Merge pull request #3800 from telepresenceio/thallgren/recursion-check-config

Make the DNS recursion check configurable and turn it off by default.

Author: thallgren

CHANGELOG.yml

@@ -90,6 +90,12 @@ items:
         body: >-
           The output of the `telepresence list` command will now include the workload kind (deployment, replicaset,
           statefulset, or rollout) in all entries.
+      - type: change
+        title: Make the DNS recursion check configurable and turn it off by default.
+        body: >-
+          Very few systems experience a DNS recursion lookup problem. It can only occur when the cluster runs locally
+          and the cluster's DNS is configured to somehow use DNS server that is started by Telepresence. The check
+          is therefore now configurable through the client setting `dns.recursionCheck`, and it is `false` by default.
       - type: change
         title: Trigger the mutating webhook with Kubernetes eviction objects instead of patching workloads.
         body: >-

docs/release-notes.md

@@ -72,6 +72,12 @@ namespaceSelector:
 The output of the `telepresence list` command will now include the workload kind (deployment, replicaset, statefulset, or rollout) in all entries.
 </div>
 
+## <div style="display:flex;"><img src="images/change.png" alt="change" style="width:30px;height:fit-content;"/><div style="display:flex;margin-left:7px;">Make the DNS recursion check configurable and turn it off by default.</div></div>
+<div style="margin-left: 15px">
+
+Very few systems experience a DNS recursion lookup problem. It can only occur when the cluster runs locally and the cluster's DNS is configured to somehow use DNS server that is started by Telepresence. The check is therefore now configurable through the client setting `dns.recursionCheck`, and it is `false` by default.
+</div>
+
 ## <div style="display:flex;"><img src="images/change.png" alt="change" style="width:30px;height:fit-content;"/><div style="display:flex;margin-left:7px;">Trigger the mutating webhook with Kubernetes eviction objects instead of patching workloads.</div></div>
 <div style="margin-left: 15px">
 

docs/release-notes.mdx

@@ -68,6 +68,10 @@ namespaceSelector:
 	<Title type="feature">List output includes workload kind.</Title>
 	<Body>The output of the `telepresence list` command will now include the workload kind (deployment, replicaset, statefulset, or rollout) in all entries.</Body>
 </Note>
+<Note>
+	<Title type="change">Make the DNS recursion check configurable and turn it off by default.</Title>
+	<Body>Very few systems experience a DNS recursion lookup problem. It can only occur when the cluster runs locally and the cluster's DNS is configured to somehow use DNS server that is started by Telepresence. The check is therefore now configurable through the client setting `dns.recursionCheck`, and it is `false` by default.</Body>
+</Note>
 <Note>
 	<Title type="change">Trigger the mutating webhook with Kubernetes eviction objects instead of patching workloads.</Title>
 	<Body>Instead of patching workloads, or scaling the workloads down to zero and up again, Telepresence will now create policy/v1 Eviction objects to trigger the mutating webhook. This causes a slight change in the traffic-manager RBAC. The `patch` permissions are no longer needed. Instead, the traffic-manager must be able to create "pod/eviction" objects.</Body>

integration_test/inject_policy_test.go

@@ -9,6 +9,8 @@ import (
 	"sync"
 	"time"
 
+	labels2 "k8s.io/apimachinery/pkg/labels"
+
 	"github.com/datawire/dlib/dlog"
 	"github.com/telepresenceio/telepresence/v2/integration_test/itest"
 	"github.com/telepresenceio/telepresence/v2/pkg/agentconfig"
@@ -105,14 +107,22 @@ func (is *installSuite) TestInjectPolicy() {
 }
 
 func (is *installSuite) applyMultipleServices(svcCount int) {
-	is.applyOrDeleteMultipleServices(svcCount, is.ApplyTemplate, true)
+	is.applyOrDeleteMultipleServices(svcCount, is.ApplyTemplate)
+	// And check that all pods receive a traffic-agent
+	is.Eventually(func() bool {
+		pods := itest.RunningPodsSelector(is.Context(), is.AppNamespace(), labels2.SelectorFromSet(map[string]string{
+			"multi-service-test": "inject",
+		}))
+		dlog.Infof(is.Context(), "pod count %d, expected %d", len(pods), svcCount)
+		return len(pods) == svcCount
+	}, 120*time.Second, 5*time.Second)
 }
 
 func (is *installSuite) deleteMultipleServices(svcCount int) {
-	is.applyOrDeleteMultipleServices(svcCount, is.DeleteTemplate, false)
+	is.applyOrDeleteMultipleServices(svcCount, is.DeleteTemplate)
 }
 
