This repository has been archived by the owner on Aug 25, 2021. It is now read-only.
Support transparent proxy in the Consul Helm chart #905
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ishustava
force-pushed
the
enable-tproxy
branch
from
6a7a441 to
27ef46b
Compare
2 tasks
ishustava
force-pushed
the
enable-tproxy
branch
from
27ef46b to
ec1c79e
Compare
* Add new connectInject.transparentProxy.defaultEnabled value (default to true) that will allow users to enable or disable tproxy for each helm installation. * Add acceptance tests for connect-inject to test with tproxy
ishustava
force-pushed
the
enable-tproxy
branch
from
ec1c79e to
57cec48
Compare
ishustava
changed the title
ishustava
requested review from
a team,
ndhanushkodi and
thisisnotashwin
and removed request for
a team
ishustava
force-pushed
the
enable-tproxy
branch
from
72a6f07 to
1fbed26
Compare
thisisnotashwin
force-pushed
the
enable-tproxy
branch
from
ec05f15 to
4208a98
Compare
ndhanushkodi
approved these changes
Apr 14, 2021
| @@ -90,6 +90,9 @@ spec: | |||
| -release-name="{{ .Release.Name }}" \ | |||
| -release-namespace="{{ .Release.Namespace }}" \ | |||
| -listen=:8080 \ | |||
| {{- if .Values.connectInject.transparentProxy.defaultEnabled }} | |||
| -enable-transparent-proxy \ | |||
There was a problem hiding this comment.
I'm just noticing this now and it's not a blocker for the release, but should this flag be renamed -default-enable-transparent-proxy in consul-k8s after the release? That's how the metrics flag defaults are named.
There was a problem hiding this comment.
That's a good catch! I'll a task to rename.
| []string{ | ||
| "curl: (52) Empty reply from server", | ||
| "curl: (7) Failed to connect to static-server port 80: Connection refused", | ||
| "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused", |
There was a problem hiding this comment.
Just curious, did you see these additional errors when testing out tproxy?
There was a problem hiding this comment.
Yeah, when with iptables we now get a connection refused. This is most likely because envoy itself will now reject the connection, whereas previously this error was coming from the upstream proxy that verifies intentions.
thisisnotashwin
pushed a commit
that referenced
this pull request
Apr 15, 2021
Support transparent proxy in the consul helm chart * Add new connectInject.transparentProxy.defaultEnabled value (default to true) that will allow users to enable or disable tproxy for each helm installation. * Add acceptance tests for connect-inject to test with tproxy * Acceptance tests default to tproxy not enabled since we don't fully support it for all features yet.
ishustava
added a commit
that referenced
this pull request
Apr 16, 2021
Support transparent proxy in the consul helm chart * Add new connectInject.transparentProxy.defaultEnabled value (default to true) that will allow users to enable or disable tproxy for each helm installation. * Add acceptance tests for connect-inject to test with tproxy * Acceptance tests default to tproxy not enabled since we don't fully support it for all features yet.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes proposed in this PR:
that will allow users to enable or disable tproxy for each helm installation.
How I've tested this PR:
How I expect reviewers to test this PR:
Note that for beta we're only enabling connect tests to run with tproxy. Before GA, ideally, we can default to tproxy all the time and test non-tproxy cases explicitly instead.
Checklist: