Hollow out our ConfigMaps. #3047
Conversation
knative-prow-robot
added
the
do-not-merge/work-in-progress
knative-prow-robot
requested review from
josephburnett,
lichuqiang,
markusthoemmes,
mdemirhan and
vagababov
knative-prow-robot
added
the
size/XL
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mattmoor The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
knative-prow-robot
added
the
approved
| @@ -71,6 +71,7 @@ func NewNetworkFromConfigMap(configMap *corev1.ConfigMap) (*Network, error) { | |||
| nc := &Network{} | |||
| if ipr, ok := configMap.Data[IstioOutboundIPRangesKey]; !ok { | |||
| // It is OK for this to be absent, we will elide the annotation. | |||
| nc.IstioOutboundIPRanges = "*" | |||
There was a problem hiding this comment.
@mdemirhan Does this make sense?
There was a problem hiding this comment.
- and empty have different meanings. From the config map:
# If omitted or set to "", value of global.proxy.includeIPRanges
# provided at Istio deployment time is used. In default Knative serving
# deployment, global.proxy.includeIPRanges value is set to "*".
- will intercept everything. Empty will default to Istio's installation defaults, which is vendor specific.
I think it is ok to change this behavior, given that we will soon remove this entire thing and replace is with proper Egress rules from Istio (hopefully the change will be in soon to enable us that). But for clarity, we should change the documentation in the config map and mention that both *, omitted or "" behaves the same way.
|
@mdemirhan and @tcnghia I'd like to get this blessed by both of you because there may be subtle changes to the logging/metrics or networking/istio configurations, which I'd like to have you sanity check for your respective areas. Also, if you have any light to shed on my "Note to self" I'd appreciate it. I will take a deeper look in the morning with fresh eyes that can hopefully see through the sea of IPv4 :) |
mattmoor
force-pushed
the
hollow-configmaps
branch
from
9ecf609 to
4bbf071
Compare
|
The following is the coverage report on pkg/.
|
mattmoor
force-pushed
the
hollow-configmaps
branch
from
4bbf071 to
a7233d2
Compare
knative-prow-robot
removed
the
do-not-merge/work-in-progress
|
Removing WIP, but I want multiple sets of eyeballs on this so adding a |
knative-prow-robot
added
the
do-not-merge/hold
mattmoor
force-pushed
the
hollow-configmaps
branch
from
a7233d2 to
eeb6ce0
Compare
|
Fixed the coverage dip in |
|
e2e failure looks legit, will investigate and push a fix. |
mattmoor
force-pushed
the
hollow-configmaps
branch
2 times, most recently
from
f726ef0 to
48606fa
Compare
This change hollows out the ConfigMaps that we use with Knative in order to walk a very fine line that enables us to deploy knative/serving via `ko` or `kubectl apply` while still preserving edits made to the serving ConfigMaps. This fine line is dancing around the way the `kubectl apply` annotation `kubectl.kubernetes.io/last-applied-configuration` is used to update resources. Essentially, this annotation is attached with the body of the current apply, and subsequent applications take it upon themselves to remove keys that were present in the prior apply, but not in the current apply. By reserving all of our ConfigMap keys to be specified by the user via `kubectl edit cm -nknative-serving config-foo`, which does not update the annotation, we ensure that subsequent applies won't remove the keys because those keys were never a part of the previous apply. One of the key scenarios this unlocks is the ability to preserve users' domain settings in `config-domain.yaml` across applies. Fixes: knative#2668
mattmoor
force-pushed
the
hollow-configmaps
branch
from
48606fa to
f89c5e4
Compare
|
/lgtm |
| @@ -23,14 +23,3 @@ spec: | |||
| # This is the Go import path for the binary that is containerized | |||
| # and substituted here. | |||
| image: github.com/knative/serving/cmd/queue | |||
| --- | |||
| apiVersion: caching.internal.knative.dev/v1alpha1 | |||
There was a problem hiding this comment.
can you please also explain this change in the description? this isn't a config map change.
There was a problem hiding this comment.
I removed this because it was removed from the observability ConfigMap.
| @@ -38,6 +37,17 @@ const ( | |||
| LocalGatewayKeyPrefix = "local-gateway." | |||
| ) | |||
|
|
|||
| var ( | |||
| defaultGateway = Gateway{ | |||
There was a problem hiding this comment.
Can we add instructions somewhere describing the new way of adding new config entries? Look like from now on we will need to make changes in the code to do this?
I wonder if instead we should provide a set of "default" configmap which we can automatically patch post installation? That would make it easier to add new config key.
There was a problem hiding this comment.
After I wrote this I don't know if that's even possible given what we want (default config won't be able to be migrated).
However you may know a way so I'll leave the comment here for you to decide.
There was a problem hiding this comment.
