k8s-infra: server routing strategies & basic TLS #8822
Conversation
Signed-off-by: Guy Daich <guy.daich@sap.com>
|
Can one of the admins verify this patch? |
2 similar comments
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
|
ci-build |
|
Build # 4475 - FAILED Please check console output at https://ci.codenvycorp.com/job/che-pullrequests-build/4475/ to view the results. |
Signed-off-by: Guy Daich <guy.daich@sap.com>
|
ci-build |
1 similar comment
|
ci-build |
|
Build # 4476 - FAILED Please check console output at https://ci.codenvycorp.com/job/che-pullrequests-build/4476/ to view the results. |
| @@ -36,6 +38,13 @@ | |||
| @Singleton | |||
| public class OpenShiftServersConverter implements ConfigurationProvisioner<OpenShiftEnvironment> { | |||
|
|
|||
| ExternalServerExposerStrategy openshiftExternalServerExposer; | |||
There was a problem hiding this comment.
Please make this field private and generify it with OpenShiftEnvironment.
| /** @author Guy Daich */ | ||
| public interface ExternalServerExposerStrategy<T extends KubernetesEnvironment> { | ||
|
|
||
| public void exposeExternalServers( |
There was a problem hiding this comment.
public access modifier can be removed here.
There was a problem hiding this comment.
@sleshchenko Strategy is used by the ServerConverter, in another package (k8s.server), and also implemented by OS infra, so should be public.
There was a problem hiding this comment.
Sure it should be public. IDE shows me warning that it is redundant because public access modifier is default one for interfaces methods.
| String machineName, Pod pod, Container container, OpenShiftEnvironment openShiftEnvironment) { | ||
| super(Collections.emptyMap(), machineName, pod, container, openShiftEnvironment); | ||
| this.openShiftEnvironment = openShiftEnvironment; | ||
| ExternalServerExposerStrategy OpenshiftExternalServerExposerStrategy, |
There was a problem hiding this comment.
Please generify this variable with OpenShiftEnvironment.
Also please rename this variable, it's quite unusual for java to name variable with first upper character.
| Container container, | ||
| OpenShiftEnvironment kubernetesEnvironment) { | ||
| super( | ||
| OpenshiftExternalServerExposerStrategy, machineName, pod, container, kubernetesEnvironment); | ||
| } | ||
|
|
||
| @Override | ||
| protected void exposeExternalServers( |
There was a problem hiding this comment.
Since KubernetesServerExposer#exposeExternalServers method implementation is the same as in OpenShiftServerExposer, looks like we can remove this overriding.
| @@ -91,95 +87,22 @@ | |||
| */ | |||
| public class OpenShiftServerExposer extends KubernetesServerExposer<OpenShiftEnvironment> { | |||
There was a problem hiding this comment.
This class looks like useless. The one possible reason to have it - defining docs for exposing external servers on OpenShift.
Maybe after adding java doc into OpenShiftExternalServerExposer this class can be removed. WDYT?
There was a problem hiding this comment.
I'll try consolidating it with k8s infra, by using k8s server converter in OpenShiftEnvironmentProvisioner, and move the docs like you suggest.
| @@ -44,3 +44,10 @@ data: | |||
| {{- else }} | |||
| CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON: '{"nginx.ingress.kubernetes.io/rewrite-target": "/","nginx.ingress.kubernetes.io/ssl-redirect": "false","nginx.ingress.kubernetes.io/proxy-connect-timeout": "3600","nginx.ingress.kubernetes.io/proxy-read-timeout": "3600"}' | |||
| {{- end }} | |||
| {{- if .Values.isHostBased }} | |||
| CHE_INFRA_KUBERNETES_SERVER_STRATEGY: "host" | |||
There was a problem hiding this comment.
