Add kubernetes support to docker/cli

[silvin-lubecki]

This PR introduces docker stack support for kubernetes in the docker cli using the docker compose controller embedded in docker4mac beta.

• Adds a new orchestrator config field, a new --orchestrator and a DOCKER_ORCHESTRATOR environment variable to switch between swarm and kubernetes orchestrators.

  {
    // […]
    "credsStore": "osxkeychain",
    "orchestrator": "kubernetes"
  }
  

• When in kubernetes mode:
  • adds a --namespace on stack subcommands to be able to point to the correct kubernetes namespace
  • adds a --kubeconfig flag to stack subcommands — and take KUBECONFIG environment variable into account — to be able to point to a kubernetes cluster using the kubernetes configuration file.
  • --filter on docker stack services are disabled.
  • orchestrator commands like secret, service, config, node will error out because they are not implemented yet (it's on the way, but won't be present in this PR)

This adds new kubernetes and swarm annotation to define if a command/flag is supported by one of the other (or both).

All of this is marked experimental (thus we depend on #758 for this one to get merged)

🦁

Signed-off-by: Vincent Demeester vincent@sbr.pm
Signed-off-by: Silvin Lubecki silvin.lubecki@docker.com

[codecov-io]

Codecov Report

Merging #721 into master will decrease coverage by 2.56%.
The diff coverage is 13.04%.

@@            Coverage Diff            @@
##           master    #721      +/-   ##
=========================================
- Coverage   53.46%   50.9%   -2.57%     
=========================================
  Files         218     237      +19     
  Lines       14642   15338     +696     
=========================================
- Hits         7829    7808      -21     
- Misses       6327    7028     +701     
- Partials      486     502      +16

[dnephin]

s/dockerOrchestrator/envVarDockerOrchestrator so it's obvious this is an environment variable key and not something else.

[dnephin]

This is going to break anyone that uses the --config flag because GetOrchestrator() is called from New...Comand which happens before flag parsing.

[dnephin]

This path is kind of overly long.

How about moving cli/command/stack/kubernetes to /kubernetes ? It's not really part of the command router, so it doesn't belong under cli/command.

(more on this here #721 (comment))

[dnephin]

What is client-gen ? It's strange that it only puts this comment in doc.go and not in every file.

Can we include the steps to re-generate these files in a go:generate comment, or in the Makefile?

[dnephin]

If possible could we have this tool write out the "this file is generated" comment to every file it generates, not just doc. There is actually a GO convention for this which it should use:

golang/go#13560 (comment)

^// Code generated .* DO NOT EDIT\.$

[dnephin]

https://github.com/docker/cli/blob/master/TESTING.md#guidelines

e2e tests are for commands. orchestrator is not a command. Please move one of these to e2e/system/version_test.go.

The rest should not be e2e tests. They test client-only logic, so they should be unit tests.

[dnephin]

I'm going to look into some of these dependencies, this still seems like a crazy number of dependencies for a client.

[dnephin]

I guess the k8s machinery dependencies are just bloated, so there isn't much we can do about this for now...

[dnephin]

Could this be in cli/command package, or are there issues with circular imports?

[dnephin]

I don't see how this can work if we want to be able to set the orchestrator from the config or a flag, and I think we should support both. This happens before flag parsing and config loading (which depends on flag parsing).

I think this branching needs to be done as part of the Run() of the commands.

The same commands exits for both orchestrators, so the implementation of the Run() can be switch and call the Run() for the correct orchestrator.

[dnephin]

For directory structure, how about this:

Move non-generated code out of the generated code tree:

git mv cli/command/stack/kubernetes/api/labels cli/command/stack/kubernetes/labels

Move generated code out of the cli/command tree

mkdir kubernetes
git mv cli/command/stack/kubernetes/api kubernetes/api

Add a README to the kubernetes/api package that explains:

• this is a client library for x
• this code is generated from a spec that is not available

[AkihiroSuda]

nil panic on default?

[AkihiroSuda]

(I meant it should not panic)

[AkihiroSuda]

"version_kubernetes": "v1beta1"?

[vdemeester]

@AkihiroSuda depends on what you wanna check here : the version of kubernetes, the version of the "k8s" native api or the version of our api extension — or all of those 😝.

[AkihiroSuda]

I think the version of the stack API extension is correct to check here. (And the stack API extension may provide info for minimum supported k8s version and so on)

[AkihiroSuda]

I guess you can drop support for DAB now

[AkihiroSuda]

How c can be nil?

[vdemeester]

It's generated code 😓

[AkihiroSuda]

you can remove comments

[dnephin]

Yes please, also would be good to keep this file sorted. Right now the diff is hard to read because some deps moved

[AkihiroSuda]

It might be helpful to add logrus.Warn("DOCKER_ORCHESTRATOR=kubernetes is not supported for this command") to docker service and docker node?

