v1.13 Backports 2024-05-16 #32573
Merged
v1.13 Backports 2024-05-16 #32573
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[ upstream commit d0af3d7 ] We shouldn't import testing code into production code, as it can lead to unexpected side effects due to e.g., init functions. Let's address this by hard-coding the "PolicyEnforcement" constant, rather than importing it. This is consistent with the same usage as part of the "config" command. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit cfb3b8a ] [ backporter's notes: applied the changes to pkg/clustermesh/config.go ] It is intended to be used by CLI tools to retrieve the configuration files of all remote clusters in a given directory, to be used, e.g., for troubleshooting purposes. While being there, let's also replace the path package with the filepath one, which is more appropriate in this context, and it would allow to theoretically handle Windows paths as well. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
giorio94
added
kind/backports
giorio94
force-pushed
the
pr/v1.13-backport-2024-05-16-11-35
branch
from
bb8eb91
to
fa3bab2
Compare
|
/test-backport-1.13 |
giorio94
force-pushed
the
pr/v1.13-backport-2024-05-16-11-35
branch
from
fa3bab2
to
5d97515
Compare
|
/test-backport-1.13 |
[ upstream commit 2d07cfc ] [ backporter's notes: replaced cmp.Or usage, as not yet available in go 1.20. Additionally replaced tls.VersionName with a local implementation, as also not available in go 1.20. ] Troubleshooting etcd connectivity issues, regardless of whether to the Cilium kvstore or to a remote cluster, is a complex activity, as issues can concern network connectivity, TLS certificates mismatch, authn/authz policies and so on. As an effort to simplify this process, let's introduce a new utility responsible for performing a set of sanity checks, and outputting the result in a user-friendly way. This utility is intended to be then leveraged by dedicated CLI commands integrated with the various components. More in detail, this utility performs the following operations: * Asserts that the etcd configuration can be correctly parsed; * For each endpoint: - Outputs the DNS resolution; - Assert that the endpoint is reachable at the network level (i.e., that a TCP connection can be successfully established); - When https is enabled, asserts that a TLS connection can be correctly established to the endpoint (i.e., that the provided certificates are valid); the check includes both server and client (if enabled) authentication; additionally outputs TLS specific information; - Outputs the version of the endpoint, as returned by GET /version; * Outputs information regarding Root CAs and client certificates, if configured; additionally checks whether the client certificate is valid according to the root CAs; * Asserts that the etcd client can correctly establish a connection; * Asserts that the heartbeat key can be retrieved, as a basic authorization check. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 9654576 ] [ backporter's notes: moved the files to cilium/cmd, and performed minor adaptations as necessary; additionally dropped the custom dialer usage in the troubleshoot clustermesh command, as service name to IP address resolution was not necessary in clustermesh in Cilium v1.13, as KVStoreMesh was not yet available. ] Introduce two new cilium-dbg commands, namely "troubleshoot kvstore" and "troubleshoot clustermesh", responsible for running a set of sanity checks to help troubleshoot etcd connectivity issues, covering network connectivity, TLS authentication, authn/authz policies and so on. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 9156e23 ] [ backporter's notes: changed the cilium command from cilium-dbg to cilium. ] As useful to troubleshoot kvstore and clustermesh issues. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 4172c62 ] [ backporter's notes: dropped the reference to running the KVStoreMesh troubleshot command, as not relevant in Cilium v1.13. Additionally replaced cilium-dbg with cilium. ] Document the usage of the newly introduced troubleshoot command to investigate connectivity issues towards the clustermesh control plane (i.e., etcd) in remote clusters. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 189e8ba ] [ backporter's notes: dropped the cilium-dbg change, as not applicable to Cilium v1.14, and performed minor adaptations. ] Add a clarification note that the manual steps presented in the guide are mostly alternative to using the automatic tools described in the previous section. Additionally, drop the example errors from the TLS certificates step, as potentially misleading. Users shall leverage the troubleshoot command instead. Finally, let's fix a couple of typos. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 913e41b ] [ backporter's notes: dropped references to KVStoreMesh, as not available in Cilium v1.13, and to initial synchronization checks, as not exposed in Cilium v1.13. ] They apply only when Cilium is configured in kvstore mode, which is seldom the case these days. The lack of local information is also not clustermesh specific, and would imply other serious issues. Moreover, the given checks would not work, and lead to additional confusion when Cilium operates in CRD mode. Hence, let's just replace them with the suggestion of checking whether both Cilium agents and KVStoreMesh (if enabled) are correctly connected to all remote clusters, and the synchronization has completed. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
giorio94
force-pushed
the
pr/v1.13-backport-2024-05-16-11-35
branch
from
5d97515
to
98e3b78
Compare
|
/test-backport-1.13 |
|
/test-1.18-4.19 Hit #30802 |
lmb
approved these changes
May 23, 2024
maintainer-s-little-helper
bot
added
the
ready-to-merge
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ℹ️ Resolved minor conflicts detailed in the individual commit messages. Dropped 8c951b2 and 041321b, as not relevant in Cilium v1.13.
ℹ️ Resolved minor conflicts detailed in the individual commit messages. Dropped 952df8f as not relevant in Cilium v1.13.
Once this PR is merged, a GitHub action will update the labels of these PRs: