-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cluster / InstanceGroup File Assets #3090
Conversation
Hi @gambol99. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/assign @justinsb |
nodeup/pkg/model/file_assets.go
Outdated
} | ||
|
||
// @check if the directory structure exist or create it | ||
if err := os.MkdirAll(filepath.Dir(asset.Path), 0755); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just realized i could use instead
c.AddTask(&nodetasks.File{
Path: filepath.Dir(asset.Path),
Type: nodetasks.FileType_Directory,
Mode: s("0700"),
Owner: s("root"),
Group: s("root"),
})
12f863f
to
9d11c92
Compare
8652865
to
2a0c10d
Compare
So not saying "no" here, but the long term direction is towards immutable infrastructure and OS independence, and I worry that this is setting us up for something we don't really want to encourage. Would you mind describing some of the use-cases (you can always let me know privately if they are sensitive). Hooks are still early, but they are likely to be a better way IMO, and it does seem that we can do anything in them! For example, rather than do iptables-restore, the hook could install your rules even when we swap out iptables. Or a daemonset could not apply the iptables rules, but also continue to synchronize them even if they somehow got out of sync - and also makes it easier to update the ruleset because you can then use kubernetes to manage it. That said I recognize that just dropping a file is the path of least resistance, and we don't want to make things unnecessarily hard for you (or anyone!) |
@gambol99 PR needs rebase |
this also permit's us to use a token webhook and place the config on box without having to go via an external hook |
a1539c0
to
2d5a4d2
Compare
hey @justinsb ... is there any other chances you want made to this? ... |
docs/cluster_spec.md
Outdated
@@ -249,6 +249,43 @@ spec: | |||
image: busybox | |||
``` | |||
|
|||
### fileAssets | |||
|
|||
FileAssets permit you to place inline file content into the cluster and instanceGroup specification, which can be consumed on the nodes |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would be much more comfortable if this was marked as an alpha feature or similar.
nodeup/pkg/model/file_assets.go
Outdated
return fmt.Errorf("The file asset is invalid, name: %s, error: %q", asset.Name, err) | ||
} | ||
// @check if the file asset applys to us. If no roles applied we assume its applied to all roles | ||
// @todo: use the containsRole when the hooks PR is merged |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like we merged containsRole
:-)
pkg/apis/kops/v1alpha1/cluster.go
Outdated
// Path is the location this file should reside | ||
Path string `json:"path,omitempty"` | ||
// Mode is unix filemode for the file - defaults to 0400 | ||
Mode string `json:"mode,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you need the mode? I'm more worried about execute permissions and noexec than anything else here...
// Name is a shortened reference to the asset | ||
Name string `json:"name,omitempty"` | ||
// Path is the location this file should reside | ||
Path string `json:"path,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would you be OK with putting the assets all into the same directory i.e. dropping this field? I'm thinking then we don't have to worry about immutable base images, and we also could in theory deliver the assets via another mechanism, i.e. just like configmap in a pod.
pkg/apis/kops/v1alpha1/cluster.go
Outdated
// Content is the contents of the file | ||
Content string `json:"content,omitempty"` | ||
// Templated indicates the content is templated | ||
Templated bool `json:"templated,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we do want to allow Templated, we have to be really careful - it ties us to a particular version of the API objects. So we should be specifying the API version somehow. But I think I would rather not include Templated at all, and push people to hooks, because our experience of go templating is that they rapidly become unmaintainable.
pkg/apis/kops/instancegroup.go
Outdated
@@ -94,6 +94,8 @@ type InstanceGroupSpec struct { | |||
CloudLabels map[string]string `json:"cloudLabels,omitempty"` | |||
// NodeLabels indicates the kubernetes labels for nodes in this group | |||
NodeLabels map[string]string `json:"nodeLabels,omitempty"` | |||
// FileAssets is a collection of file assets for this instance group | |||
FileAssets []*FileAssetSpec `json:"fileAssets,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we change all the API []*FileAssetSpec
to []FileAssetSpec
please? I know we have a lot of []*T
but API machinery is happier with []T
OK, I've been thinking about this a lot, and I think we should do this PR, but I'd suggest a few tweaks:
I guess the question is which of your use cases would this break? And can I instead volunteer to write you some hooks or extends kops/nodeup (particularly for the ones that need to be executable)? BTW, for webhook tokens, we did merge initial support for "kopeio" authentication, so explicit support might also be an option (search for |
17e0524
to
f1e43ac
Compare
hi @justinsb ... i've removed the Mode and Template (we are templating on the outside anyhow, so one more thing to template isn't a big deal. It was introduced as figured given the API scheme remained static is was ok to use template, but i get the concern). In regard to the Path could we compromise and say default /srv/kubenetes/assets/ and then allow an override a user override |
The current implementation does not make it ease to fully customize nodes before kube install. This PR adds the ability to include file assets in the cluster and instaneGroup spec which can be consumed by nodeup. Allowing those whom need (i.e. me :-)) greater flexibilty around their nodes. @note, nothing is enforced, so unless you've specified anything everything is as the same - updated the cluster_spec.md to reflect the changes - permit users to place inline files into the cluster and instance group specs - added the ability to template the files, the Cluster and InstanceGroup specs are passed into context - cleaned up and missed comment, unordered imports etc along the journey
- removed the Mode field from the FileAsset spec - removed the ability to template the content - removed the need to specify the Path and instead default to /srv/kubernetes/assets/<name> - change the FileAssets from []*FileAssets to []FileAssets
} | ||
|
||
// @perhaps a path finder? | ||
var templateFuncs = template.FuncMap{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unused now I think
allErrs = append(allErrs, field.Required(fieldPath.Child("Content"), "")) | ||
} | ||
|
||
return allErrs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would be good to validate the base64 value here as otherwise will fail in nodeup
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
indeed .. that's a good shout .. I'll add it to the PR
/lgtm |
/ok-to-test |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: gambol99, justinsb The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
/retest |
Flakiness is being tracked in upstream issue: kubernetes/kubernetes#51128, hopefully fixed by kubernetes/kubernetes#51144 |
/retest |
/test all [submit-queue is verifying that this PR is safe to merge] |
Automatic merge from submit-queue |
@chrislovecnm @justinsb ...
The current implementation does not make it ease to fully customize nodes before kube install. This PR adds the ability to include file assets in the cluster and instaneGroup spec which can be consumed by nodeup. Allowing those whom need (i.e. me :-)) greater flexibilty around their nodes. @note, nothing is enforced, so unless you've specified anything everything is as the same
notes: In addition to this; need to look at the detecting the changes in the cluster and instance group spec. Think out loud perhaps using a last_known_configuration annotation, similar to kubernetes