-func (is *installSuite) applyOrDeleteMultipleServices(svcCount int, applyOrDelete func(context.Context, string, any), wait bool) {
+func (is *installSuite) applyOrDeleteMultipleServices(svcCount int, applyOrDelete func(context.Context, string, any)) {
 	ctx := is.Context()
 	wg := sync.WaitGroup{}
 	wg.Add(svcCount)
@@ -128,10 +138,10 @@ func (is *installSuite) applyOrDeleteMultipleServices(svcCount int, applyOrDelet
 				Annotations: map[string]string{
 					agentconfig.InjectAnnotation: "enabled",
 				},
+				Labels: map[string]string{
+					"multi-service-test": "inject",
+				},
 			})
-			if wait {
-				is.NoError(is.RolloutStatusWait(ctx, "deploy/"+svc))
-			}
 		}()
 	}
 	wg.Wait()
@@ -181,6 +191,7 @@ func (is *installSuite) Test_MultiOnDemandInjectOnApply() {
 
 	// First install the traffic-manager
 	is.TelepresenceHelmInstallOK(ctx, false)
+	time.Sleep(3 * time.Second)
 	defer func() {
 		is.UninstallTrafficManager(ctx, is.ManagerNamespace())
 		is.Eventually(func() bool {

integration_test/injector_test.go

@@ -18,43 +18,12 @@ import (
 // injection of a traffic-agent.
 // See ticket https://github.com/telepresenceio/telepresence/issues/3441 for more info.
 func (s *singleServiceSuite) Test_InterceptOperationRestoredAfterFailingInject() {
-	if !s.ClientIsVersion(">2.21.x") {
-		s.T().Skip("Not part of compatibility tests.")
+	if s.ClientIsVersion("<2.22.0") && s.ManagerIsVersion(">=2.22.0") {
+		s.T().Skip("Not part of compatibility tests. Clients < 2.22.0 cannot uninstall agents with traffic-manager >= 2.22.0")
 	}
 	ctx := s.Context()
 	rq := s.Require()
 
-	// Create an intercept and ensure that it lists as intercepted
-	stdout := itest.TelepresenceOk(ctx, "intercept", s.ServiceName(), "--mount=false")
-	rq.Contains(stdout, "Using Deployment "+s.ServiceName())
-	rq.Eventually(func() bool {
-		stdout, _, err := itest.Telepresence(ctx, "list", "--intercepts")
-		return err == nil && regexp.MustCompile(s.ServiceName()+`\s*: intercepted`).MatchString(stdout)
-	}, 12*time.Second, 3*time.Second)
-
-	// Leave the intercept. We are now 100% sure that an agent is present in the
-	// pod.
-	itest.TelepresenceOk(ctx, "leave", s.ServiceName())
-
-	// Break the TLS by temporally disabling the agent-injector service. We do this by the port of the
-	// service that the webhook is calling.
-	portRestored := false
-	wh := "agent-injector-webhook-" + s.ManagerNamespace()
-	pmf := `{"webhooks":[{"name": "agent-injector-%s.getambassador.io", "clientConfig": {"service": {"name": "agent-injector", "port": %d}}}]}`
-	rq.NoError(itest.Kubectl(ctx, s.ManagerNamespace(), "patch", "mutatingwebhookconfiguration", wh,
-		"--patch", fmt.Sprintf(pmf, s.ManagerNamespace(), 8443)))
-
-	// Restore the webhook port when this test ends in case an error occurred that prevented it
-	defer func() {
-		if !portRestored {
-			s.NoError(itest.Kubectl(ctx, s.ManagerNamespace(), "patch", "mutatingwebhookconfiguration", wh,
-				"--patch", fmt.Sprintf(pmf, s.ManagerNamespace(), 443)))
-		}
-	}()
-
-	// Uninstall the agent.
-	itest.TelepresenceOk(ctx, "uninstall", s.ServiceName())
-
 	oneContainer := func() bool {
 		pods := itest.RunningPodNames(ctx, s.ServiceName(), s.AppNamespace())
 		if len(pods) != 1 {
@@ -80,11 +49,31 @@ func (s *singleServiceSuite) Test_InterceptOperationRestoredAfterFailingInject()
 		return false
 	}
 
