Runtime resource discovery

[stefanmb]

WARNING: Some of this description is now obsolete (Jan26/2018)

What
This PR introduces automatic discovery of CustomResourceDefinitions (1.7+) and ThirdPartyResources (1.6) in a backwards compatible manner. Once this PR is implemented, the monitoring logic for these resources can be removed from kubernetes-deploy.

Motivation
Currently we are handling each resource type by adding a new subclass of KubernetesResource to handle its state (as per the documentation).

This approach makes sense for core resources, but is not scalable for CustomResourceDefinitions (and ThirdPartyResources) for multiple reasons:

• We are including logic to handle CRDs such as cloudsql and redis which are not open sourced.
• There is too tight a coupling between our buddy/controller framework (closed source) and k8s-deploy
• We cannot support 3rd party use cases unless they contribute a resource definition back to k8s-deploy - we cannot centralize all logic for all possible resources users may wish to implement.

The goals of the PR are:

• Automatically detect custom resources present in the cluster at deploy time
• Decouple the concern of determining a custom resource's status from k8s-deploy by enabling controllers to annotate resources with their respective statuses.
• Remain fully backward compatible so that controllers can be upgraded with annotation support incrementally, and the CloudSQL, Redis, etc subclasses of KubernetesResource can be removed one at a time.
• Support both TPR and CRD custom resources.

How
TODO

TODO
Update README file.

Review
cc: @Shopify/cloudplatform @KnVerey

[stefanmb]

Required for raw json support.

[stefanmb]

Required to parse out the custom status field.

[stefanmb]

This is thrown for Kubernetes < 1.7 - I am also open to either:

1. Eliminating this check and dropping support for < 1.7.
2. Making the check against the version number of the client/server.

[karanthukral]

Since we merged the server version check, maybe we can use that?

[KnVerey]

I think we should use a version check as Karan suggested. I also think that these discovery methods should be retried a couple times so we don't fail the deploy on server blips here.

[stefanmb]

Using a version check now.

[stefanmb]

I previously spoke about using meta-programming with @mkobetic. Since that time I've convinced myself this is the right approach.

We are modelling a class/instance relationship (resource definition vs resource instances). Each definition has specific properties shared by all instances (e.g. whether it's prunable, or its configured timeout). This information should be stored somewhere, since Ruby supports OOP it makes sense to generate classes that can contain the specific settings shared by all resources (instances).

[KnVerey]

DISCLAIMER: I've only worked with this kind of thing a couple times in the past, and I'm going to want to pull in another experienced Rubyist before we merge this PR.

Agreed, but I think we can take it a step further and make the generated classes "normal" rather than using class variables, by using class_eval. Here's a working example:

module ScratchPadEphemeral
  class DynamicParent
    require 'active_support/core_ext/class/subclasses'

    def self.define_child(child_name, child_type, some_bool)
      new_class = self.class_eval <<-STRING
        class #{child_name.capitalize} < DynamicParent
          def type
            '#{child_type}'
          end

          def some_bool
            #{some_bool}
          end
        end
      STRING
    end
  end
end

[35] pry(ScratchPadEphemeral):1> DynamicParent.define_child("foo", "test", true)
=> :some_bool
[36] pry(ScratchPadEphemeral):1> DynamicParent.define_child("bar", "test", false)
=> :some_bool
[37] pry(ScratchPadEphemeral):1> DynamicParent.subclasses
=> [ScratchPadEphemeral::DynamicParent::Bar, ScratchPadEphemeral::DynamicParent::Foo]
[38] pry(ScratchPadEphemeral):1> foo = DynamicParent::Foo.new
=> #<ScratchPadEphemeral::DynamicParent::Foo:0x007fd8e4106fe8>
[39] pry(ScratchPadEphemeral):1> foo.type
=> "test"
[40] pry(ScratchPadEphemeral):1> foo.some_bool
=> true

This should incidentally be more performant than define_method?, from what I've been told in the past.

[stefanmb]

Adopted this approach in the rewritten version, thanks.

[stefanmb]

We allow the CRD implementors to specify how the resources should be queried via arbitrary jsonpath to determine its status.

[stefanmb]

While we generate resource classes dynamically, we still need a way to map resource names to their classes.

[KnVerey]

It's very possible that I'm missing something, but I believe that if you use the class_eval technique I mentioned above, we can subclass from KubernetesResource as usual, and the existing lookup technique (KubernetesDeploy.const_defined?(definition["kind"])) should work.

[stefanmb]

This part has been re-written.

[stefanmb]

I've extracted this base class that represents a generic resource. This code is shared by several existing resources.

[KnVerey]

Hm, KubernetesResource (the superclass) is already kinda "generic resource", no? Should we simply change the defaults in that class to what you have here? Regardless, please extract this change to a separate PR. 😄

[stefanmb]

Removed.

[stefanmb]

This class allows k8s-deploy to monitor deployment of static custom resource definitions.

[stefanmb]

This class allows k8s-deploy to monitor deployment of static third party resource definitions.

[stefanmb]

This value cannot be memoized because we must refresh what CRD/TPRs are available on each invocation (even if it's during a single lifespan of ak8s-deploy process, for example if using this code as a library instead of a standalone executable during test).

[KnVerey]

Is that because we might have deployed CRDs? If we want to make that work, we should predeploy them before doing the discovery (or maybe just accept that this does not work for v1, since that'd be really complicated). Doing discovery every time we need to use the client sounds expensive. Alternatively, could we be using instances of this class and discarding them on every run?

[stefanmb]

Predeploying CRDs now, thanks.

[stefanmb]

Necessary when running without TPR support (k8s > 1.7) or without CRD support (k8s < 1.7).

[stefanmb]

This allows us to temporarily fall back to the custom classes in k8s-deploy if they are present for a given resource. This behaviour is useful for progressively moving the monitoring to the controllers and outside of this gem.

[KnVerey]

(irrelevant if we can make the instances direct subclasses of KubernetesResource, but...) Doesn't this end up covering the regular resources, i.e. is not temporary?

[stefanmb]

This is more explicit in the re-written version. If a matching (== kind) symbol exists in the k8s-deploy module it is used, otherwise a class is generated dynamically.

[stefanmb]

We may want to also override failure_message to read a custom message (and possibly fail fast), for example by introducing:

• (Optional) kubernetes-deploy.shopify.io/status-failed: The value that indicates unrecoverable failure.
• (Optional) kubernetes-deploy.shopify.io/status-failure-message-field: jsonpath query for detailed human-readable status message. Should be populated when status-failed is returned.

Any thoughts? @KnVerey

[ibawt]

instance vars that don't exist should still be falsey, just being explicit?

[stefanmb]

Just my Java/C#/C background. ;) Simplified, thanks!

[ibawt]

this is also a nop afaik

[ibawt]

unless you are resetting them

[stefanmb]

They should be reset each time we (re)discover.

[stefanmb]

cc: @kirs I'd like to hear your opinion on this PR as well please.

[stefanmb]

Rebased on master and addressed some cosmetic comments.

[devonboyer]

Kubernetes also uses yes for the value of a boolean annotation. These annotations are added to persistent volume claims once it is bound.

pv.kubernetes.io/bind-completed=yes
pv.kubernetes.io/bound-by-controller=yes

This should also look for yes.

[ibawt]

lets do ON, yes, true and 1 wdyt?

[devonboyer]

The value needs to be a string so "1" might get confusing.

[KnVerey]

FWIW this is what Rails (well, ActiveModel) does: https://github.com/rails/rails/blob/47eadb68bfcae1641b019e07e051aa39420685fb/activemodel/lib/active_model/type/boolean.rb#L17

[stefanmb]

Switched to ActiveModel, thanks!

[stefanmb]

This PR rebased pretty cleanly. I know you have a full plate, but when you get a chance I'd like to hear your thoughts @KnVerey, also with respect to #188 (comment).

[karanthukral]

LGTM!

👍 on the cleanup of the common code too

[karanthukral]

Since we merged the server version check, maybe we can use that?

[KnVerey]

I have a bunch of comments, but this is a great start. I'm really excited about this feature!

[KnVerey]

Only sync methods should make API calls. I really should look into adding a test to enforce that.

[stefanmb]

Removed.