Consider renaming var to CHE_INFRA_KUBERNETES_SERVER__STRATEGY. We have vars naming policy:
- dots in properties separate components (in case of env vars single underscores)
- underscores in properties separate words in a single component term (in case of env vars double underscores)
E.g.
che.component1.sub_component_2_mb -> CHE_COMPONENT1_SUB__COMPONENT__2__MB
where MB is unit of measurement in case when property is a number
|
|
||
| IngressRule ingressRule = ingressRuleBuilder.build(); | ||
|
|
||
| IngressSpec ingressSpec = new IngressSpecBuilder().withRules(ingressRule).build(); |
There was a problem hiding this comment.
@guydaichs Would you be willing to contribute unit tests for this class?
| import org.eclipse.che.api.core.model.workspace.config.ServerConfig; | ||
| import org.eclipse.che.workspace.infrastructure.kubernetes.environment.KubernetesEnvironment; | ||
|
|
||
| /** @author Guy Daich */ |
There was a problem hiding this comment.
Could you add javadocs to this class and/or the method?
| import org.eclipse.che.api.core.model.workspace.config.ServerConfig; | ||
| import org.eclipse.che.workspace.infrastructure.kubernetes.Annotations; | ||
|
|
||
| /** @author Guy Daich */ |
There was a problem hiding this comment.
Could you add javadocs to this class?
There was a problem hiding this comment.
Could you please merge two java docs here. I mean
/**
* Doc...
*
* @author
*/
| @Inject | ||
| public IngressHostExternalServerExposer( | ||
| @Named("infra.kubernetes.ingress.annotations") Map<String, String> ingressAnnotations, | ||
| @Named("che.domain") String domain) { |
There was a problem hiding this comment.
Can you elaborate if che.domain is a new variable? Does it differ from che.host?
There was a problem hiding this comment.
In host-based routing, we assume that che-master and all workspaces are accessed through different sub-domains of the same domain. For example:
- Che-server would be available at this address:
master.che.my-k8s.com - The workspace agent of a specific workspace would be available at this address:
server-4401-serverofflzacl-dev-machine.che.my-k8s.com - The user app for the same workspace would be available at this address:
server-8080-serverofflzacl-dev-machine.che.my-k8s.com - Other workspaces and corresponding agents
In the example above che.host is master.che.my-k8s.com, whereas che.domain is che.my-k8s.com.
We chose this approach for several reasons:
- In certain landscapes you might want to serve more than one che-master. This is especially true in continuous integration scenarios, staging environments, etc. In this case
che.domaincould beche-test.my-k8s.com,che-prod.my-k8s.comand so on. - For TLS, we would want to issue a single wildcard certificate for each Che deployment. E.g.
*.che.my-k8s.com.
We could consider not setting the CHE_HOST environment variable upon deployment of che-master, and instead setting it programmatically based on CHE_DOMAIN, but we don't know what effect this would have on the Docker- and OpenShift-based Che infrastructures.
There was a problem hiding this comment.
I see. Thank you for the detailed explanation!
From what I see it is used by k8s infra only. So shouldn't we rename it to something k8s infra specific, e.g. che.infra.kubernetes.che_domain?
There was a problem hiding this comment.
I understand the reason why you decided to add it. But can you change the name to be compliant with the naming of other properties? For example che.infra.kubernetes.ingress.domain.
There was a problem hiding this comment.
@garagatyi - agreed. I'll fix it.
| @@ -114,6 +102,21 @@ | |||
| * servicePort: [8080|web-app] ---->> Service.spec.ports[0].[port|name] | |||
| * </pre> | |||
| * | |||
| * <pre> | |||
| * Host-Based Ingress exposing service's port: | |||
There was a problem hiding this comment.
Maybe it worth to move examples to different strategies and add {@see StrategyInterfaceClass} link to the class? WDYT @sleshchenko @guydaichs ?
There was a problem hiding this comment.
@garagatyi I think it would be better to move examples to different strategies.
| * @author Sergii Leshchenko | ||
| * @author Alexander Garagatyi | ||
| */ | ||
| public class OpenShiftExternalServerExposer |
There was a problem hiding this comment.
