Simple K8s API discovery method (#68)

* Simple K8s API discovery method
* Need to synchronize access to discovered
* Support for discovering nodes as well as services
* Add all tests for K8s API
* Update README

Co-Authored-By: "Gavin Heavyside" <[email protected]>

Author: relistan

README.md

@@ -165,7 +165,7 @@ Defaults are in bold at the end of the line:
    **info**
  * `SIDECAR_LOGGING_FORMAT`: Logging format to use (text, json) **text**
  * `SIDECAR_DISCOVERY`: Which discovery backends to use as a csv array
-   (static, docker) **`[ docker ]`**
+   (static, docker, kubernetes_api) **`[ docker ]`**
  * `SIDECAR_SEEDS`: csv array of IP addresses used to seed the cluster.
  * `SIDECAR_CLUSTER_NAME`: The name of the Sidecar cluster. Restricts membership
    to hosts with the same cluster name.
@@ -226,6 +226,13 @@ Defaults are in bold at the end of the line:
  * `ENVOY_GRPC_PORT`: The port for the Envoy API gRPC server **`7776`**
 
 
+ * `KUBE_API_IP`: The IP address at which to reach the Kubernetes API **`127.0.0.1`**
+ * `KUBE_API_PORT`: The port to use to contact the Kubernetes API **`8080`**
+ * `NAMESPACE`: The namespace against which we should do discovery **`default`**
+ * `KUBE_TIMEOUT`: How long until we time out calling the Kube API? **`3s`**
+ * `CREDS_PATH`: Where do we find the token file containing API auth credentials?
+   **`/var/run/secrets/kubernetes.io/serviceaccount`**
+
 ### Ports
 
 Sidecar requires both TCP and UDP protocols be open on the port configured via
@@ -235,14 +242,14 @@ protocol (Memberlist) runs on.
 
 ## Discovery
 
-Sidecar supports both Docker-based discovery and a discovery mechanism where
-you publish services into a JSON file locally, called "static". These can then
-be advertised as running services just like they would be from a Docker host.
-These are configured with the `SIDECAR_DISCOVERY` environment variable. Using
-both would look like:
+Sidecar supports Docker-based discovery, a discovery mechanism where you
+publish services into a JSON file locally, called "static", and from the
+Kubernetes API. These can then be advertised as running services just like they
+would be from a Docker host. These are configured with the `SIDECAR_DISCOVERY`
+environment variable. Using all of them would look like:
 
 ```bash
-export SIDECAR_DISCOVERY=static,docker
+export SIDECAR_DISCOVERY=static,docker,kubernetes_api
 ```
 
 Zero or more options may be supplied. Note that if nothing is in this section,
@@ -396,6 +403,20 @@ web UI.
 
 A further example is available in the `fixtures/` directory used by the tests.
 
+### Configuring Kubernetes API Discovery
+
+This method of discovery will enale you to bridge together an existing Sidecar
+cluster with a Kubernetes cluster that will make services availabel to the
+Sidecar cluster. It will announce all of the Kubernetes services that it finds
+available and map them to a port in the 30000+ range, with the expectation
+being that your have configured services to run with a NodePort in that range.
+
+This is most useful for transitioning services from one cluster to another. You
+can run one or more Sidecar instances per Kubernetes cluster and they will show
+up like services exported from other discovery mechanisms with the exception
+that version information is not passed. The environment variables for
+configuring the behavior of this discovery method are described above.
+
 Sidecar Events and Listeners
 ----------------------------
 

config/config.go

@@ -39,20 +39,22 @@ type ServicesConfig struct {
 }
 
 type SidecarConfig struct {
-	ExcludeIPs           []string      `envconfig:"EXCLUDE_IPS" default:"192.168.168.168"`
-	Discovery            []string      `envconfig:"DISCOVERY" default:"docker"`
-	StatsAddr            string        `envconfig:"STATS_ADDR"`
-	PushPullInterval     time.Duration `envconfig:"PUSH_PULL_INTERVAL" default:"20s"`
-	GossipMessages       int           `envconfig:"GOSSIP_MESSAGES" default:"15"`
-	GossipInterval       time.Duration `envconfig:"GOSSIP_INTERVAL" default:"200ms"`
-	HandoffQueueDepth    int           `envconfig:"HANDOFF_QUEUE_DEPTH" default:"1024"`
-	LoggingFormat        string        `envconfig:"LOGGING_FORMAT"`
-	LoggingLevel         string        `envconfig:"LOGGING_LEVEL" default:"info"`
-	DefaultCheckEndpoint string        `envconfig:"DEFAULT_CHECK_ENDPOINT" default:"/version"`
-	Seeds                []string      `envconfig:"SEEDS"`
-	ClusterName          string        `envconfig:"CLUSTER_NAME" default:"default"`
-	AdvertiseIP          string        `envconfig:"ADVERTISE_IP"`
-	BindPort             int           `envconfig:"BIND_PORT" default:"7946"`
+	ExcludeIPs             []string      `envconfig:"EXCLUDE_IPS" default:"192.168.168.168"`
+	Discovery              []string      `envconfig:"DISCOVERY" default:"docker"`
+	StatsAddr              string        `envconfig:"STATS_ADDR"`
+	PushPullInterval       time.Duration `envconfig:"PUSH_PULL_INTERVAL" default:"20s"`
+	GossipMessages         int           `envconfig:"GOSSIP_MESSAGES" default:"15"`
+	GossipInterval         time.Duration `envconfig:"GOSSIP_INTERVAL" default:"200ms"`
+	HandoffQueueDepth      int           `envconfig:"HANDOFF_QUEUE_DEPTH" default:"1024"`
+	LoggingFormat          string        `envconfig:"LOGGING_FORMAT"`
+	LoggingLevel           string        `envconfig:"LOGGING_LEVEL" default:"info"`
+	DefaultCheckEndpoint   string        `envconfig:"DEFAULT_CHECK_ENDPOINT" default:"/version"`
+	Seeds                  []string      `envconfig:"SEEDS"`
+	ClusterName            string        `envconfig:"CLUSTER_NAME" default:"default"`
+	AdvertiseIP            string        `envconfig:"ADVERTISE_IP"`
+	BindPort               int           `envconfig:"BIND_PORT" default:"7946"`
+	Debug                  bool          `envconfig:"DEBUG" default:"false"`
+	DiscoverySleepInterval time.Duration `envconfig:"DISCOVERY_SLEEP_INTERVAL" default:"1s"`
 }
 
 type DockerConfig struct {
@@ -63,10 +65,19 @@ type StaticConfig struct {
 	ConfigFile string `envconfig:"CONFIG_FILE" default:"static.json"`
 }
 
+type K8sAPIConfig struct {
+	KubeAPIIP   string        `envconfig:"KUBE_API_IP" default:"127.0.0.1"`
+	KubeAPIPort int           `envconfig:"KUBE_API_PORT" default:"8080"`
+	Namespace   string        `envconfig:"NAMESPACE" default:"default"`
+	KubeTimeout time.Duration `envconfig:"KUBE_TIMEOUT" default:"3s"`
+	CredsPath   string        `envconfig:"CREDS_PATH" default:"/var/run/secrets/kubernetes.io/serviceaccount"`
+}
+
 type Config struct {
 	Sidecar         SidecarConfig      // SIDECAR_
 	DockerDiscovery DockerConfig       // DOCKER_
 	StaticDiscovery StaticConfig       // STATIC_
+	K8sAPIDiscovery K8sAPIConfig       // K8S_
 	Services        ServicesConfig     // SERVICES_
 	HAproxy         HAproxyConfig      // HAPROXY_
 	Envoy           EnvoyConfig        // ENVOY_
@@ -80,6 +91,7 @@ func ParseConfig() *Config {
 		envconfig.Process("sidecar", &config.Sidecar),
 		envconfig.Process("docker", &config.DockerDiscovery),
 		envconfig.Process("static", &config.StaticDiscovery),
+		envconfig.Process("k8s", &config.K8sAPIDiscovery),
 		envconfig.Process("services", &config.Services),
 		envconfig.Process("haproxy", &config.HAproxy),
 		envconfig.Process("envoy", &config.Envoy),

