port and therefore the kafka brokers can't be reached by external clients.

What is in this PR?

  • Introduce a new optional field, ingressControllerTargetPort under ExternalListenerConfig to allow users to specify the container port that they would like to use in the ingress controller. It also extends the validation webhook implementation to prevent users from using well-known port for the istioingress controller's deployment.

    This way, users can use any anyCastPort values for client access while using either of the ingress controllers

  • Add checks to the KafkaCluster validation webhook (both create and update) to prevent invalid user configurations on external listeners

Type of Change

  • New Feature

Checklist

  • I have read the contributing guidelines
  • Existing issues have been referenced (where applicable)
  • I have verified this change is not present in other open pull requests
  • Functionality is documented
  • All code style checks pass
  • New code contribution is covered by automated tests
  • All new and existing tests pass

@panyuenlau panyuenlau marked this pull request as ready for review June 14, 2023 21:05
@panyuenlau panyuenlau requested a review from a team as a code owner June 14, 2023 21:05
@@ -113,7 +113,7 @@ func generateExternalPorts(kc *v1beta1.KafkaCluster, brokerIds []int,
Name: fmt.Sprintf(kafkautils.AllBrokerServiceTemplate, "tcp"),
Protocol: string(corev1.ProtocolTCP),
Port: externalListenerConfig.GetAnyCastPort(),
TargetPort: &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(int(externalListenerConfig.GetAnyCastPort()))},
TargetPort: &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(int(externalListenerConfig.GetIngressControllerTargetPort()))},
Copy link
Member Author

@panyuenlau panyuenlau Jun 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI - looks like named targetPort can't be used here, becasue istio-operator complains about not having an exact value for this field when it reconciles the IstioMeshGateway resource. But I could me missing something

Copy link
Member

@pregnor pregnor Jun 15, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's saddening.

Kuvesz
Kuvesz previously approved these changes Jun 15, 2023
Copy link
Contributor

@Kuvesz Kuvesz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM really

pregnor
pregnor previously approved these changes Jun 15, 2023
Copy link
Member

@pregnor pregnor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, take the other PR's comment into account here

pkg/webhooks/kafkacluster_validator_test.go Outdated Show resolved Hide resolved
pkg/webhooks/kafkacluster_validator_test.go Outdated Show resolved Hide resolved
@panyuenlau panyuenlau dismissed stale reviews from pregnor and Kuvesz via fb5e11e June 16, 2023 02:28
@panyuenlau panyuenlau force-pushed the elistener/previledged-ports branch 2 times, most recently from fc40df3 to 723e843 Compare June 16, 2023 02:35
@panyuenlau panyuenlau force-pushed the elistener/previledged-ports branch from 723e843 to 45c48e4 Compare June 16, 2023 02:40
@panyuenlau
Copy link
Member Author

panyuenlau commented Jun 16, 2023

The changes in this validation function are not really required for the original purpose of this PR, it is more for
something that we haven't been doing to prevent user error - https://github.com/banzaicloud/koperator/pull/997/files#diff-7161be6912ad21f597382d9e2dcef3eb028c868b8206ac2d1fafa9f2cde317f5R222-R249

@panyuenlau panyuenlau requested review from pregnor and Kuvesz June 16, 2023 13:55
Copy link
Member

@pregnor pregnor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other than my question on one of the cases, LGTM.

pkg/webhooks/kafkacluster_validator_test.go Show resolved Hide resolved
Copy link
Contributor

@Kuvesz Kuvesz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, like the attention to small details like the healthcheck port. Thanks!

@panyuenlau panyuenlau merged commit 1a3ef2a into master Jun 21, 2023
@panyuenlau panyuenlau deleted the elistener/previledged-ports branch June 21, 2023 15:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants