-
Notifications
You must be signed in to change notification settings - Fork 903
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
A draft one-pager around resource usage #564
Conversation
@lukeweber @bassam @ichekrygin @prasek I'd like to expedite the feedback process on this one pager. There's some pretty fundamental changes proposed (e.g. making resource classes and managed resources cluster scoped). Would it help to setup a call to discuss? |
@negz would love to be included on call if it happens |
* Does the resource usage concept hold up given the subtle implementation | ||
differences between the multiple managed resources that may satisfy a resource | ||
claim? | ||
* Should "sub-managed-resources" such as databases and users be automatically |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do managed sub-resources warrant another design document? I am interested in the possibility that resource claims may need to be resolved beyond cloud provider APIs. A MySQL User claim could be resolved through a provider API or through MySQL commands (requiring either a shared MySQL claim or direct access to the secret). Sub-resources that require parent resource claims may affect the design of how non-root MySQL credentials are bound, for example, and could affect this overall design.
This comment is a bit off-topic, responding only to one the Open Questions.
The overall draft is compelling to me, but I worry about added complexity. I would hope that your other Open Question about merging the constructs could be realized.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do managed sub-resources warrant another design document?
Quite possibly. They're related to this document and also likely related to any proposals around security connectivity, given a subset of hypothetical security and connectivity resources (e.g. Azure and GCP firewall rules) fall within the set of resources that could potentially be created in order to 'solve' a usage.
A MySQL User claim could be resolved through a provider API or through MySQL commands (requiring either a shared MySQL claim or direct access to the secret).
Exactly. If we begin to model users and databases it will vary from provider to provider as to whether we can do so simply via API calls (e.g. GCP), or whether we'll need to use SQL client libraries (e.g. AWS, Azure). We might consider whether such resources that are implemented using (for example) SQL client libraries belong in the same binary as resources implemented using cloud provider client libraries.
Sub-resources that require parent resource claims may affect the design of how non-root MySQL credentials are bound, for example, and could affect this overall design.
I imagine the credentials would be read from the 'parent' managed resource, with a relationship formed between the parent and child managed resources (e.g. PostgreSQLInstance
and PostgreSQLUser
) by the resource claim that spawns them (presuming they're spawned by one claim and not two separate ones). A variant of this pattern exists in the Azure storage container controller, which treats the container's associated storage account resource as its 'provider' (instead of a provider.azure.crossplane.io
) for credential purposes.
The overall draft is compelling to me, but I worry about added complexity.
Agreed. If others find the broad direction compelling we should determine how to reach the goal iteratively. At the very least I believe we could make the foundational changes (e.g. cluster scoped managed resources, classes, and secrets) first, then introduce some resource usage (or reworked resource claim?) construct in a future change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We discussed offline that the existing KubernetesCluster
to KubernetesApplication
/ KubernetesApplicationResource
relationship may serve as a design model for how secrets (cluster credentials) and virtual resources (Kubernetes applications, MySQL users and databases outside of GCP) are treated throughout this project. Both represent managed resources that are not controlled by a Cloud provider managed API, but rather an independent API accessed using the parent resources' Kubernetes secret.
@negz you were able to read more into my conjecture. Would it be beneficial to log your thoughts here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@displague I broadly agree with the thoughts you've captured here. Nothing more to add right now.
@bassam You mentioned you wanted to discuss this design. Should we setup some time to do so in person, or would you prefer to leave feedback on this PR? |
I synced with @bassam today to help sanity check this proposal. Some notes:
I've updated the one pager to reflect everything except for point 4, which needs more thought. |
Signed-off-by: Nic Cope <negz@rk0n.org>
We've made no progress on this PR in several months, so I am going to close it. |
Update CODE_GENERATION.md setup funcs with rate limiter
Description of your changes
This PR seeks review of an initial draft of a one-pager (four-pager?) around the concept of a "resource usage", i.e. an association between a resource claim and a Kubernetes object consuming said claim. This is an early draft, in which I expect there to be a lot of holes, but I'd like to further the conversation around this concept.
Checklist
I have:
make reviewable
to ensure this PR is ready for review.clusterrole.yaml
to include any new types.