discovery/fixtures/bad-fixture/token

@@ -0,0 +1 @@
+this would be a token

discovery/fixtures/ca.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPDCCAiQCCQCKqd63pT0THjANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJn
+YjEPMA0GA1UECAwGTG9uZG9uMQ8wDQYDVQQHDAZMb25kb24xFjAUBgNVBAoMDUNv
+bW11bml0eS5jb20xFjAUBgNVBAMMDWNvbW11bml0eS5jb20wIBcNMjIxMTIyMTEy
+MzQ1WhgPMzAyMjAzMjUxMTIzNDVaMF8xCzAJBgNVBAYTAmdiMQ8wDQYDVQQIDAZM
+b25kb24xDzANBgNVBAcMBkxvbmRvbjEWMBQGA1UECgwNQ29tbXVuaXR5LmNvbTEW
+MBQGA1UEAwwNY29tbXVuaXR5LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAKO3y1q/ELzfZ4vaLptkxy45RNLSgGwE63J6kXSjfsyGLoOg4ZHaqbWX
+y/7EsLeHKI1kzj9qV0ygaexbTgAfTKBQZoXxHgMuGMCQRy/SSlNHwG4W7IkJ+bFf
+hja2KDleY26ROq1vbTODu50408Mm50c5ynU05Qcu/jDGcHkM6dkb93T7aKzWLAgf
+aKxtAnYuHq2MvI+y3E0Qeqo78aaoRYw6L2WSn6xGQoKjStdCb1vRb5xX8Ed8kUDf
+cWY6EhsA3dUb+5vBEIhwnzkojJyeCteG//mWrd52ntMoFooEKvcXrFZj70kVJgYo
+V7yDNv6SraIxfXIDlsyY+w8wtGDmNX0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
+L4UyZ2IwGq0HFhephmEHc+3NX2tpEIyjKaDdd2VnDKDNgJfXRjzaV4PxrPzlsN3H
+unrpRGLzjIy+PVUjhKOpoMzZDdGAXSu6Zpi4wlZ8PdFJbD+CM7WEQGJNytbO6nkW
+r5RvlWGFrR52DB5XqyVTwfGr4ugI0C0H0dyfJOVn67m6gqZnntJ9dAHCFPbRKFxo
+JrO2Rdx1ZimxVKkK+Gs7bqjmx1Mj4GBm/NOGVwdMBDGWb57dFXnh93xxFnruQ1QR
+lXu6dYfcmewOyLDc5WmFXzsGzhSDjPmHi7BjpTbRaQ4h32J0Rv9/9R3mivC7nflt
+lztQHTUAk1+on3ARvoERWQ==
+-----END CERTIFICATE-----

