Add Helm support for Theia with ClickHouse PV

[yanjunz97]

This PR adds Helm chart for Theia and uses Helm templates instead of Kustomize to generate Theia manifest.

Signed-off-by: Yanjun Zhou zhouya@vmware.com

[antoninbas]

does it sometimes make sense to disable one of the ports to only use HTTP or TCP?

[yanjunz97]

I think the Flow Aggregator uses TCP to connect the ClickHouse while Grafana uses HTTP for connection. Thus it might not have a use case to disable one of them.

[yanjunz97]

This PR is converted to draft to add PV supports and some more customizations.

[yanjunz97]

Hi @antoninbas I have added the ClickHouse PV support and some more customizations in this PR. I also have several topics regarding Helm support in Theia to bring up. I would like to hear from your options on these topics.

1. Namespace
   It seems Helm has the convention to use --namespace and --create-namespace to deploy the chart in a specific Namespace. In the flow visibility case, it works when I use helm install. But when I try to generate the manifest with helm template, the creation of Namespace will not be included in the generated YAML file even if I use --create-namespace. I find here --create-namespace is ignored for helm template helm/helm#9813 shows Helm team does not plan to provide --create-namespace support for helm template.
   I come up with 2 solutions:

• Use the YAML file without a creation of flow-visibility Namespace, and add instructions to create Namespace flow-visibility before applying the flow-visibility.yml in docs. But I’m worry about whether it would be a problem as it may bring inconsistency comparing to our previous versions.
• Add a value createNamespace to values.yaml and set it to true when running the manifest generation script. This can produce a manifest with Namespace as previous. But it seems strange to expose this variable as a value to user.
  I’m not sure which solution to choose or whether there is a better solution.

2. ClickHouse Operator
   ClickHouse Operator is a CRD which should be installed before applying flow-visibility.yml as it defines the kind ClickHouseInstallation. I see there is a discussion about whether to put it into the crds dir at the issue [Helm chart] Should CRDs be placed in the special crds/ directory? antrea#3665. It seems there is no final conclusion on this topic; and ClickHouse Operator is slightly different from CRDs in Antrea:

• The ClickHouse Operator is provided by a third party instead of a CRD developed by us.
• It seems we cannot treat ClickHouse Operator as a regular templated resource as it must be installed before we try to deploy the ClickHouse server.
  I’m not sure whether it is better to put ClickHouse Operator into the crds dir?

3. Release and documentation
   It is mentioned in Add an Helm chart for Antrea antrea#3578 that we will have a future PR about the Helm chart release. And I see Helm provides chart-releaser-action at https://github.com/helm/chart-releaser-action. Do we plan to use it or just let user clone our repo first for now?

   There are a lot of instructions on how to modify the YAML file in our doc. IMO these should be removed when we introduce the Helm chart. But before we have the chart in the release, it seems we still need to keep it? Also after we have a chart in release, I’m not sure whether it is replicated to add instructions on how to modify the Helm values when we introduce each features in flow visibility docs, as we already have an auto-generated Helm doc.

also cc @salv-orlando @dreamtalen @heanlan @wsquan171

[antoninbas]

@yanjunz97

1. I know that the Nginx ingress controller uses a kustomize step after rendering the manifest with Helm to inject the Namespace resource: https://github.com/kubernetes/ingress-nginx/blob/main/hack/manifest-templates/common/kustomization.yaml. You could consider doing the same thing. Note that in the case of flow visibility, I think we should encourage the user to deploy with Helm directly, instead of applying a manifest kubectl apply -f. We should still provide a reference YAML manifest though for users who don't want to use Helm.
2. If you want to include the ClickHouse operator in the Theia Helm chart, you should really put the ClickHouseInstallation under the crds/ directory. Your use case is very different from the Antrea one, given that you actually need to create a CR for that CRD, as part of the Helm deployment. So you should follow Helm's best practices, and ignore the discussion in [Helm chart] Should CRDs be placed in the special crds/ directory? antrea#3665. BTW, if you package everything as one Helm chart, how do you plan to generate 2 distinct manifests for "manual" installation? If you have a single manifest with both the CRD and the corresponding CR, I think using kubectl apply may fail, as the CR may be "created" before the CRD has been registered.
3. We do plan to release the Antrea Helm chart properly (and not require users to clone the repo), but I am trying to figure out [Helm chart] Should CRDs be placed in the special crds/ directory? antrea#3665 first. We will have a chart repo for all the Antrea charts, including Theia. If Helm becomes your primary installation mechanism for Theia, I think the documentation should reflect that, with instructions on how to modify Helm values to customize the installation.

