Add cluster-api integration enhancement #913
Conversation
alexander-demicev
force-pushed
the
capi
branch
from
130b51f to
fe7a469
Compare
elmiko
left a comment
elmiko
left a comment
There was a problem hiding this comment.
good start, i have a few questions inline, also i'm curious about how a user might use CAPI on OpenShift. will we allow users to create new clusters from the CAPI on their OpenShift install? (essentially allowing them to use OpenShift as the management cluster for new workload clusters)
alexander-demicev
force-pushed
the
capi
branch
2 times, most recently
from
6688bc9 to
8c35095
Compare
alexander-demicev
force-pushed
the
capi
branch
from
8c35095 to
131c5b1
Compare
|
|
||
| In order to maintain the lifecycle of Cluster API related resources, we will create a new operator `cluster-capi-operator`, this name was chosen for avoiding confusion with upstream Cluster API operator. | ||
| This operator will be responsible for all administrative tasks related to the deployment of the Cluster API project within the cluster. | ||
| During tech preview phase, the new operator will also manage all Cluster API related CRDs. All CRD manifests will placed in openshift forks of CAPI and will take from there with no changes. |
There was a problem hiding this comment.
FWIW in hypershift will install these CRDs in clusters that it runs.
There was a problem hiding this comment.
you will need to change the CRD to convert from cert-manager to service-ca (minor). Also not convinced that within in each fork is the best location as it's going to make rebasing harder. So far I have done this in my pr here openshift/cluster-capi-operator#8 .
Argument for this:
- the operator controls the version of each provider so having the manifests seems reasonable
- reduces the rebase difficulty in each provider
- can do translations from cert-manager to service-ca in one place
alexander-demicev
force-pushed
the
capi
branch
from
131c5b1 to
681ee9e
Compare
elmiko
left a comment
elmiko
left a comment
There was a problem hiding this comment.
i think this is looking better @alexander-demichev , i left a couple comments. also, it might be helpful to start resolving some of the conversations to make the reviewing a little easier.
|
|
||
| - During tech preview `cluster-capi-operator` will have permissions to manage CRDs, this might be a not secure permission for an operator. | ||
| - Note, this permission should be restricted to creating CRDs only, as once installed, the technical preview cannot be uninstalled. | ||
| - CLI usage, once Cluster API is installed command like `oc get machine` will return Cluster API machines, in order to use Machine API users will have to use fully qualified name `oc get machines.machine.openshift.io`. |
There was a problem hiding this comment.
this makes me wonder if we shouldn't have some sort of warning message associated with oc get machines once the feature gate is active, but i'm not sure if that's even possible.
There was a problem hiding this comment.
Yeah, we still have to figure out what to do here.
There was a problem hiding this comment.
Where did the conversation end up with API team about changing the priority so we don't make this breaking change?
There was a problem hiding this comment.
We have a "hack" to set the preference in openshift. If we do this then any scripts should not break and users will have to use fully qualified names for CAPI resources.
There was a problem hiding this comment.
We should make a note of that hack and ideally get something to track that so we don't forget to do it
There was a problem hiding this comment.
I've just added a note
alexander-demicev
force-pushed
the
capi
branch
4 times, most recently
from
977577c to
afdc763
Compare
|
|
||
| - During tech preview `cluster-capi-operator` will have permissions to manage CRDs, this might be a not secure permission for an operator. | ||
| - Note, this permission should be restricted to creating CRDs only, as once installed, the technical preview cannot be uninstalled. | ||
| - CLI usage, once Cluster API is installed command like `oc get machine` will return Cluster API machines, in order to use Machine API users will have to use fully qualified name `oc get machines.machine.openshift.io`. |
There was a problem hiding this comment.
Where did the conversation end up with API team about changing the priority so we don't make this breaking change?
alexander-demicev
force-pushed
the
capi
branch
3 times, most recently
from
4f52628 to
107bc3d
Compare
openshift-ci
bot
added
lifecycle/rotten
|
Rotten enhancement proposals close after 7d of inactivity. See https://github.com/openshift/enhancements#life-cycle for details. Reopen the proposal by commenting /close |
|
@openshift-bot: Closed this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/reopen |
|
@alexander-demichev: Reopened this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
elmiko
left a comment
elmiko
left a comment
There was a problem hiding this comment.
i think this generally reads well to me
the only question i have, which i don't think really fits within the enhancement scope is how the capi deployment might interact with the cluster-autoscaler. by default i don't imagine it would make any difference, but there is now the possibility for a user to install the autoscaler into a namespace that could read the capi machinesets and thus work in parallel with the openshift autoscaler.
just a though, i'm not sure we need to mention it here except to maybe say that we won't change the autoscaler behavior.
|
|
||
| In order to maintain the lifecycle of Cluster API related resources, we will create a new operator `cluster-capi-operator`, this name was chosen for avoiding confusion with upstream Cluster API operator. | ||
| This operator will be responsible for all administrative tasks related to the deployment of the Cluster API project within the cluster. | ||
| During tech preview phase, the new operator leverage new [CVO feature](https://github.com/openshift/enhancements/blob/master/enhancements/update/cvo-techpreview-manifests.md) for managing all Cluster API related CRDs. |
There was a problem hiding this comment.
minor nit
| During tech preview phase, the new operator leverage new [CVO feature](https://github.com/openshift/enhancements/blob/master/enhancements/update/cvo-techpreview-manifests.md) for managing all Cluster API related CRDs. | |
| During tech preview phase, the new operator will leverage the new [CVO feature](https://github.com/openshift/enhancements/blob/master/enhancements/update/cvo-techpreview-manifests.md) for managing all Cluster API related CRDs. |
|
Rotten enhancement proposals close after 7d of inactivity. See https://github.com/openshift/enhancements#life-cycle for details. Reopen the proposal by commenting /close |
|
@openshift-bot: Closed this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/reopen |
|
@alexander-demichev: Reopened this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
alexander-demicev
force-pushed
the
capi
branch
from
f5f7b7b to
227f355
Compare
|
@elmiko I added a note about autoscaler to nongoals of this proposal. |
|
@alexander-demichev: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
elmiko
left a comment
elmiko
left a comment
There was a problem hiding this comment.
generally looks good to me @alexander-demichev , i have a couple minor nits
/approve
| - Create both Cluster and InfrastructureCluster objects with externally managed cluster infrastructure annotation. | ||
| - Ensure spec/status of InfrastructureCluster are configured for the OpenShift cluster (infrastructure information can be sourced from resources within the OpenShift Cluster). | ||
| - Patch `Cluster` status to `Ready=true`. | ||
|
|
There was a problem hiding this comment.
might be nice to put this in the non-goals as well
|
|
||
| ### Risks and Mitigations | ||
|
|
||
| - During tech preview `cluster-capi-operator` will have permissions to manage CRDs, this might be a not secure permission for an operator. |
There was a problem hiding this comment.
minor nit
| - During tech preview `cluster-capi-operator` will have permissions to manage CRDs, this might be a not secure permission for an operator. | |
| - During tech preview `cluster-capi-operator` will have permissions to manage CRDs, this might not be a secure permission for an operator. |
|
/remove-lifecycle rotten |
openshift-ci
bot
removed
the
lifecycle/rotten
|
This enhancement has been stagnant for a while with no additional feedback and no new discoveries or changes to the plan that we are implementing. Let's merge this and iterate on it if we find new stuff that's needs updating |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: elmiko, JoelSpeed The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
10 participants
No description provided.