Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Revert "meta: Treat internal k8s annotations as invalid" #199

Closed
wants to merge 1 commit into from
Closed

Revert "meta: Treat internal k8s annotations as invalid" #199

wants to merge 1 commit into from

Conversation

mbarrien
Copy link
Contributor

This reverts #50 and closes #60 by allowing "internal" annotations that have "kubernetes.io" in the domain name.

Examples abound for which this "feature" breaks basic usage, such as with:

https://kubernetes.io/docs/concepts/services-networking/service/#ssl-support-on-aws
https://docs.microsoft.com/en-us/azure/aks/internal-lb
https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/
https://github.com/kubernetes-sigs/aws-alb-ingress-controller/blob/master/docs/ingress-resources.md#annotations

For 3rd party Kubernetes plugins, Kubernetes has no control over what annotation names they use, and many others have created custom annotations for their tools that end with kubernetes.io in the part before the slash, and for which the annotation is absolutely essential to get it working.

There was an argument made that this plugin is not meant to support alpha or beta features. The problem is these "alpha" or "beta" feature are heavily relied on in production by many users because of the long beta cycles and the the usefulness of those "beta" but in practice stable features. This provider should not be in the business of saying "this annotation should not be supported because it's beta"; let the developer/ops person decide.

With this over-protectiveness, people will start using direct calls to kubectl via null_resource local-execs; that's even more of a nightmare that lets people shoot themselves in the foot more than having the potential for a few broken annotations here and there (for which a good developer will notice the false changes in the plan, and eventually realize how to fix it).

Let the engineers make their mistakes and trust them to figure it out; don't be so over-protective as to cripple core functionality. If necessary, put a big warning up saying "you better know what you're doing", but don't stop the innovation.

@willscripted
Copy link

👏 👏 thank you @mbarrien

This PR unblocks our transition to terraform-defined kubernetes load balancers in eks.

Is the gist of #50 this: Terraform is not the only actor annotating kubernetes resources. Since there are others, reality drifts away from terraform state in acceptable way? But terraform sees diffs and trys to "correct" them by resetting the annotations set by other actors. To avoid this overwrite of legitimate drifted state, #50 flat-out prohibits use of any "risky" annotations.

Did I get that right @mbarrien / @radeksimko ?

@TechnicalMercenary
Copy link

Is this going to happen ?

@alexsomesan
Copy link
Member

Yes, but not on it’s own.
If we just merge this we are going to break the use cases that depend on the present behavior.
So this has to be paired with a white / blacklisting feature that would allow for control over the set of annotations to be ignored.
I just didn’t have the time to get to that part yet.

@rpatrick00
Copy link

How would you propose the user defines/manages this white/blacklisting feature? I am happy to take a shot at implementing it but it would be good to make sure that we agree on how/where the list(s) are defined.

@pdecat
Copy link
Contributor

pdecat commented Dec 5, 2018

FYI, @dh-harald has made a POC for the whitelisting feature: #60 (comment)

@nmartin413
Copy link

FWIW - not rolling back this restriction makes the resource unusable for non-trivial functionality in the Azure AKS product:

https://docs.microsoft.com/en-us/azure/aks/internal-lb

@rpatrick00
Copy link

rpatrick00 commented Dec 10, 2018

@nmartin413, with PR #244, you can simply add the list of annotations you want to allow to the provider's whitelist. I believe that this allows us to move forward and use the provider without having to fight the battle of reverting the change. Both AWS EKS and GCP GKE have the same issues with blocking the kubernetes.io annotations.

@rpatrick00
Copy link

rpatrick00 commented Dec 14, 2018

@alexsomesan, can someone please look at PR #244 and either merge it or provide feedback?

@trevor403
Copy link

Is there a timeline for getting this PR accepted and merged?

@tdmalone
Copy link
Contributor

I don't normally do this, but since this provider is almost unusable.... is there a timeline for getting this PR accepted and merged?

@alexsomesan
Copy link
Member

alexsomesan commented Mar 22, 2019 via email

@tdmalone
Copy link
Contributor

While I appreciate these priorities...

...deliver a functional provider with the release of 0.12
...merging additional functionality is mostly on hold right now

I beg to differ, as:

@rpatrick00
Copy link

rpatrick00 commented Mar 22, 2019 via email

@tdmalone
Copy link
Contributor

I have created some additional noise at the main Terraform repo: hashicorp/terraform#20788

@jjgrayston
Copy link

jjgrayston commented Mar 26, 2019

For anyone else who is currently blocked until this is fixed - my temporary workaround has been to write the service definition to a local file and invoke kubectl apply using a local provisioner. Then use the kubernetes_service data source to access attributes of the newly created service. Ugly but functional.

@ghost ghost locked and limited conversation to collaborators Apr 21, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Can not set internal annotations to specify load balancer ssl certs
10 participants