CNI File watcher and pre applying rules setup (#1345)

* Add file watcher to CNI installer to watch for config file changes and repair breakages. * Wait for CNI config file to show up on the host file system before attempting to install consul-cni configuration. * Add some code to get ready for the next PR that applying iptables rules * Unit tests for installer and plugin scenarios
hashicorp · Aug 19, 2022 · 07ccb89 · 07ccb89
1 parent 46d138a
commit 07ccb89
Show file tree

Hide file tree

Showing 36 changed files with 2,105 additions and 1,113 deletions.
diff --git a/Makefile b/Makefile
@@ -15,7 +15,7 @@ bats-tests: ## Run Helm chart bats tests.
 # ===========> Control Plane Targets
 
 control-plane-dev: ## Build consul-k8s-control-plane binary.
-	@$(SHELL) $(CURDIR)/control-plane/build-support/scripts/build-local.sh -o $(GOOS) -a $(GOARCH)
+	@$(SHELL) $(CURDIR)/control-plane/build-support/scripts/build-local.sh -o linux -a amd64
 
 control-plane-dev-docker: ## Build consul-k8s-control-plane dev Docker image.
 	@$(SHELL) $(CURDIR)/control-plane/build-support/scripts/build-local.sh -o linux -a $(GOARCH)
@@ -135,6 +135,7 @@ SHELL = bash
 GOOS?=$(shell go env GOOS)
 GOARCH?=$(shell go env GOARCH)
 DEV_IMAGE?=consul-k8s-control-plane-dev
+DOCKER_HUB_USER=$(shell cat $(HOME)/.dockerhub)
 GIT_COMMIT?=$(shell git rev-parse --short HEAD)
 GIT_DIRTY?=$(shell test -n "`git status --porcelain`" && echo "+CHANGES" || true)
 GIT_DESCRIBE?=$(shell git describe --tags --always)

diff --git a/charts/consul/templates/cni-daemonset.yaml b/charts/consul/templates/cni-daemonset.yaml
@@ -64,7 +64,6 @@ spec:
             - -log-level={{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }}
             - -cni-bin-dir={{ .Values.connectInject.cni.cniBinDir }}
             - -cni-net-dir={{ .Values.connectInject.cni.cniNetDir }}
-            - -dns-prefix={{ template "consul.fullname" . }}
           {{- with .Values.connectInject.cni.resources }}
           resources:
             {{- toYaml . | nindent 12 }}

diff --git a/charts/consul/test/unit/cni-daemonset.bats b/charts/consul/test/unit/cni-daemonset.bats
@@ -91,10 +91,6 @@ load _helpers
   local actual=$(echo "$cmd" |
     yq 'any(contains("cni-net-dir=foo"))' | tee /dev/stderr)
   [ "${actual}" = "true" ]
-
-  local actual=$(echo "$cmd" |
-    yq 'any(contains("dns-prefix=bar-consul"))' | tee /dev/stderr)
-  [ "${actual}" = "true" ]
 }
 
 #--------------------------------------------------------------------
@@ -139,7 +135,7 @@ rollingUpdate:
       --set 'connectInject.enabled=true' \
       . | tee /dev/stderr |
       yq -rc '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
-  [ "${actual}" = '{"limits":{"cpu":"50m","memory":"50Mi"},"requests":{"cpu":"50m","memory":"50Mi"}}' ]
+  [ "${actual}" = '{"limits":{"cpu":"75m","memory":"75Mi"},"requests":{"cpu":"50m","memory":"50Mi"}}' ]
 }
 
 @test "cni/DaemonSet: resources can be overridden" {

diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
@@ -1972,8 +1972,8 @@ connectInject:
         memory: "50Mi"
         cpu: "50m"
       limits:
-        memory: "50Mi"
-        cpu: "50m"
+        memory: "75Mi"
+        cpu: "75m"
 
     # Resource quotas for running the daemonset as system critical pods
     resourceQuota:

diff --git a/control-plane/Dockerfile b/control-plane/Dockerfile
@@ -44,6 +44,7 @@ RUN addgroup ${BIN_NAME} && \
     adduser -S -G ${BIN_NAME} 100
 
