[Kic2.0] Fix KIC image deployment failure #1486 #1487
Conversation
Codecov Report
@@ Coverage Diff @@
## next #1487 +/- ##
==========================================
- Coverage 51.39% 51.27% -0.12%
==========================================
Files 91 91
Lines 6300 6342 +42
==========================================
+ Hits 3238 3252 +14
- Misses 2768 2796 +28
Partials 294 294
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
ccfishk
added
area/maintenance
ccfishk
changed the title
ccfishk
changed the title
|
Do we know where the attempt to edit Historically we haven't had any system to automatically infer the admin API URL from a Service or similar, and hadn't had any plans to add one, as directly providing a URL has been sufficient. Can you elaborate on why you added it? The proposal here makes several decisions we wouldn't want (always using HTTP and sending traffic through an Ingress rather than to a Service over the intra-cluster network) that the URL avoids. Manifests we planned to handle in #1256, though that's more about building out new kustomize helpers than just providing a manifest--the existing 1.x manifests should work fine for now. |
Please ignore the specific error messages (sorry for that example details) since different ones pop up when debugging deployment. The purpose of this PR is to unblock controller manager in cluster deployment with appropriate configuration which is illustrated in the yaml and readme file. The points of the Kong Admin API URL is to remove hardcode ip address (publishStatusAddress) and leverage environment variable retrieving service information. Understand the previous configuration due to controller and proxy are in the same namespace and same pods. Now, we have the flexibility to de-couple them in 2.0 |
shaneutt
dismissed
their stale review
Dismissing my review to unblock: @mflendrich needs to review here as there is duplication with his recent PR and they need to be coordinated.
Agree that both publish-service and PublicStatusAddress should retain as it is, which was covered by #1509 and #1451. It is unrelated to the KIC individual deployment yaml KIC does need KongAdminAPI for configuration communication, Current configuration way https:/Kong/kubernetes-ingress-controller/pull/1500/files#L90 assumes all modules are in the same node and having static port (8444), this will break if we deploy controller and proxy separately. The function retrieve Admin ip and port through namespace and name configuration. https:/Kong/kubernetes-ingress-controller/pull/1487/files#diff-786a1651aa544e8c2f84a32b474758ecb0f8e6c5d9d745b5f643d3d786bc57c4R152 |
…troller into kic2.0-deployment
|
The assumptions in the various all-in-one YAMLs are by design: those are intentionally opinionated configurations for a select few common configurations (OSS or Enterprise, either with or without a database). They use a single Pod with one Kong container and a controller container because that topology is simple to manage, suitable for many users (especially those that don't have a known reason to use some other topology), and has security benefits for OSS (placing the controller in the same Pod means you don't need to expose the admin API, which is a simple means of securing it without RBAC). If you want another topology, we currently instruct you to use the chart or to build your own manifests by hand. That stems from a combination of historical reasons (when we started providing manifests, Helm was fairly mature and both Kustomize and Operators were new) and capacity (we have limited resources to maintain deployment tools, so have not built out more complex Kustomize manifests or a non-Helm Operator). We don't provide plain manifests for topologies other than single-Pod because there are so many of them (you can basically mix and match any of the ~12 options covered in the chart documentation, and even the chart doesn't commit to handling all topologies in their entirety--many require multiple releases). That all said, I still don't think we gain anything by building admin API information from a Service rather than providing a URL, and introduces new problems (which aren't solved here yet):
IMO we'd only want to add the Service option if we had some functionality that required interactions with the Kubernetes API (e.g. we want to get endpoint information or need to edit its metadata for some reason), and I don't think we have any such functionality proposed. Between that and the other points above, I'd recommend we close this and continue the manifest changes separately in #1500 and other issues attached to #1256. |
[Jimin] No doubt about all-in-one benefits - simplicity. Stick to design, the Kong Admin TLS option https:/Kong/charts/blob/main/charts/kong/values.yaml#L117 provides the scalability to allow other components access the service either in cluster or out of the cluster with security. Also, from standardization point of view, each component/service/controller deploy separately provides the topology management flexibility, rather than simplicity.
