Cluster / InstanceGroup File Assets

[gambol99]

@chrislovecnm @justinsb ...

The current implementation does not make it ease to fully customize nodes before kube install. This PR adds the ability to include file assets in the cluster and instaneGroup spec which can be consumed by nodeup. Allowing those whom need (i.e. me :-)) greater flexibilty around their nodes. @note, nothing is enforced, so unless you've specified anything everything is as the same

• updated the cluster_spec.md to reflect the changes
• permit users to place inline files into the cluster and instance group specs
• added the ability to template the files, the Cluster and InstanceGroup specs are passed into context
• cleaned up and missed comment, unordered imports etc along the journey

notes: In addition to this; need to look at the detecting the changes in the cluster and instance group spec. Think out loud perhaps using a last_known_configuration annotation, similar to kubernetes

[k8s-ci-robot]

Hi @gambol99. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[gambol99]

/assign @justinsb

[gambol99]

just realized i could use instead

c.AddTask(&nodetasks.File{
	Path:  filepath.Dir(asset.Path),
	Type:  nodetasks.FileType_Directory,
	Mode:  s("0700"),
	Owner: s("root"),
        Group: s("root"),
})

[gambol99]

a friendly ping :-) @justinsb ... Note we've also raised #3120 so changes would be detectable

[justinsb]

So not saying "no" here, but the long term direction is towards immutable infrastructure and OS independence, and I worry that this is setting us up for something we don't really want to encourage.

Would you mind describing some of the use-cases (you can always let me know privately if they are sensitive). Hooks are still early, but they are likely to be a better way IMO, and it does seem that we can do anything in them!

For example, rather than do iptables-restore, the hook could install your rules even when we swap out iptables. Or a daemonset could not apply the iptables rules, but also continue to synchronize them even if they somehow got out of sync - and also makes it easier to update the ruleset because you can then use kubernetes to manage it.

That said I recognize that just dropping a file is the path of least resistance, and we don't want to make things unnecessarily hard for you (or anyone!)

[k8s-github-robot]

@gambol99 PR needs rebase

[gambol99]

hi @justinsb ... similar lines to the #3063 PR ... the driving force provide this was a concrete, versioned, immutable and tagged version for production. I becomes difficult to test and ultimately provide assurance if you have a bunch on third party includes via daemonset's and external pipelines.

[gambol99]

this also permit's us to use a token webhook and place the config on box without having to go via an external hook

[gambol99]

hey @justinsb ... is there any other chances you want made to this? ...

[justinsb]

I would be much more comfortable if this was marked as an alpha feature or similar.

[justinsb]

Looks like we merged containsRole :-)

[justinsb]

Do you need the mode? I'm more worried about execute permissions and noexec than anything else here...

[justinsb]

Would you be OK with putting the assets all into the same directory i.e. dropping this field? I'm thinking then we don't have to worry about immutable base images, and we also could in theory deliver the assets via another mechanism, i.e. just like configmap in a pod.

[justinsb]

If we do want to allow Templated, we have to be really careful - it ties us to a particular version of the API objects. So we should be specifying the API version somehow. But I think I would rather not include Templated at all, and push people to hooks, because our experience of go templating is that they rapidly become unmaintainable.

[justinsb]

Can we change all the API []*FileAssetSpec to []FileAssetSpec please? I know we have a lot of []*T but API machinery is happier with []T

[justinsb]

OK, I've been thinking about this a lot, and I think we should do this PR, but I'd suggest a few tweaks:

• The mental model I'm using is secrets or configmap, which exist independently, can be mounted on the filesystem, but could also be delivered by other mechanisms today or in future (e.g. a secure secret channel, or env vars)
• If we can, I would like to keep the files in a particular directory, e.g. /etc/kubernetes/assets or similar. Then this will work on immutable images. Not sure whether that works for your use cases. The would imply not having the Path field - not sure if that works for you.
• Similarly, allowing the executable mode is a tricky one. Do you actually need customizable modes?
• In a different way, templates are also worrying to me. They tend to evolve into "real programming", and then the limitations of the templating system become very apparent vs go code. That's what we found with kops anyway.

I guess the question is which of your use cases would this break? And can I instead volunteer to write you some hooks or extends kops/nodeup (particularly for the ones that need to be executable)?

BTW, for webhook tokens, we did merge initial support for "kopeio" authentication, so explicit support might also be an option (search for writeAuthenticationConfig).

[gambol99]

hi @justinsb ... i've removed the Mode and Template (we are templating on the outside anyhow, so one more thing to template isn't a big deal. It was introduced as figured given the API scheme remained static is was ok to use template, but i get the concern). In regard to the Path could we compromise and say default /srv/kubenetes/assets/ and then allow an override a user override

[justinsb]

Unused now I think

[justinsb]

Would be good to validate the base64 value here as otherwise will fail in nodeup

[gambol99]

indeed .. that's a good shout .. I'll add it to the PR

[justinsb]

/lgtm

[justinsb]

/ok-to-test

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gambol99, justinsb

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• OWNERS [justinsb]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[justinsb]

/retest

[justinsb]

Flakiness is being tracked in upstream issue: kubernetes/kubernetes#51128, hopefully fixed by kubernetes/kubernetes#51144

[eparis]

/retest
merged the referenced fix

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue