Implement kubernetes_service registration and startup #4611
Conversation
awly
requested review from
fspmarshall,
klizhentas,
russjones and
webvictim
as code owners
awly
changed the title
awly
force-pushed
the
andrew/kubernetes_service_core
branch
from
da90a79 to
a1f2b4d
Compare
awly
force-pushed
the
andrew/kubernetes_service_core
branch
2 times, most recently
from
79e595a to
40be491
Compare
lib/config/fileconf.go
Outdated
| if s.Configured() { | ||
| return !s.Enabled(def) | ||
| } | ||
| return !def |
There was a problem hiding this comment.
Hm, may be just me but it's a bit confusing - so the passed value def is in fact not the default but the inverse of the default? I.e. Disabled(true) will in fact return false if the service is not configured and vice versa?
There was a problem hiding this comment.
This is more than a little confusing to me too.
There was a problem hiding this comment.
Yeah, this is confusing.
def specifies whether a given service is enabled by default in teleport, not the default return value for this method if service isn't configured.
Changed this to set the default value as a field in Service. Hopefully it's less confusing.
lib/kube/proxy/forwarder.go
Outdated
| From: &c.remoteAddr, | ||
| To: &utils.NetAddr{AddrNetwork: "tcp", Addr: c.targetAddr}, | ||
| }) | ||
| func (c *tpClusterClient) Dial(network, addr string) (net.Conn, error) { |
There was a problem hiding this comment.
Nit: Missing godocs on Dial and DialWithContext.
There was a problem hiding this comment.
these methods are on an unexported struct and won't appear in godoc output.
lib/config/fileconf.go
Outdated
| if s.Configured() { | ||
| return !s.Enabled(def) | ||
| } | ||
| return !def |
There was a problem hiding this comment.
This is more than a little confusing to me too.
awly
force-pushed
the
andrew/kubernetes_service_core
branch
from
40be491 to
3e486ee
Compare
awly
force-pushed
the
andrew/kubernetes_service_core
branch
2 times, most recently
from
4e81998 to
258c282
Compare
| c.Assert(conf.Proxy.WebAddr, check.Equals, "tcp://web_addr") | ||
| c.Assert(conf.Proxy.TunAddr, check.Equals, "reverse_tunnel_address:3311") | ||
| conf, err = ReadFromFile(testConfigs.configFile) | ||
| require.NoError(t, err) |
There was a problem hiding this comment.
Have you considered asserting the value as a whole instead of individual attributes?
I'm not too familiar with the require package and not sure how one goes about that but it is generally less verbose and more consistent since it avoids unexpected changes to attributes that aren't validated.
There was a problem hiding this comment.
Yep, I was too lazy when refactoring this test the first time.
Changed to do a full struct compare, plus testing the Service helpers
lib/service/connect.go
Outdated
| // Only attempt to connect through the proxy for nodes. | ||
| if identity.ID.Role != teleport.RoleNode { | ||
| // Don't attempt to connect through a tunnel as a proxy or auth server. | ||
| if identity.ID.Role == teleport.RoleAuth || identity.ID.Role == teleport.RoleProxy { | ||
| return nil, trace.Unwrap(err) |
There was a problem hiding this comment.
I've never seen the error being actually unwrapped on return and just wanted to make sure it is intentional.
There was a problem hiding this comment.
Yeah, this looks like a typo.
If it's not, there should've been a comment explaining it.
Changed to trace.Wrap
awly
force-pushed
the
andrew/kubernetes_service_core
branch
from
258c282 to
6b035f6
Compare
The new service now starts, registers (locally or via a join token) and heartbeats its presence to the auth server. This service can handle k8s requests (like a proxy) but not to remote teleport clusters. Proxies will be responsible for routing those. The client (tsh) will not yet go to this service, until proxy routing is implemented. I manually tweaked server addres in kubeconfig to test it. You can also run `tctl get kube_service` to list all registered instances. The self-reported info is currently limited - only listening address is set.
awly
force-pushed
the
andrew/kubernetes_service_core
branch
from
6b035f6 to
7a52a6d
Compare
| if payload != nil { | ||
| // Graceful shutdown. | ||
| warnOnErr(kubeServer.Shutdown(payloadContext(payload))) | ||
| agentPool.Stop() |
There was a problem hiding this comment.
@awly Just noticed something in this old PR as I'm working on a similar part in db access. Looks like in case of direct dial (!conn.UseTunnel() case above), agentPool will stay uninitialized so these stop/wait calls will probably panic in that case?
There was a problem hiding this comment.
The new service now starts, registers (locally or via a join token) and
heartbeats its presence to the auth server.
This service can handle k8s requests (like a proxy) but not to remote
teleport clusters. Proxies will be responsible for routing those.
The client (kubectl after tsh configures is) will not yet reach this service automatically, until proxy routing is
implemented. I manually tweaked server addres in kubeconfig to test it.
You can also run
tctl get kube_serviceto list all registeredinstances. The reported info is currently limited - only listening
address is set.
Existing k8s functionality in the proxy is not affected.
Updates #3952