feat: Add ObservabilityUI plugins API#434
Conversation
jgbernalp
requested review from
danielmellado and
jan--f
and removed request for
a team
|
Hi @jgbernalp. Thanks for your PR. I'm waiting for a rhobs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
jgbernalp
force-pushed
the
add-observability-ui-plugins
branch
2 times, most recently
from
f0c64c4 to
b81e843
Compare
jgbernalp
force-pushed
the
add-observability-ui-plugins
branch
from
b81e843 to
6707faf
Compare
|
Generally this looks good, I might have requests on some details later. |
Thanks for the initial check. I agree, we should verify whether the cluster supports the ConsolePlugin and, if it's not present, skip the reconciliation process. Imo since the service is relevant only within an OpenShift cluster where plugins are available, opting to skip reconciliation seems to be an adequate solution also for the serving cert annotation. |
|
I was also about to suggest to drop openshift-specific names like groupAPI but it just makes sense to completely fall back if on non-openshift cluster. +1! |
Sharing my experience on how we isolate OpenShift features in Loki Operator the last two years:
|
|
Reading quickly through the discussion, I think that the Loki approach is lean and flexible (thanks @periklis for the details!). FWIW the upstream Prometheus operator does something different: it introspects CRDs + RBAC permissions to adjust the behavior at runtime (e.g. conditional start of some controllers) but the situation isn't the same since we don't control the deployment model (can be custom installation, Helm, OLM, ...) and have to deal with users not updating everything when they upgrade to a new operator version. One question would be regarding HyperShift: do you foresee (or have you experienced) a situation where the operator depends on a feature that exists in classic OCP but not in HyperShift? |
Not yet! But from experience with ARO/ROSA I can foresee the following workflow, assuming Service Delivery is managing the Loki Operator installation for customers:
In general our support matrix for feature gates settings in Loki Operator has been static and in turn weakly tested to users manipulating them before installing the operator. We suspect with quite a confidence that some combinations will break the operator entirely. Therefore we give them a static but tested configmap upfront in the bundle as per later being treated immutable by OLM. |
jgbernalp
force-pushed
the
add-observability-ui-plugins
branch
from
7862c0d to
eb5f959
Compare
jgbernalp
force-pushed
the
add-observability-ui-plugins
branch
from
eb5f959 to
c588944
Compare
|
/ok-to-test |
| // +required | ||
| // +kubebuilder:validation:Required | ||
| // +kubebuilder:validation:Enum=dashboards | ||
| Type UIPluginType `json:"type"` |
There was a problem hiding this comment.
I was experimenting with ObservabilityUIPlugin creation in an OpenShift cluster and even though the type is displayed as required (in UI), I can create a plugin with an empty value.
Perhaps the // +kubebuilder:validation:Enum=dashboards should be applied to UIPluginType type (example here)
There was a problem hiding this comment.
I think this is still problematic (enum required validation). Maybe the ObservabilityUIPluginSpec should not have omitempty for validation to happen and it should probably be // +kubebuilder:validation:Enum=Dashboards
Maybe we could also declare Dashboards as the default value, but I don't know what the future plans are.
|
|
||
| ### Dashboards | ||
|
|
||
| The plugin will search for datasources as ConfigMaps in the `openshift-config-managed` namespace with the `console.openshift.io/dashboard-datasource: 'true'` label. The namespace `openshift-config-managed` is required, more details on how to create a datasource ConfigMap can be found in the [console-dashboards-plugin](https://github.com/openshift/console-dashboards-plugin/blob/main/docs/add-datasource.md) |
There was a problem hiding this comment.
we might need to update this section if the plugin searches only in the COO namespace.
There was a problem hiding this comment.
The plugin will search only in the openshift-config-managed namespace. This can be adjusted in the future to be a configurable value. But now it follows the same namespace as the console dashboards.
| case uiv1alpha1.TypeDashboards: | ||
| { | ||
| readerRoleName := plugin.Name + "-datasource-reader" | ||
| datasourcesNamespace := "openshift-config-managed" |
There was a problem hiding this comment.
just for my own education, this is currently hardcoded by the plugin?
There was a problem hiding this comment.
This can be configured in the plugin using the --dashboards-namespace flag but its default is openshift-config-managed. At this point there is a single deployment template used for any plugin. This might change when we add support for other plugins that need specific options.
| }, | ||
| ObjectMeta: metav1.ObjectMeta{ | ||
| Name: readerRoleName, | ||
| Namespace: datasourcesNamespace, |
There was a problem hiding this comment.
if the role is limited to the COO namespace, shouldn't we adjust the --dashboards-namespace plugin flags accordingly?
https://github.com/openshift/console-dashboards-plugin/blob/6800afc1e9bd785e31bf0a7a4b7d282d60eb0b1a/cmd/plugin-backend.go#L17
| // RBAC for managing observability ui plugin objects | ||
| //+kubebuilder:rbac:groups=apps,resources=deployments,verbs=list;watch;create;update;patch;delete | ||
| //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=list;watch;create;update;delete;patch | ||
| //+kubebuilder:rbac:groups="",resources=serviceaccounts;services;configmaps,verbs=get;list;watch;create;update;patch;delete |
There was a problem hiding this comment.
Do we really need create/update/patch/delete permissions?
It can be adjusted as a follow-up and in fact, we probably want to review/tidy up the operator permissions after the PR merges.
There was a problem hiding this comment.
I created a follow up task https://issues.redhat.com/browse/COO-121
| resources: | ||
| - uiplugins | ||
| verbs: | ||
| - create |
There was a problem hiding this comment.
same remark here regarding permissions
There was a problem hiding this comment.
I created a follow up task https://issues.redhat.com/browse/COO-121
jgbernalp
force-pushed
the
add-observability-ui-plugins
branch
from
53789b5 to
adece23
Compare
jgbernalp
force-pushed
the
add-observability-ui-plugins
branch
from
adece23 to
6e99265
Compare
simonpasquier
dismissed
periklis’s stale review
IIUC the concern was about the UIPlugin resource being namespace-scoped, it's now cluster-scoped.
| func (r Updater) Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme) error { | ||
| if r.resourceOwner.GetNamespace() == r.resource.GetNamespace() { | ||
| // If the resource owner is in the same namespace as the resource, or if the resource owner is cluster scoped set the owner reference. | ||
| if r.resourceOwner.GetNamespace() == r.resource.GetNamespace() || r.resourceOwner.GetNamespace() == "" { |
|
I didn't test/review in depth the latest version of the PR but you've got my virtual |
|
Besides the nit issue on the commit-lint IMHO this is ready to merge. @jgbernalp mind addressing that? Tnx! |
jgbernalp
force-pushed
the
add-observability-ui-plugins
branch
from
4ccc116 to
090b61e
Compare
jgbernalp
force-pushed
the
add-observability-ui-plugins
branch
from
090b61e to
a7e6188
Compare
|
@jgbernalp: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Works as expected, follow-up tasks for some minor nits are created and tracked. Good to go, thanks everyone! |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jan--f, jgbernalp The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
8 participants
This PR adds the Observability UI CRDs.
https://issues.redhat.com/browse/OU-357
Every ObservabilityUIPlugin, creates the following resources:
And patches the console to add the plugin so is enabled in the web console