discovery/fixtures/token

@@ -0,0 +1 @@
+this would be a token

discovery/kubernetes_api_discovery.go

@@ -0,0 +1,147 @@
+package discovery
+
+import (
+	"encoding/json"
+	"sync"
+	"time"
+
+	"github.com/NinesStack/sidecar/service"
+	"github.com/relistan/go-director"
+	log "github.com/sirupsen/logrus"
+)
+
+// A K8sAPIDiscoverer is a discovery mechanism that assumes that a K8s cluster
+// with be fronted by a load balancer and that all the ports exposed will match
+// up on both the load balancer and the backing pods. It relies on an underlying
+// command to run the discovery. This is normally `kubectl`.
+type K8sAPIDiscoverer struct {
+	Namespace string
+
+	Command K8sDiscoveryAdapter
+
+	discoveredSvcs  *K8sServices
+	discoveredNodes *K8sNodes
+	lock            sync.RWMutex
+}
+
+// NewK8sAPIDiscoverer returns a properly configured K8sAPIDiscoverer
+func NewK8sAPIDiscoverer(kubeHost string, kubePort int, namespace string, timeout time.Duration, credsPath string) *K8sAPIDiscoverer {
+
+	cmd := NewKubeAPIDiscoveryCommand(kubeHost, kubePort, namespace, timeout, credsPath)
+
+	return &K8sAPIDiscoverer{
+		discoveredSvcs:  &K8sServices{},
+		discoveredNodes: &K8sNodes{},
+		Namespace:       namespace,
+		Command:         cmd,
+	}
+}
+
+// Services implements part of the Discoverer interface and looks at the last
+// cached data from the Command (`kubectl`) and returns services in a format
+// that Sidecar can manage.
+func (k *K8sAPIDiscoverer) Services() []service.Service {
+	k.lock.RLock()
+	defer k.lock.RUnlock()
+
+	// Enumerate all the K8s nodes we discovered, and for each one, emit all the
+	// services that we separately discovered. This means we will attempt to hit
+	// the NodePort for each of the nodes when looking for this service.
+	var services []service.Service
+	for _, node := range k.discoveredNodes.Items {
+		hostname, ip := getIPHostForNode(&node)
+
+		for _, item := range k.discoveredSvcs.Items {
+			svc := service.Service{
+				ID:        item.Metadata.UID,
+				Name:      item.Metadata.Labels.ServiceName,
+				Image:     item.Metadata.Labels.ServiceName + ":kubernetes-hosted",
+				Created:   item.Metadata.CreationTimestamp,
+				Hostname:  hostname,
+				ProxyMode: "http",
+				Status:    service.ALIVE,
+				Updated:   time.Now().UTC(),
+			}
+			for _, port := range item.Spec.Ports {
+				svc.Ports = append(svc.Ports, service.Port{
+					Type:        "tcp",
+					Port:        int64(port.NodePort),
+					ServicePort: int64(port.Port),
+					IP:          ip,
+				})
+			}
+			services = append(services, svc)
+		}
+	}
+
+	return services
+}
+
+func getIPHostForNode(node *K8sNode) (hostname string, ip string) {
+	for _, address := range node.Status.Addresses {
+		if address.Type == "InternalIP" {
+			ip = address.Address
+		}
+
+		if address.Type == "Hostname" {
+			hostname = address.Address
+		}
+	}
+
+	return hostname, ip
+}
+
+// HealthCheck implements part of the Discoverer interface and returns the
+// built-in AlwaysSuccessful check, on the assumption that the underlying load
+// balancer we are pointing to will have already health checked the service.
+func (k *K8sAPIDiscoverer) HealthCheck(svc *service.Service) (string, string) {
+	return "AlwaysSuccessful", ""
+}
+
+// Listeners implements part of the Discoverer interface and always returns
+// an empty list because it doesn't make sense in this context.
+func (k *K8sAPIDiscoverer) Listeners() []ChangeListener {
+	return []ChangeListener{}
+}
+
+// Run is part of the Discoverer interface and calls the Command in a loop,
+// which is injected as a Looper.
+func (k *K8sAPIDiscoverer) Run(looper director.Looper) {
+	looper.Loop(func() error {
+		data, err := k.getServices()
+		if err != nil {
+			log.Errorf("Failed to unmarshal services json: %s, %s", err, string(data))
+		}
+
+		data, err = k.getNodes()
+		if err != nil {
+			log.Errorf("Failed to unmarshal nodes json: %s, %s", err, string(data))
+		}
+
+		return nil
+	})
+}
+
+func (k *K8sAPIDiscoverer) getServices() ([]byte, error) {
+	data, err := k.Command.GetServices()
+	if err != nil {
+		log.Errorf("Failed to invoke K8s API discovery: %s", err)
+	}
+
+	k.lock.Lock()
+	err = json.Unmarshal(data, &k.discoveredSvcs)
+	k.lock.Unlock()
+	return data, err
+}
+
+func (k *K8sAPIDiscoverer) getNodes() ([]byte, error) {
+	data, err := k.Command.GetNodes()
+	if err != nil {
+		log.Errorf("Failed to invoke K8s API discovery: %s", err)
+	}
+
+	k.lock.Lock()
+	err = json.Unmarshal(data, &k.discoveredNodes)
+	k.lock.Unlock()
+	return data, err
+}