[NET-5704] feat(control-plane): v2 only register services for injected pods (#3039)

feat(control-plane): v2 only register services for injected pods

Rather than indiscriminately registering any service that is not
excluded due to NS allow/deny-listing, selectively register services
that target injected pods (i.e. in alignment with the mesh webhook).

Do not deregister services that already exist when endpoints are empty;
rather, predicate registration on pod injection and deletion on service
deletion from Kubernetes. In the future, we can layer on explicit
allow/deny annotations for services as needed.

This is already implemented by existing workload selector logic that
filters on mesh-inject status; this change removes TODOs, updates
comments, and adds tests for the desired behavior.
zalimeni authored Oct 5, 2023
1 parent 31cef6f commit d5f55f5
Showing 2 changed files with 294 additions and 99 deletions.
@@ -102,16 +102,15 @@ func (r *Controller) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
return ctrl.Result{}, err
}

// If we don't have at least one mesh-injected pod targeted by the service, do not register the service.
//TODO(NET-5704): Register service with mesh port added if global flag for inject is true,
// even if Endpoints are empty or have no mesh pod, iff. the service has a selector.
// This should ensure that we don't target kube or consul (system) services.
// If we don't have at least one mesh-injected pod selected by the service, don't register.
// Note that we only _delete_ services when they're deleted from K8s, not when endpoints or
// workload selectors are empty. This ensures that failover can occur normally when targeting
// the existing VIP (ClusterIP) assigned to the service.
if consulSvc.Workloads == nil {
return ctrl.Result{}, nil
}

// Register the service in Consul.
//TODO(NET-5704): Check service-enable label here on service/deployments/other pod owners
if err = r.registerService(ctx, resourceClient, service, consulSvc); err != nil {
// We could be racing with the namespace controller.
// Requeue (which includes backoff) to try again.
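Review bot: the guard `if consulSvc.Workloads == nil` only enforces the new comment above it ("If we don't have at least one mesh-injected pod selected by the service, don't register") if the code that builds `consulSvc` leaves `Workloads` nil, rather than empty but non-nil, whenever the service selects no injected pods; an empty selector would pass this check and register a service with no workloads, which is the case the commit message says this change is meant to avoid. Consider checking for an empty selector in addition to nil here, or confirming that the tests the commit message mentions assert `Workloads` is nil for a service whose endpoints contain no mesh-injected pod. Separately, the TODO "Check service-enable label here on service/deployments/other pod owners" is dropped while the commit message defers explicit allow/deny annotations to future work; leaving a short pointer to that follow-up in the comment would keep the intent visible at the registration call.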