Allow existing resources to be "imported" into Crossplane to be managed #22
Comments
|
crossplane/crossplane#399 (comment) Per the comment above, I'm curious about how the ability to import an existing |
|
I don't recall any specific details of this debate. As for:
My $0.02, yes, absolutely. |
jbw976
changed the title
|
@negz opened a very related issue with crossplane/crossplane#497 that we've closed as a duplicate. As brought up in that issue, importing an existing resource such as a Kubernetes cluster could even be on-premises (bare-metal) resources. Overall, there seem to be many existing resources that once imported into Crossplane could easily be consumed by new resources in Crossplane. Examples:
|
|
Cross linking this to #21, which tracks the work we're doing around reclaim policies. I could imagine this "import" work could affect that design and work. I've been increasingly thinking about this as "attaching" and "detaching" external resources from management as a Crossplane managed resource. |
|
In #27 (inspired by a suggestion from @muvaf) I proposed a new I like that idea @muvaf. Perhaps we could expand on it with something like: spec:
# externalResourcePolicy controls how the managed resource's lifecycle
# relates to the lifecycle of its associated external resource.
externalResourcePolicy:
create: Attach # Valid values are Attach, Create, and AttachOrCreate.
update: Observe # Valid values are Observe, or Update.
delete: Detach # Valid values are Detach or Delete.This would allow: # The default policy. Returns an error if the named external resource already
# exists at creation time.
externalResourcePolicy:
create: Create
update: Update
delete: Delete# A "read only" policy, similar to a Terraform data source. Exposes the state
# of an existing external resource via the managed resource status object.
externalResourcePolicy:
create: Attach
update: Observe
delete: Detach# The ability to attach an existing external resource to Crossplane reconciliation.
externalResourcePolicy:
create: Attach
update: Update
delete: Delete# The equivalent of Crossplane's current reclaim policy implementation
externalResourcePolicy:
create: CreateOrAttach
update: Update
delete: Detach |
|
I think #45 makes it pretty easy to import a resource. Just tried with new CloudSQL controller that incorporated the late initialize pattern from https://github.com/crossplaneio/crossplane/blob/master/design/one-pager-managed-resource-api-design.md#high-fidelity All you have to do:
Then it will acquire the resource spec (into managed resource), bind it to the claim and propagate its credentials to claim's namespace. That goes for a resource (CloudSQL) that allows you to retrieve the credentials even after the creation though. So, for resources that send you the credentials only during creation there would be some manual steps getting them into managed resource's secret. I think putting |
|
We had some discussions regarding this in #87 I didn't want to block that PR, so, writing my answer here: In general, I believe following PVC/PV semantics is a good direction for Crossplane. However, we also need to see that there are valid cases where a cloud resource should be treated differently than how a volume is treated. For example, one can say that a volumes are generally used by 1 application, indeed in most of the cases 1 pod. So, it's safe to restrain its lifecycle management to 1 kubernetes cluster, hence volume controller. However, a cloud resource may be consumed by 1 application or N applications. Indeed, we can use it in N kubernetes clusters. It may not make sense for a volume to be consumed in that way but let's say a MySQL DB or Amazon SNS or X cloud resource should be able to be consumed by different environments. From #87 (comment)
I'm negative on this for two reasons;
What I'd like to see is to have an external policy field that decides what operations that Crossplane instance is allowed to conduct on the given resource. This doesn't exist in PVC/PV model but for aforementioned reasons, our use case drifts from that model. Though I don't think it should be as fine-grained as suggested in #22 (comment) Something even as simple as |
|
I'm going to close this. As @muvaf mentioned in #22 (comment) we have rudimentary support for bringing an existing external resource into Crossplane management thanks to the managed resource reconciler and the external name annotation. This currently requires the Crossplane user to submit a managed resource that matches the existing external resource configuration wise - at least any required fields. I think we can raise a new issue if we want to track improving that process. |
Is it necessary to set spec.forProvider to empty ? |
|
You have to fill in the mandatory/required fields in |
Overview
One of the key Crossplane functionality is support for provisioning and life-cycle management of the public cloud managed resources. Crossplane offers two modes of resource creation:
In either case, crossplane takes "full lifecycle" ownership of the created resource, and based on the specified Reclaim Policy, can delete managed resource upon the clean-up,
There are, however, use cases when the user would like to represent existing resources (i.e. resources provisioned outside the Crossplane) as Crossplane Resource instances. To achieve that, Crossplane must support resource import functionality.
Further Consideration
In order for Crossplane to provide resource import functionality following questions need to be addressed:
Resource Lifecycle
Will the crossplane become a "full" owner of the managed resource lifecycle.
Deletion
If crossplane imports a resource, can this resource be specified with ReclaimPolicy: Delete. Initial thinking, no, it cannot, i.e. all imported resources automatically get assigned (and hopefully at some point enforced) Reclaim Policy: Retain ("cannot delete something you didn't create")
Update
Can crossplane perform manage resource update, i.e. changing resource state/properties with the potential impact on any/all existing downstream resource consumers?
Cloud Provider compatibility
There should be a special concideration that the imported resource could be "fully" managed by the existing cloud provider (service account scopes/permissions, etc)
The text was updated successfully, but these errors were encountered: