Introduce CLI commands to troubleshoot connectivity issues to the etcd kvstore and clustermesh control plane #32336
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
6ea0617 to
ca28045
Compare
|
/test |
This was referenced May 3, 2024
We shouldn't import testing code into production code, as it can lead to unexpected side effects due to e.g., init functions. Let's address this by hard-coding the "PolicyEnforcement" constant, rather than importing it. This is consistent with the same usage as part of the "config" command. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
ca28045 to
c0ce4d3
Compare
|
/test |
It is intended to be used by CLI tools to retrieve the configuration files of all remote clusters in a given directory, to be used, e.g., for troubleshooting purposes. While being there, let's also replace the path package with the filepath one, which is more appropriate in this context, and it would allow to theoretically handle Windows paths as well. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Troubleshooting etcd connectivity issues, regardless of whether to the
Cilium kvstore or to a remote cluster, is a complex activity, as issues
can concern network connectivity, TLS certificates mismatch, authn/authz
policies and so on.
As an effort to simplify this process, let's introduce a new utility
responsible for performing a set of sanity checks, and outputting the
result in a user-friendly way. This utility is intended to be then
leveraged by dedicated CLI commands integrated with the various
components. More in detail, this utility performs the following
operations:
* Asserts that the etcd configuration can be correctly parsed;
* For each endpoint:
- Outputs the DNS resolution;
- Assert that the endpoint is reachable at the network level (i.e.,
that a TCP connection can be successfully established);
- When https is enabled, asserts that a TLS connection can be correctly
established to the endpoint (i.e., that the provided certificates
are valid); the check includes both server and client (if enabled)
authentication; additionally outputs TLS specific information;
- Outputs the version of the endpoint, as returned by GET /version;
* Outputs information regarding Root CAs and client certificates, if
configured; additionally checks whether the client certificate is
valid according to the root CAs;
* Asserts that the etcd client can correctly establish a connection;
* Asserts that the heartbeat key can be retrieved, as a basic
authorization check.
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Introduce two new cilium-dbg commands, namely "troubleshoot kvstore" and "troubleshoot clustermesh", responsible for running a set of sanity checks to help troubleshoot etcd connectivity issues, covering network connectivity, TLS authentication, authn/authz policies and so on. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
As useful to troubleshoot kvstore and clustermesh issues. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Extend the clustermesh-apiserver binary with a new clustermesh-dbg troubleshoot subcommand, responsible for running a set of sanity checks to help troubleshoot etcd connectivity issues, covering network connectivity, TLS authentication, authn/authz policies and so on. The command can be invoked through something along the lines of: $ kubectl exec -it -n kube-system deploy/clustermesh-apiserver -c apiserver \ -- clustermesh-apiserver clustermesh-dbg troubleshoot Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Introduce a new troubleshoot subcommand to "clustermesh-apiserver kvstoremesh-dbg", responsible for running a set of sanity checks to help troubleshoot etcd connectivity issues, covering network connectivity, TLS authentication, authn/authz policies and so on. The command can be invoked through something along the lines of: $ kubectl exec -it -n kube-system deploy/clustermesh-apiserver -c kvstoremesh \ -- clustermesh-apiserver kvstoremesh-dbg troubleshoot [--include-local] Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
c0ce4d3 to
041321b
Compare
|
/test |
thorn3r
approved these changes
May 8, 2024
This was referenced Jun 8, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Troubleshooting etcd connectivity issues, regardless of whether to the Cilium kvstore or to a remote cluster, is a complex activity, as issues can concern network connectivity, TLS certificates mismatch, authn/authz policies and so on.
As an effort to simplify this process, let's introduce new CLI commands part of the Cilium agent, clustermesh-apiserver and kvstoremesh responsible for performing a set of sanity checks, and outputting the result in a user-friendly way:
cilium troubleshoot kvstore: troubleshoot connectivity towards the Cilium etcd kvstore;cilium troubleshoot clustermesh [clusters...]: troubleshoot connectivity towards remote clusters (the check can be optionally limited to the specified cluster names);kubectl exec -it -n kube-system deploy/clustermesh-apiserver -c apiserver -- clustermesh-apiserver clustermesh-dbg troubleshoot: troubleshoot the clutermesh-apiserver connectivity to the local etcd kvstore;kubectl exec -it -n kube-system deploy/clustermesh-apiserver -c kvstoremesh -- clustermesh-apiserver kvstoremesh-dbg troubleshoot [--include-local] [clusters...]: troubleshoot the kvstoremesh connectivity to the local etcd kvstore and remote clusters (the check can be optionally limited to the specified cluster names);Example output of
cilium troubleshoot clustermeshin case of success is:Failure examples (providing only the relevant snippet for brevity) include:
I've marked this PR for backport to all stable branches as it qualifies as
Debug tool improvements, and it doesn't introduce risks considering that it includes CLI changes only.Documentation changes and the collection of clustermesh-apiserver information as part of the sysdump will be addressed in follow-up PRs.
Fixes: #30937