Conversation
smatting
force-pushed
the
WPB-23903-routes-1
branch
from
c4a1b87 to
28aad07
Compare
zebot
added
the
ok-to-test
|
Naming thing that bugs me across the whole PR, the chart is wire-ingress, the file is ingress-envoy.yaml the route is nginz-websockets. None of thes have any Ingress in them. My point of view, name it like the replacement wire-gateway , gateway-envoy.yaml etc... not blocking when I open a file called ingress-envoy.yaml and the first thing I see is kind: gateway. I have to stop and double check. |
|
A BackendTrafficPolicy is missing for WebSockets, the default timeouts will terminate long-lived connections, I didn't check the default value, https://gateway.envoyproxy.io/latest/api/extension_types/#backendtrafficpolicy |
smatting
force-pushed
the
WPB-23903-routes-1
branch
from
8e81e3f to
83b86e7
Compare
I changed the |
Thank you! Added the policy. We need to run QA tests against this on staging to see if it really works |
| - type: Inline | ||
| inline: | | ||
| function envoy_on_request(request_handle) | ||
| local ssl = request_handle:connection():ssl() |
There was a problem hiding this comment.
Something feels off here, we are trusting a header that the client may be able to forge themselves. Since we do not remove it first, it looks spoofable. Is that really expected on the Federator side?
There was a problem hiding this comment.
Good catch! Addressed in 300c32e
In addition to this it would've been nice to also enforce client certificates, but this would change the protocol (change error codes). I left a comment why client certs are configured optionally
| apiVersion: gateway.envoyproxy.io/v1alpha1 | ||
| kind: EnvoyExtensionPolicy | ||
| metadata: | ||
| name: {{ include "wire-ingress.fullname" . }}-federator-cert-header |
There was a problem hiding this comment.
Other policies in this chart set namespace: {{ .Release.Namespace }} ?
| - type: Inline | ||
| inline: | | ||
| function envoy_on_request(request_handle) | ||
| local ssl = request_handle:connection():ssl() |
| name: {{ printf "%s/%s/https" .Release.Namespace $gatewayName | quote }} | ||
| operation: | ||
| op: add | ||
| path: "/filter_chains/0/filters/0/typed_config/strip_trailing_host_dot" |
There was a problem hiding this comment.
Why don't you use the same approach las in charts/wire-ingress/templates/envoypatchpolicy-federator.yaml:36-41
There was a problem hiding this comment.
ah, this is a leftover from a previous solution. I switched to the new solution in 05e23ad
| @@ -0,0 +1,154 @@ | |||
| {{- if .Values.envoy.enabled }} | |||
There was a problem hiding this comment.
None of the five kinds here carry chart/release label
| apiVersion: v1 | ||
| kind: Service | ||
| metadata: | ||
| name: account-pages-http |
| apiVersion: v1 | ||
| kind: Service | ||
| metadata: | ||
| name: team-settings-http |
| kind: Service | ||
| metadata: | ||
| name: {{ .Release.Namespace }}-fed | ||
| namespace: {{ .Values.gateway.controllerNamespace }} |
| apiVersion: v1 | ||
| kind: Service | ||
| metadata: | ||
| name: webapp-http |
| apiVersion: v1 | ||
| kind: Service | ||
| metadata: | ||
| name: {{ .Release.Namespace }}-fed |
There was a problem hiding this comment.
The -fed suffix here is also hardcoded in integration/_helpers.tpl .Both need to stay aligned renaming one side breaks federation discovery with no obvious error.
Ideally a shared helper ? otherwise at least a cross-reference comment in both files pointing to each other ? that would also explain why we don't use wire-ingress.fullname here like everywhere else
There was a problem hiding this comment.
I explored the the shared helper idea again, but it would require passing 4 values consistently in 3 helm releases to avoid this hidden assumption. I went with commenting in both places instead (7f220cc)
| # -----END PRIVATE KEY----- | ||
| # | ||
| # When federator.enabled is true, a ConfigMap named `federator-ca` with a `ca.crt` key | ||
| # must exist in the release namespace. It is created by the wire-server chart |
There was a problem hiding this comment.
