infrahq / helm-charts Goto Github PK

In some cases the infra connector pod is deployed on a node that may be removed while downscaling a cluster with cluster autoscaler. If possible Infra should include default annotations or taints to avoid scheduling this pod on nodes that are prone to being removed, as this may incur temporary downtime

We can have more than one connector pod running, but have no control over where this is placed in the cluster. We should have the option to define antiaffinity rules to ensure that the pods are on separate nodes, and ideally separate zones from each other.

If I find some time, I'm willing to contribute this change.

I tried increasing the log level to debug using the commented block in values.yaml but the logger never got set to debug.
https://github.com/infrahq/helm-charts/blob/main/charts/infra-server/values.yaml#L93

The output from kubectl describe pods -n infra-server infra-server-6cd74df587-6rlcf suggest that the log level gets set via the --log-level command arg instead.

Containers:
  server:
    Container ID:  containerd://9888f8cdc463554b5a8188644e977e3d6932d9a4a5406355b413bc0d9cc0fda5
    Image:         infrahq/infra:0.21.0
    Image ID:      docker.io/infrahq/infra@sha256:4ad59e72091ef27c733a197157f55d463f1b5908f11004abed143fab1969d889
    Ports:         8080/TCP, 8443/TCP, 9090/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP
    Args:
      server
      -f
      /etc/infrahq/infra.yaml
      --log-level
      info
    State:          Running
      Started:      Fri, 14 Apr 2023 10:13:54 +0200
    Ready:          True
    Restart Count:  0
    Liveness:       http-get http://:http/healthz delay=10s timeout=1s period=10s #success=1 #failure=3
    Readiness:      http-get http://:http/healthz delay=10s timeout=1s period=10s #success=1 #failure=3
    Environment:
      INFRA_LOG_LEVEL:           debug
      INFRA_SERVER_DB_PASSWORD:  <set to the key 'password' in secret 'infra-server-postgres'>  Optional: false

Is your feature request related to a problem? Please describe.

When working in self-hosted environment, we route all traffic through ingress controller. The nodes are unaccessible on NodePort nor LoadBalancer provisioner is available. Setting service type to ClusterIP makes the destination point to internal cluster IP.

Describe the solution you'd like

Allow for configuring custom destination address, eg. infrahq.cluster.domain:443.

Describe alternatives you've considered

Installing LoadBalancer provisioner, exposing NodePort

Environment Details

$ infra version
 Client: 0.21.0

$ kubectl version
Client Version: v1.28.2
Server Version: v1.28.0

Self-hosted cluster

Additional context

Probably already possible via endpointAdds (https://github.com/infrahq/infra/blob/main/dev/connector.yaml#L12C1-L12C1) just not exposed in values.yaml

The configuration for an external database as explained in the README does not seem to work:

---
config:
  dbHost: postgres.example.com
  dbPort: 5432
  dbName: mydatabase
  dbUsername: myusername
  dbPassword: env:POSTGRES_DB_PASSWORD

server:
  env:
    - name: POSTGRES_DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: mypassword

Starting the server with an accordingly prepared secret does not work (bad credentials). This does not occur when inserting the password into the values.yaml directly:

config:
  ...
  dbPassword: <somePassword>

It seems the server does not evaluate the prefix env: in order to use the mentioned environment variable instead of a string literal.

As of Kubernetes 1.24, service accounts no longer create token secrets by default, causing connector install to fail.