Comments (11)
marcofranssen
commented on August 22, 2024
Spire-controller-manager can't be separated unfortunately as it needs access to the spire-server.sock.
We might do a trick to run it just on one of the replicas until spire-controller-manager has another way of connecting to the server.sock or maybe we can do a trick with a nodeSelector to always run it on the same node as one of the spire-server instances 🤔 .
from helm-charts.
drewwells
commented on August 22, 2024
Create a leader election so only one operates.
from helm-charts.
marcofranssen
commented on August 22, 2024
Could you file an issue for that on the spire-controller-manager repo and reference it here?
from helm-charts.
kfox1111
commented on August 22, 2024
Statefulset can support HA. So, that part isnt strictly needed.
External db should work with one of the ha database charts/operators.
While not ideal, I believe the controller-manager already does locking in its current config.
So, I think its possible today to build a usable HA configuration with the chart as is.
from helm-charts.
drewwells
commented on August 22, 2024
If you change replica > 1 today, spire server stops working. We need better HA support. In general, spire-server needs to move towards stateless operation without bagge of a controller or sqlite. Moving to a deployment w/replicaset encourages that.
from helm-charts.
kfox1111
commented on August 22, 2024
Could you please provide some more detail? how does things stop working?
from helm-charts.
drewwells
commented on August 22, 2024
A integration test would be a better way to prove it does work. I don't know the details, but replica>1 caused outage on our cluster.
from helm-charts.
kfox1111
commented on August 22, 2024
+1 to more tests...
But I'm not seeing brokenness. More details please:
$ kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-787d4945fb-ssw2p 1/1 Running 0 2m59s
kube-system etcd-minikube 1/1 Running 0 3m11s
kube-system kube-apiserver-minikube 1/1 Running 0 3m13s
kube-system kube-controller-manager-minikube 1/1 Running 0 3m12s
kube-system kube-proxy-45r5k 1/1 Running 0 2m59s
kube-system kube-scheduler-minikube 1/1 Running 0 3m12s
kube-system storage-provisioner 1/1 Running 0 3m11s
mysql mysql-0 1/1 Running 0 2m41s
spire-system spire-agent-47tvn 1/1 Running 0 105s
spire-system spire-server-0 2/2 Running 0 105s
spire-system spire-server-1 2/2 Running 0 78s
spire-system spire-server-2 2/2 Running 0 67s
spire-system spire-server-test-connection 0/1 Completed 0 44s
spire-system spire-spiffe-csi-driver-xsn8d 2/2 Running 0 105s
spire-system spire-spiffe-oidc-discovery-provider-c679d5556-mmqnf 2/2 Running 0 105s
spire-system spire-spiffe-oidc-discovery-provider-test-connection 0/3 Completed 0 37s
spire-system spire-spiffe-oidc-discovery-provider-test-keys 0/1 Completed 0 33s
NOTES:
Installed spire…
+ helm test --namespace spire-system spire
NAME: spire
LAST DEPLOYED: Mon Aug 28 14:07:47 2023
NAMESPACE: spire-system
STATUS: deployed
REVISION: 1
TEST SUITE: spire-spiffe-oidc-discovery-provider-test-connection
Last Started: Mon Aug 28 14:08:55 2023
Last Completed: Mon Aug 28 14:08:59 2023
Phase: Succeeded
TEST SUITE: spire-spiffe-oidc-discovery-provider-test-keys
Last Started: Mon Aug 28 14:08:59 2023
Last Completed: Mon Aug 28 14:09:22 2023
Phase: Succeeded
TEST SUITE: spire-server-test-connection
Last Started: Mon Aug 28 14:08:48 2023
Last Completed: Mon Aug 28 14:08:55 2023
Phase: Succeeded
from helm-charts.
marcofranssen
commented on August 22, 2024
@drewwells Could you have a look at either the postgres or the mysql example?
Using that example you should be able to increase the number of replicas.
Please let us know if that works. Hopefully that helps figuring out the difference with your current attempt. Based on that we might find a way to prevent the misconfiguration in this chart.
from helm-charts.
drewwells
commented on August 22, 2024
Regardless of database, my concern is running multiple spire-controller-managers. The first comment noted that a spire-controller-manager ticket was needed here. Unless there are plans to build consensus across multiple stateful pods like etcd can do, we should drop the statefulset and use a deployment.
from helm-charts.
kfox1111
commented on August 22, 2024
The spire-controller-manager itself takes a Kubernetes lock to prevent multiple from acting at once. So, I believe that part is working today.
The statefulset is currently required to persist the intermediate CA's for the individual server. If the statefulset members are spread across multiple nodes using antiaffinity, it should still be HA.
from helm-charts.
Related Issues (20)
- cert manager upstream has inconsistent casing
- pre-delete failure
- spire-server + tests selector HOT 1
- oidc is invalid when jwtIssuer includes protocol
- ClusterSPIFFEID CR is included when CRD is found in the chart HOT 10
- Poorly named property in upstream-spire-agent / spire-agent HOT 3
- Create a second kind of tiered deployment that has the upstream agent co-deployed in the spire-server Pod
- Cannot control deployment of sub charts in error avoiding patterns
- FAQ
- Uninstalling CSI Driver orphans all pods using the csidriver HOT 10
- ACTION REQUIRED: Changes to pulling Chainguard Images HOT 7
- No use of example.org HOT 1
- Setup and document the weekly meeting recordings. HOT 1
- spire-oidc does not start if federatesWith contains a down federated endpoint HOT 7
- New image has to be added to update-tags script
- Upgrade tests
- We should review the migration of the PR for the Getting Started Documentation into the helm-charts project. HOT 1
- New documentation tool does not combine the docs from dependency charts in README.md
- 1.8 -> 1.9 changes
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from helm-charts.