v1alpha2 API #1183
v1alpha2 API #1183
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
justinsb
force-pushed
the
use_ig_for_bastions_2
branch
2 times, most recently
from
fba580c to
13f5ef3
Compare
|
@kris-nova the TF changes are now manageable I think:
So if you have a look at the TF changes here I think they are more understandable now: dfc2fa7 |
| @@ -13,7 +13,7 @@ resource "aws_autoscaling_group" "bastion-privateweave-example-com" { | |||
| launch_configuration = "${aws_launch_configuration.bastion-privateweave-example-com.id}" | |||
| max_size = 1 | |||
| min_size = 1 | |||
| vpc_zone_identifier = ["${aws_subnet.private-us-test-1a-privateweave-example-com.id}"] | |||
| vpc_zone_identifier = ["${aws_subnet.utility-us-test-1a-privateweave-example-com.id}"] | |||
There was a problem hiding this comment.
We aren't renaming private subnets to utility subnets are we?
In general the 2 conventions that we were using
Public
These are where the NAT gateways live, and have the synonym utility
Private
These are private, and hold the resources like instances
There was a problem hiding this comment.
In general this was a PITA because the keyword private was easily confused with what kops calls a private topology
There was a problem hiding this comment.
We are not, but "normal" public & private subnets (where nodes live) are unqualified i.e. us-east-1a.k8s.example.com in both topologies. We have to do this because when we're doing the version conversion we don't have access to the full cluster state. It does have some advantages though - I think it might be possible to move from topology public <-> private, though I haven't tried it..
There was a problem hiding this comment.
The utility subnet (ELBs, NAT gateways) is only used in private topologies, and is always public. I did debate renaming it to dmz (as I think that's the common term) but utility is probably at least as clear and less likely to offend.
|
@justinsb your changes LGTM if you could please follow up on my comment about the |
|
Also CI and e2e. Any way we going to get those to pass? |
|
|
||
| apimachinery: | ||
| #go install ./cmd/libs/go2idl/conversion-gen | ||
| ~/k8s/bin/conversion-gen --input-dirs k8s.io/kops/pkg/apis/kops/v1alpha1 --v=8 --output-file-base=zz_generated.conversion |
There was a problem hiding this comment.
Should we have the comments parts in another target and have this documented?
There was a problem hiding this comment.
Well... so the challenge is that the fix I had to make it k8s so the conversion generator works only just landed today. So we also have to update k8s to the latest, or pull it out into the shared repo. I'm inclined to do the latter. It's a placeholder for actually installing the code for real
There was a problem hiding this comment.
I would encourage us to bump k8s version before this merges.
There was a problem hiding this comment.
Just starting review but do we have an API machinery doc floating around this PR?
There was a problem hiding this comment.
We don't but we have #1164
Bumping k8s version means going onto the master branch :-(
| @@ -96,7 +96,12 @@ func RunCreateInstanceGroup(f *util.Factory, cmd *cobra.Command, args []string, | |||
| // Populate some defaults | |||
| ig := &api.InstanceGroup{} | |||
| ig.ObjectMeta.Name = groupName | |||
| ig.Spec.Role = api.InstanceGroupRole(options.Role) | |||
|
|
|||
| role, ok := api.ParseInstanceGroupRole(options.Role, true) | |||
There was a problem hiding this comment.
So I got coached on using err, so we should use err ;)
There was a problem hiding this comment.
Another case of weird golangisms...
This is actually fine - the function api.ParseInstanceGroupRole() is not returning an err but rather returning a bool than be used in a very similar way as err
Usually you see this if the function doesn't actually do anything wrong, just returns a bool that the user can trigger off of
| cmd.Flags().DurationVar(&rollingupdateCluster.MasterInterval, "master-interval", 5*time.Minute, "Time to wait between restarting masters") | ||
| cmd.Flags().DurationVar(&rollingupdateCluster.NodeInterval, "node-interval", 2*time.Minute, "Time to wait between restarting nodes") | ||
| cmd.Flags().DurationVar(&rollingupdateCluster.BastionInterval, "bastion-interval", 5*time.Minute, "Time to wait between restarting bastions") |
There was a problem hiding this comment.
Oh crap, this will impact my pr ...
There was a problem hiding this comment.
Do we need a change here? This PR is huge - to say the least, in a name of keeping the comments clean can you let us know if anything needs to change? If so - what?
