enable_aggregation: Set the default to true #76
Conversation
|
Yes waiting on it. I would like others to put their comments here. |
|
@surajssd I'm not familiar with cert-manager latest upgrade, but are you sure it is mandatory? I know you and @invidian worked on this, but I think @invidian mentioned it was optional (like, you can use cert-manager without aggregation). Can you confirm, @invidian ? I think aggregation should be enabled by default, intuitively, because you can't use HPA without it and that is quite common. But if there is an easy way to enable aggregation on a running cluster (I know we don't support it without cluster re-creation right now, unless maybe the daemonsets are editted manually) we might be able to default to disabled and enable "on demand". But I'd like to research a little on the pros/cons before switching this at the project level default mode. Do you have any ideas on the trade-offs? |
Good point from architecture point of view.
It is recommended to have webhooks enabled for additional verification etc, but they are not required. |
|
So is it agreed upon that we need aggregation enabled by default? |
surajssd
force-pushed
the
surajssd/enable-aggregation
branch
from
a039ee6
to
17e43e7
Compare
|
@surajssd there is knob for this already. Why would we change the default without knowing the trade-offs we are doing when switching the default? Is changing the default urgent for some reason I'm missing that we can't evaluate that decision carefully? Like I said in my previous comment, I guess this might be the right call. But can't we do a little research on the pros/cons of this change and the trade-offs that it implies? (this might be relevant security-wise, right?). I'd prefer to do an informed decision (but my opinion is not final, so ignore me if you want). I won't stop you if you thik this is needed ASAP, of course. |
invidian
force-pushed
the
surajssd/enable-aggregation
branch
from
17e43e7
to
26a649c
Compare
Will merge today if there is no objections. |
|
@invidian not sure. The confromance test has been run recently (some months after that patch was merged) and they run okay AFAIK. And, IIUC, we didn't enable api aggregation: https://github.com/kinvolk/lokomotive-kubernetes/tree/master/docs/conformance (look at the terraform code). Maybe conformance test were run using something older than that commit? Having a quick look, it was run using sonobuoy 0.16.2 (was recent by the time). There are newer releases, though: https://github.com/vmware-tanzu/sonobuoy/releases. Haven't had enough time to see how the conformance tests are really run, so not sure what could be the cause of conformance test passing with API aggregation disabled. Maybe that PR is unrelated? Really not sure, nor have the time to check that now :-/ IMHO, if the reason to merge this is that conformance test need it, then we need to check that conformance test fail without this and work with this. Again, I guess this is what we probably might end up doing (as I mentioned here: #76 (comment)) but I'd like to understand the reasoning and a minimal trade-off that this change implies. Needed due to pass conformance test seems good enough for me, but if it is actually needed ;) |
|
We can wait until we upgrade to 1.17 then. I'm pretty sure conformance tests will fail then without aggregation enabled. |
AFAIK conformance tests fail w/o aggregation since v1.14 (see e.g. poseidon/typhoon#436), so if they didn't fail for us: did we run old tests or not run them at all? |
|
Thanks for the input @schu! From the issue you linked:
Speaking from experience, having aggregation disabled is a PITA. Also, if conformance test requires it to be enabled, it must not be that insecure I think... I also couldn't find any good arguments against it except the one mentioned in the issue. The k8s documentation also does NOT warn about it.
|
As expected, Lokomotive without aggregation enabled is not complaint. Cluster deployed from 89c3a65. |
|
@invidian oh, cool. Thanks! If you have it still handy wanna check if they pass (or at least that doesn't faiil) with this enabled? Or have you checked that too setting the var, instead of relying on defaults? If you don't have it handy, no problem. |
There was a problem hiding this comment.
LGTM, thanks for the good work! :-D
It will be good to confirm that this fixes the conformance test (at least that test) as expected and update the commit with the new reasoning.
Do you have the test environment created still and is easy to test again with the setting enabled? Or is it too late now?
Also, would you mind creating an issue to investigate the other conformance test that failed in your run?
|
Will rebase and do all that @rata, thanks for LGTM. |
invidian
force-pushed
the
surajssd/enable-aggregation
branch
from
26a649c
to
830a777
Compare
Done, see 830a777.
I've tested it this morning. With aggregation enabled, the fail is gone.
No, so I created #124. |
Thanks!
Rock! :D
Thanks again! |
invidian
force-pushed
the
surajssd/enable-aggregation
branch
from
830a777
to
f691935
Compare
Aggregation layer is now a requirement when running conformance tests, so it should be enabled by default. Additionally, with usage of the latest cert-manager it is obligatory to enable api aggregation on the apiserver. This commit changes the behavior of the installer to enable aggregation by default. Signed-off-by: Suraj Deshmukh <suraj@kinvolk.io> Signed-off-by: Mateusz Gozdek <mateusz@kinvolk.io>
invidian
force-pushed
the
surajssd/enable-aggregation
branch
from
f691935
to
8066b76
Compare
|
Resolved conflicts. |
With usage of the latest cert-manager it is obligatory to enable api
aggregation on the apiserver.
This commit changes the default behavior of the installer to always
enable aggregation.