consul-k8s

Append random suffix to global.name value to avoid collisions across client K8s clusters

Open david-yu opened this issue 3 years ago • 0 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Is your feature request related to a problem? Please describe.

Currently when deploying Consul K8s on client K8s clusters within the same datacenter, a unique global.name value must be used for each Consul K8s installation. Otherwise, as described in Single Consul Datacenter in Multiple Kubernetes clusters, the Helm chart will use the same prefix for all ACL resources that it creates, such as tokens and auth methods, across all clusters. If the global.name values are the same on all K8s clusters, the Helm installation in subsequent clusters will clobber existing ACL resources.

An example is shown below for the bootstrap ACL token when global.name is set to consul:

consul-723xd-consul-bootstrap-acl-token

instead of

consul-consul-bootstrap-acl-token

Feature Description

It would be possible to avoid such collisions by appending a suffix to the global.name value for all ACL resources it creates. If the resource name needs to be a valid DNS name, then it would have a max char limit of 63 (examples are shown here: Which kubernetes identifiers have to be at most 63 characters?), then perhaps a different strategy to avoid collisions would be required (i.e. completely randomized global.name values).

Use Case(s)

Service Mesh for multi-K8s. Currently the workaround is to ensure manually that global.name is unique on each Consul K8s install on K8s.

Contributions

david-yu, Dec 07 '21 23:12
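
A sketch of the suffixing idea from the feature description, added here as an example and not taken from the consul-k8s chart or from the issue author. `RandomSuffix` and `SuffixedName` are hypothetical names, and trimming the base name to stay within the 63-character limit is an assumption about how the limit could be handled.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"regexp"
	"strings"
)

const maxLabelLen = 63 // DNS-1123 label limit

var dns1123Label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// RandomSuffix returns n lowercase alphanumeric characters (hypothetical
// helper; the slight modulo bias is irrelevant for collision avoidance).
func RandomSuffix(n int) (string, error) {
	const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	for i, b := range buf {
		buf[i] = alphabet[int(b)%len(alphabet)]
	}
	return string(buf), nil
}

// SuffixedName builds "<base>-<suffix>-<kind>", trimming only the base so the
// suffix and kind survive and the result still fits in one DNS label.
func SuffixedName(base, suffix, kind string) (string, error) {
	tail := "-" + suffix + "-" + kind
	room := maxLabelLen - len(tail)
	if room < 1 {
		return "", fmt.Errorf("suffix and kind leave no room for a base name")
	}
	if len(base) > room {
		base = base[:room]
	}
	name := strings.TrimRight(base, "-") + tail
	if !dns1123Label.MatchString(name) {
		return "", fmt.Errorf("%q is not a valid DNS-1123 label", name)
	}
	return name, nil
}

func main() {
	suffix, _ := RandomSuffix(5)
	fmt.Println(SuffixedName("consul", suffix, "consul-bootstrap-acl-token"))
}
```

The suffix would have to be generated once per installation and persisted, since regenerating it on every upgrade would orphan the ACL resources created under the previous name.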