There was a problem hiding this comment.
What is needed? We have nothing here that suggests a change to be honest.
Don't understand what we need to do
There was a problem hiding this comment.
I will handle on my PR ;) We cannot drain a Bastion ;)
| ) | ||
|
|
||
| type ClusterSubnetSpec struct { | ||
| // TODO: Rename |
There was a problem hiding this comment.
Is this todo still valid?
There was a problem hiding this comment.
Yes, I probably should do this - I changed it from Name -> SubnetName to force compiler errors, because previous Name was actually Zone. This rename will not be visible outside the code though. But I'll do it!
There was a problem hiding this comment.
I noticed we had subnet.SubnetName floating around earlier - if we have a usecase for it let's leave it - but if we can use subnet.Name I would prefer that to keep things consistent.
| if len(c.Spec.AdminAccess) == 0 { | ||
| c.Spec.AdminAccess = append(c.Spec.AdminAccess, "0.0.0.0/0") | ||
| // TODO: Move elsewhere | ||
| if len(c.Spec.SSHAccess) == 0 { |
There was a problem hiding this comment.
Think @vendrov can refactor
There was a problem hiding this comment.
What needs to be changed here?
| } | ||
|
|
||
| nodeUpTags, err := buildNodeupTags(role, tf.cluster, tf.tags) | ||
| if err != nil { | ||
| return "", err | ||
| return nil, err | ||
| } |
There was a problem hiding this comment.
SGTM - might I have a fmt please sir
| var r realVPCDHCPOptionsAssociation | ||
| if err := json.Unmarshal(data, &r); err != nil { | ||
| return err | ||
| } |
There was a problem hiding this comment.
I think I should stop asking
There was a problem hiding this comment.
Particularly on autogenerated code :-)
| return a[i].Zone < a[j].Zone | ||
| } | ||
|
|
||
| func assignCIDRsToSubnets(c *kops.Cluster) error { |
There was a problem hiding this comment.
This is fun code. How much test coverage do we have?
There was a problem hiding this comment.
I see unit tests.. See comment about negative test cases.
| @@ -0,0 +1,150 @@ | |||
| /* | |||
| Copyright 2016 The Kubernetes Authors. | |||
There was a problem hiding this comment.
Would love to see some negative test cases. If I am reading this correctly we do not have any, could be wrong
There was a problem hiding this comment.
Let's do it in another PR
| default: | ||
| return fmt.Errorf("unknown group type for group %q", group.InstanceGroup.ObjectMeta.Name) | ||
| } | ||
| } | ||
|
|
||
| // Upgrade bastions first; if these go down we can't see anything |
There was a problem hiding this comment.
Ok so we update the bastion here. No drain, but definitely validate.
There was a problem hiding this comment.
Yep - just get these out of the way first IMHO
There was a problem hiding this comment.
Great test for this PR, push my PR to after this monster
|
Think this PR will only address a couple of open bugs... SGTM |
We probably shouldn't, but we delete the ASG when you `kops delete ig`. If the ASG doesn't exist though, we can still delete the IG.
Utility subnets are only for type=Bastion
As the subnets will partition the parent NetworkCIDR, so they require it to be set.
By testing with data from various schema versions, we effectively check that they are equivalent. Also this uncovered a few places where we were not strictly ordering things - add some sorts in there.
justinsb
force-pushed
the
use_ig_for_bastions_2
branch
from
3043b4c to
91b77ae
Compare
|
Jenkins Kubernetes AWS e2e failed for commit 91b77ae. Full PR test history. The magic incantation to run this job again is |
|
|
||
| apimachinery: | ||
| #go install ./cmd/libs/go2idl/conversion-gen | ||
| ~/k8s/bin/conversion-gen --input-dirs k8s.io/kops/pkg/apis/kops/v1alpha1 --v=8 --output-file-base=zz_generated.conversion |
There was a problem hiding this comment.
Just starting review but do we have an API machinery doc floating around this PR?
| if existingZones[zone] == nil { | ||
| cluster.Spec.Zones = append(cluster.Spec.Zones, &api.ClusterZoneSpec{ | ||
| Name: zone, | ||
| for _, subnetName := range parseZoneList(c.Zones) { |
There was a problem hiding this comment.
Zone's and subnets are hard
It looks like parseZoneList return a slice of subnet names..? Is that what we want?
