-
Notifications
You must be signed in to change notification settings - Fork 719
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add local K8S remote cluster support #2543
Conversation
jenkins test this please |
jenkins test this please |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work! I just took a quick look.
|
||
// RemoteClusters defines some remote Elasticsearch clusters. | ||
type RemoteClusters struct { | ||
K8sLocal []K8sLocalRemoteCluster `json:"k8sLocal,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know we discussed this before but I am still not 💯 on the naming here, mostly gut feeling/aesthetics reasons, so apologies if I don't have a better suggestion right now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm trying to find alternatives. If we look at eg. VolumeSources, there's a flat list of optional sources expressed in a single struct. Maybe we could remove one layer here?
type RemoteCluster struct {
Config RemoteClusterConfig `json:"config,omitempty"`
ElasticsearchRef *commonv1.ObjectSelector
ElasticCloudRef *ElasticCloudRef
NetworkRef *NetworkRef
}
spec:
remoteClusters:
- elasticsearchRef:
name: foo
namespace: bar
config:
transport.ping_schedule: 30s
- elasticsearchRef:
name: bar
namespace: baz
config:
transport.ping_schedule: 10s
- elasticCloudRef:
clusterId: 1234
config:
transport.ping_schedule: 10s
- networkRef:
seeds: 1.2.3.4:9300
config:
transport.ping_schedule: 10s
ElasticsearchRef
is implicitly the "local" ref. If later on we want to extend it to cross-k8s cluster boundaries we can either extend the existing ElasticsearchRef
with more fields (eg. elasticsearchref.k8sCluster
), either introduce a new type (federatedElasticsearchRef
).
pkg/controller/elasticsearch/remotecluster/remoteca/controller.go
Outdated
Show resolved
Hide resolved
Name: TransportServiceName(es.Name), | ||
Labels: label.NewLabels(nsn), | ||
}, | ||
Spec: corev1.ServiceSpec{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we allow users to control the spec like we do for the HTTP service? For remoting outside of the k8s cluster users probably want this to be of type LoadBalancer
for example.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It makes sense. That said this PR is already pretty large and is targeting clusters inside a same k8s cluster. I would do that in a dedicated PR, I can create an issue to track this effort.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is great work!
There is a lot of code so I have a lot of comments, sorry 😄
One concern I have is that I feel lost when reading the association controller reconciliation code. It's hard to figure out what local, what's remote, how the local CA also needs to be remote, etc. I don't know if we can make that clearer? Maybe through smaller functions and more comments about the high-level things we want to do.
|
||
// RemoteClusters defines some remote Elasticsearch clusters. | ||
type RemoteClusters struct { | ||
K8sLocal []K8sLocalRemoteCluster `json:"k8sLocal,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm trying to find alternatives. If we look at eg. VolumeSources, there's a flat list of optional sources expressed in a single struct. Maybe we could remove one layer here?
type RemoteCluster struct {
Config RemoteClusterConfig `json:"config,omitempty"`
ElasticsearchRef *commonv1.ObjectSelector
ElasticCloudRef *ElasticCloudRef
NetworkRef *NetworkRef
}
spec:
remoteClusters:
- elasticsearchRef:
name: foo
namespace: bar
config:
transport.ping_schedule: 30s
- elasticsearchRef:
name: bar
namespace: baz
config:
transport.ping_schedule: 10s
- elasticCloudRef:
clusterId: 1234
config:
transport.ping_schedule: 10s
- networkRef:
seeds: 1.2.3.4:9300
config:
transport.ping_schedule: 10s
ElasticsearchRef
is implicitly the "local" ref. If later on we want to extend it to cross-k8s cluster boundaries we can either extend the existing ElasticsearchRef
with more fields (eg. elasticsearchref.k8sCluster
), either introduce a new type (federatedElasticsearchRef
).
pkg/controller/elasticsearch/certificates/remoteca/reconcile.go
Outdated
Show resolved
Hide resolved
pkg/controller/elasticsearch/certificates/remoteca/reconcile.go
Outdated
Show resolved
Hide resolved
|
||
const ( | ||
// RemoteClusterNamespaceLabelName used to represent the namespace of the RemoteCluster in a TrustRelationship. | ||
RemoteClusterNamespaceLabelName = "remotecluster.k8s.elastic.co/namespace" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this should probably have elasticsearch.k8s.elastic.co
in the name.
Can we do elasticsearch.k8s.elastic.co/remote-cluster: {"namespace": "ns", "name": "cluster-name"}
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure we can put some json in a label (also I'm not sure it's easy to create a label selector against it)
I have updated the PR description with the new spec format, ICYMI here is an example: apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
name: cluster-1
namespace: ns1
spec:
version: 7.5.2
remoteClusters:
- name: ns2-cluster-2
elasticsearchRef:
name: cluster-2
namespace: ns2
- elasticsearchRef:
name: cluster-3
namespace: ns3
name: ns3-cluster-3
nodeSets:
- name: default
count: 3
config:
node.store.allow_mmap: false |
jenkins test this please |
@sebgl I split the remote CA reconciler and add some comments, I also tried to address most of your comments. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, this is really impressive work. I think I am 👍 on merging and if necessary follow up with two PRs:
- making the transport service user configurable
- if we decide to use file based config for remote clusters to switch to that
Leaving the final ✅ to @sebgl who did the more in-depth review
pkg/controller/elasticsearch/remotecluster/remoteca/controller.go
Outdated
Show resolved
Hide resolved
pkg/controller/elasticsearch/remotecluster/remoteca/controller.go
Outdated
Show resolved
Hide resolved
) | ||
|
||
// Add creates a new RemoteCa Controller and adds it to the manager with default RBAC. | ||
func Add(mgr manager.Manager, accessReviewer rbac.AccessReviewer, params operator.Parameters) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any particular reason why you did not move everything from elasticsearch/remotecluster/remoteca
into this package?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At first it was only in elasticsearch/remotecluster/remoteca
The reason is that this controller only makes sense in the context of Elasticsearch.
I moved a part of it to make it "visible", I'm not sure I would go further because this controller is dependent on the Elasticsearch one, but I'm happy to move everything if you think it makes sense.
pkg/controller/elasticsearch/certificates/remoteca/reconcile.go
Outdated
Show resolved
Hide resolved
pkg/controller/elasticsearch/remotecluster/remoteca/controller.go
Outdated
Show resolved
Hide resolved
pkg/controller/elasticsearch/remotecluster/remoteca/controller.go
Outdated
Show resolved
Hide resolved
Thanks for making the changes, I understood the code much better now regarding what's remote vs. local and why we reconcile 2 secrets per association. Most of my comments above are nitpicks. Except this one that I'd like to understand. I think we are reconciling the same secret multiple times in different reconciliations targeting different clusters and we may not have to? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Great work!
Fixes #2203
What this PR does:
remoteClusters
field (as usual naming can be discussed) to theElasticsearch
schema:Secret
called<cluster-name>-es-remote-ca
Here is a example of the new
Secrets
:Side notes: