Skip to content

[v14] Support proxy version server#36220

Merged
bernardjkim merged 10 commits intobranch/v14from
bernard/backport-auto-updates/v14
Jan 8, 2024
Merged

[v14] Support proxy version server#36220
bernardjkim merged 10 commits intobranch/v14from
bernard/backport-auto-updates/v14

Conversation

@bernardjkim
Copy link
Copy Markdown
Contributor

@bernardjkim bernardjkim commented Jan 3, 2024
edited by camscale
Loading

Backport #35150, #35342, #35996, #35998 to branch/v14

changelog: Support running a version server in the proxy for automatic agent upgrades.

hugoShaka and others added 5 commits January 2, 2024 16:38
@hugoShaka @bernardjkim
Add a version server in the proxy + use it in agent chart (#35150)
94622bd 
This PR adds an embedded [version server](https://goteleport.com/docs/architecture/agent-update-management/#version-server-and-source-of-truth) in the proxy to address: gravitational/cloud#6773

The version server can be configured through `teleport.yaml`:

```yaml
proxy_service:
  enabled: "yes"
  automatic_upgrades_channels:
    stable/cloud:
      forward_url: https://updates.releases.teleport.dev/v1/stable/cloud
    preview/cloud:
      static_version: v12.5.4
```

The forwarded call results are cached for a minute.
@hugoShaka @bernardjkim
automatic upgrades: use default version channel everywhere (#35342)
b5a18e4 
* Use default upgrade channel

This commit:
- initializes default upgrade channels based on the server features
- makes all integrations use the upgrade channels instead of hitting
  hardcoded s3 bucket
- makes the version channel return its own version if the target
  version is too high
- makes the NoVersion handler properly: returned as an error. This way
  soneone relying on the version getter doesn't have to check
- moves the version kube-agent-updater lib in main teleport libs
- add tests for noVersion channels

* Update lib/web/join_tokens.go

Co-authored-by: Bernard Kim <bernard@goteleport.com>

* address marco's feedback

* address marco's feedback pt.2

---------

Co-authored-by: Bernard Kim <bernard@goteleport.com>
@hugoShaka @bernardjkim
Fix teleport.e integrations builds (#35996)
b83ef82 
* Move automaticupgrades packages in `lib/automaticupgrades`

* Fix `kube-agent-udpater` Dockerfile
@bernardjkim
Write handler config (#35998)
3e5819b
@bernardjkim
go mod tidy
0ab48a9
@bernardjkim
Copy link
Copy Markdown
Contributor Author