There was a problem hiding this comment.
Probably not - thanks :-)
| } | ||
|
|
||
| if c.Bastion { | ||
| return fmt.Errorf("Bastion supports --topology='private' only.") |
There was a problem hiding this comment.
Can we get rid of the command line flag connotations in error messages?
We call kops as a library often, and the users typically have no concept of --topology
Wordsmith:
return fmt.Errorf("Attempting to create bastion, in a non-bastion configuration (Topology: private)")
| @@ -96,7 +96,12 @@ func RunCreateInstanceGroup(f *util.Factory, cmd *cobra.Command, args []string, | |||
| // Populate some defaults | |||
| ig := &api.InstanceGroup{} | |||
| ig.ObjectMeta.Name = groupName | |||
| ig.Spec.Role = api.InstanceGroupRole(options.Role) | |||
|
|
|||
| role, ok := api.ParseInstanceGroupRole(options.Role, true) | |||
There was a problem hiding this comment.
Another case of weird golangisms...
This is actually fine - the function api.ParseInstanceGroupRole() is not returning an err but rather returning a bool than be used in a very similar way as err
Usually you see this if the function doesn't actually do anything wrong, just returns a bool that the user can trigger off of
| } | ||
|
|
||
| func runTest(t *testing.T, clusterName string, srcDir string) { | ||
| func runTest(t *testing.T, clusterName string, srcDir string, private bool) { |
There was a problem hiding this comment.
Woo! Private bool! (No change needed)
| } | ||
|
|
||
| // SSH is open to AdminCIDR set | ||
| if b.Cluster.IsTopologyPublic() { |
There was a problem hiding this comment.
What about if !b.Cluster.IsTopologyPublic()? Where are defining the security groups that open the IG's to the ELB security groups?
There was a problem hiding this comment.
When we define that ELB, we do it there. So api_loadbalancer
We can refactor if you'd prefer
There was a problem hiding this comment.
PS the refactoring will be much easier once we get this in - just normal go refactoring :-)
There was a problem hiding this comment.
yes yes indeed - this is far from a deal breaker, and more exciting than anything.. The PRs coming through on this code are going to do just fine - no refactor needed :)
| @@ -0,0 +1,25 @@ | |||
| /* | |||
There was a problem hiding this comment.
Convenience functions are good.. and I see when they are useful..
But I have to gripes here..
misc.go
Just naming a file that, opens up the door to contributors dropping in arbitrary logic they don't want to figure out where it should really go
Suggest: convenience.go
s() and i64()
While these are super handy, and I love them in the new models.. they don't really tell the dev (usually me) what the heck they do..
(Yes I mean this) Can we maybe use the convenience functions as wrappers to very specific verbose function names?
func s(v string) *string {
return stringToStringPointer(v)
}
func stringToStringPointer(v string) *string {
return &v
}
It might seem like super over kill to dig 3 functions deep just to add a & to the beginning of a string variable name, but pointers are a huge deal. Also when we are working on the models, if we need to see what s() does, the code will document itself immediately.
There was a problem hiding this comment.
Just in general whenever a shortcut name like s() is used, I have found it useful to have it wrap a more verbose function - that's all I am getting at - simple code doc would work too
There was a problem hiding this comment.
Great suggestion.
We actually have aws.String and fi.String so I delegated to those already (and added a comment to fi.String)
I actually debated having a macros package and _ importing them, but I like your convenience.go suggestion a lot better!
| @@ -0,0 +1,118 @@ | |||
| apiVersion: kops/v1alpha2 | |||
There was a problem hiding this comment.
So this is great - I love seeing these new tests come to life - Good job @justinsb
| @@ -0,0 +1,182 @@ | |||
| package cloudup | |||
There was a problem hiding this comment.
Headers here,
Also GJ on getting the subnets here - you read my mind
| default: | ||
| return fmt.Errorf("unknown group type for group %q", group.InstanceGroup.ObjectMeta.Name) | ||
| } | ||
| } | ||
|
|
||
| // Upgrade bastions first; if these go down we can't see anything |
There was a problem hiding this comment.
Yep - just get these out of the way first IMHO
|
Removing WIP! |
krisnova
dismissed
chrislovecnm’s stale review
I think we discussed most of these concerns
|
This is a big PR, with a ton of work thanks to @justinsb - This change LGTM
|
This change is