Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update peering establishment to maybe use gateways #14981

Merged
merged 8 commits into from Oct 14, 2022
Merged

Update peering establishment to maybe use gateways #14981

merged 8 commits into from Oct 14, 2022

Conversation

freddygv
Copy link
Contributor

OSS Backport of ENT-3244

Description

When peering through mesh gateways we expect outbound dials to peer
servers to flow through the local mesh gateway addresses.

Now when establishing a peering we get a list of dial addresses as a
ring buffer that includes local mesh gateway addresses if the local DC
is configured to peer through mesh gateways. The ring buffer includes
the mesh gateway addresses first, but also includes the remote server
addresses as a fallback.

This fallback is present because it's possible that direct egress from
the servers may be allowed. If not allowed then the leader will cycle
back to a mesh gateway address through the ring.

When attempting to dial the remote servers we retry up to a fixed
timeout. If using mesh gateways we also have an initial wait in
order to allow for the mesh gateways to configure themselves.

Note that if we encounter a permission denied error we do not retry
since that error indicates that the secret in the peering token is
invalid.

Testing & Reproduction steps

  • Unit tests, integration tests

Links

NET-719

PR Checklist

  • updated test coverage
  • external facing docs updated
  • not a security concern

@freddygv
Update peering establishment to maybe use gateways
e69bc72 
When peering through mesh gateways we expect outbound dials to peer
servers to flow through the local mesh gateway addresses.

Now when establishing a peering we get a list of dial addresses as a
ring buffer that includes local mesh gateway addresses if the local DC
is configured to peer through mesh gateways. The ring buffer includes
the mesh gateway addresses first, but also includes the remote server
addresses as a fallback.

This fallback is present because it's possible that direct egress from
the servers may be allowed. If not allowed then the leader will cycle
back to a mesh gateway address through the ring.

When attempting to dial the remote servers we retry up to a fixed
timeout. If using mesh gateways we also have an initial wait in
order to allow for the mesh gateways to configure themselves.

Note that if we encounter a permission denied error we do not retry
since that error indicates that the secret in the peering token is
invalid.
@freddygv
Update leader routine to maybe use gateways
2c99a21
@freddygv
Add integ test for peering through gateways
472a8e8
@freddygv
Fix CA init error code
96fdd37
@freddygv
Lint
573aa40
@freddygv
Add changelog entry
f48d7fb
@freddygv freddygv requested a review from a team October 13, 2022 22:04
@freddygv
Use split wildcard partition name
bf51021 
This way OSS avoids passing a non-empty label, which will be rejected in
OSS consul.
@freddygv
Use split var in tests
c77123a
@DanStough DanStough self-requested a review October 14, 2022 14:10
@freddygv freddygv merged commit 24d0c88 into main Oct 14, 2022
@freddygv freddygv deleted the peering/dial-through-gateways branch October 14, 2022 15:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DanStough DanStough DanStough approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@freddygv @DanStough