We need Operator docs on how to configure things in general. I believe some of this is documented (e.g. custom domains), but the ConfigMaps are just one class of knobs here.
| @@ -53,4 +58,4 @@ data: | |||
| # For more information, visit | |||
| # https://istio.io/docs/tasks/traffic-management/egress/ | |||
| # | |||
| istio.sidecar.includeOutboundIPRanges: "*" | |||
| # istio.sidecar.includeOutboundIPRanges: "*" | |||
There was a problem hiding this comment.
Does commenting these out result in them not being parsed in unit tests? I worry that these get stale pretty soon.
There was a problem hiding this comment.
Another (usability?) problem here is that when people does kubectl edit they probably won't see these commented out values?
I was wondering if we can prefix these with something "special" (hack?) like underscore so they still show when user does kubectl edit cm. If we do that we can also remove the defaulting logic that scatter through the code. What do you think?
There was a problem hiding this comment.
I opened #3066 to track the idea we discussed offline.
| @@ -19,36 +19,41 @@ metadata: | |||
| namespace: knative-serving | |||
| labels: | |||
| serving.knative.dev/release: devel | |||
| data: | |||
|
|
|||
There was a problem hiding this comment.
This configuration file is mainly for vendors and I don't think customers need to make any changes here or if we care to preserve their changes. Should we keep the original form of this?
There was a problem hiding this comment.
Discussed on chat. Vendors can still modify these files in releases, if they want to specify values that users shouldn't override (and each apply will clobber any user changes). If they want to let users configure them then they can omit them as we do here.
|
|
||
| # The revision log url template, where ${REVISION_UID} will be replaced by the actual | ||
| # revision uid. For the url to work you'll need to set up monitoring and have access to | ||
| # the kibana dashboard using `kubectl proxy`. | ||
| logging.revision-url-template: | | ||
| http://localhost:8001/api/v1/namespaces/knative-monitoring/services/kibana-logging/proxy/app/kibana#/discover?_a=(query:(match:(kubernetes.labels.knative-dev%2FrevisionUID:(query:'${REVISION_UID}',type:phrase)))) | ||
| # logging.revision-url-template: | |
There was a problem hiding this comment.
This is also something vendor specific and each vendor will probably want to put their own values here rather than letting customer override it.
There was a problem hiding this comment.
If vendors don't want this specified, then they can set it and kubectl apply will start to overwrite it.
| @@ -71,6 +71,7 @@ func NewNetworkFromConfigMap(configMap *corev1.ConfigMap) (*Network, error) { | |||
| nc := &Network{} | |||
| if ipr, ok := configMap.Data[IstioOutboundIPRangesKey]; !ok { | |||
| // It is OK for this to be absent, we will elide the annotation. | |||
| nc.IstioOutboundIPRanges = "*" | |||
There was a problem hiding this comment.
- and empty have different meanings. From the config map:
# If omitted or set to "", value of global.proxy.includeIPRanges
# provided at Istio deployment time is used. In default Knative serving
# deployment, global.proxy.includeIPRanges value is set to "*".
- will intercept everything. Empty will default to Istio's installation defaults, which is vendor specific.
I think it is ok to change this behavior, given that we will soon remove this entire thing and replace is with proper Egress rules from Istio (hopefully the change will be in soon to enable us that). But for clarity, we should change the documentation in the config map and mention that both *, omitted or "" behaves the same way.
|
/hold cancel |
knative-prow-robot
removed
the
do-not-merge/hold
This change hollows out the ConfigMaps that we use with Knative in order to walk a very fine line that enables us to deploy knative/serving via `ko` or `kubectl apply` while still preserving edits made to the serving ConfigMaps. This fine line is dancing around the way the `kubectl apply` annotation `kubectl.kubernetes.io/last-applied-configuration` is used to update resources. Essentially, this annotation is attached with the body of the current apply, and subsequent applications take it upon themselves to remove keys that were present in the prior apply, but not in the current apply. By reserving all of our ConfigMap keys to be specified by the user via `kubectl edit cm -nknative-serving config-foo`, which does not update the annotation, we ensure that subsequent applies won't remove the keys because those keys were never a part of the previous apply. One of the key scenarios this unlocks is the ability to preserve users' domain settings in `config-domain.yaml` across applies. Fixes: knative#2668
This change hollows out the ConfigMaps that we use with Knative
in order to walk a very fine line that enables us to deploy
knative/serving via
koorkubectl applywhile still preservingedits made to the serving ConfigMaps. This fine line is dancing
around the way the
kubectl applyannotationkubectl.kubernetes.io/last-applied-configurationis used to updateresources.
Essentially, this annotation is attached with the body of the current
apply, and subsequent applications take it upon themselves to remove
keys that were present in the prior apply, but not in the current apply.
By reserving all of our ConfigMap keys to be specified by the user
via
kubectl edit cm -nknative-serving config-foo, which does notupdate the annotation, we ensure that subsequent applies won't remove
the keys because those keys were never a part of the previous apply.
One of the key scenarios this unlocks is the ability to preserve
users' domain settings in
config-domain.yamlacross applies.Fixes: #2668
This is WIP until the supporting change knative/pkg#258 is merged and this is updated to pull from
knative/pkg.