[KnVerey]

Unless/until we support more powerful ordering, it's probably safer to assume that the custom resources need to go first, and pods (which are at the end of the constant list) need to be very last. This was true for all our own CRs.

[stefanmb]

Fixed, thanks.

[KnVerey]

I feel like this should be its own step in the "Initializing deploy" phase. It isn't resource discovery in the same sense as this method used to mean; this method should probably be renamed to something like "parse_templates" or "load_resource_from_file" or whatever, now that we have something that is "discovery" in the k8s api sense.

[stefanmb]

Moved to separate method, renamed existing method as suggested.

[KnVerey]

I think we should use a version check as Karan suggested. I also think that these discovery methods should be retried a couple times so we don't fail the deploy on server blips here.

[KnVerey]

These are basically another version check, right?

[stefanmb]

Removed.

[KnVerey]

(irrelevant if we can make the instances direct subclasses of KubernetesResource, but...) Doesn't this end up covering the regular resources, i.e. is not temporary?

[KnVerey]

This should assume discovery is has already been done. It would be very heavy to have it actually happen here.

[stefanmb]

Doing discovery once now, removed the call from here.

[KnVerey]

There are so many annotations here that I'm wondering if we should instead have a single one that contains JSON.

[stefanmb]

Removed timeout as it's been superseded by a different PR, collected the rest of the methods under metadata. I'm open to suggestions on the json field name.

[KnVerey]

Hm, KubernetesResource (the superclass) is already kinda "generic resource", no? Should we simply change the defaults in that class to what you have here? Regardless, please extract this change to a separate PR. 😄

[KnVerey]

Is it impossible/hard to do this with kubeclient?

[stefanmb]

Doing it with kubeclient now.

[stefanmb]

@KnVerey I've updated this branch with the latest approach, it's still a work in progress (+ need some more tests) so feel free to ignore it for now. I'll ping you for review once I feel it's ready.

Edit: That said, comments are always welcome, thank you.

[stefanmb]

The tests should exit if bundler fails.

[stefanmb]

This check is somewhat inelegant, but the GROUP and VERSION are now detected via discovery for most resources. If these fields are not present we can't query the API server, so we skip over them. This is not an issue if the user runs discovery first.

[KnVerey]

What does it mean for the "user" to run discovery? i.e. would it be a programming error in the gem if it doesn't happen before this is called? If so, can we detect (e.g. by setting an ivar when we do it) whether or not it has been done and raise an exception if not?

[stefanmb]

What does it mean for the "user" to run discovery?

It means invoking discover_resources at some point, normally before attempting to deploy.

I don't think we use k8s-deploy as a library anywhere, so I'm not sure what the normal entry point to it would be if used as a library.

If used normally as an executable discover_resources is executed as part of run in the deploy_task so this is a non-issue.

The other important part is that not all statically defined resources are supported on all k8s versions.

[stefanmb]

Overriding allows us to distinguish dynamically created resources (discovery) versus statically defined resources (static subclass of KubernetesResource).

[stefanmb]

Unfortunately for historic reasons not all resources are available under /apis/$NAME/$VERSION, so we have to look in two places.

[stefanmb]

For each group we'll attempt to detect resources under the preferred group version, but some resources are only available under newer (beta/alpha) versions, so we have to check those too.

[KnVerey]

Might be worth mentioning in a comment. My first thought in reading through the above was "why don't we check only the preferred version?" even though I should have known the answer.

[KnVerey]

Does this behave correctly when a resource exists in multiple GV, but not the preferred one? batch would be an example of this situation: its preferred version in 1.8 is batch/v1, but CronJob only exists in v1beta1 and v2alpha1. We'd want to make sure to pick the beta.

[stefanmb]

Yes, this code iterates through each version of each group.

Preference is given to the preferred version, if something is not present in the preferred version then it will be added based on the first version that it is encountered in.

