config/v1/types_infrastructure.go: add service endpoints to aws platform status #599
Conversation
openshift-ci-robot
added
the
size/S
|
/assign @soltysh |
abhinavdahiya
force-pushed
the
aws_service_endpoints
branch
from
1881232 to
2e7af5c
Compare
openshift-ci-robot
added
size/M
|
Before this merges, I think the related enhancement needs to reach closure. Creating an api that requires stitching in at least four different operators seems like a bad pattern to create without buy in from those components. In addition, the user input here would result in either an improper cloud.conf being provided to those components or information duplication. If you provided an operator/cluster-config-operator control loop to perform the stitching it would make this much more palatable. /hold |
openshift-ci-robot
added
the
do-not-merge/hold
from the PR description..
|
abhinavdahiya
force-pushed
the
aws_service_endpoints
branch
2 times, most recently
from
529b4b8 to
332b556
Compare
|
The enhancement was approved, do we need to update anything here to sync with changes or is this ready to go? @abhinavdahiya @deads2k |
config/v1/types_infrastructure.go
Outdated
| // platformSpec holds desired information specific to the underlying | ||
| // infrastructure provider. | ||
| // +optional | ||
| PlatformSpec *PlatformSpec `json:"platformSpec,omitempty"` |
There was a problem hiding this comment.
I think an empty type implies missing. We try to avoid pointers.
There was a problem hiding this comment.
since go marshal/unmarshal doesn't omit empty structs, I think pointer is a better choice here.
Also this is important for migrations as detailed in https://github.com/openshift/api/pull/599/files#r401189373
There was a problem hiding this comment.
since go marshal/unmarshal doesn't omit empty structs, I think pointer is a better choice here.
We are ok with including empty values in serialization. In some ways it's even good since it outlines what is available and what is not. We've been avoiding pointer in our config structs to good effect. If migration cannot be handled another way we would do it, but I don't think that's the case today.
By allowing empty string in Type, you can distinguish intent.
| // type is the underlying infrastructure provider for the cluster. This | ||
| // value controls whether infrastructure automation such as service load | ||
| // balancers, dynamic volume provisioning, machine creation and deletion, and | ||
| // other integrations are enabled. If None, no infrastructure automation is |
There was a problem hiding this comment.
how will you migrate existing clusters on update?
There was a problem hiding this comment.
@deads2k
personally, the platformSpec should be empty nil <=> no configuration for infra like we support today.
and when users want to modify existing clusters to add infra specific desired state, the validations should force them to set the type and corresponding platformSpec.
But if you think emptying out the spec to just platform type and empty platform spec is more suitable, which i don't think we should be doing, we (same team that is doing the platformstatus migration) can write the migration to set it.
secondary, there is planned change to validations (in openshift kube-apiserver) to make sure the type doesn't change once set. i.e when the platformSpec is once set, it can't change the type.
config/v1/types_infrastructure.go
Outdated
| // This must be provided and cannot be empty. | ||
| Name string `json:"name"` | ||
|
|
||
| // URL is hostname only or fully qualified URI that overrides the default generated |
There was a problem hiding this comment.
do we allow http or only https? I strongly prefer the latter.
There was a problem hiding this comment.
personally that's the restriction from AWS SDK, and i'm tracking that here. it doesn't say http or https only...
There was a problem hiding this comment.
personally that's the restriction from AWS SDK, and i'm tracking that here. it doesn't say http or https only...
We get to be opinionated in our API. If calls should only be https, then we should restrict them. The doc doesn't match the field name. why hostname only in a url field?
config/v1/types_infrastructure.go
Outdated
| // AWSServiceEndpoint store the configuration of a custom url to | ||
| // override existing defaults of AWS Services. | ||
| type AWSServiceEndpoint struct { | ||
| // Name is the name of the AWS service. |
There was a problem hiding this comment.
we need to restrict these names. enumerated keys would be best. Name restrictions would be second best.
There was a problem hiding this comment.
The names cannot be restricted. The number of AWS services are unbounded, and we can't play catchup with AWS SDK here. The requirement is users should be able to set endpoints for any AWS service.
There was a problem hiding this comment.
We need to at least document a naming convention for AWS services. We can't have customers define S3 as the service name, and have things like the image registry not pick up the endpoint because its operator is expecting s3 as the service name...
There was a problem hiding this comment.
We need to at least document a naming convention for AWS services. We can't have customers define S3 as the service name, and have things like the image registry not pick up the endpoint because its operator is expecting s3 as the service name...
that's what i'm saying, AWS controls the names of the services and not us... so personally i don't really know how we can unless we wanna play catch up all the time..