[Jimin] OK. ATM, most users are using HELM style deployment, users might not be familiar with kubectl tool deployment. I think the kubectl apply -f resource.yaml tool gives user the options to modify resources (namespace etc) on the fly - easy. Yes, we also need consider the chart compitablity.
[Jimin] Either from service, or URL, the point is to avoid hardcode configuration - localhost:8444; 127.0.0.1:8001. Need also use the deployment configuration if there is .
[Jimin] We can use svc-name.namespace if the Admin is deployed from a cloud provider with valid HostName as external IP. Thats a valid point - both IP and HostName. Will change accordingly.
[Jimin] we do provide well-defined compatibility https:/Kong/kubernetes-ingress-controller/pull/1487/files#diff-777c5b378220515f6b692537382429104081d22a761062c7e2f0919e6c0d1757R221
[Jimin] I think this PR and #1500 provides different solutions to different use cases which direct us to k8s standardization. I would suggest to de-duplication and merge them accordingly. |
|
Had offline discussion with @mflendrich, also @rainest's input - users get used to helm charts for deployment mainly atm. Change the PR to WIP. |
ccfishk
changed the title
ccfishk
changed the title
[Jimin] @rainest here is the answer to the question "what issue we had there", update 1.3.x all-in-one as a base
deployment throws following following error messages time="2021-07-09T01:19:57Z" level=error msg="Reconciler error" error="secrets "default-token-m5gft" is forbidden: User "system:serviceaccount:kong:kong-serviceaccount" cannot update resource "secrets" in API group "" in the namespace "metallb-system"" logger=controller-runtime.manager.controller.secret name=default-token-m5gft namespace=metallb-system reconciler group= reconciler kind=Secret time="2021-07-09T01:33:32Z" level=error msg="Reconciler error" error="endpoints "rancher.io-local-path" is forbidden: User "system:serviceaccount:kong:kong-serviceaccount" cannot update resource "endpoints" in API group "" in the namespace "local-path-storage"" logger=controller-runtime.manager.controller.endpoints name=rancher.io-local-path namespace=local-path-storage reconciler group= reconciler kind=Endpoints
|
|
tl;dr the permissions failures are because the controller wanted to add finalizers, and couldn't after I removed resource-wide edit permissions. There are subresource permissions that we could add instead to fix this, but we no longer need them following the removal of finalizers in #1522. @ccfishk are you still seeing deploy failures with latest next? For testing/pending completion of #1256 1.x manifests should work with: These errors: come from adding finalizers to resources, which is a metadata update. We originally had broader permissions on resources, and I reduced permissions on most resources to We no longer will need those since we've removed finalizers in #1522 There's a bit of (possible) inaccuracy in the kubebuilder examples, where https://book.kubebuilder.io/reference/using-finalizers.html indicates you should have full edit permissions on the resource for finalizers, but it looks like those aren't necessary. You can handle the finalizer RBAC needs with If we were to continue using them, we'd want to add that to the kubebuilder RBAC tags in the |
[Jimin] AFAIK, finalizer only applied for resource deletion, we apply finalizer for KIC ingress we created. If your operation include all namespaces/any resources, might be associated to this error. Not sure why only got this complain at that moment, would like to take one more look/dig into my case.
[Jimin] aware of the permission scope - it is not Kong's cluster, user's cluster. Agree restrict permission is good. thanks. |
Some of the errors from controller-gen reconciler code are unfortunately rather opaque--they tell you they're trying to edit an object and failed, but not the specific edit and/or where in the code it logged the error. Don't actually recall how I realized the finalizers were the culprit last week. I observed that adding to roles cleared it, but forget why I thought to do that--I think it was reading through the generated reconciler and seeing which successful logs appeared and checking what client actions it took after. Doing that is rather tedious. |
|
Close this atm according to discussion last Friday, also tests this week. |
What this PR does / why we need it:
Able to deploy kong ingress controller into the cluster namespace using a yaml and controller is able to run and function as expected.
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes ##1480
#1421
#1256
Special notes for your reviewer:
PR Readiness Checklist:
Complete these before marking the PR as
ready to review:CHANGELOG.mdrelease notes have been updated to reflect any significant (and particularly user-facing) changes introduced by this PR