rpk: use redpanda.admin if rpk.admin_api is nil #6955
src/go/rpk/pkg/config/params.go
Outdated
defer func() { r.AdminAPI.Addresses = addrs }() | ||
if len(addrs) == 0 && len(c.Redpanda.AdminAPI) > 0 { | ||
for _, adminAPI := range c.Redpanda.AdminAPI { | ||
addrs = append(addrs, net.JoinHostPort(adminAPI.Address, strconv.Itoa(adminAPI.Port))) |
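Review bot: the loop over c.Redpanda.AdminAPI appends every configured listener in file order, with no check on whether adminAPI.Address is something a client can dial. A listener bound to 0.0.0.0, or one with an empty Address, produces a host:port that is not a usable target, so normalise or skip those before net.JoinHostPort and order the result so the listener rpk is most likely to reach comes first. The deferred write to r.AdminAPI.Addresses also hides the data flow; a plain assignment after the loop would be easier to follow.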
This should probably have a preference about what listener to use.
The admin API can have mTLS on a per-listener basis: if someone has configured an insecure listener on 127.0.0.1, then that is probably the one that rpk wants to use.
If we want to go this route, we can use https://pkg.go.dev/net#IP.IsPrivate and sort that one first.
src/go/rpk/pkg/config/params.go
Outdated
if len(addrs) == 0 && len(c.Redpanda.AdminAPI) > 0 { | ||
// We want to order the admin API addresses by: | ||
// localhost -> loobpack -> private -> public. | ||
var localhost, loopback, private, public []string |
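Review bot: the ordering comment misspells loopback as "loobpack", and it does not say what separates the localhost bucket from the loopback bucket (the literal hostname versus a loopback IP?), which a reader needs in order to predict the result. The four slices also classify by address alone; if listeners can differ in their TLS requirements, the comment should state whether that is applied before or after this ordering.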
The address order looks right, I would recommend also ordering non-mTLS endpoints first
addressed -- non-TLS is sorted first, and if we see any non-TLS, we avoid TLS listeners entirely
LGTM, looks like there is a go linter complaining though
Previously, rpk would use rpk.admin_api.addresses to communicate with the admin API; if that field wasn't set, rpk would use the default 127.0.0.1:9644. That's a problem if we are running on a non-default port or address. Now, rpk will use redpanda.admin _if_ rpk.admin_api.addresses is not set.
The prior commits introduce behavior to use redpanda.admin if rpk.admin_api is empty. We previously had this same behavior for rpk.kafka_api, but this only used redpanda.kafka_api[0]. We abstract the logic from the previous commit (and have an authn => no authn helper) to make using the prior commit just as simple for brokers. We also do *not* use TLS listeners if we have any non-TLS listeners: rpk likely cannot fill client certs, and they may not be on the host. The expected behavior is that a person ssh's into the node and then runs rpk; localhost non-TLS communication will work. The new abstraction is well set up for when we add support for pandaproxy and schemaregistry to rpk, both of which use the same types. This adds testing for all this behavior as well.
Improving on the prior commit, we also now prefer tls over mtls. *If* we have to use tls, we are more likely able to communicate with brokers that do not require client certs (because we cannot set up client certs).
admin api's PrometheusMetrics actually requires one host to send to (i.e. you must pick the one host you want metrics from). Our tests previously passed because rpk.admin_api was empty and then we used the default 127.0.0.1:9644. The tests now failed because redpanda.admin was non-empty and we picked all three brokers in it. Because we favor the most-likely-accessible host first, we can just pick the first host in the config.
See embedded comment. A server listening on 0.0.0.0 is not an IP we can dial, but it does result in us being able to dial 127.0.0.1.
Failure: #6745
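The listener preference described in the commit messages above (plaintext before TLS before mTLS, localhost -> loopback -> private -> public, 0.0.0.0 dialed as 127.0.0.1), as an added example that is not rpk's own code. The Listener type, rank and PreferredAddrs are hypothetical names, and ranking authn ahead of locality when only TLS listeners remain is an assumption.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
)

// Listener is a hypothetical stand-in for one redpanda.admin or kafka_api entry.
type Listener struct {
	Host  string
	Port  int
	Authn int // 0 = plaintext, 1 = TLS, 2 = mTLS (client cert required)
}

// rank is lower for listeners to try first; authn before locality is assumed.
func rank(l Listener) int {
	ip, loc := net.ParseIP(l.Host), 3 // 3 = public IP or unclassified hostname
	switch {
	case l.Host == "localhost":
		loc = 0
	case ip.IsLoopback():
		loc = 1
	case ip.IsPrivate():
		loc = 2
	}
	return l.Authn*4 + loc
}

// PreferredAddrs returns dial order; TLS is dropped if any plaintext exists.
func PreferredAddrs(in []Listener) []string {
	ls := append([]Listener(nil), in...)
	for i := range ls {
		if ls[i].Host == "0.0.0.0" { // bind-all is not dialable; loopback is
			ls[i].Host = "127.0.0.1"
		}
	}
	sort.SliceStable(ls, func(i, j int) bool { return rank(ls[i]) < rank(ls[j]) })
	var addrs []string
	for _, l := range ls {
		if l.Authn == 0 || ls[0].Authn > 0 { // ls[0] is the least-authn listener
			addrs = append(addrs, net.JoinHostPort(l.Host, strconv.Itoa(l.Port)))
		}
	}
	return addrs
}

// main prints the order for a constructed config: mTLS private, plaintext bind-all.
func main() { fmt.Println(PreferredAddrs([]Listener{{"10.0.0.5", 9644, 2}, {"0.0.0.0", 9645, 0}})) }
```

Under this rule a plaintext listener on a public address still displaces every TLS listener, so the resulting list is worth comparing against what the node is meant to expose.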
Cover letter
Previously, rpk would use rpk.admin_api.addresses to communicate with the admin API; if that field wasn't set, rpk would use the default 127.0.0.1:9644.
That's a problem if we are running on a non-default port or address. Now, rpk will use redpanda.admin if rpk.admin_api.addresses is not set.
Fixes #2752, Fixes #6860
Backport Required
UX changes
Let's say you have this config file:
Running rpk cluster health will give you an error like this:
The above happened because rpk will use the default host:port instead of using the one set in the redpanda.admin property; now, rpk will use redpanda.admin (1.2.3.4:9645) in this same scenario.
Release notes
Improvements
redpanda.admin in the redpanda.yaml file if rpk.admin_api.addresses is empty.
redpanda.kafka_api in the redpanda.yaml file if rpk.kafka_api.brokers is empty