bernardjkim commented Jan 3, 2024
edited
Loading

Testing

  • Verify default version server
curl https://bernard-dev.cloud.gravitational.io/webapi/automaticupgrades/channel/stable/cloud/version
v13.4.13%curl https://updates.releases.teleport.dev/v1/stable/cloud/version
v13.4.13
  • Verify forward_url and static_version
# teleport.yaml
proxy_service:                                                              
  enabled: yes                                                              
  automatic_upgrades_channels:                                              
    stable/cloud:                                                           
      forward_url: https://updates.releases.teleport.dev/v1/stable/cloud/v14
    stable/cloud/v13:                                                       
      forward_url: https://updates.releases.teleport.dev/v1/stable/cloud/v13
    stable/cloud/v14:                                                       
      forward_url: https://updates.releases.teleport.dev/v1/stable/cloud/v14
    static/cloud/v13:                                                       
      static_version: v13.4.14                                                
    static/cloud/v14:                                                       
      static_version: v14.3.0                                              
    static/cloud/v15:                                                       
      static_version: v15.0.0       
curl https://bernard-dev.cloud.gravitational.io/webapi/automaticupgrades/channel/stable/cloud/version
v14.2.4%curl https://bernard-dev.cloud.gravitational.io/webapi/automaticupgrades/channel/stable/cloud/v13/version
v13.4.13%curl https://bernard-dev.cloud.gravitational.io/webapi/automaticupgrades/channel/stable/cloud/v14/version
v14.2.4%curl https://bernard-dev.cloud.gravitational.io/webapi/automaticupgrades/channel/static/cloud/v13/version
v13.4.14%curl https://bernard-dev.cloud.gravitational.io/webapi/automaticupgrades/channel/static/cloud/v14/version
v14.3.0%curl https://bernard-dev.cloud.gravitational.io/webapi/automaticupgrades/channel/static/cloud/v15/version
14.3.0%
  • Verify kube agent upgrade v13.x -> v14.2.4
# k -n teleport logs teleport-agent-updater...
2024-01-03T02:16:04Z    INFO    starting the updater    {"version": "14.3.0", "url": "https://bernard-dev.cloud.gravitational.io/webapi/automaticupgrades/channel/stable/cloud"}
...
2024-01-03T02:07:45Z    DEBUG   New version candidate   {"controller": "statefulset", "controllerGroup": "apps", "controllerKind": "StatefulSet", "StatefulSet": {"name":"teleport-agent","namespace":"teleport"}, "namespace": "teleport", "name": "teleport-agent", "reconcileID": "ba23deda-d813-4654-ba04-cc92fc8c54a8", "namespacedname": {"name":"teleport-agent","namespace":"teleport"}, "kind": "StatefulSet", "nextVersion": "v14.2.4"}
2024-01-03T02:07:45Z    DEBUG   Version change is valid, building img candidate {"controller": "statefulset", "controllerGroup": "apps", "controllerKind": "StatefulSet", "StatefulSet": {"name":"teleport-agent","namespace":"teleport"}, "namespace": "teleport", "name": "teleport-agent", "reconcileID": "ba23deda-d813-4654-ba04-cc92fc8c54a8", "namespacedname": {"name":"teleport-agent","namespace":"teleport"}, "kind": "StatefulSet"}
2024-01-03T02:07:45Z    DEBUG   Verifying candidate img {"controller": "statefulset", "controllerGroup": "apps", "controllerKind": "StatefulSet", "StatefulSet": {"name":"teleport-agent","namespace":"teleport"}, "namespace": "teleport", "name": "teleport-agent", "reconcileID": "ba23deda-d813-4654-ba04-cc92fc8c54a8", "namespacedname": {"name":"teleport-agent","namespace":"teleport"}, "kind": "StatefulSet", "img": "public.ecr.aws/gravitational/teleport-ent-distroless:14.2.4"}
2024-01-03T02:07:45Z    DEBUG   Image approved by the validator {"controller": "statefulset", "controllerGroup": "apps", "controllerKind": "StatefulSet", "StatefulSet": {"name":"teleport-agent","namespace":"teleport"}, "namespace": "teleport", "name": "teleport-agent", "reconcileID": "ba23deda-d813-4654-ba04-cc92fc8c54a8", "namespacedname": {"name":"teleport-agent","namespace":"teleport"}, "kind": "StatefulSet", "image": "public.ecr.aws/gravitational/teleport-ent-distroless:14.2.4", "validator": "cosign signature validator-a55977c6d752759f68c4883ac10ad8a85f5cfd0f", "resolvedImages": "public.ecr.aws/gravitational/teleport-ent-distroless:14.2.4@sha256:15f8f4cd71569974f56a0b60cefe2945df6a56bf41e80adb92984cf200bd64ae"}
2024-01-03T02:07:45Z    DEBUG   The following image was verified        {"controller": "statefulset", "controllerGroup": "apps", "controllerKind": "StatefulSet", "StatefulSet": {"name":"teleport-agent","namespace":"teleport"}, "namespace": "teleport", "name": "teleport-agent", "reconcileID": "ba23deda-d813-4654-ba04-cc92fc8c54a8", "namespacedname": {"name":"teleport-agent","namespace":"teleport"}, "kind": "StatefulSet", "verifiedImage": "public.ecr.aws/gravitational/teleport-ent-distroless:14.2.4@sha256:15f8f4cd71569974f56a0b60cefe2945df6a56bf41e80adb92984cf200bd64ae"}
2024-01-03T02:07:45Z    INFO    Updating podSpec with image     {"controller": "statefulset", "controllerGroup": "apps", "controllerKind": "StatefulSet", "StatefulSet": {"name":"teleport-agent","namespace":"teleport"}, "namespace": "teleport", "name": "teleport-agent", "reconcileID": "ba23deda-d813-4654-ba04-cc92fc8c54a8", "namespacedname": {"name":"teleport-agent","namespace":"teleport"}, "kind": "StatefulSet", "image": "public.ecr.aws/gravitational/teleport-ent-distroless:14.2.4@sha256:15f8f4cd71569974f56a0b60cefe2945df6a56bf41e80adb92984cf200bd64ae"}
2024-01-03T02:07:45Z    DEBUG   statefulset managed pods        {"controller": "statefulset", "controllerGroup": "apps", "controllerKind": "StatefulSet", "StatefulSet": {"name":"teleport-agent","namespace":"teleport"}, "namespace": "teleport", "name": "teleport-agent", "reconcileID": "ba23deda-d813-4654-ba04-cc92fc8c54a8", "namespacedname": {"name":"teleport-agent","namespace":"teleport"}, "kind": "StatefulSet", "managedPodsList": ["teleport-agent-0", "teleport-agent-1"]}
2024-01-03T02:07:45Z    DEBUG    no statefulset unhealthy pods from old revisions       {"controller": "statefulset", "controllerGroup": "apps", "controllerKind": "StatefulSet", "StatefulSet": {"name":"teleport-agent","namespace":"teleport"}, "namespace": "teleport", "name": "teleport-agent", "reconcileID": "ba23deda-d813-4654-ba04-cc92fc8c54a8", "namespacedname": {"name":"teleport-agent","namespace":"teleport"}, "kind": "StatefulSet"}
  • Verify install scripts
# kube agent install command
$ helm install teleport-agent teleport/teleport-kube-agent -f prod-cluster-values.yaml --version 14.2.4 --create-namespace --namespace teleport
# systemd agent install script
$ curl -fsSL https://bernard-dev.cloud.gravitational.io/scripts/.../install-node.sh | grep TELEPORT_VERSION -m 1
TELEPORT_VERSION='14.2.4'