[vieux]

@vdemeester once the CI is green, could we maybe split the PR in 3 commits: vendor, generated code and actual new code ?

[n4ss]

First step of review on this big PR.

Congrats for the work 👏

[n4ss]

nit: dockerEnvOrchestrator?

[dnephin]

ping

[n4ss]

I would store these hardcoded accepted values in const variables and refer to them in tests.

[n4ss]

We should make sure we specify the precedence in:
environment variable > config file > default

[n4ss]

Also if makes a typo on "kubernetes" or "k8s", it will default to swarm without any warning/failure. Should we fail (as the user might want to use kubernetes) or at least have a warning that the environment variable value was invalid?

[n4ss]

It'd probably be cleaner to have those flags in a stackOptions struct

[vdemeester]

Can't do that one, given how cobra works, we can just use PersistentFlags().Changed("namespace") for those.

[n4ss]

nit-typo: specifics

[n4ss]

We have stack and stacks variables where one is not the subset of the other, it's kinda confusing.

[vdemeester]

😝

[n4ss]

You also may want to rename in to stackObject or something more explicit.

[n4ss]

Also the Get call might fail for other reasons than the stack.Name not being referenced. Worth adding a test on the error value before trying a stacks.Create?

[n4ss]

same as before for the os.Getwd()

[n4ss]

Should we have some form of checking of key presence in the successive maps?

[n4ss]

We should have length checking here too.

[vdemeester]

Well, it comes from os.Environ so.. it will always have the = I think. That said, this whole file should go away in a follow up

[chris-crone]

@thaJeztah I believe @silvin-lubecki and I found the issue with secrets: you cannot have a kube secret with an underscore.

kubectl create secret generic my_secret --from-literal=file=toto
The Secret "my_secret" is invalid: metadata.name: Invalid value: "my_secret": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

If you change your example to mysecret it will work as expected.

The underlying issue is that we weren't checking for returned errors when creating the secret. Silvin will push a fix for this.

[thaJeztah]

oh, awesome! was just running this PR again for another test 👍

[silvin-lubecki]

PTAL @thaJeztah, just fixed it.

[thaJeztah]

Is it correct that we don't namespace services from a stack?

Deploy the stack as "foobar";

$ docker stack deploy -c docker-compose.yml foobar
Stack foobar was created
Waiting for the stack to be stable and running...
 - Service db has one container running
 - Service web has one container running
Stack foobar is stable and running

Deployg the stack as "foobar2":

$ docker stack deploy -c docker-compose.yml foobar2
service db already present in stack named foobar

We should have a solution for that, because multiple stacks will have the same service names (and this is the reason (when using docker-compose or swarmkit service-names are prefixed with their stack-name).

[thaJeztah]

Hm, we also need to find a solution for re-deploying a stack that uses secrets. Secrets are immutable, but when using swarmkit, docker detects that if the content didn't change, and in that case skips creating/updating the secret (and only produces an error if the secret/config changed);

$ docker stack deploy -c docker-compose.yml foobar
secrets "mysecret" already exists

[vdemeester]

@thaJeztah we should create issues for those to discuss them and keep track of updates on it 👼

[silvin-lubecki]

@thaJeztah you can use the namespace flag:

--namespace string    Kubernetes namespace to use (default "default")

[thaJeztah]

@silvin-lubecki yes; probably something we should do by default (e.g., create a namespace com.docker.stacks.<name-of-stack>, or whatever convention 😄)

@vdemeester I'll create an issue 👍

[thaJeztah]

Regarding seccomp being set to unconfined by default (see my "some interesting bits" #721 (comment)); this was changed upstream in kubernetes in kubernetes/kubernetes#21790. As explained in kubernetes/kubernetes#20870, the reason for this was that the default seccomp profile was more restrictive, and blocked certain actions, even if (e.g.) --cap-add SYS_ADMIN was used (see moby/moby#20245).

However, with moby/moby#22554, I don't think this is still a problem, so we may want to change this behavior and, for Docker 1.12 and up, enable the default seccomp profile

I'll open an issue for that as well

[silvin-lubecki]

@thaJeztah yes we thought about that too, but as we wanted to keep it simple, we decided to put everything in default namespace. Depending the feedbacks we will receive, we may change it in a further PR?

[dnephin]

I don't think we should add the namespace flag and ignore the stack positional argument. We should use the stack positional argument as the namespace and remove the flag.

[thaJeztah]

opened #776 and #777

[dnephin]

I guess we can fix the remaining issues in a follow up

LGTM

[thaJeztah]

LGTM as well; it's a preview, so let's get this out so that people can play with it 👍

[thaJeztah]

🎉

[mdlinville]

When I created the YAML files for 18.01 after this patch was applied, the one for docker config showed that swarm: false which I think is incorrect. This is kind of serious.