enable private service connect #476
Conversation
gardener-robot
added
kind/api-change
gardener-robot-ci-2
added
reviewed/ok-to-test
There was a problem hiding this comment.
As discussed in a private conversation.
At validation time we might not know the Seed (only if the .spec.seedName is set manually in the Shoot resource and not by the gardener-scheduler) which means we cannot reliable validate if cidrs are not clashing.
So I suggest to add an additional check in the configvalidator of the Infrastructure controller to ensure that cidrs are ok. At this point in time the Seed is known and we can early abort (before creating any infrastructure) if the cidrs are clashing.
pkg/apis/gcp/types_infrastructure.go
Outdated
|
|
||
| // PrivateServiceConnect holds the configuration for Private Service Connect endpoints. | ||
| type PrivateServiceConnect struct { | ||
| Enabled bool |
|
|
||
| // PrivateServiceConnect holds the configuration for Private Service Connect endpoints. | ||
| type PrivateServiceConnect struct { | ||
| Enabled bool `json:"enabled"` |
| @@ -145,6 +148,19 @@ func ComputeTerraformerTemplateValues( | |||
| "outputKeys": outputKeys, | |||
| } | |||
|
|
|||
| if config.Networks.PrivateServiceConnect != nil && config.Networks.PrivateServiceConnect.Enabled { | |||
There was a problem hiding this comment.
Why do we need the config.Networks.PrivateServiceConnect.Enabled flag at all? Would it not sufficient to enable a private service connect if the endpoint ip is given?
There was a problem hiding this comment.
It would be sufficient but I went for a more explicit enablement. How about this check: if PSC struct it not nil, then both are true:
- we consider PSC enabled
- endpointIP must not be empty (enforced via validation).
| // There is an issue currently that TF will always delete and recreate the address during infrastructure reconciliation | ||
| // because it cannot handle the labels properly. |
There was a problem hiding this comment.
What does this mean for us? Will it always be recreated?
There was a problem hiding this comment.
Yes it is recreated in every infra reconciliation. The reason is that between the terraform and the GCP API the labels value is oscillating between an empty map and a nil value. This makes TF believe that the resource is changed and it recreates it which may interrupt open connections.
I tried all the combinations e.g. specifying the labels as empty map, not specifying them at all and none of them stopped this behavior. Also it is not possible to initialise the map with any kind of value because it is prohibited by the GCP API for endpoints used in PSC
| @@ -62,6 +66,9 @@ networks: | |||
| # natIPNames: | |||
| # - name: manualnat1 | |||
| # - name: manualnat2 | |||
| # privateServiceConnect: | |||
| # enabled: true | |||
| # endpointIP: 10.252.0.0 | |||
There was a problem hiding this comment.
General question will be multiple google services accessible via the same endpoint ip? Or do we need for each service we want to connect privately an own endpoint?
There was a problem hiding this comment.
All services should be accessible by the endpoint. For some you may need to create a private DNS zone so that clients can be configured to use them properly
| // - Seed's service CIDRs | ||
| // - The VPC CIDR (the sub of the subnet CIDRs used by workers) | ||
| // - The static ranges used by reverse VPN (192.168.123.0/24) | ||
| func ValidatePrivateServiceConnect(fldPath *field.Path, infra *apisgcp.InfrastructureConfig, ranges []cidrvalidation.CIDR) field.ErrorList { |
There was a problem hiding this comment.
I guess it is sufficient to pass the PrivateServiceConnect instead of the entire infra. Also the is enabled check is not necessary as we already checked before if private service connect shall be used.
kon-angelo
force-pushed
the
enh/private-service-connect
branch
from
a378d33
to
d5d13bf
Compare
gardener-robot
added
the
size/xl
gardener-robot-ci-2
added
reviewed/ok-to-test
gardener-robot
removed
the
size/l
kon-angelo
force-pushed
the
enh/private-service-connect
branch
from
d5d13bf
to
d58dad3
Compare
gardener-robot-ci-2
added
reviewed/ok-to-test
|
/test |
|
Testrun: e2e-xwznd +---------------------+---------------------+-----------+----------+ | NAME | STEP | PHASE | DURATION | +---------------------+---------------------+-----------+----------+ | bastion-test | bastion-test | Succeeded | 9m9s | | infrastructure-test | infrastructure-test | Failed | 13m5s | +---------------------+---------------------+-----------+----------+ |
|
After discussion we decided to close the PR for now as we are not sure it will have the expected results. We will try to bring #489 first and then consider again about PSC. |
gardener-robot
added
the
status/closed
|
Do we have any timeline to completion of the PSC feature? A ticket is already opened for this feature from our side. |
How to categorize this PR?
/area control-plane
/kind enhancement
/platform gcp
What this PR does / why we need it:
Allows user to configure PrivateServiceConnect for their VPC. The user needs to specify an IP for the endpoint and to enable the service.
Important notes:
default/kubernetesservice routing)ToDos:
Gotchas:
The endpoint and fwd-rule created for PSC have very strict requirements for their options. Due to an unknown condition (likely bug in Terraform provider-gcp) the fwd-rule will be deleted and recreated on infrastructure reconciliation. This may cause issues with open connections to services. The reason for that is that the
labelsfield of fwd-rule has to be empty (specifically for PSC rules) which TF interprets as nil. However the GCP API stores it as "empty" and when TF reads it back during reconciliation it marks it as a different value that thenilstored in state. Hence it recreates the resource.Because of the seed restriction that this feature imposes we need to wary of transitions during shoot scheduling, which is why we introduce the
shoots/bindingsubresource in the admission controller. We what that:spec.seedNameon creation we can validate the endpointIP against only the shoot ranges. We also need to prevent scheduler from assigning it to a seed that it may have collisions during update.spec.seedName, check that it can host this endpoint otherwise prevent creation.We can also think about leveraging
configValidator(aka the runtime check before infrastructure reconciliation). However because this is too late in the process, the shoot may already have been scheduled in an incompatible seed.Introduce private service connect
Which issue(s) this PR fixes:
Fixes #465
Special notes for your reviewer:
Release note: