RFC: Enable gitops usage on management clusters #2
Conversation
|
Comment by @webwurst in the internal issue: I like the idea and think it is also the right time to explore that area. People are becoming more aware of GitOps and eventually customers will ask for it. The development teams behind Flux and ArgoCD gathered to exchange experiences from production usage. Finally they decided to follow separated paths, but hopefully for good reasons. As the result there is Flux2 based on GitOps Toolkit which can also be used in your own golang tools or operators. Gerald put out a first preview of a possible flux-app in our playground-catalog. Challenge at the moment is that it did not reach v1.0 yet and there are multiple releases per week to catch up with ;) Halo provides this "as is" for the current cycle since we are focusing on Loki. But I guess we are happy for PRs and discussions. Trying out Flux1 earlier didn't make much sense since there were discussions about a re-write and breaking changes and finally the deprecation note last autumn. |
| We currently give customers access to the management clusters but do not support them in utilizing this access effectively in terms of git ops related management (e.g. for apps). | ||
|
|
||
| Context: | ||
| Some customers might be interested in utilizing mainstream git ops tooling in order to manage their apps across clusters and installations. |
There was a problem hiding this comment.
Main question for me:
What does it help our customers achieve? Is it, "Manage stacks of apps on fleets of clusters" and challenges related to that?
(If it is, then this is the thing Batman wants to help customers achieve. And I'd like to explore this opportunity to take this next step in that direction.)
There was a problem hiding this comment.
I would say this is one approach which could achieve the goal of "Manage stacks of apps on fleets of clusters".
I would appreciate Batman input & opinions here :)
There was a problem hiding this comment.
@cokiengchiara Yes this tooling would help customers to manage the app CRs and user values configmaps and secrets for their apps. With stacks of apps on fleets of clusters that becomes more complex.
There is a lot of content out there on the benefits the GitOps approach provides. I don't want to repeat that but maybe https://www.gitops.tech/ helps as an overview / starting point.
There was a problem hiding this comment.
I agree with "Manage stacks (or fleets) of apps on fleets of clusters", and to be clear that means it is not just app CRs that get managed, but all kinds of YAML that a customer can and should create on the MCs. So I would generalize this a bit in two directions:
- it's not about apps, it's about the Management API (MAPI)
- it's not about gitops per se, it is about enabling tooling against the MAPI that needs "an agent" in the MC and cannot just externally work against the MAPI.
| ## Open Questions | ||
|
|
||
| ### 1. General direction | ||
| 1.1 We would like to allow our customers to choose their management tooling freely. Do we want to support some tools with e.g. a managed app first though? |
There was a problem hiding this comment.
We want to let customers choose their tooling freely but I think we need some validation so only a subset of apps can be installed in management clusters.
Starting with a managed app first makes sense to me. Especially if its a tool we choose to use ourselves.
There was a problem hiding this comment.
I agree that managed apps makes sense. It's also a question of how much freedom we give customers / how much we allow them to "fuck up".
There was a problem hiding this comment.
It could be that we limit this for the beginning to there's this selection of apps (at the get go 1) that you can install on your MC using our interface. very controlled.
Later, it could be extended to having nicely isolated namespaces in the MC where we can give a certain amount of more freedom, but even there because of the limits of isolation we need to be very careful and we might never get there completely.
There was a problem hiding this comment.
because it's not only about "fuckign up" it might also be that there's cases of actual multi-tenancy within an MC, where there's an untrusted org
| 1.2 Do we own the gitops tooling or is it purely owned by the customer? | ||
|
|
||
| ### 2. Technical issues | ||
| 2.1 How does the setup for an in-cluster agent look like? Currently customers will struggle setting up an in-cluster agent with appropriate permissions. |
There was a problem hiding this comment.
In the app CR the customer just needs to set .spec.kubeConfig.inCluster to true.
We should also make our kubeconfigs work with GitOps tooling. They don't currently work with Flux because of how we name the secrets we generate in cluster-operator.
There was a problem hiding this comment.
Sorry this was bad phrasing on my part:
This more refers to the initial agent set-up (at least as long as we don't have a managed app). We will currently struggle to not give the agent full permissions to all namespaces, right?
There was a problem hiding this comment.
This more refers to the initial agent set-up (at least as long as we don't have a managed app). We will currently struggle to not give the agent full permissions to all namespaces, right?
Ah got it. Yes I think we'll need to restrict the permissions. Taking Flux as an example AIUI there are multi tenancy patterns with a system Flux for platform admins and then multiple Flux's for teams.
My proposal would be we follow that approach and offer a managed app with the locked down setup. This is another argument for offering managed apps for this IMO.
| ### 2. Technical issues | ||
| 2.1 How does the setup for an in-cluster agent look like? Currently customers will struggle setting up an in-cluster agent with appropriate permissions. | ||
|
|
||
| 2.2 How do we ensure security requirements when customer interaction increases? |
There was a problem hiding this comment.
There is a multi tenancy problem with chart CRs and their related configmaps and secrets.
These are currently stored in the giantswarm namespace. Before enabling customers to create apps in management clusters I think we should move this to their organization or cluster namespace.
| We currently give customers access to the management clusters but do not support them in utilizing this access effectively in terms of git ops related management (e.g. for apps). | ||
|
|
||
| Context: | ||
| Some customers might be interested in utilizing mainstream git ops tooling in order to manage their apps across clusters and installations. |
There was a problem hiding this comment.
@cokiengchiara Yes this tooling would help customers to manage the app CRs and user values configmaps and secrets for their apps. With stacks of apps on fleets of clusters that becomes more complex.
There is a lot of content out there on the benefits the GitOps approach provides. I don't want to repeat that but maybe https://www.gitops.tech/ helps as an overview / starting point.
|
I think the primary interface should remain the Management API and App CRD to not force an option on customers. But I like the idea and I don't see this as blocking that. Allowing customers to choose their own GitOps tooling could make using app platform easier and unblock more complex use cases. I liked the demo Halo did with Flux. Especially using SOPS to encrypt the secrets which is a complex area. Argo could also be interesting especially its workflow engine. This could also enable customers to use these tools directly rather than App Platform if they work better for their use case. |
|
There are also some notes (since quite some time) in our brain storm doc: https://docs.google.com/document/d/1-zgREXVmnu2Rd7QLnrKO15MJWSkWS9_yBWkzFZsSRNw/edit#heading=h.c80optp1pse7 |
|
Few more comments from me:
All in all, as MVP, 1 opinionated tool, deployed on-demand by us and only configured by customers makes a lot of sense to me. |
| ### 1. General direction | ||
| 1.1 We would like to allow our customers to choose their management tooling freely. Do we want to support some tools with e.g. a managed app first though? | ||
|
|
||
| 1.2 Do we own the gitops tooling or is it purely owned by the customer? |
There was a problem hiding this comment.
I would say this could be similar to other managed apps, they might start in a low support level and move up if we feel confident, some might never be mananged
|
|
||
| 2.2 How do we ensure security requirements when customer interaction increases? | ||
|
|
||
| 2.3 Do we foresee issues when introducing gitops tooling to already existing resources? |
There was a problem hiding this comment.
depends how invasive the tooling is, like does it delete and recreate resources or does it "adopt" and apply/update
There was a problem hiding this comment.
Yes! This needs to be checked for each GitOps tool separately if resources changed by happa or gsctl will be changed back to the state the GitOps tool knows.
Random idea: At least flux applies labels to ressourced managed by it, so we could display (for example) clusters installed through the GitOps tool as read-only
| 2.3 Do we foresee issues when introducing gitops tooling to already existing resources? | ||
|
|
||
| ### 3. Guidance | ||
| 3.1 How do we support customers in making sensible decision in terms of tooling choice with gitops? |
There was a problem hiding this comment.
@piontec was proposing a SPIKE within balo looking at the alternatives and forming a first opnion, as currently GS has no or only very low informed opinions it feels
| ### 3. Guidance | ||
| 3.1 How do we support customers in making sensible decision in terms of tooling choice with gitops? | ||
|
|
||
| 3.2 Do we aid customers with repository structure for their gitops approach? |
There was a problem hiding this comment.
if this is sth we believe should be used, we could or rather should accompany the offering with docs as well as tutorials or workshops that educate the users. This is really nice in the context of moving Room 1 customer to Room 2 for example.
|
|
||
| 3.2 Do we aid customers with repository structure for their gitops approach? | ||
|
|
||
| 3.3 Do we offer customers to give us shared access to their repository for additional review? |
There was a problem hiding this comment.
Interesting Q, for me especially interesting if we could find a mutual interest there, as we already often have this between us and customers, where we also hate up waking up because of misconfiguration so we have an incentive to help out and avoid bad config. Also, interesting how that would play into our new Solutions Engineering approaches. cc @giantswarm/se
There was a problem hiding this comment.
If we publish some guidelines (previous point) I do think it is fine checking current existing or future repo structure and whole design as part of SE consultancy work
There was a problem hiding this comment.
I think this could be a really nice opportunity, especially thinking of moving Room 1 customers towards Room 2.
I could also see sense in making our approach staged from "very restrictive/controlled" MVP towards more "freedom", but I'd leave that open to future evaluation as there could be benefits to a more free approach that save initial efforts on our side and do not open up the pandoras box of security.
…structure for RFCs.
|
Please make sure to pull the changes before making new modifications. I've renamed the folder and markdown as we agreed on a slightly different structure for RFCs. |
|
@snizhana-dynnyk do we have roadmap issues towards implementing the ideas here now? |
|
There is a roadmap issue now. Merging here. |
Please discuss the comment publicly here. We want to find some alignment on our approach.