Remove InstanceGroup from NodeupModelContext

[johngmyers]

Move all data from InstanceGroup into NodeupModelContext.NodeupConfig to address some of the issues mentioned in #9229.

There could be an issue if the Hooks or FileAssets are too big to fit in userdata.

Creates a new NodeupAuxConfig struct which is read from an instancegroup-specific file in the state store.

[hakman]

/retest

[johngmyers]

/retest

[hakman]

I think we may need to rebase :)

[johngmyers]

/retest

[johngmyers]

/retest

[justinsb]

Sorry about the delay in reviewing this. So I believe we had problems fitting in the 16KB limit in the past, which is why we had this split. I don't have an example to hand though. I suspect the most likely case would be if we were adding some certificates or keys, simply because those compress so poorly.

For the nodes, we could move to fetching this data from kops-controller, which would have two advantages: no S3 access required (so fewer node permissions), and effectively no limit on the size.

That doesn't really help us on the control plane nodes, though.

I do really like the simplification of the code here, so I would like to see us get this in; we just need to satisfy ourselves that we aren't going to paint users that have large fileAssets/keys into a corner.

I propose:

• We verify that we do compress the userdata if it's > 16KB, just so we know the limit we're dealing with on AWS (GCE has a similar limit, but it's much bigger - 256KB if memory holds)
• We bring it up at office hours on Friday, to see if there are use cases we're missing (and if people still do this)
• We think about adding a external mechanism for these files: PKI data could be referenced from the kops CAStore, fileAssets or hooks could be referenced by URL (including an S3 url). I don't love the URL option (in particular), I just think we probably need to offer something here.

[johngmyers]

The only other thing I can think of is store them in a per-launchconfiguration directory in vfs with deletion tied into the code that deletes old launchconfigurations (/launchtemplates).

[k8s-ci-robot]

@johngmyers: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
pull-kops-verify-hashes	1f8d717	link	/test pull-kops-verify-hashes

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[johngmyers]

/retest

[justinsb]

How about nodeconfig or configversion or fullconfig?

[johngmyers]

It's the config specific to particular instancegroups. First I partition by IG role (because that's the granularity our IAM roles currently have), then by IG. Whether the config is "full" or versioned is secondary to this partitioning.

[justinsb]

Does strings.ToLower(string(ig.Spec.Role)) need to be in the path?

[johngmyers]

That's so we can deny the nodes IG role read access to other IG roles' config.

[justinsb]

Should we put these fields (EnableLifecycleHook, UpdatePolicy) into the AuxConfig? I figure we make this config only what we need to load the other configuration.

[johngmyers]

I've been leaning towards putting as much of the small stuff into the userdata as possible. If we can gain confidence that we have enough testing to catch any breakage in the AuxConfig mechanism, I'd like to have nodeup skip loading the AuxConfig in the common case where everything fits in userdata.

I think we can get to the case where in the common case the worker nodes don't need any access to the state store.

[johngmyers]

Ah, I see. If you have to go to the state store, you might as well get everything from there instead of going field-by-field. So we'd put everything in Config and when it's too big, spill it to the state store and put a smaller bootstrap thing in userdata.

I'll put it on the backlog, but unblocking v1beta1 apiversion is higher priority.

[justinsb]

Maybe instead of calling this AuxConfig, NodeFullConfig would be consistent with ClusterFullConfig. I see, nodeup.Config as more the auxiliary configuration ... it is the small config (constrained by userdata size) that lets us locate and load the real config.

[johngmyers]

I'd prefer not to put duplicate, unused fields in this object.

I have thought of using the same schema for userdata's Config and this file in the state store. That would allow putting the hooks, etc. in the userdata when they fit. The userdata would then have metadata saying "pull these fields from the one in the state store" when things don't fit.

But that is all more complicated and should be deferred until after we get more experience and better testing around the exceptional cases.

[justinsb]

A few quibbles, but I like where this is going and I think we can discuss the quibbles separately.

Going to apply a hold in case you immediately agree with any of the suggestions (and want to change them here), but otherwise please just remove the hold.

/approve
/lgtm

/hold

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: justinsb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [justinsb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[johngmyers]

These comments are all things that can be dealt with in future PRs, possibly in future releases.
/hold cancel