Add the option to patch consul to expose TCP DNS via `hostPort` and enable in gstg

Graeme Gillies requested to merge ggillies/consul-add-hostPort-dns into master

Part of gitlab-org/gitlab#271575 (closed)

Through investigation of this issue, what we wished to attempt to do was configure our application to only talk to the consul pod running on the same node as the webservice/sidekiq pod itself, in order to rule out traffic to consul going to pods that were on nodes being scaled down.

We attempted this initially using a NodePort service, but forgot the critical factor that NodePort services still sit on ClusterIPs, and thus even if you talk to the NodePort on the same host you are running your pod on, it will still be routed to a random pod anywhere.

The correct solution for this is to expose the port we are interested in (DNS TCP) using the hostPort option on the pod spec itself. This is usually frowned upon, as once you use hostPorts, you can't run multiple copies of the same pod on the node (due to 2 processes trying to listen on the same port), but as consul is a daemonset, we don't have this problem (and it's already using hostPorts for other ports).

The chart does not allow us to configure this option, so we will leverage helmfile's built-in patching functionality to add what we need.
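Added example (not from this merge request or the consul chart): a helmfile release entry that uses helmfile's `strategicMergePatches` support to add a `hostPort` for the DNS TCP port to the consul client DaemonSet without modifying the chart. The DaemonSet name `consul-consul` and container name `consul` are assumptions about how the chart names its objects; port 8600 is Consul's default DNS port. Check the rendered manifest (`helmfile template`) against your chart version before relying on these names.

```yaml
# helmfile.yaml (excerpt) - assumed release name and chart source
releases:
  - name: consul
    namespace: consul
    chart: hashicorp/consul
    values:
      - consul-values.yaml
    # Strategic merge patch applied by helmfile to the rendered manifests.
    # Kustomize merges the containers list by name and the ports list by
    # containerPort, so only the matching entry is updated.
    strategicMergePatches:
      - apiVersion: apps/v1
        kind: DaemonSet
        metadata:
          name: consul-consul        # assumed: "<release>-consul" naming in the chart
          namespace: consul
        spec:
          template:
            spec:
              containers:
                - name: consul       # assumed container name
                  ports:
                    - name: dns-tcp
                      containerPort: 8600   # Consul default DNS port
                      hostPort: 8600        # bind the same port on the node
                      protocol: TCP
```

Because consul is a DaemonSet, exactly one pod per node claims the host port, so the usual objection to `hostPort` (two replicas colliding on one node) does not apply. A client pod can then reach the local agent at the node address, which it can obtain via the downward API (`fieldRef: status.hostIP`) instead of a Service VIP; this is what keeps the request from being load-balanced to an agent on another node. On CNI-based clusters the node-side mapping is provided by the `portmap` plugin, so confirm it is enabled, and verify the result from a pod on the same node with `dig +tcp -p 8600 @<node-ip> consul.service.consul`.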
