Remove special support for ExternalName services

[briansmith]

After this was implemented we found that ExternalName services are
represented in DNS as CNAMEs, which means that the proxy's DNS
fallback logic can be used instead of doing DNS in the control
plane. Besides simplifying the controller, this will also increase
fidelity with the proxied pods' DNS configuration (improve
transparency).

Signed-off-by: Brian Smith brian@briansmith.org

[briansmith]

@klingerf In Slack discussion @olix0r mentioned the idea of using an ExternalName service to alias another service within the cluster, to test this. In the test framework we have, where can I find an example of creating a service completely internal to the cluster? The egress_test.go tests all reference services that make requests outside the cluster to httpbin.org.

[klingerf]

@briansmith Checkout the smoke test config that we use to verify that inject is working: https://github.com/runconduit/conduit/blob/master/test/testdata/smoke_test.yaml

[klingerf]

Nice cleanup! I just had one question about removing support for resolving IPs.

[klingerf]

Would you mind removing this TODO as well as part of this branch?

[briansmith]

Would you mind removing this TODO as well as part of this branch?

I am going to remove it, and other similar things, in a separate PR.

[klingerf]

You're removing the original comment from which this comment was copied (line 51, k8s_resolver.go) as part of this branch. I think it makes sense to also remove this comment simultaneously.

[klingerf]

Did you mean to remove the echoIpV4Resolver as part of this branch? That seems unrelated to removing external name support. I'm not sure what the proxy uses the ip resolver for, but functionally, if the path to be resolved is an ipv4 address, this resolver sends it back as an Add event. On master, it looks like this:

$ bin/go-run controller/script/destination-client -path 1.2.3.4:80
INFO[0000] Add:                                         
INFO[0000] metric_labels: map[]                         
INFO[0000] - 1.2.3.4:80 - map[]                         
INFO[0000]                                              

Whereas on this branch, I get:

$ bin/go-run controller/script/destination-client -path 1.2.3.4:80
FATA[0000] rpc error: code = Unknown desc = resolver [&{k8sDNSZoneLabels:[] endpointsWatcher:0xc4201b0420}] found error resolving host [1.2.3.4] port[80]: DNS name cannot only contain digits and hyphens: 1.2.3.4

[briansmith]

Did you mean to remove the echoIpV4Resolver as part of this branch?

I should have removed it in an earlier branch. The proxy never sends IP addresses to the controller any more. I think even in 0.3.1 it was that way.

[klingerf]

Ok, in that case can you also remove the echoIpV4Resolver struct and associated methods and tests? I think that controller/destination/resolver_test.go can go away entirely.

[briansmith]

Ok, in that case can you also remove the echoIpV4Resolver struct and associated methods and tests? I think that controller/destination/resolver_test.go can go away entirely.

Done.

[klingerf]

⭐️ Great, thanks for updating.

[olix0r]

I believe there may be a correctness issue with this branch. I'll reproduce the issue and describe here.

[olix0r]

:; bin/root-tag 
git-b227bd20

1. Clean up

:; kubectl delete ns emojivoto conduit bot && watch kubectl get ns                               

2. Install conduit and emojivoto

...
:; bin/conduit install -v $(bin/root-tag) |kubectl apply -f -
...
:; bin/conduit inject -v $(bin/root-tag) ../emojivoto.yml |kubectl apply -f -     
...

3. Install two clients: one that uses an ingress.

:; cat ../bot{,-ingress}.yml |bin/conduit inject -v $(bin/root-tag) - |kubectl apply -f -
namespace "bot" created
deployment "voter" created
namespace "bot" configured
service "emojivoto" created
deployment "absentee-voter" created

4. Confirm that the normal voter is able to contact emojivoto directly:

:; kubectl -n bot exec -c vote-bot voter-75859db8f9-sgg9l  -i -t bash
root@voter-75859db8f9-sgg9l:/# curl -vso /dev/null web-svc.emojivoto.svc.cluster.local
* Rebuilt URL to: web-svc.emojivoto.svc.cluster.local/
* Hostname was NOT found in DNS cache
*   Trying 10.111.130.124...
* Connected to web-svc.emojivoto.svc.cluster.local (10.111.130.124) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: web-svc.emojivoto.svc.cluster.local
> Accept: */*
> 
< HTTP/1.1 200 OK
< content-type: text/html
< date: Tue, 17 Apr 2018 17:23:56 GMT
< content-length: 560
< 
{ [data not shown]
* Connection #0 to host web-svc.emojivoto.svc.cluster.local left intact

5. Confirm the absentee-voter pod is able to resolve the ExternalName, emojivoto.

:; kubectl -n bot exec -c vote-bot absentee-voter-84c6dbc745-4mhwk  -i -t bash
root@absentee-voter-84c6dbc745-4mhwk:/# dig +showsearch emojivoto

; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> +showsearch emojivoto
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16995
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;emojivoto.bot.svc.cluster.local. IN	A

;; ANSWER SECTION:
emojivoto.bot.svc.cluster.local. 30 IN	CNAME	web-svc.emojivoto.svc.cluster.local.
web-svc.emojivoto.svc.cluster.local. 30	IN A	10.111.130.124

;; Query time: 6 msec
;; SERVER: 10.96.0.10#53(10.96.0.10)
;; WHEN: Tue Apr 17 17:25:34 UTC 2018
;; MSG SIZE  rcvd: 97

6. The absentee-voter pod is not able to contact emojivoto:

root@absentee-voter-84c6dbc745-4mhwk:/# curl -vso /dev/null emojivoto
* Rebuilt URL to: emojivoto/
* Hostname was NOT found in DNS cache
*   Trying 10.111.130.124...
* Connected to emojivoto (10.111.130.124) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: emojivoto
> Accept: */*
> 
< HTTP/1.1 500 Internal Server Error
< content-length: 0
< Date: Tue, 17 Apr 2018 17:26:59 GMT
< 
* Connection #0 to host emojivoto left intact

Configs are here

[olix0r]

appears to cause some connectivity issues in a test i ran

[briansmith]

Thanks @olix0r for providing detailed testing instructions. Sorry I didn't indicate when I submitted the PR that it wasn't yet working.

The problem is that the abstract_ns/ns_dns_tokio/domain crates don't support CNAME entries. There are other limitations of those crates, e.g. they don't support /etc/hosts either.

I have a PR that switches the DNS resolution in the proxy from the ns_dns_tokio crate to Trust-DNS. However, that PR can't be submitted until some bugs I found in Trust-DNS are fixed. I am working with the Trust-DNS maintainer on those now; I'm planning to review the PRs for the fixes when they are ready. Then I will submit a PR to switch to Trust-DNS and then we can continue with this PR.

[briansmith]

@olix0r Please review (approve) this again. I verified that your example works now, with no changes to this PR, after #834 was merged.

[olix0r]

thanks!