rpk: use redpanda.admin if rpk.admin_api is nil #6955
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
twmb
previously approved these changes
Oct 26, 2022
jcsp
reviewed
Oct 26, 2022
src/go/rpk/pkg/config/params.go
Outdated
| defer func() { r.AdminAPI.Addresses = addrs }() | ||
| if len(addrs) == 0 && len(c.Redpanda.AdminAPI) > 0 { | ||
| for _, adminAPI := range c.Redpanda.AdminAPI { | ||
| addrs = append(addrs, net.JoinHostPort(adminAPI.Address, strconv.Itoa(adminAPI.Port))) |
There was a problem hiding this comment.
This should probably have a preference about what listener to use.
The admin API can have mTLS on a per-listener basis: if someone has configured an insecure listener on 127.0.0.1, then that is probably the one that rpk wants to use.
There was a problem hiding this comment.
If we want to go this route, we can use https://pkg.go.dev/net#IP.IsPrivate and sort that one first.
There was a problem hiding this comment.
r-vasquez
force-pushed
the
discover-admin-api-in-redpanda
branch
from
f537704
to
1e169a5
Compare
|
r-vasquez
force-pushed
the
discover-admin-api-in-redpanda
branch
2 times, most recently
from
8d6c0f3
to
250cd13
Compare
jcsp
reviewed
Oct 26, 2022
src/go/rpk/pkg/config/params.go
Outdated
| if len(addrs) == 0 && len(c.Redpanda.AdminAPI) > 0 { | ||
| // We want to order the admin API addresses by: | ||
| // localhost -> loobpack -> private -> public. | ||
| var localhost, loopback, private, public []string |
There was a problem hiding this comment.
The address order looks right, I would recommend also ordering non-mTLS endpoints first
There was a problem hiding this comment.
addressed -- non-TLS is sorted first, and if we see any non-TLS, we avoid TLS listeners entirely
twmb
reviewed
Oct 27, 2022
twmb
reviewed
Oct 27, 2022
jcsp
previously approved these changes
Oct 27, 2022
twmb
force-pushed
the
discover-admin-api-in-redpanda
branch
2 times, most recently
from
b8e99b9
to
f551082
Compare
Previously rpk will use rpk.admin_api.addresses to communicate with admin API, if that field isn't set, rpk will use the default 127.0.0.1:9644 That's a problem if we are running in non-default port or address, now, rpk will use redpanda.admin _if_ rpk.admin_api.addresses is not set
jcsp
previously approved these changes
Oct 28, 2022
twmb
force-pushed
the
discover-admin-api-in-redpanda
branch
from
ee8ceb0
to
fe0f808
Compare
The prior commits introduce behavior to use redpanda.admin if rpk.admin_api is empty. We previously had this same behavior for rpk.kafka_api, but this only used redpanda.kafka_api[0]. We abstract the logic from the previous commit (and have a authn => no authn helper) to make using the prior commit just as simple for brokers. We also do *not* use TLS listeners if we have any non-TLS listeners: rpk likely cannot fill client certs, and they may not be on the host. The expected behavior is that a person ssh's into the node and then runs rpk; localhost non-TLS communication will work. The new abstraction is well setup for when we add support for pandaproxy and schemaregistry to rpk, both of which use the same types. This adds testing for all this behavior as well.
Improving on the prior commit, we also now prefer tls over mtls. *If* we have to use tls, we are more likely able to communicate with brokers that do not require client certs (because we cannot setup client certs).
admin api's PrometheusMetrics actually requires one host to send to (i.e. you must pick the one host you want metrics from). Our tests previously passed because rpk.admin_api was empty and then we used the default 127.0.0.1:9644. The tests now failed because redpanda.admin was non-empty and we picked all three brokers in it. Because we favor the most-likely-accessible host first, we can just pick the first host in the config.
See embedded comment. A server listening on 0.0.0.0 is not an IP we can dial, but it does result in us being able to dial 127.0.0.1.
|
Failure: #6745 |
twmb
approved these changes
Oct 28, 2022
This pull request was closed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Cover letter
Previously rpk will use rpk.admin_api.addresses to communicate with admin API, if that field isn't set, rpk will use the default 127.0.0.1:9644
That's a problem if we are running in non-default port or address, now, rpk will use redpanda.admin if rpk.admin_api.addresses is not set
Fixes #2752, Fixes #6860
Backport Required
UX changes
Let's say you have this config file:
Running
rpk cluster healthwill give you an error like this::The above happened because rpk will use the default host:port instead of using the one set in
redpanda.adminproperty, now, rpk will useredpanda.admin (1.2.3.4:9645)in this same scenario.Release notes
Improvements
redpanda.adminin the redpanda.yaml file ifrpk.admin_api.addressesis empty.redpanda.kafka_apiin the redpanda.yaml file ifrpk.kafka_api.brokersis empty