v1.14 Backports 2024-05-16 #32571 (Merged)
[ upstream commit d0af3d7 ] We shouldn't import testing code into production code, as it can lead to unexpected side effects due to e.g., init functions. Let's address this by hard-coding the "PolicyEnforcement" constant, rather than importing it. This is consistent with the same usage as part of the "config" command. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit cfb3b8a ] [ backporter's notes: applied the changes to pkg/clustermesh/internal/config.go, and additionally exposed the ConfigFiles method through the clustermesh package to work around the limitations of internal packages. ] It is intended to be used by CLI tools to retrieve the configuration files of all remote clusters in a given directory, to be used, e.g., for troubleshooting purposes. While being there, let's also replace the path package with the filepath one, which is more appropriate in this context, and would theoretically allow handling Windows paths as well. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 2d07cfc ] [ backporter's notes: replaced cmp.Or usage, as not yet available in go 1.21. ] Troubleshooting etcd connectivity issues, regardless of whether to the Cilium kvstore or to a remote cluster, is a complex activity, as issues can concern network connectivity, TLS certificate mismatches, authn/authz policies and so on. As an effort to simplify this process, let's introduce a new utility responsible for performing a set of sanity checks, and outputting the result in a user-friendly way. This utility is intended to then be leveraged by dedicated CLI commands integrated with the various components. In more detail, this utility performs the following operations:
* Asserts that the etcd configuration can be correctly parsed;
* For each endpoint:
  - Outputs the DNS resolution;
  - Asserts that the endpoint is reachable at the network level (i.e., that a TCP connection can be successfully established);
  - When https is enabled, asserts that a TLS connection can be correctly established to the endpoint (i.e., that the provided certificates are valid); the check includes both server and client (if enabled) authentication; additionally outputs TLS specific information;
  - Outputs the version of the endpoint, as returned by GET /version;
* Outputs information regarding Root CAs and client certificates, if configured; additionally checks whether the client certificate is valid according to the root CAs;
* Asserts that the etcd client can correctly establish a connection;
* Asserts that the heartbeat key can be retrieved, as a basic authorization check.
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 9654576 ] [ backporter's notes: moved the files to cilium/cmd, and performed minor adaptations as necessary. ] Introduce two new cilium-dbg commands, namely "troubleshoot kvstore" and "troubleshoot clustermesh", responsible for running a set of sanity checks to help troubleshoot etcd connectivity issues, covering network connectivity, TLS authentication, authn/authz policies and so on. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 9156e23 ] [ backporter's notes: changed the cilium command from cilium-dbg to cilium. ] As useful to troubleshoot kvstore and clustermesh issues. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 4172c62 ] [ backporter's notes: dropped the reference to running the KVStoreMesh troubleshoot command, as not available in Cilium v1.14. Additionally replaced cilium-dbg with cilium. ] Document the usage of the newly introduced troubleshoot command to investigate connectivity issues towards the clustermesh control plane (i.e., etcd) in remote clusters. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 189e8ba ] [ backporter's notes: dropped the cilium-dbg change, as not applicable to Cilium v1.14. ] Add a clarification note that the manual steps presented in the guide are mostly alternative to using the automatic tools described in the previous section. Additionally, drop the example errors from the TLS certificates step, as potentially misleading. Users shall leverage the troubleshoot command instead. Finally, let's fix a couple of typos. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 913e41b ] [ backporter's notes: replaced cilium-dbg with cilium, and resolved minor conflicts due to different surrounding contexts. ] They apply only when Cilium is configured in kvstore mode, which is seldom the case these days. The lack of local information is also not clustermesh specific, and would imply other serious issues. Moreover, the given checks would not work, and would lead to additional confusion when Cilium operates in CRD mode. Hence, let's just replace them with the suggestion of checking whether both Cilium agents and KVStoreMesh (if enabled) are correctly connected to all remote clusters, and the synchronization has completed. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
giorio94 added labels on May 16, 2024: kind/backports (This PR provides functionality previously merged into master.), backport/1.14 (This PR represents a backport for Cilium 1.14.x of a PR that was merged to main.), area/clustermesh (Relates to multi-cluster routing functionality in Cilium.)
/test-backport-1.14
squeed reviewed on May 17, 2024
lmb approved these changes on May 23, 2024
ℹ️ Resolved minor conflicts detailed in the individual commit messages. Dropped 8c951b2 and 041321b, as the clustermesh-apiserver container has a different structure in v1.14, and adaptations would be potentially confusing at this point.
ℹ️ Resolved minor conflicts detailed in the individual commit messages. Dropped 952df8f as kvstoremesh status reporting is not available in v1.14.
Once this PR is merged, a GitHub action will update the labels of these PRs: