Remove usage of ES ConfigMap and PublicCertSecret #2954
Conversation
and adding UTs along the way to protect its usage
| @@ -227,10 +225,6 @@ func Add(mgr manager.Manager, opts options.AddOptions) error { | |||
| } | |||
| } | |||
|
|
|||
| if err = utils.AddConfigMapWatch(c, relasticsearch.ClusterConfigConfigMapName, common.OperatorNamespace(), &handler.EnqueueRequestForObject{}); err != nil { | |||
There was a problem hiding this comment.
I see you removed the Watch here, but the code below still uses the configmap.
Josh: Apparently I can modify other people's comments?
There was a problem hiding this comment.
Ah you're right, this is the controller that writes it but I removed the watch since I didn't see any reads. I suppose we want to rectify any changes made to it as quickly as possible. I'll add some tests for these cases.
There was a problem hiding this comment.
Josh: Apparently I can modify other people's comments?
😆
pkg/render/fluentd.go
Outdated
| VolumeMounts: c.eksLogForwarderVolumeMounts(), | ||
| } | ||
|
|
||
| initContainer.Env = append(initContainer.Env, envVars...) |
There was a problem hiding this comment.
I don't understand this - this is appending envVars onto envVars, is it not?
pkg/render/intrusion_detection.go
Outdated
| c.cfg.ESClusterConfig.Replicas(), c.cfg.ESClusterConfig.Shards()) | ||
| container := c.intrusionDetectionControllerContainer() | ||
|
|
||
| envVars := []corev1.EnvVar{ |
There was a problem hiding this comment.
I don't think there's any need to keep these appended separately from the other env vars defined in intrustionDetectionControllerContainer()
There was a problem hiding this comment.
Agreed and this was a change I already had in my next set of changes to be pushed while I was fixing some issues I found once I loaded my images into a cluster.
| }, | ||
| } | ||
|
|
||
| container.Env = append(container.Env, envVars...) |
There was a problem hiding this comment.
I think throughout we should clean up this split env declaration - it's a bit confusing the way this is laid out here.
- Define envVars
- Create a container with a separate set of hard-coded env vars
- Append the previously created env vars to the container's env.
We should just be able to define all of the env vars in one place.
There was a problem hiding this comment.
Agreed that's what I have in my current iteration.
pkg/render/manager.go
Outdated
| relasticsearch.ElasticIndexSuffixEnvVar(c.cfg.ClusterConfig.ClusterName()), | ||
| } | ||
|
|
||
| env = append(env, esEnvVars...) |
There was a problem hiding this comment.
We don't need to define the intermediate variable
env = append(env, []corev1.EnvVar{
relasticsearch.ElasticCAEnvVar(c.SupportedOSType()),
. . .
})
Josh-Tigera
added
docs-not-required
release-note-not-required
and removed
docs-pr-required
release-note-required
labels
| if isManagedCluster { | ||
| if esClusterConfig.ClusterName() == render.DefaultElasticsearchClusterName { | ||
| err = fmt.Errorf("Elasticsearch cluster name must be non-default value in managed clusters") | ||
| r.status.SetDegraded(operatorv1.InvalidConfigurationError, "", err, reqLogger) |
There was a problem hiding this comment.
This is an interesting new assertion - any background on this one? It seems safe to me, but curious what prompted you to add it!
I do think we need a user-facing message in the SetDegraded call instead of "" though.
Also, this isn't the Elasticsearch cluster name. Rather this is the just the name of this managed cluster (which is primarily used by our elastic log ingestion pipeline).
There was a problem hiding this comment.
This came from when I initially completely removed this configmap entirely and then we talked about how it's still needed so that we can differentiate managed vs management entries in elasticsearch indices eg. *-cluster for management vs *-<managedcluster.name> for managed clusters. I added a corresponding test in intrusion_detection_controller.go for this specific case as well. I can update the msg to contain user-facing information as well as correct the wording about what the field is actually used for.
| @@ -422,16 +425,6 @@ func (r *ReconcileIntrusionDetection) Reconcile(ctx context.Context, request rec | |||
| return reconcile.Result{}, err | |||
| } | |||
|
|
|||
| esgwCertificate, err := certificateManager.GetCertificate(r.client, relasticsearch.PublicCertSecret, common.OperatorNamespace()) | |||
There was a problem hiding this comment.
