[Search] Implement gRPC and mTLS #527
Conversation
MCK 1.6.0 Release NotesNew Features
Bug Fixes
|
fealebenpae force-pushed the fealebenpae/search-grpc branch from 5cc67a1 to 3ec055e Compare 
| | ||
| serviceBuilder.AddPort(&corev1.ServicePort{ | ||
| Name: "mongot", | ||
| Name: "mongot-wireproto", |
There was a problem hiding this comment.
could we add service port only if we force wireproto?
| }, | ||
| } | ||
| if search.IsWireprotoForced() { | ||
| config.Server.Wireproto = &mongot.ConfigWireproto{ |
There was a problem hiding this comment.
so this is not mutually exclusive with grpc?
There was a problem hiding this comment.
mongot can run both at the same time. I opted to always enable the gRPC server and only conditionally enable the wireproto server if the annotation is present - the annotation also controls whether the mongot address we generate in mongod's config uses grpc or wireproto. We could only enable one at a time, but to be honest I don't know whether we should: the wireproto endpoint will go away eventually and gRPC will be the only one left.
| }, | ||
| }, | ||
| TLS: &mongot.ConfigWireprotoTLS{ | ||
| Mode: mongot.ConfigTLSModeDisabled, |
There was a problem hiding this comment.
why TLS disabled in wireproto?
There was a problem hiding this comment.
Wireproto and Grpc always start out with TLS disabled in createMongotConfig(). The mongot config modifications in ensureIngressTlsConfig() and ensureEgressTlsConfig() populate the TLS config structures.
| | ||
| | ||
| @mark.e2e_search_community_tls | ||
| def test_validate_tls_connections(mdbc: MongoDBCommunity, mdbs: MongoDBSearch, namespace: str, issuer_ca_filepath: str): |
There was a problem hiding this comment.
we don't attempt to validate connections here anymore?
There was a problem hiding this comment.
I wasn't able to find a simple way to call the gRPC service in mongot from Python that didn't involve a lot of boilerplate, so I opted to remove this altogether.
| DataPath: searchcontroller.MongotDataPath, | ||
| }, | ||
| Server: mongot.ConfigServer{ | ||
| Wireproto: &mongot.ConfigWireproto{ |
There was a problem hiding this comment.
Should we still keep a wireproto test as long as it is possible to enabled it?
| } | ||
| | ||
| r.watch.AddWatchedResourceIfNotAdded(searchSource.KeyfileSecretName(), mdbSearch.Namespace, watch.Secret, mdbSearch.NamespacedName()) | ||
| if mdbSearch.IsWireprotoForced() { |
There was a problem hiding this comment.
Instead of all these if statements, would it make sense to abstract the wireproto stuff away in a struct and then it's also easier to just remove it.
| "searchIndexManagementHostAndPort": mongotHostAndPort(search), | ||
| "skipAuthenticationToSearchIndexManagementServer": false, | ||
| "searchTLSMode": string(searchTLSMode), | ||
| "useGrpcForSearch": !search.IsWireprotoForced(), |
There was a problem hiding this comment.
What is the meaning of this, don't we always enable this by default?
There was a problem hiding this comment.
The server doesn't enable useGrpcForSearch by default, no. We enable it only when the force-wireproto annotation is not set, but in essenceuseGrpcForSearch will be turned on by default, unless the annotation requests otherwise.
…grpc # Conflicts: # controllers/searchcontroller/mongodbsearch_reconcile_helper.go
3 participants
Summary
Proof of Work
Checklist
skip-changeloglabel if not needed