Fix potential port conflict

This change has been tested by the promenade resiliency gate. This adds configuration for which ports to use for the tiller container in the bootstrap-armada pod, and changes the defaults to be outside of `net.ipv4.ip_local_port_range`, since the apiserver container in this pod dynamically selects ports in that range to connect to etcd, which can cause conflicts. See [0] for an example. By default, since we're no longer using the standard tiller ports, this does mean that we cannot connect to this tiller instance (before it's replaced by the chart-based instance) via the helm CLI, until it supports overriding the tiller port to connect to, however this should be relatively soon [1]. [0]: https://github.com/helm/helm/issues/4886 [1]: https://github.com/helm/helm/pull/5590 Change-Id: Ief11411f079db27489e6974c028f6b7a16bb67bf
2019-05-14 14:17:11 -05:00 · 2019-05-14 14:17:11 -05:00 · 7517d3161c
parent b4e34e12e1
commit 7517d3161c
3 changed files with 25 additions and 3 deletions
--- a/doc/source/configuration/genesis.rst
+++ b/doc/source/configuration/genesis.rst
@ -25,6 +25,9 @@ Here is a complete sample document:
      ip: 192.168.77.10
      armada:
        target_manifest: cluster-bootstrap
+      tiller:
+        listen: 24134
+        probe_listen: 24135
      labels:
        static:
          - calico-etcd=enabled
--- a/promenade/schemas/Genesis.yaml
+++ b/promenade/schemas/Genesis.yaml
@ -99,6 +99,14 @@ data:
        auxiliary_threshold:
          type: integer
      additionalProperties: false
+    tiller:
+      type: object
+      properties:
+        listen:
+          type: integer
+        probe_listen:
+          type: integer
+      additionalProperties: false

    files:
      type: array
--- a/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml
+++ b/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml
@ -1,3 +1,9 @@
+{# By default, use tiller ports outside of `net.ipv4.ip_local_port_range` to
+   avoid conflicts with apiserver connections to etcd, see [0].
+   [0]: https://github.com/helm/helm/issues/4886
+#}
+{% set tiller_listen = config['Genesis:tiller.listen'] | default(24134) %}
+{% set tiller_probe_listen = config['Genesis:tiller.probe_listen'] | default(24135) %}
 ---
 apiVersion: v1
 kind: Pod
@ -17,6 +23,10 @@ spec:
      image: {{ config['Genesis:images.helm.tiller'] }}
      command:
        - /tiller
+        - -listen
+        - ":{{ tiller_listen }}"
+        - -probe-listen
+        - ":{{ tiller_probe_listen }}"
        - -logtostderr
        - -v
        - "5"
@ -25,7 +35,7 @@ spec:
        failureThreshold: 3
        httpGet:
          path: /liveness
-          port: 44135
+          port: {{ tiller_probe_listen }}
          scheme: HTTP
        initialDelaySeconds: 1
        periodSeconds: 10
@ -33,14 +43,14 @@ spec:
        timeoutSeconds: 1
      name: tiller
      ports:
-      - containerPort: 44134
+      - containerPort: {{ tiller_listen }}
        name: tiller
        protocol: TCP
      readinessProbe:
        failureThreshold: 3
        httpGet:
          path: /readiness
-          port: 44135
+          port: {{ tiller_probe_listen }}
          scheme: HTTP
        initialDelaySeconds: 1
        periodSeconds: 10
@ -65,6 +75,7 @@ spec:
                      apply \
                      --target-manifest {{ config.get_path('Genesis:armada.target_manifest', 'cluster-bootstrap') }} \
                      --tiller-host 127.0.0.1 \
+                      --tiller-port {{ tiller_listen }} \
                      /etc/genesis/armada/assets/manifest.yaml &>> "${ARMADA_LOGFILE}"; then
                  break
              fi