From what I can tell, intrusion-detection-controller is one of the few managed cluster components that still talks directly to elasticsearch via es-gateway.
It does talk to Linseed in most codepaths, but when searching for security events it seems it still talks to ES.
| return reconcile.Result{}, nil | ||
| var clusterConfig *relasticsearch.ClusterConfig | ||
| // We only require Elastic cluster configuration when Kibana is enabled. We infer whether Kibana is enabled by checking | ||
| // FIPS configuration mode and multi-tenancy mode. See manager.go function kibanaEnabled for more details. |
There was a problem hiding this comment.
We should probably make kibnanEnabled public and use the same implementation everywhere that we need to check if Kibana is enabled, so that they don't get out of sync.
| @@ -566,6 +560,12 @@ var _ = Describe("Manager controller tests", func() { | |||
| }) | |||
|
|
|||
| Context("image reconciliation", func() { | |||
| BeforeEach(func() { | |||
| Expect(c.Create( | |||
There was a problem hiding this comment.
This can be a single line - no need to split it up.
Alternatively, we could keep this in the main BeforeEach and then any tests that need something different can just call Update in their BeforeEach to modify the installation.
pkg/render/fluentd.go
Outdated
| relasticsearch.ElasticUserEnvVar(ElasticsearchEksLogForwarderUserSecret), | ||
| relasticsearch.ElasticPasswordEnvVar(ElasticsearchEksLogForwarderUserSecret), | ||
| relasticsearch.ElasticSchemeEnvVar(esScheme), | ||
| relasticsearch.ElasticHostEnvVar(esHost), |
There was a problem hiding this comment.
One to keep an eye on - once @vara2504 is done with her work for EKS log forwarder, we can remove most (all?) of these.
There was a problem hiding this comment.
Vara sent me her PRs and these have in fact been completely removed from fluentd-docker and replaced with their Linseed counterparts.
pkg/render/fluentd_test.go
Outdated
| @@ -884,6 +895,15 @@ var _ = Describe("Tigera Secure Fluentd rendering tests", func() { | |||
| })) | |||
|
|
|||
| Expect(envs).To(ContainElement(corev1.EnvVar{Name: "EKS_CLOUDWATCH_LOG_FETCH_INTERVAL", Value: "900"})) | |||
| Expect(envs).To(ContainElements([]corev1.EnvVar{ | |||
There was a problem hiding this comment.
Probably want the reverse check as well to catch any cases where there are unexpected env vars. And maybe a length check to catch bugs like the one above where we added env vars twice.
e.g.,
expected := []corev1.EnvVar{...}
Expect(envs).Should(ContainElements(expected))
Expect(expected).Should(ContainElements(envs))
Expect(envs).Should(HaveLength(len(expected))Also, we can merge the assertion on the line right above this.
There was a problem hiding this comment.
I've replaced all my checks from Should(ContainElements to To(Equal so that we're more precisely checking the env variables
There was a problem hiding this comment.
That's probably OK, but I specifically didn't suggest that approach because I believe it's more finicky and vulnerable to changes of variable ordering, which we don't actually care about so much.
Josh-Tigera
added
release-note-not-required
enterprise
|
@Josh-Tigera a few conflicts to resolve, though |
These resources are no longer used now that Linseed has taken over this functionality
This has a companion commit in Calico Enterprise here
Description
For PR author
- [ ] If changing pkg/apis/, runmake gen-files- [ ] If changing versions, runmake gen-versionsFor PR reviewers
A note for code reviewers - all pull requests must have the following:
kind/bugif this is a bugfix.kind/enhancementif this is a a new feature.enterpriseif this PR applies to Calico Enterprise only.