kops get --full should not be used for kops create

[justinsb]

As discussed on slack:

If you want to see the complete spec, you also pass --full ... but ...
We just discovered that some people are doing a get with --full and then feeding this back into kops create -f
I am not sure if anyone else is doing this. Things will not go well.
Here's what happens ... you see every field as populated, and then kops will assume you want to actively specify those fields.
So - for example - kops sets a bunch of flags for you based on the networking or kubernetes version you are using
That is the difference between the default and the --full spec
The --full spec is after the inference
The problem is e.g. if you upgrade kubernetes, if a flag changed, we will assume you want to override the flag value, and we won't use the new logic
So you'll end up passing deprecated flags, for example

I'm wondering if other people may have also fallen into this trap. I can see two ways around it:

• the "carrot" - provide a single command to export everything (nodes & igs). kops get -oyaml. I want this anyway 🙂
• the "stick" - add an annotation to anything exported with kops get --full so that it cannot be directly used in kops create -f. We would log an explanation, and if you really want to do it, you could just remove the annotation.

[chrislovecnm]

Low hanging fruit is put in nasty warning message

kops get cluster $CLUSTER_NAME --full -o yaml
# WARNING - THIS IS FOR DIAGNOSTIC ONLY - USE AT YOU OWN RISK FOR CLUSTER CREATION
# ONLY USE REQUIRED AND MODIFIED ELEMENTS
# kop get cluster -o yaml will display the required elements.

[goraxe]

Some folks are even more sneaky and grab the config directly from the state bucket and feed that back into kops. How about a validate mode, which can be fed a set of config and emit some warnings / errors. That can be worked into our CI/CD system. I want a stage in there anyway which does some validity checks to make sure noone is trying to delete the master instance group or other mistakes.

[chrislovecnm]

@goraxe grabbing it out of the STATE_STORE can cause all kinds of problems :(

A linter built into kops would be awesome. We have issues around helm functionality as well. Contributions are always appreciated!

[goraxe]

@chrislovecnm gotta love users right? I was kinda aware I was violating a backend. It was a result of some fairly nasty shell script and makesfiles being wrapped around kops and needing to come up with a process for managing changes to clusters a little better. I'm more of a fan of revisioned config then revisioned nested scripts wiring through env variables. Especially when needing to review said changes. The lower the cognitive friction the better. Now I'm aware there could be issues I will slim things down to the minimum set we require.

I will see what I can do on the contributions front, my current manager seems pretty keen for some of the things we are building to be opened up. I also try to participate in opensource communities which I'm working with, just need signoffs from certain folks etc. May also come from a different identity more associated with $work ... depends a little on legal, policy, etc.

[chrislovecnm]

@goraxe we always appreciate the help! FYI - we have developer office hours ever other Friday. See the Readme for the details.

I think multiple issues are causing this problem

1. We do not have a way to way to run a single command and get a full yaml - we need a get command that outputs a yaml - clusterspec and ig.
2. We are missing good docs for our API - we need to figure out if we can leverage the swagger doc gen that code now has.
3. People have requested a helm like functionality - really cool idea
4. We need to warn users that they are doing something that is dangerous "--full"

I did it, number 4, and I really should know better.... I write this code..

How do you think we can make kops more awesome?

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

[chrislovecnm]

We have a warning now

/close