Could you add javadocs to this class?
benoitf
added
status/code-review
|
ci-test |
|
ci-test build report: |
slemeur
removed
the
kind/epic
Signed-off-by: Guy Daich <guy.daich@sap.com>
Signed-off-by: Guy Daich <guy.daich@sap.com>
Signed-off-by: Guy Daich <guy.daich@sap.com>
Signed-off-by: Guy Daich <guy.daich@sap.com>
Signed-off-by: Eyal Barlev <perspectivus@gmail.com>
Signed-off-by: Guy Daich <guy.daich@sap.com>
Signed-off-by: Guy Daich <guy.daich@sap.com>
* Add sample values files * Fix merge issues Signed-off-by: Guy Daich <guy.daich@sap.com>
* rename TLS default value in che.env * remove openshift server exposer (consolidated with k8s) Signed-off-by: Guy Daich <guy.daich@sap.com>
guydc
changed the title
|
@sleshchenko @garagatyi I reworked this PR, and added some functionality to support TLS. Can you review? |
Signed-off-by: Guy Daich <guy.daich@sap.com>
|
|
||
| #### Default Host |
There was a problem hiding this comment.
Shouldn't Default Host be at the same level than Single User and Multi User (a section of Deployment Options)? Same for TLS Enabled.
|
|
||
| * Master: `https://che-<che-namespace>.your-domain/` | ||
| * Keycloak: `https://che-<che-namespace>.your-domain/auth/` | ||
| * Workspaces servers: `https://<che-namespace>.your-domain/<path-to-server>` |
There was a problem hiding this comment.
Workspaces servers should be in the format https://che- too (with the che- prefix) or am I missing something?
| @@ -433,6 +433,10 @@ CHE_SINGLE_PORT=false | |||
| ##### Kubernetes Infrastructure ##### | |||
| ##### ##### | |||
| # | |||
|
|
|||
| # Create routes with Transport Layer Security (TLS) enabled | |||
There was a problem hiding this comment.
Previously Routes here meant Routes OpenShift objects. Do you think it is OK to leave the same comment for Kubernetes infrastructure?
| @@ -447,7 +447,7 @@ che.infra.kubernetes.client.http.connection_pool.keep_alive_min=5 | |||
| che.infra.openshift.project= | |||
|
|
|||
| # Create routes with Transport Layer Security (TLS) enabled | |||
| che.infra.openshift.tls_enabled=false | |||
| che.infra.kubernetes.tls_enabled=false | |||
There was a problem hiding this comment.
Please consider adding the corresponding alias in https://github.com/eclipse/che/blob/master/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che_aliases.properties
| */ | ||
| public class IngressTlsProvisioner implements ConfigurationProvisioner<KubernetesEnvironment> { | ||
|
|
||
| protected final boolean isTlsEnabled; |
There was a problem hiding this comment.
Do you mind making these fields private?
|
|
||
| @Inject | ||
| public MultiHostIngressExternalServerExposer( | ||
| @Named("infra.kubernetes.ingress.annotations") Map<String, String> ingressAnnotations, |
There was a problem hiding this comment.
Looks like it is named infra.kubernetes.ingress.annotations by mistake.
I think it's good time to rename it to che.infra.kubernetes.ingress.annotations. @garagatyi WDYT?
There was a problem hiding this comment.
It was done on purpose. I didn't use che. prefix to make it clear that it is not injectable from properties and should be provided by a special provider instead. The reason is that we inject it as a property in a different format and that property gets converted into this injection on Che start.
So -1 to rename it.
| import org.eclipse.che.api.core.model.workspace.config.ServerConfig; | ||
| import org.eclipse.che.workspace.infrastructure.kubernetes.Annotations; | ||
|
|
||
| /** @author Guy Daich */ |
There was a problem hiding this comment.
Could you please merge two java docs here. I mean
/**
* Doc...