-	// Verify that the pod has no agent
-	rq.Eventually(oneContainer, 30*time.Second, 3*time.Second)
+	// Ensure that agent is uninstalled.
+	so, se, err := itest.Telepresence(ctx, "uninstall", s.ServiceName())
+	// We don't care if it succeeds, but the output and error might be of interest when debugging.
+	dlog.Debugf(ctx, "stdout: %s, stderr %s, err: %v", so, se, err)
+
+	rq.Eventually(oneContainer, 60*time.Second, 3*time.Second)
+
+	// Break the TLS by temporally disabling the agent-injector service. We do this by the port of the
+	// service that the webhook is calling.
+	wh := "agent-injector-webhook-" + s.ManagerNamespace()
+	pmf := `{"webhooks":[{"name": "agent-injector-%s.getambassador.io", "clientConfig": {"service": {"name": "agent-injector", "port": %d}}}]}`
+	rq.NoError(itest.Kubectl(ctx, s.ManagerNamespace(), "patch", "mutatingwebhookconfiguration", wh,
+		"--patch", fmt.Sprintf(pmf, s.ManagerNamespace(), 8443)))
+	portRestored := false
+
+	// Restore the webhook port when this test ends in case an error occurred that prevented it
+	defer func() {
+		if !portRestored {
+			s.NoError(itest.Kubectl(ctx, s.ManagerNamespace(), "patch", "mutatingwebhookconfiguration", wh,
+				"--patch", fmt.Sprintf(pmf, s.ManagerNamespace(), 443)))
+		}
+	}()
 
 	// Now try to intercept. This attempt will timeout because the agent is never injected.
-	_, _, err := itest.Telepresence(ctx, "intercept", s.ServiceName(), "--mount=false")
+	_, _, err = itest.Telepresence(ctx, "intercept", s.ServiceName(), "--mount=false")
 	// Wait for the intercept call to return. It must return an error.
 	rq.Error(err)
 
@@ -97,7 +86,7 @@ func (s *singleServiceSuite) Test_InterceptOperationRestoredAfterFailingInject()
 	portRestored = true
 
 	// Verify that intercept works OK again.
-	stdout = itest.TelepresenceOk(ctx, "intercept", s.ServiceName(), "--mount=false")
+	stdout := itest.TelepresenceOk(ctx, "intercept", s.ServiceName(), "--mount=false")
 	rq.Contains(stdout, "Using Deployment "+s.ServiceName())
 	rq.Eventually(func() bool {
 		stdout, _, err := itest.Telepresence(ctx, "list", "--intercepts")

integration_test/install_test.go

@@ -66,6 +66,9 @@ func (is *installSuite) AmendSuiteContext(ctx context.Context) context.Context {
 }
 
 func (is *installSuite) Test_UpgradeRetainsValues() {
+	if is.ClientIsVersion("<2.22.0") && !is.ManagerVersion().EQ(is.ClientVersion()) {
+		is.T().Skip("Not part of compatibility tests. Client < 2.22.0 cannot handle helm --version flag.")
+	}
 	ctx := is.Context()
 	rq := is.Require()
 	is.TelepresenceHelmInstallOK(ctx, false, "--set", "logLevel=debug")
@@ -86,7 +89,7 @@ func (is *installSuite) Test_UpgradeRetainsValues() {
 	oldValues, err := getValues()
 	rq.NoError(err)
 	args := []string{"helm", "upgrade", "--namespace", is.ManagerNamespace()}
-	if !(is.ManagerVersion().EQ(is.ClientVersion()) || is.ManagerVersion().LT(version.Structured)) {
+	if !is.ManagerVersion().EQ(is.ClientVersion()) {
 		args = append(args, "--version", is.ManagerVersion().String())
 	}
 
@@ -130,6 +133,9 @@ func (is *installSuite) Test_UpgradeRetainsValues() {
 }
 
 func (is *installSuite) Test_HelmTemplateInstall() {
+	if !(is.ManagerVersion().EQ(version.Structured) && is.ClientVersion().EQ(version.Structured)) {
+		is.T().Skip("Not part of compatibility tests. PackageHelmChart assumes current version.")
+	}
 	ctx := is.Context()
 	require := is.Require()
 

integration_test/itest/cluster.go

@@ -29,6 +29,7 @@ import (
 	"github.com/stretchr/testify/require"
 	core "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/labels"
 	k8sruntime "k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/client-go/tools/clientcmd/api"
@@ -52,7 +53,9 @@ import (
 )
 
 const (
-	TestUser = "telepresence-test-developer"
+	purposeLabel       = "tp-cli-testing"
+	AssignPurposeLabel = "purpose=" + purposeLabel
+	TestUser           = "telepresence-test-developer"
 )
 
 type Cluster interface {
@@ -285,7 +288,12 @@ func (s *cluster) Initialize(ctx context.Context) context.Context {
 	}
 
 	s.ensureQuit(ctx)
-	_ = Run(ctx, "kubectl", "delete", "ns", "-l", "purpose=tp-cli-testing")
+	s.ensureNoManager(ctx)
+	_ = Run(ctx, "kubectl", "delete", "ns", "-l", AssignPurposeLabel)
+	_ = Run(ctx, "kubectl", "delete", "-f", filepath.Join("testdata", "k8s", "client_rbac.yaml"))
+	_ = Run(ctx, "kubectl", "delete", "ns", "-l", AssignPurposeLabel)
+	_ = Run(ctx, "kubectl", "delete", "pv", "-l", AssignPurposeLabel)
+	_ = Run(ctx, "kubectl", "delete", "storageclass", "-l", AssignPurposeLabel)
 	return ctx
 }
 
@@ -345,9 +353,10 @@ func (s *cluster) tearDown(ctx context.Context) {
 	if s.kubeConfig != "" {
 		ctx = WithWorkingDir(ctx, GetOSSRoot(ctx))
 		_ = Run(ctx, "kubectl", "delete", "-f", filepath.Join("testdata", "k8s", "client_rbac.yaml"))
-		_ = Run(ctx, "kubectl", "delete", "--wait=false", "ns", "-l", "purpose=tp-cli-testing")
-		_ = Run(ctx, "kubectl", "delete", "--wait=false", "pv", "-l", "purpose=tp-cli-testing")
-		_ = Run(ctx, "kubectl", "delete", "--wait=false", "storageclass", "-l", "purpose=tp-cli-testing")
+		_ = Run(ctx, "kubectl", "delete", "--wait=false", "ns", "-l", AssignPurposeLabel)
+		_ = Run(ctx, "kubectl", "delete", "--wait=false", "pv", "-l", AssignPurposeLabel)
+		_ = Run(ctx, "kubectl", "delete", "--wait=false", "storageclass", "-l", AssignPurposeLabel)
+		_ = Run(ctx, "kubectl", "delete", "--wait=false", "mutatingwebhookconfigurations", "-l", AssignPurposeLabel)
 	}
 }
 
@@ -359,6 +368,22 @@ func (s *cluster) ensureQuit(ctx context.Context) {
 	_ = rmAsRoot(ctx, socket.RootDaemonPath(ctx))
 }
 
+func (s *cluster) ensureNoManager(ctx context.Context) {
+	out, err := Output(ctx, "helm", "list", "-A", "--output", "json")
+	t := getT(ctx)
+	require.NoError(t, err)
+	var es []map[string]any
+	err = json.Unmarshal([]byte(out), &es)
+	require.NoError(t, err)
+	ix := slices.IndexFunc(es, func(v map[string]any) bool {
+		return v["name"] == "traffic-manager"
+	})
+	if ix >= 0 {
+		e := es[ix]
+		t.Fatalf("%s is already installed in namespace %s. Please uninstall before testing.", e["chart"], e["namespace"])
+	}
+}
+
 // PodCreateTimeout will return a timeout suitable for operations that create pods.
 // This is longer when running against clusters that scale up nodes on demand for new pods.
 func PodCreateTimeout(c context.Context) time.Duration {
@@ -910,7 +935,7 @@ func CreateNamespaces(ctx context.Context, namespaces ...string) {
 		go func(ns string) {
 			defer wg.Done()
 			assert.NoError(t, Kubectl(ctx, "", "create", "namespace", ns), "failed to create namespace %q", ns)
-			assert.NoError(t, Kubectl(ctx, "", "label", "namespace", ns, "purpose="+purposeLabel, fmt.Sprintf("app.kubernetes.io/name=%s", ns)))
+			assert.NoError(t, Kubectl(ctx, "", "label", "namespace", ns, AssignPurposeLabel, fmt.Sprintf("app.kubernetes.io/name=%s", ns)))
 		}(ns)
 	}
 	wg.Wait()
@@ -1089,7 +1114,11 @@ func WithKubeConfig(ctx context.Context, cfg *api.Config) context.Context {
 }
 