@bernardjkim bernardjkim marked this pull request as ready for review January 3, 2024 02:21
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jan 3, 2024

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@bernardjkim bernardjkim enabled auto-merge January 4, 2024 02:06
@bernardjkim bernardjkim disabled auto-merge January 4, 2024 15:36
@bernardjkim bernardjkim added this pull request to the merge queue Jan 8, 2024
Merged via the queue into branch/v14 with commit 1d56609 Jan 8, 2024
@bernardjkim bernardjkim deleted the bernard/backport-auto-updates/v14 branch January 8, 2024 19:28
@camscale camscale mentioned this pull request Jan 10, 2024
Merged
@BrewTestBot BrewTestBot mentioned this pull request Jan 11, 2024
Merged
@zmb3 zmb3 mentioned this pull request Jan 15, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@r0mant r0mant r0mant approved these changes

@marcoandredinis marcoandredinis marcoandredinis approved these changes

@tigrato tigrato tigrato approved these changes

@hugoShaka hugoShaka hugoShaka approved these changes

@klizhentas klizhentas Awaiting requested review from klizhentas klizhentas is a code owner

@russjones russjones Awaiting requested review from russjones russjones is a code owner

@zmb3 zmb3 Awaiting requested review from zmb3 zmb3 is a code owner

@fheinecke fheinecke Awaiting requested review from fheinecke fheinecke is a code owner

@camscale camscale Awaiting requested review from camscale camscale is a code owner

@tcsc tcsc Awaiting requested review from tcsc tcsc is a code owner

Assignees

No one assigned

Labels

backport helm size/sm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@bernardjkim @r0mant @marcoandredinis @tigrato @hugoShaka