*
* @author
*/
| public MultiHostIngressExternalServerExposer( | ||
| @Named("infra.kubernetes.ingress.annotations") Map<String, String> ingressAnnotations, | ||
| @Named("che.infra.kubernetes.ingress.domain") String domain) { | ||
| if (ingressAnnotations == null) { |
There was a problem hiding this comment.
Previously this check was placed in one class, now in three classes. Maybe it makes sense to move it in IngressAnnotationsProvider
There was a problem hiding this comment.
We have such provider and it provides this binding. We can either inject provider instead of a map here or not check the map for nullability since it is injected as a not nullable dependency.
I think injecting of Provider instead of binding it to a map would make code clearer.
I had to do this in the first place. @guydaichs @sleshchenko WDYT?
There was a problem hiding this comment.
moved check to provider.
| @@ -130,24 +104,19 @@ | |||
| public static final int SERVER_UNIQUE_PART_SIZE = 8; | |||
| public static final String SERVER_PREFIX = "server"; | |||
|
|
|||
| private final Map<String, String> ingressAnnotations; | |||
| protected final ExternalServerExposerStrategy kubernetesExternalServerExposerStrategy; | |||
There was a problem hiding this comment.
Could you generify this field with <T> to avoid unchecked call here https://github.com/eclipse/che/pull/8822/files#diff-ff394ec17243637d9571b51b4aa23b99R206
| @Inject | ||
| public IngressTlsProvisioner( | ||
| @Named("che.infra.kubernetes.tls_enabled") boolean isTlsEnabled, | ||
| @Named("che.infra.kubernetes.tls_secret") String tlsSecretName) { |
There was a problem hiding this comment.
I'd say that new configuration properties should be added to che.properties with default values and docs.
| } | ||
|
|
||
| @Override | ||
| public void exposeExternalServers( |
There was a problem hiding this comment.
Looks like three strategies classes have very similar code with ingress builders. Maybe it would be better (maybe not) to create abstract IngressExternalServerExposerStrategy with a protected method like #createIngress(String name, @Nullable String host, String path, ...)
There was a problem hiding this comment.
Like the idea to reduce the amount of the code and not repeat yourself but it depends on how simple would be the code. @guydaichs up to you to decide whether it is better or not
There was a problem hiding this comment.
created AbstractIngressExternalServerExposerStrategy, where shared logic resides.
There was a problem hiding this comment.
Sorry that you have faced such a strict PR review process but there are reasons for that:
- you are changing components that are in a core of new architecture and our previous core was a mess because we had not enough review. So we are trying to do our best now to keep it clear and maintainable.
- your PRs quality is good and we treat you as a person who wants to commit clean solution that doesn't need to be sanitized by maintainers after the merge.
We have such reviews usually for PRs on a maintainers level or with significant changes to the core components.
| // when working in single-host mode, nginx controller wil reuse the che-master secret | ||
| // https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/api/extensions/v1beta1/types.go | ||
| if (!isNullOrEmpty(tlsSecretName)) { | ||
| ingressTLSBuilder.withSecretName(tlsSecretName); |
There was a problem hiding this comment.
Not sure I got it right but it seems that is called twice - both in any case and when the secret name is neither null nor empty. Shouldn't we delete first call of this method?
There was a problem hiding this comment.
Refactor mistake. fixed.
| } | ||
|
|
||
| IngressTLS ingressTLS = ingressTLSBuilder.build(); | ||
| List<IngressTLS> ingressTLSList = new ArrayList<>(Arrays.asList(ingressTLS)); |
There was a problem hiding this comment.
I think some IDE might show warning because of usage of Arrays.asList instead of Collections.singletonList here. Consider the last variant.
| @@ -447,7 +447,7 @@ che.infra.kubernetes.client.http.connection_pool.keep_alive_min=5 | |||
| che.infra.openshift.project= | |||
|
|
|||
| # Create routes with Transport Layer Security (TLS) enabled | |||
| che.infra.openshift.tls_enabled=false | |||
| che.infra.kubernetes.tls_enabled=false | |||
| @@ -433,6 +433,10 @@ CHE_SINGLE_PORT=false | |||
| ##### Kubernetes Infrastructure ##### | |||
| ##### ##### | |||
| # | |||
|
|
|||
| # Create routes with Transport Layer Security (TLS) enabled | |||
| @Inject | ||
| public IngressTlsProvisioner( | ||
| @Named("che.infra.kubernetes.tls_enabled") boolean isTlsEnabled, | ||
| @Named("che.infra.kubernetes.tls_secret") String tlsSecretName) { |
|
|
||
| @Inject | ||
| public MultiHostIngressExternalServerExposer( | ||
| @Named("infra.kubernetes.ingress.annotations") Map<String, String> ingressAnnotations, |
There was a problem hiding this comment.
It was done on purpose. I didn't use che. prefix to make it clear that it is not injectable from properties and should be provided by a special provider instead. The reason is that we inject it as a property in a different format and that property gets converted into this injection on Che start.
So -1 to rename it.
| public MultiHostIngressExternalServerExposer( | ||
| @Named("infra.kubernetes.ingress.annotations") Map<String, String> ingressAnnotations, | ||
| @Named("che.infra.kubernetes.ingress.domain") String domain) { | ||
| if (ingressAnnotations == null) { |
There was a problem hiding this comment.
We have such provider and it provides this binding. We can either inject provider instead of a map here or not check the map for nullability since it is injected as a not nullable dependency.
I think injecting of Provider instead of binding it to a map would make code clearer.
I had to do this in the first place. @guydaichs @sleshchenko WDYT?
| } | ||
|
|
||
| @Override | ||
| public void exposeExternalServers( |
There was a problem hiding this comment.
Like the idea to reduce the amount of the code and not repeat yourself but it depends on how simple would be the code. @guydaichs up to you to decide whether it is better or not
| Map<String, ServerConfigImpl> ingressServers = | ||
| Annotations.newDeserializer(ingress.getMetadata().getAnnotations()).servers(); | ||
| assertEquals(ingressServers.get("http-server").getProtocol(), "https"); | ||
| assertEquals(ingressServers.get("ws-server").getProtocol(), "wss"); |
There was a problem hiding this comment.
Looks like there are 3 things that can be covered in addition:
- secret name if it is neither null nor empty
- secret name if it is null
- secret name if it is empty
| * | ||
| * @author Sergii Leshchenko | ||
| */ | ||
| public class OpenShiftServerExposerTest { |
There was a problem hiding this comment.
I don't quite understand why these tests should be removed. @guydaichs can you elaborate on that?
There was a problem hiding this comment.
You're right. OpenshiftServerExposer doesn't exist as a class, but openshift server exposure logic in KubernetesServerExposer should still be tested. I adapted the test class.
|
@l0rd @garagatyi @sleshchenko : Thanks for the thorough review and meaningful comments. I'll make the required changes and let you know. |
|
@guydaichs I'm sorry but I've merged PR that moves deployment files to another folder. This has affected your PR. I think that the easiest way to adapt your PR is to rebase it against master and then move files that would be left from |
|
@guydaichs If you need assistance with the changes caused by my PR I can do required changes in your branch. |
|
Opened a fresh PR: #9329. |
Signed-off-by: Guy Daich guy.daich@sap.com
What does this PR do?
Introduce an External Server Exposer Strategy, responsible for exposing service ports associated with external servers, making them accessible from outside the cluster.
Move server exposure to shared k8s infra level:
Provide three options for exposing external (and secondary) servers in k8s infra:
Add basic TLS support:
Add Ingress TLS provisioning.
Update Docs:
Test PR
Follow instructions to set up minikube, helm, tiller, cert-manager.
Follow specific instructions for single/multi-user, default-host installation on minikube.
Routing strategies tested locally on minikube & minishift.
What issues does this PR fix or reference?
This PR fixes #8694.
This PR is part of kubernetes infrastructure epic #5908.
Release Notes
Docs PR
Currently, documented only in the Che Kubernetes Helm deployment instructions.