Conversation
|
Integration test results for 507f9f3: success 🎉 |
|
Per #2337 (comment) I'm considering scoping stage 1 strictly to cluster-level resources:
|
There was a problem hiding this comment.
Looks like a good start to me 👍
Per your last comment, if you limit the first stage to just cluster-level resources, you'd increase the chance of getting warning events during the second stage.
Also users might start entering config flags in the first stage, so we'll have to persist them in the main ConfigMap in that stage. This also means we'll have to update that config with flags passed during the second stage. We can't fail in the second stage if there's already a ConfigMap, so most likely we'll have to introduce a new field to distinguish between finished installs and configed-only ones.
I added a couple of comments regarding ordering/dependencies in #2337 (comment).
| linkerd install | kubectl apply -f - | ||
|
|
||
| # Installation may also be broken up into two stages by user privilege. | ||
| linkerd install config | kubectl apply -f - |
There was a problem hiding this comment.
How about adding a note that this stage requires cluster-admin privileges?
| proxyInjectorConfigTemplateName = "templates/proxy_injector-config.yaml" | ||
| proxyInjectorTemplateName = "templates/proxy_injector.yaml" | ||
| spValidatorConfigTemplateName = "templates/sp_validator-config.yaml" | ||
| spValidatorTemplateName = "templates/sp_validator.yaml" |
There was a problem hiding this comment.
Out of curiosity, why did these get the axe?
There was a problem hiding this comment.
Since these strings only occur in one place, I prefer to just hard-code them. This way I can look at one place in the file rather than two to get my head around what's happening.
ihcsim
left a comment
ihcsim
left a comment
There was a problem hiding this comment.
LGTM. I assume the TODOs will happen in other PRs?
As for scoping stage 1 strictly to cluster-level resources, I think it depends if an operator/admin who runs linkerd install config cares about things like secrets and global configs or not, in particular, I am thinking of the --identity-* flags.
|
My expectation is the linkerd control plane admin will have to care about the issuer credentials; not the cluster admin. |
siggy
force-pushed
the
siggy/install-stages
branch
from
507f9f3 to
bb9fc00
Compare
I think this is ok for now (at least not worse than current state). Per #2337 (comment), Kubernetes is designed to handle not everything being available during startup, and I'm increasingly feeling that we should not try to control/solve deployment ordering.
I've rebased the whole PR to make the first stage cluster-level resources only, and also added some code to disable most flags for the first stage. |
|
Integration test results for bb9fc00: success 🎉 |
siggy
force-pushed
the
siggy/install-stages
branch
from
bb9fc00 to
7e4ad1f
Compare
|
Integration test results for 7e4ad1f: success 🎉 |
siggy
force-pushed
the
siggy/install-stages
branch
from
7e4ad1f to
a1d4f9b
Compare
|
Integration test results for a1d4f9b: success 🎉 |
cli/cmd/install.go
Outdated
| if f.Changed { | ||
| switch f.Name { | ||
| // TODO: remove "proxy-auto-inject" when it becomes default | ||
| case "linkerd-namespace", "proxy-auto-inject": |
There was a problem hiding this comment.
I think we should add to this list ignore-cluster and all the global config flags.
There was a problem hiding this comment.
I meant all the "global flags" (--api-addr, etc)
There was a problem hiding this comment.
The flags var passed into this function comes from installOptions.recordableFlagSet(), which does not include the "global flags".
$ bin/go-run cli install config --api-addr foo > /dev/null && echo $?
0
$ bin/go-run cli install config --admin-port 123 > /dev/null && echo $?
Error: flag not available for config stage: --admin-port
Usage:... that said, i'm realizing that there is also installOnlyFlagSet, none of which should be set during linkerd install config, i have pushed a new commit to reflect this. i don't think linkerd install config --ignore-cluster should be supported, as it has no effect on the output.
There was a problem hiding this comment.
linkerd install config --ignore-clustershould be supported, as it has no effect on the output.
linkerd install and linkerd install config both check if linkerd already exists in the cluster, so I was thinking on allowing that flag in both cases for consistency.
There was a problem hiding this comment.
oops sorry i mean linkerd install config --ignore-cluster should not be supported (i think you read it the way i intended anyway ;) ) ...
nice catch! i failed to realize that linkerd install config would error out if a cluster already existed, and not providing an --ignore-cluster flag leaves the user completely unable to render that output. i've pushed a new commit to always allow linkerd install config to succeed, regardless of cluster state.
|
If not through some sort of state field in the global ConfigMap, what's the plan for ensuring |
@alpeb I think we can manage a lot of this via docs. I'd like to ensure users can run these commands in any order, just to see the output. While the behavior of |
|
Integration test results for 8a8be09: success 🎉 |
|
I kinda think we may need to evaluate the user experience more when a user tries to install the control plane without running Error from server (NotFound): error when creating "STDIN": namespaces "linkerd" not foundWhich may be a little shocking when running |
@dadjeibaah Your comments and @alpeb's are making me think we need to guide the user a bit more via the cli. Maybe we can have $ linkerd install control-plane
Error: 'linkerd' namespace does not exist, run 'linkerd install config' first, or 'linkerd install control-plane ignore-cluster' to get the output anyway.