[salv-orlando]

There seem to be some changes not related to helm charts - can we have distinct PRs for those?

[salv-orlando]

these changes make a lot of sense, but I'd create separate PRs for those

[yanjunz97]

Thanks! I remove it from this PR.

[salv-orlando]

This also seems a change not related to helm charts.

[yanjunz97]

This is related to the ClickHouse PV support. PV support is also added into this PR as

• There are only a few customization variables before we add PV support
• PV support contents have been reviewed at Antrea side. Adding PV to this PR mainly requires reviews on the Helm related contents.

[yanjunz97]

Thanks @antoninbas ! This PR is updated and ready for review now. Here is the update on the topic we have discussed above.

1. I have updated the scripts to use Kustomize to inject the Namespace.
2. For the ClickHouse Operator, I put it into the crds dir. It seems if we do not add the --include-crds option when running helm template, the contents in crds dir will not be included into the generated YAML file. Thus we still have two distinct yaml files, one in the crds dir and the flow-visibility.yml generated by the script. Users can still use the same way as before to manually deploy the flow visibility contents.
3. The instructions on how to modify the YAML file will be replaced by Helm instructions in a future PR when we release the Helm chart.

[yanjunz97]

2. For the ClickHouse Operator, I put it into the crds dir. It seems if we do not add the --include-crds option when running helm template, the contents in crds dir will not be included into the generated YAML file. Thus we still have two distinct yaml files, one in the crds dir and the flow-visibility.yml generated by the script. Users can still use the same way as before to manually deploy the flow visibility contents.

I kind of think that moving ch op install bundle into crd sub dir is a bit hacky. it's not technically just a crd yml, and if in the future we need to introduce crd for Theia we'll eventually have to use the --include-crds switch. is the main goal of putting it under crd for having one single helm install command?

Thanks @wsquan171 for pointing out this. Yes, by putting it under crds, we can support a single helm install command for the whole product. As stated in Helm docs, I think the purpose of crds dir is mainly for the installation of CRD declaration before using the resource, which is pretty much similar to our case IMO. And I'm worry about it would be confusing if users have to use kubectl apply and helm install at the same time to deploy Theia.

But I also understand your concern about what if we add our own CRDs. I think these CRDs are under the similar conditions mentioned in the Antrea issue antrea-io/antrea#3665 . These CRDs are kept as Template in Antrea chart now.

Basically there are two strategies to treat the ClickHouse Operator:

• Remove ClickHouse Operator from Theia Chart and state it as a prerequisite of Theia.
• Keep as it is and revisit the topic when we have our own CRDs and there is an update of the placement CRDs on the Antrea chart.

I'd also like to have @antoninbas option on this.

[heanlan]

A general comment on all of the original configuration instructions: If we keep all these original configuration instructions for users who don't to use Helm, can we write it explicitly in the doc, with something like: for all of the configurations, option 1 - with Helm, edit values.yaml, option 2 - without Helm, edit flow-visibility.yml directly.

Otherwise it seems a bit confusing to me, if we recommend using Helm to template yaml, and we also recommend making a series of configurations directly on flow-visibility.yml in the meanwhile.

[yanjunz97]

I make an update on the document, hope it clearer now.

[yanjunz97]

Hi @antoninbas Could you take another look at this PR?

[antoninbas]

I think this whole section can be a bit confusing, because it conflates some things, like PV type & storage class provisioner, and doesn't clearly distinguish between manual volume provisioning and dynamic volume provisioning.

It seems that there is also no option for users to provide a custom PersistentVolume (if they don't want to use dynamic provisioning).

storage:
  size: "8Gi"
  createPersistentVolume:
    # can be set to "Local" or "NFS"
    type: ""
    local:
      path: "/data"
    nfs:
      host: ""
      path: ""
  # ignored if persistentVolume.type is non-empty
  persistentVolumeClaimSpec: {}
    # storageClassName: ""
    # volumeName: 

By default, memory storage is used.

To use a local volume created by us, one can set:

storage.createPersistentVolume.type = "Local"

To use a custom PersistentVolume, one can set:

storage.persistentVolumeClaimSpec:
  storageClassName: ""
  volumeName: "<my-pv>"

To dynamically provision a PersistentVolume, one can set:

storage.persistentVolumeClaimSpec
  storageClassName: <"my-storage-class">

Let me know what you think of that solution

[yanjunz97]

I think PersistentVolumeClaim does not accept PV name as a specification. As introduced in K8S doc, I think it means

• If storageClassName is specified, PVC will look for PV in the cluster with that class
• If storageClassName is set to "", PVC will look for PV with no class

From my experience, if users don't want to use dynamic provisioning, they could set StorageClass to "" or create a StorageClass with kubernetes.io/no-provisioner as provisioner, and make sure the corresponding PV is created manually.

We can still adopt the solution, with the storage.persistentVolumeClaimSpec only expecting storageClassName. Memory storage will be used when storage.createPersistentVolume.type is "" and storage.persistentVolumeClaimSpec is empty. But I'm not sure whether this change is still good enough as it might still not clearly distinguish between manual volume provisioning and dynamic volume provisioning.

[antoninbas]

There are 3 cases for storageClassName: set, omitted and set to empty
I do think it is possible to manually bind to a PV with the volumeName field: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#reserving-a-persistentvolume

[yanjunz97]

I missed this. Thanks! The storage section is refactored now.

[salv-orlando]

Code LGTM.

Due to operations done in this PR on Grafana's clickhouse queries - mostly replacing namespace name with variable, I suggest to merge PR #12 , and then rebase this one.

[salv-orlando]

I think we need to update these before we release?

[yanjunz97]

Yes. I think we will need to update these in the release branch.

[salv-orlando]

As PR #12 is making some changes to query, we might want to merge that one, rebase this PR, and then make sure {{ .Release.Namespace }} is used in every query in place of flow-visibility

[ziyouw]

Should we support small intervals, such as second? Seems it is hard to do anything if the ttl is set at second level.

[yanjunz97]

These are units supported by ClickHouse. I think keeping it may be useful for users who prefer to use the small units like 3600 SECOND instead of 1 HOUR.

[ziyouw]

For DAY, WEEK, MONTH, QUARTER, YEAR, we do not have any mapping here?

[yanjunz97]

This map is only used to set merge_with_ttl_timeout. This value only requires to be set when TTL is under merge_with_ttl_timeout default value, 14400 (seconds). TTL does not need map as Interval is supported by the ClickHouse.

[yanjunz97]

Code LGTM.

Due to operations done in this PR on Grafana's clickhouse queries - mostly replacing namespace name with variable, I suggest to merge PR #12 , and then rebase this one.

Thanks @salv-orlando This PR is rebased now. Would you like to take another look?

[salv-orlando]

PR LGTM!

[antoninbas]

some minor comments, otherwise LGTM

[antoninbas]

you don't seem to be using this anywhere?

[yanjunz97]

Removed unused tmp dir. Thanks!

[antoninbas]

nit: why the empty line?

[yanjunz97]

Removed.

[antoninbas]

Suggested change

	# Add flow-visibility Namespace resource by Kustomize
	# Add flow-visibility Namespace resource with Kustomize

[yanjunz97]

Updated.

[antoninbas]

I assume that these 2 fields will be stored in the same secret, and not 2 separate secrets?
I suggest changing this to:

# -- Credentials to connect to ClickHouse. They will be stored in a secret.
connectionSecret:
    username : "clickhouse_operator"
    password: "clickhouse_operator_password"

[yanjunz97]

Yes. They are in one secret. Updated the value.

[antoninbas]

same comment as above

[yanjunz97]

Updated.

[antoninbas]

login to Grafana

[yanjunz97]

Updated. Thanks!