Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added support for choosing bind address #52

Merged
merged 3 commits into from
Jul 13, 2020

Conversation

mvazquezc
Copy link
Member

As of today, the operator will always use "0.0.0.0" as the binding address for the different services. When running on IPv6 environments that cause the services to fail since there are not IPv4 addresses available in the pod. With this change, the user will be able to choose which address is used when binding.

By default, if no value is provided for the address property in the spec, we will configure "0.0.0.0", otherwise, we will configure the address configured by the user.

Let me know what you think about the implementation, if it looks good to you I'll update the docs accordingly.

@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 7, 2020
@openshift-ci-robot
Copy link

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

pkg/apis/cincinnati/v1beta1/cincinnati_types.go Outdated Show resolved Hide resolved
pkg/apis/cincinnati/v1beta1/cincinnati_types.go Outdated Show resolved Hide resolved
Copy link
Member

@djzager djzager left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of thoughts.

@@ -25,6 +25,13 @@ type CincinnatiSpec struct {
// GraphDataImage is a container image that contains the Cincinnati graph
// data. The data is copied to /var/lib/cincinnati/graph-data.
GraphDataImage string `json:"graphDataImage"`

// IPv6 defines whether the services bind to "0.0.0.0" or to "::"
IPv6 bool `json:"ipv6,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#primitive-types

Think twice about bool fields. Many ideas start as boolean but eventually trend towards a small set of mutually exclusive options. Plan for future expansions by describing the policy options explicitly as a string type alias (e.g. TerminationMessagePolicy).

My gut feeling is that adding the Address to the spec is sufficient. That way we can default to '0.0.0.0' or force it to be defined.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The first implementation was done in that way, then I changed it based on Ryan's suggestions, anyway I'd say a boolean makes sense, a user won't likely know which address is going to get the pod when created, and between defining a property with the bind-address or just setting a boolean to decide if the services listen on IPv6 or IPv4 I'd rather go with the second option, but again, I'm open to suggestions.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand.

a user won't likely know which address is going to get the pod when created

Then why would we bother taking the Address on the spec?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean, if you add the Address to the spec so users can choose which address the services bind to, they will likely end using "0.0.0.0" or "::", the IP address that the SDN will assign to the pod is not something you can know beforehand easily. That's why I thought a boolean makes more sense.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Binding to "::" works on IPv4 and IPv6 clusters. I reverted the changes from the API types.

@@ -225,18 +225,24 @@ func (k *kubeResources) newPolicyEngineRoute(instance *cv1beta1.Cincinnati) *rou
}

func (k *kubeResources) newEnvConfig(instance *cv1beta1.Cincinnati) *corev1.ConfigMap {
// If IPv6 boolean property is not configured in the Spec
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the right thing to do, assuming we aren't going to write back these defualts to the api-server, is to put this logic in newKubeResources. However, I don't see handling of the scenario where someone defines the address to listen on.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added Address to the spec because the spec is used for rendering the template for one of the ConfigMaps, I didn't know if there is a better way to do that, but in this case, we only use that field for rendering the CM, I don't see any value on persisting its value in the api-server. Maybe there is a better solution?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Binding to "::" works on IPv4 and IPv6 clusters. I reverted the changes from the API types.

@mhrivnak
Copy link
Member

mhrivnak commented Jul 7, 2020

Is there ever a circumstance where we wouldn't want it to bind to both if available? Seems like that would be a sensible default. Is there a way to make cincinnati itself do that?

@mvazquezc
Copy link
Member Author

Is there ever a circumstance where we wouldn't want it to bind to both if available? Seems like that would be a sensible default. Is there a way to make cincinnati itself do that?

When you say both, do you mean IPv4 and IPv6?

Dual stack is not supported yet, but in case you could have a pod with an IPv4 and an IPv6 address binding to one of the two will be enough for Cincinnati to work based on what I've seen.

In this case the tricky thing will be knowing if the cluster has dual-stack support.

@mhrivnak
Copy link
Member

mhrivnak commented Jul 7, 2020

Yes, I mean both ipv4 and ipv6. As an example, both nginx and httpd allow you to either specify just a port or *:<port> to listen on, and then they will listen on all addresses whether ipv4 or ipv6. Can we just enable Cincinnati to do that?

It seems a shame to add options to the operator's API if there's no user story other than "As a user, I want cincinnati to listen on all addresses." If we need to do something short-term in the operator to make this work on ipv6 while waiting for cincinnati to support dual-stack, maybe we can come up with something that doesn't involve adding to the API.

@rthallisey
Copy link
Contributor

Yes, I mean both ipv4 and ipv6. As an example, both nginx and httpd allow you to either specify just a port or *: to listen on, and then they will listen on all addresses whether ipv4 or ipv6. Can we just enable Cincinnati to do that?

I agree. Cincy is the only thing that's listening in this address space, so it would just make sense to support everything without exposing it.

I think we would need to change the default setting in both the operator and in Cincinnati. Setting the default to :: here should cover it on this end. I'll file a ticket on cincy as well.

@mvazquezc
Copy link
Member Author

Hey, as Ryan suggested. Binding to "::" works for IPv6 and IPv4 environments. I just reverted the changes on the API Types and edited the configmaps created by the controller.

@mvazquezc mvazquezc marked this pull request as ready for review July 9, 2020 10:46
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 9, 2020
@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 13, 2020
@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mvazquezc, rthallisey

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 13, 2020
@mhrivnak
Copy link
Member

I'm surprised that :: includes ipv4 addresses, since it is ipv6 notation. But if it works, it works. It would be a good idea to test on a single-stack ipv4 system to be sure, but generally I think this is a lot better than adding API options.

@rthallisey
Copy link
Contributor

I was able to see it work on my local ipv4 env.

This was where I got the idea from originally: nodejs/node#9390. You can disable the duel-stack listening by configuring net.ipv6.bindv6only.

Without knowing more about what admins do with net.ipv6.bindv6only, it's hard for me to say if we'll run into an issue or not. I think for now, we can say this works as is, but I'll link this PR in the OTA duel stack jira card so it's on their radar when they do a more in depth analysis of this feature for 4.6.

@openshift-merge-robot openshift-merge-robot merged commit 0823dba into openshift:master Jul 13, 2020
PratikMahajan pushed a commit to PratikMahajan/cincinnati-operator that referenced this pull request Mar 17, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants