aggregator: add port support, unified for both modes #45082
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
This change is |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: sttts Assign the PR to them by writing
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
size/L
|
@cheftako you want to take a look? |
| @@ -96,7 +97,10 @@ func (c *APIServiceRegistrationController) sync(key string) error { | |||
| return err | |||
| } | |||
|
|
|||
| c.apiHandlerManager.AddAPIService(apiService, c.getDestinationHost(apiService)) | |||
| host := c.getDestinationHost(apiService) | |||
| if len(host) > 0 { | |||
There was a problem hiding this comment.
If an APIService is updated to remove its referenced service (becomes local), we need to update to reflect that, right?
sttts
force-pushed
the
sttts-aggregator-ports
branch
2 times, most recently
from
ff58e0d to
d79e123
Compare
|
|
||
| port := int32(443) | ||
| if len(service.Spec.Ports) > 0 { | ||
| port = service.Spec.Ports[0].Port |
There was a problem hiding this comment.
This seems fine if len() == 1. However if len() > 1 this seems problematic. I couldn't find any indication of ordering in our documentation so I'm not sure we can rely on that. In fact one of our examples has the https port second and that seems like the port we should be using. So if len() > 1 we could look for a name which indicates what we should be using, such as https. We could also look to fix the registration system to specify a port (?name) if there is more than 1 port. Picking the first port seems like what we should do if all other resolution mechanisms fail.
There was a problem hiding this comment.
I assumed that there is an order. If not, this does not make sense, totally agree. Actually, I do not want too many heuristic. I would prefer adding an explicit port name to the apiservice spec and only allow to leave that empty if there is exactly one port in a service. Wdyt?
| } | ||
|
|
||
| port := int32(443) | ||
| if len(service.Spec.Ports) > 0 { |
There was a problem hiding this comment.
The validation code as far as I can tell prevents you getting in to the length equals 0 case. Not sure it would be safe to force the port to 443 if that wasn't true. Not sure how the networking code would function if no ports were specified but if it either left all ports open or forwarded based on which ports the relevant pod specified, then you could be forcing to the wrong port and something that had been working would now be broken.
k8s-github-robot
added
the
needs-rebase
@sttts Why not just support portName right away? |
sttts
force-pushed
the
sttts-aggregator-ports
branch
from
d79e123 to
1588934
Compare
k8s-github-robot
added
size/XL
sttts
changed the title
sttts
added
release-note-none
|
@deads2k @cheftako I rebased this onto the merged pod ip resolver code, reactivated our old resolver tests and unified both resolvers. I would very much like to get this into 1.7 before people start using the new api, especially the requirements around service ports and the service name syntax |
| } | ||
| if len(portStr) == 0 { | ||
| switch svcScheme { | ||
| case "http": |
There was a problem hiding this comment.
You can't safely proxy over http. I think we should always force https.
There was a problem hiding this comment.
My argument for http was that it's useful during development without certs. But if we can ignore self-signed certs anyway, there is not much need for http.
We have to use SSL in order to identify the aggregator from the user API server. For ports, my first choice is always 443 on the service (the endpoint thing is going to have to do the translation), my second choice is to add a port field and the endpoint thing still has to do the translation from service to endpoint port. |
sttts
force-pushed
the
sttts-aggregator-ports
branch
from
cce231a to
f3fa433
Compare
sttts
changed the title
|
I have extracted the uncontroversial part of the code without the scheme+port syntax into #46623. ptal. |
I favor this one. Let us add a |
sttts
force-pushed
the
sttts-aggregator-ports
branch
from
f3fa433 to
5d2838e
Compare
sttts
force-pushed
the
sttts-aggregator-ports
branch
3 times, most recently
from
0e094f7 to
5fdf001
Compare
k8s-github-robot
added
size/XXL
sttts
force-pushed
the
sttts-aggregator-ports
branch
from
5fdf001 to
6fc2aae
Compare
sttts
force-pushed
the
sttts-aggregator-ports
branch
from
6fc2aae to
810422a
Compare
|
@k8s-bot pull-kubernetes-unit test this |
1 similar comment
|
@k8s-bot pull-kubernetes-unit test this |
|
@k8s-bot pull-kubernetes-verify test this |
Automatic merge from submit-queue (batch tested with PRs 43505, 45168, 46439, 46677, 46623) aggregator: unify resolver implementation and tests This is #45082, but without the port support.
|
@sttts PR needs rebase |
k8s-github-robot
added
the
needs-rebase
|
We decided not to implement custom port support. So closing it for now. |
|
@sttts I wonder why " we decided not to implement custom port support"? I think it is nice to have. |
|
@WIZARD-CXY because it is only "nice to have", i.e. you can easily use a default port. |
Add a port field to the service reference of an APIService.