The order of the version list returned by the API server is oldest version to newest version, so the old(er) version will be found first.

e.g.

kubectl get --raw /apis/batch | jq .
{
  "kind": "APIGroup",
  "apiVersion": "v1",
  "name": "batch",
  "versions": [
    {
      "groupVersion": "batch/v1",
      "version": "v1"
    },
    {
      "groupVersion": "batch/v1beta1",
      "version": "v1beta1"
    }
  ],
  "preferredVersion": {
    "groupVersion": "batch/v1",
    "version": "v1"
  },
  "serverAddressByClientCIDRs": null
}

In this case CronJob will be encountered first in v1beta1 and associated with that version.

[stefanmb]

We provide these values in code for statically defined classes. They can also be provided dynamically by annotations to CRDs.

[KnVerey]

We should delete this class, actually... we 🔥 this CR a while ago.

[stefanmb]

The HPA was previously defined only as a string in the prune list, we now need an actual class backing it.

[stefanmb]

Extracted from the previous static predeploy dependency list. Note that this is a partial order (the previous list by definition was a total order).

[KnVerey]

What about the fact that this can depend on custom resources, such as cloudsql/redis?

[stefanmb]

Then we'll need some way to specify such custom dependencies in the pod spec.

Alternatively we could optionally specify something like PREDEPLOY_DEPENDENTS on resources, so for e.g. CloudSQL could specify that it is a dependency of Pod which is its dependent.

[stefanmb]

These tests affect global resources (CRD) so they are not parallel-friendly.

[stefanmb]

I did not want to hardcode a particular total order here because that's not important. What's important is that the result is in any valid toplogical sort order, which may not be unique.

[stefanmb]

@KnVerey Could I ask you to have another look? A lot has changed since the initial version. All tests are currently passing.

[KnVerey]

I only did one pass and didn't make it through the tests, but this is looking great! Can you let me know when you have time to sit down and walk me through some of it IRL? Some things I'd like to discuss:

• jq vs jsonpath
• timeouts/failures for dynamic resources
• dynamic classes for core resources
• the predeploy graph (I think I'm forgetting something about why we need to do this)
• any performance implications

[KnVerey]

It'd be more conventional to make these methods private rather than prefixing to suggest they should be. Couldn't the prune_whitelist be private too?

[stefanmb]

Sure, was just following the previous examples in the file.

[KnVerey]

What does it mean for the "user" to run discovery? i.e. would it be a programming error in the gem if it doesn't happen before this is called? If so, can we detect (e.g. by setting an ivar when we do it) whether or not it has been done and raise an exception if not?

[KnVerey]

Lazily likely means in the middle of the mutating part of the deploy. Since they can fail, I'm thinking it would be better to build them eagerly, during the "Initializing deploy" stage... I'd suggest making prune_whitelist a simple attr_reader and setting them explicitly here.

[stefanmb]

predeploy_sequence and prune_whitelist are local computations only without any API calls, they should never fail.

[KnVerey]

Might be worth mentioning in a comment. My first thought in reading through the above was "why don't we check only the preferred version?" even though I should have known the answer.

[KnVerey]

Does this behave correctly when a resource exists in multiple GV, but not the preferred one? batch would be an example of this situation: its preferred version in 1.8 is batch/v1, but CronJob only exists in v1beta1 and v2alpha1. We'd want to make sure to pick the beta.

[KnVerey]

There's actually a more sophisticated success condition available for this; check out waitCRDReady in cloudbuddies.

[KnVerey]

Might make sense to look at the NamesAccepted condition here (see waitCRDReady in cloudbuddies)

[KnVerey]

I wouldn't insist on this, but it could be helpful if you extracted these new class additions into a separate PR. Making sure each one has appropriate checks and test coverage is not really related to this PR.

[stefanmb]

As a prerequisite PR? Without the new classes this PR won't work.

[KnVerey]

What about the fact that this can depend on custom resources, such as cloudsql/redis?

[KnVerey]

Am I reading correctly that this is solely for the purpose of determining which GV to use in the prune whitelist for the statically defined classes?

[stefanmb]

Maybe the chain of calls here is unclear. In order to discover groups (including for the statically defined classes) we have to discover everything based on what the API server returns, i.e. discover_groups requires discover_kinds which performs all discovery.

But yes, discover_groups itself is responsible for populating info in the static classes.

[airhorns]

@stefanmb this would be so awesome to get in for all of us without all the *Buddies nowadays!!! <3<3