 COPY pkg/bin/linux_${TARGETARCH}/${BIN_NAME} /bin
+COPY cni/pkg/bin/linux_${TARGETARCH}/${CNI_BIN_NAME} /bin
 
 USER 100
 CMD /bin/${BIN_NAME}

diff --git a/control-plane/cni/config/config.go b/control-plane/cni/config/config.go
@@ -1,19 +1,42 @@
 package config
 
+const (
+	DefaultPluginName = "consul-cni"
+	DefaultPluginType = "consul-cni"
+	DefaultCNIBinDir  = "/opt/cni/bin"
+	DefaultCNINetDir  = "/etc/cni/net.d"
+	DefaultMultus     = false
+	// defaultKubeconfig is named ZZZ-.. as part of a convention that other CNI plugins use.
+	DefaultKubeconfig = "ZZZ-consul-cni-kubeconfig"
+	DefaultLogLevel   = "info"
+)
+
 // CNIConfig is the configuration that both the CNI installer and plugin will use.
 type CNIConfig struct {
-	// Name of the plugin
+	// Name of the plugin.
 	Name string `json:"name"        mapstructure:"name"`
-	// Type of plugin (consul-cni)
+	// Type of plugin (consul-cni).
 	Type string `json:"type"        mapstructure:"type"`
 	// CNIBinDir is the location of the cni config files on the node. Can bet as a cli flag.
 	CNIBinDir string `json:"cni_bin_dir" mapstructure:"cni_bin_dir"`
 	// CNINetDir is the locaion of the cni plugin on the node. Can be set as a cli flag.
 	CNINetDir string `json:"cni_net_dir" mapstructure:"cni_net_dir"`
-	// Multus is if the plugin is a multus plugin. Can be set as a cli flag.
-	Multus bool `json:"multus"      mapstructure:"multus"`
 	// Kubeconfig file name. Can be set as a cli flag.
 	Kubeconfig string `json:"kubeconfig"  mapstructure:"kubeconfig"`
 	// LogLevl is the logging level. Can be set as a cli flag.
 	LogLevel string `json:"log_level"   mapstructure:"log_level"`
+	// Multus is if the plugin is a multus plugin. Can be set as a cli flag.
+	Multus bool `json:"multus"      mapstructure:"multus"`
+}
+
+func NewDefaultCNIConfig() *CNIConfig {
+	return &CNIConfig{
+		Name:       DefaultPluginName,
+		Type:       DefaultPluginType,
+		CNIBinDir:  DefaultCNIBinDir,
+		CNINetDir:  DefaultCNINetDir,
+		Kubeconfig: DefaultKubeconfig,
+		LogLevel:   DefaultLogLevel,
+		Multus:     DefaultMultus,
+	}
 }
diff --git a/control-plane/cni/go.mod b/control-plane/cni/go.mod
@@ -1,16 +1,20 @@
 module github.com/hashicorp/consul-k8s/control-plane/cni
 
 require (
+	github.com/cenkalti/backoff v2.1.1+incompatible
 	github.com/containernetworking/cni v1.1.1
 	github.com/containernetworking/plugins v1.1.1
+	github.com/hashicorp/consul/sdk v0.9.0
 	github.com/hashicorp/go-hclog v0.16.1
+	github.com/stretchr/testify v1.7.1
 	k8s.io/api v0.22.2
 	k8s.io/apimachinery v0.22.2
 	k8s.io/client-go v0.22.2
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/fatih/color v1.12.0 // indirect
 	github.com/go-logr/logr v0.4.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
@@ -24,7 +28,10 @@ require (
 	github.com/mattn/go-isatty v0.0.13 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.1 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stretchr/objx v0.1.0 // indirect
 	golang.org/x/net v0.0.0-20211209124913-491a49abca63 // indirect
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
 	golang.org/x/sys v0.0.0-20220412211240-33da011f77ad // indirect
@@ -37,11 +44,12 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 	k8s.io/klog/v2 v2.9.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e // indirect
 	k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect
 	sigs.k8s.io/yaml v1.2.0 // indirect
 )
 
 replace github.com/hashicorp/consul/sdk v0.9.0 => github.com/hashicorp/consul/sdk v0.4.1-0.20220531155537-364758ef2f50
 
-go 1.17
+go 1.18