?? open to suggestions that don't end up hard coding the list.
There was a problem hiding this comment.
Here's an idea - for a given AWS service:
- Drop any "AWS" or "Amazon" prefix.
- Drop any "Service" suffix.
- If the service has a well-established acronym in AWS documentation, use that in all capitals. Example:
EC2,S3,ELB,VPC,RDS. - Otherwise, use the service name in
CamelCase. Ex:Route53,ElastiCache. Names should have a leading capital letter.
There was a problem hiding this comment.
@adambkaplan please no, AWS services already have names in their SDK:
There was a problem hiding this comment.
+1 @dmage - seems like this is the canonical list of endpoints. Make sense for us to out-link to their SDK source?
There was a problem hiding this comment.
It makes sense to reference. A quick scan seems to reveal that they don't support emoji characters. Anything other than a-z,-,0-9? We can start restrictive, but catching obvious typos like that seems like a good idea.
| // PlatformSpec holds the desired state specific to the underlying infrastructure provider | ||
| // of the current cluster. Since these are used at spec-level for the underlying cluster, it | ||
| // is supposed that only one of the spec structs is set. | ||
| type PlatformSpec struct { |
There was a problem hiding this comment.
indicate how these are vetted, validated, and promoted.
There was a problem hiding this comment.
these
wdym by these? individual platform specs or something else.
|
/assign @deads2k |
|
@abhinavdahiya @deads2k any idea when this will land? Downstream operators are expected to consume this in 4.5 to fulfill https://issues.redhat.com/browse/CORS-1271 right? |
config/v1/types_infrastructure.go
Outdated
| // AWSServiceEndpoint store the configuration of a custom url to | ||
| // override existing defaults of AWS Services. | ||
| type AWSServiceEndpoint struct { | ||
| // Name is the name of the AWS service. |
config/v1/types_infrastructure.go
Outdated
| // This must be provided and cannot be empty. | ||
| Name string `json:"name"` | ||
|
|
||
| // URL is hostname only or fully qualified URI that overrides the default generated |
| // URL is hostname only or fully qualified URI that overrides the default generated | ||
| // endpoint for a client. | ||
| // This must be provided and cannot be empty. | ||
| URL string `json:"url"` |
There was a problem hiding this comment.
@damemi do we default to required or optional? Is there any downside to simply specifying everything?
abhinavdahiya
force-pushed
the
aws_service_endpoints
branch
from
332b556 to
f3bb448
Compare
config/v1/types_infrastructure.go
Outdated
| Name string `json:"name"` | ||
|
|
||
| // URL is hostname only or fully qualified URI that overrides the default generated | ||
| // url is hostname only or fully qualified URI with schemes https or http, that overrides the default generated |
There was a problem hiding this comment.
What requires HTTP? Do we really want to allow that. If we don't know of anything, let's require secure to match the posture of the rest of the product.
There was a problem hiding this comment.
What requires HTTP? Do we really want to allow that. If we don't know of anything, let's require secure to match the posture of the rest of the product.
AWS SDK supports it, and that's way I have it here, keeping the parity with AWS SDK.
abhinavdahiya
force-pushed
the
aws_service_endpoints
branch
from
1bd3edd to
3428c53
Compare
|
/lgtm squash please, then retag at will. |
openshift-ci-robot
added
lgtm
…orm spec and status The change is based on the aws-custom-region-custom-endpoints enhancement [1]. This change only addresses the service endpoints list in the infrastructure object. The service endpoints URL currently only support `https` schemes to follow openshift security stance. [1]: https://github.com/openshift/enhancements/pull/163/files#diff-b6a7e34af40d81a977a31247b107348eR191-R203
abhinavdahiya
force-pushed
the
aws_service_endpoints
branch
from
5dbb30e to
6c25f0f
Compare
|
/lgtm |
openshift-ci-robot
added
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhinavdahiya, deads2k The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
…ud-config ConfigMap cloudConfig is now generated by kube_cloud_config controller for all supported platforms. Controller generates kube-cloud-config ConfigMap in openshift-config-managed namespace where cloud.conf key is stored. Links: - https://github.com/openshift/enhancements/blob/master/enhancements/installer/aws-custom-region-and-endpoints.md - openshift/api#599 - openshift/api#621
10 participants
The change is based on the aws-custom-region-custom-endpoints enhancement. This change only adds the status update because the spec update requires the work of
addtional operator that will be added later on, and therefore that change will be added when the work for operator is in flight and this change allows operators to have a head start for that time.