 func RunningPods(ctx context.Context, svc, ns string) []core.Pod {
-	out, err := KubectlOut(ctx, ns, "get", "pods", "-o", "json", "--field-selector", "status.phase==Running", "-l", "app="+svc)
+	return RunningPodsSelector(ctx, ns, labels.SelectorFromSet(map[string]string{"app": svc}))
+}
+
+func RunningPodsSelector(ctx context.Context, ns string, selector labels.Selector) []core.Pod {
+	out, err := KubectlOut(ctx, ns, "get", "pods", "-o", "json", "--field-selector", "status.phase==Running", "-l", selector.String())
 	if err != nil {
 		getT(ctx).Log(err.Error())
 		return nil

integration_test/itest/helm.go

@@ -310,6 +310,9 @@ func (s *cluster) TelepresenceHelmInstall(ctx context.Context, upgrade bool, set
 		// Give the manager time to perform rollouts, listen to telepresence-agents configmap, etc.
 		time.Sleep(2 * time.Second)
 	}
+	if err != nil {
+		return "", err
+	}
 	return logFileName, nil
 }
 

integration_test/itest/namespace.go

@@ -96,8 +96,6 @@ func WithNamespacePair(ctx context.Context, suffix string, f func(NamespacePair)
 	})
 }
 
-const purposeLabel = "tp-cli-testing"
-
 func (s *nsPair) setup(ctx context.Context) bool {
 	CreateNamespaces(ctx, s.AppNamespace(), s.Namespace)
 	t := getT(ctx)

integration_test/itest/template.go

@@ -29,6 +29,7 @@ type ServicePort struct {
 type Generic struct {
 	Name           string
 	Annotations    map[string]string
+	Labels         map[string]string
 	Environment    []core.EnvVar
 	TargetPort     string
 	ServicePorts   []ServicePort

integration_test/multiple_intercepts_test.go

@@ -68,6 +68,17 @@ func (s *multipleInterceptsSuite) TearDownSuite() {
 			cancel()
 		}
 	}
+	// Ensure that we have OK statuses on our services after leaving the intercept.
+	s.Eventually(func() bool {
+		stdout := itest.TelepresenceOk(ctx, "-n", s.AppNamespace(), "list")
+		for i := 0; i < s.ServiceCount(); i++ {
+			rx := regexp.MustCompile(fmt.Sprintf(`%s-%d\s*: ready to (engage|intercept)`, s.Name(), i))
+			if !rx.MatchString(stdout) {
+				return false
+			}
+		}
+		return true
+	}, 30*time.Second, 2*time.Second)
 }
 
 func (s *multipleInterceptsSuite) Test_Intercepts() {

integration_test/multiple_services_test.go

@@ -49,9 +49,9 @@ func (s *multipleServicesSuite) Test_LargeRequest() {
 		s.TelepresenceConnect(s.Context())
 	}()
 
-	const sendSize = 1024 * 1024 * 16
+	const sendSize = 1024 * 1024 * 12
 	const varyMax = 1024 * 1024 * 4 // vary last 4Mi
-	const concurrentRequests = 100
+	const concurrentRequests = 64
 
 	tb := [sendSize + varyMax]byte{}
 	tb[0] = '!'

integration_test/testdata/k8s/generic.goyaml

@@ -41,6 +41,9 @@ spec:
     metadata:
       labels:
         app: {{ .Name }}
+{{- with .Labels }}
+  {{- toYaml . | nindent 8 }}
+{{- end}}
 {{- with .Annotations }}
       annotations:
   {{- toYaml . | nindent 8 }}