helm: let clustermesh-apiserver etcd listen on all IP addresses

[giorio94]

Currently, the sidecar etcd instance of the clustermesh-apiserver is explicitly configured to listen for client connections on localhost and the primary Pod IP (as reported by status.podIP). To this end, the Pod IP was enclosed in brackets, as that historically used to work properly both in case of IPv4 and IPv6 addresses. However, this is no longer the case starting from etcd v3.6.6, which is compiled using 1.24.10, in turn implementing a stricter validation forbidding to enclose IPv4 addresses in brackets [1,2], as not RFC compliant.

In order to bypass this problem, let's change the lister-client-urls parameter to listen on all IP addresses; this has the advantage of not requiring the brackets enclosing, and also enables listening on the secondary Pod IP address, if any. We configure 0.0.0.0 (rather than [::]) as the go implementation of Listen already automatically selects the IP family as appropriate [3]. Similarly, we also change listen-metrics-urls to listen on all IP addresses, hence including both localhost and possible secondary Pod IPs. Again, this is not expected to have any negative consequence.

Slightly trickier is the advertise-client-urls setting, which is supposed to advertise the addresses that clients can use to reach this replica. Yet, its value doesn't strictly matter in this context, given that the etcd cluster is composed of a single replica, and clients directly connect to it via the address provided as part of their configuration. Additionally, the provided values appear to be used only when auto synchronization is enabled [4,5], which is not in this case. Still, even advertising the pod IP was not fully correct there, as not directly reachable from remote clusters. Hence, let's just configure localhost instead, as a placeholder, given that the parameter is always required to be supplied.

Related: #42804 (comment)

[1]: https://go-review.googlesource.com/c/go/+/709838
[2]: https://go-review.googlesource.com/c/go/+/712142
[3]: https://cs.opensource.google/go/go/+/master:src/net/ipsock_posix.go;l=83-157?q=ipsock_posi
[4]:

cilium/vendor/go.etcd.io/etcd/client/v3/client.go

Lines 210 to 228 in f268660

	func (c *Client) autoSync() {
	if c.cfg.AutoSyncInterval == time.Duration(0) {
	return
	}
	for {
	select {
	case <-c.ctx.Done():
	return
	case <-time.After(c.cfg.AutoSyncInterval):
	ctx, cancel := context.WithTimeout(c.ctx, 5*time.Second)
	err := c.Sync(ctx)
	cancel()
	if err != nil && !errors.Is(err, c.ctx.Err()) {
	c.lg.Info("Auto sync endpoints failed.", zap.Error(err))
	}
	}
	}
	}

[5]:

cilium/vendor/go.etcd.io/etcd/client/v3/client.go

Lines 186 to 208 in f268660

	// Sync synchronizes client's endpoints with the known endpoints from the etcd membership.
	func (c *Client) Sync(ctx context.Context) error {
	mresp, err := c.MemberList(ctx)
	if err != nil {
	return err
	}
	var eps []string
	for _, m := range mresp.Members {
	if len(m.Name) != 0 && !m.IsLearner {
	eps = append(eps, m.ClientURLs...)
	}
	}
	// The linearizable `MemberList` returned successfully, so the
	// endpoints shouldn't be empty.
	verify.Verify(func() {
	if len(eps) == 0 {
	panic("empty endpoints returned from etcd cluster")
	}
	})
	c.SetEndpoints(eps...)
	c.lg.Debug("set etcd endpoints by autoSync", zap.Strings("endpoints", eps))
	return nil
	}

Change the sidecar etcd instance of the Cluster Mesh API Server listen on all IP addresses

[giorio94]

/ci-clustermesh

[giorio94]

/test

[marseel]

Taking into account that we will be facing the same issue of upgrading the Etcd on other minor versions (1.18,1.17,1.16) I would like to propose:

• Backport this PR to 1.18 to ensure that we use latest Etcd version on 1.18
• It will allow us to build up confidence that this change does not break anything 1.18
• Backport it in two-three months to 1.17 and 1.16

This will ensure that we are keeping Etcd version up to date on other minor versions as well. In case of any CVE, we would need to upgrade Etcd on other minor versions anyway. This sounds like reasonable trade off to make. WDYT?

[giorio94]

Taking into account that we will be facing the same issue of upgrading the Etcd on other minor versions (1.18,1.17,1.16) I would like to propose:

* Backport this PR to 1.18 to ensure that we use latest Etcd version on 1.18

* It will allow us to build up confidence that this change does not break anything 1.18

* Backport it in two-three months to 1.17 and 1.16

This will ensure that we are keeping Etcd version up to date on other minor versions as well. In case of any CVE, we would need to upgrade Etcd on other minor versions anyway. This sounds like reasonable trade off to make. WDYT?

As chatted offline, this plan makes total sense to me. Thanks!

[giorio94]

Backport it in two-three months to 1.17 and 1.16

PR updating the renovate configuration to not bump etcd in v1.16 and v1.17: #42847