This ConfigMap is created by the federator chart, not wire-server ?
There was a problem hiding this comment.
Users don't install the federator only directly, but via requirement of the wire-server chart. (federator is a subchart)
| controllerName: gateway.envoyproxy.io/gatewayclass-controller | ||
| ``` | ||
|
|
||
| You need to refer to this object in the `gateway.className` paramter. |
| | `config.dns.base` | Only used for CSP header rendering, which is a multi-ingress feature | | ||
| | `tls.verify_depth` | Envoy Gateway `ClientTrafficPolicy` does not expose a direct verify-depth knob; the CA chain itself controls this | | ||
| | `tls.enabled` | Removed — had no effect; all routes are always TLS-terminated | | ||
| | `secrets.tlsClientCA` | No longer supplied via values. The `federator-ca` ConfigMap is created by the wire-server chart and referenced directly. | |
There was a problem hiding this comment.
Same as previous comment
| @@ -0,0 +1,75 @@ | |||
| {{/* vim: set filetype=mustache: */}} | |||
There was a problem hiding this comment.
getCertificateSecretName, getCustomSolversSecretName, getIssuerName, getGatewayName
I would use it without get, because in Helm charts you usually use short names focused on the result but that's just my opinion
There was a problem hiding this comment.
yeah good point. I removed the prefix in b76200c
smatting
force-pushed
the
WPB-23903-routes-1
branch
from
f8ead45 to
a59a6c7
Compare
There was a problem hiding this comment.
I think we should be agnostic of product names here in general, especially given the current situation with minio
fisx
left a comment
fisx
left a comment
There was a problem hiding this comment.
i've read all the non-helm code (3 files), LGTM!
| CHARTS_DIR="${TOP_LEVEL}/.local/charts" | ||
| HELM_PARALLELISM=${HELM_PARALLELISM:-1} | ||
|
|
||
| changed_files=$(git --no-pager diff-tree --no-commit-id -r --name-only HEAD) |
There was a problem hiding this comment.
so this guard only works if i don't commit my changes first, before running tests. i guess that's a lot better than no guard. you could compute a sha256sum from all of nginx-ingress-services i guess, and compare against a stored copy of the hash. if there is a mismatch, the error will instruct you to commit the changes and update the hash in the script.
i'm not saying you should do that, this is just my brain having ideas.
| prepareNginzK8sRuntimeFiles :: String -> ServiceMap -> IO (FilePath, FilePath, FilePath) | ||
| prepareNginzK8sRuntimeFiles domain sm = do | ||
| tmpDir <- createTempDirectory "/tmp" ("nginz" <> "-" <> domain) | ||
| prepareNginzK8sRuntimeFiles :: ServiceMap -> IO (FilePath, FilePath, FilePath) | ||
| prepareNginzK8sRuntimeFiles sm = do | ||
| tmpDir <- createTempDirectory "/tmp" "nginz-" |
There was a problem hiding this comment.
are you merely changing the name of the temp directory here? why? (just curious.)
5 participants
This PR:
Introduces a new Helm chart
wire-ingressthat targets Envoy Gateway. It is intended as a replacement for thenginx-ingress-serviceschart, which uses ingress-nginx. Thewire-ingresschart is not production-ready yet.Changes the integration test suite: all tests now run against the
wire-ingresschart. The ingress solution can be selected via theWIRE_INGRESS_MODEenvironment variable. The federation domains change in Envoy mode — see comments in the code. Changes to thefederatorandintegrationcharts are made to accommodate both variants fortesting. As a consequence, any changes to
nginx-ingress-serviceswill be untested once this PR is merged. I've added a checkintegration-setup-federation.shthat prevents any changes tonginx-ingress-servicesto avoid this being overlooked.Changes the temporary filenames used in the integration test suite. This fixes issues with filenames that were too long for
nginzto handle.Deletes the unused file
hack/helmfile-federation-v0.yaml.gotmpl.Add a
post-upgradeto all objects needed for testing. This makes running tests on the cluster manually more convenientChecklist
.envrcbefore merging !!!!changelog.d