$ linkerd install control-plane --ignore-cluster
---
kind: Service
...@grampelberg thoughts? |
|
It's not clear which flags are available to each stage. You think it would be too much to have these be totally different commands, like |
|
@alpeb good points re: which flags work for which commands. Creating different commands would make that clearer. I think another approach could be to set these up as proper Cobra subcommands of Either way, I'd like to get this baseline functionality merged as-is, to minimize merge conflicts with ongoing install/inject work. I've filed #2729 to track this. |
|
@alpeb @dadjeibaah @grampelberg latest commit causes $ bin/go-run cli install control-plane
Failed to find the Linkerd control-plane namespace. If this expected, use the --ignore-cluster flag.
Error: The "linkerd" namespace does not exist
$ bin/go-run cli install control-plane --ignore-cluster
---
kind: ConfigMap
... |
|
Integration test results for 6a9be59: success 🎉 |
| hc := newHealthChecker( | ||
| []healthcheck.CategoryID{healthcheck.KubernetesAPIChecks}, | ||
| time.Time{}, | ||
| ) |
There was a problem hiding this comment.
TIOLI: we might gain some consistency by reusing this same minimalistic healthchecker in exitIfClusterExists. That might need some new hc.CheckConfigMap method to replace the direct call we're making in existIfClusterExists.
There was a problem hiding this comment.
Agree, I looked at refactoring this a bit further, then backed it out in the interest of getting this PR through. I captured your comment, and related requirements for healthcheck and client creation via #2735.
grampelberg
left a comment
grampelberg
left a comment
There was a problem hiding this comment.
- I'd like to expand on #2729 a little bit with different help text as well as flags.
- @adleong had a good suggestion for a flag that was different than
--ignore-cluster, it seemed like a good idea at the time. - Should we move all service accounts into stage1? There's no RBAC but as a cluster admin I'd restrict creation of service accounts on a per-namespace basis.
Mostly just some questions/comments, this feels pretty good as it is. Definitely a step in the right direction!
|
The check that the Linkerd namespace exists before running |
cli/cmd/install.go
Outdated
|
|
||
| err := hc.CheckNamespace(context.Background(), controlPlaneNamespace, true) | ||
| if err != nil { | ||
| fmt.Fprintln(os.Stderr, "Failed to find the Linkerd control-plane namespace. If this expected, use the --ignore-cluster flag.") |
There was a problem hiding this comment.
Probably our first suggestion should be to run linkerd install config. Maybe something like:
"Failed to find required control-plane namespace: %s. Run linkerd install config -l %s | kubectl apply -f - to create it (this requires cluster administration permissions.) See {website docs link} for more information. Or use {flag} to proceed anyway."
This change introduces two named parameters for `linkerd install`, split by privilege: - `linkerd install config` - Namespace - ClusterRoles - ClusterRoleBindings - CustomResourceDefinition - `linkerd install control-plane` - ConfigMaps - ServiceAccounts - Secrets - Deployments - Services Comprehensive `linkerd install` is still supported. TODO: - `linkerd check` support - `linkerd upgrade` support - integration tests Part of #2337 Signed-off-by: Andrew Seigner <[email protected]>
Signed-off-by: Andrew Seigner <[email protected]>
Signed-off-by: Andrew Seigner <[email protected]>
Signed-off-by: Andrew Seigner <[email protected]>
Signed-off-by: Andrew Seigner <[email protected]>
Signed-off-by: Andrew Seigner <[email protected]>
Signed-off-by: Andrew Seigner <[email protected]>
Signed-off-by: Andrew Seigner <[email protected]>
siggy
force-pushed
the
siggy/install-stages
branch
from
e2fc912 to
3e7cf8d
Compare
cli/cmd/install.go
Outdated
|
|
||
| success := hc.RunChecks(exitOnError) | ||
| if !success { | ||
| fmt.Fprintln(os.Stderr, "Failed to connect to Kubernetes. If this expected, use the --ignore-cluster flag.") |
There was a problem hiding this comment.
I think this message needs to be updated as well
Signed-off-by: Andrew Seigner <[email protected]>
|
Integration test results for b2c04f4: success 🎉 |
cli/cmd/public_api.go
Outdated
| package cmd | ||
|
|
||
| // TODO: this file should probably move out of `./cli/cmd` into something like | ||
| // `./cli/publicapi` or `./cli/pkg` |
There was a problem hiding this comment.
maybe create an issue and link to it in this TODO?
There was a problem hiding this comment.
filed #2735 yesterday to track, have updated the comment for reference.
Signed-off-by: Andrew Seigner <[email protected]>
|
Integration test results for 2f85d3d: fail 😕 |
8 participants
This change introduces two named parameters for
linkerd install, splitby privilege:
linkerd install configlinkerd install control-planeComprehensive
linkerd installis still supported.TODO:
linkerd checksupportlinkerd upgradesupportPart of #2337
Signed-off-by: Andrew Seigner [email protected]