-
Notifications
You must be signed in to change notification settings - Fork 220
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TEP-0029 Technical design for Step & Sidecar Workspaces #260
Conversation
/kind tep |
/test pull-community-teps-lint |
1 similar comment
/test pull-community-teps-lint |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I really like it! i brainstormed a few more drawbacks but 👍 from me to the overall proposal
/approve
I think at this point it might make sense to include the change to status: implementable
in this PR also?
teps/0029-step-workspaces.md
Outdated
## Drawbacks | ||
|
||
- If we were to pursue the idea of a shareable `Step` type then we would need to find some way to map from | ||
the workspaces a Task declares into those that a referenced `Step` declares. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good point! and i think we'd run into that for params (and maybe results??) too
- If we were to pursue the idea of a shareable `Step` type then we would need to find some way to map from | ||
the workspaces a Task declares into those that a referenced `Step` declares. | ||
- It takes the `Step` and `Sidecar` types further from being "pure" k8s Container. However we've already | ||
made moves in this direction by introducing our own `Script` field to `Steps` and `Sidecars`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
one more potential drawback/risk: automounting workspaces into sidecars could have some kinda unexpected side effect. seems pretty unlikely, but it's possible (e.g. if someone was using a sidecar that mounts something at the same path as a workspace?? pretty far fetched tho)
additional Tekton-specific context and behaviour (i.e. the additional constraint | ||
that adding a workspace volume to a `volumeMount` entry will prevent other Steps | ||
from receiving that `workspace` unless they too include it in their | ||
`volumeMounts` list). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it also removes some of the abstraction that workspaces add - i like that (in my mind anyway) workspaces could be fulfilled by anything the underlying system chooses but by using volume mounts we're saying explicitly it's a mounted volume - and i think we'd have to decide which of the fields at https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#volumemount-v1-core to support
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bobcatfish The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Updated status to implementable and updated the TOC. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
a late coming comment and possible ask for clarification @sbwsg
please apply non-SME type of disclaimers to my question :-)
workspaces: | ||
- name: my-sensitive-workspace | ||
``` | ||
3. When a `workspace` is listed in a Step, it is no longer automatically mounted - either to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
apologies in advance for coming late to this, and possibly re-introducing prior discussion, as well as coming in without hands on experience with sidecars
but the is no longer automatically mounted
text implies a change in behaviour and "breaking API change" of sorts
is my non-SME interpretation correct? if so, should this TEP be explicit in stating "a breaking API change is being suggested to facilitate X/Y/Z" ?
some of the referenced design docs may claim that more decisively (apologies, I did not search them for such), but I would contend that detail of such ilk should be surfaced in the TEP.
conversely, if this is not a breaking API sort of change, perhaps some clarification somewhere in the TEP as to why that is the case would help those coming in later on to the discussion
WDYT @sbwsg ?
thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gabemontero thanks for reviewing!
"is no longer automatically mounted" -> Sorry for the confusion. It's definitely not a breaking API change because we haven't had "Step-level" workspaces before this. So it's a new behaviour that the user opts in to by adding the workspace to a Step. They couldn't do this before - add a workspace to a Step - and by doing so they're effectively saying "I only want this Step to have access to this workspace."
Here's what a Task with workspaces currently looks like:
spec:
workspaces:
- name: foo # All Steps get this workspace (they're automatically mounted to all Steps)
steps:
- image: ubuntu
script: # ...
and here's the new thing we're adding:
spec:
workspaces:
- name: foo
steps:
- image: ubuntu
workspaces:
- name: foo # Only this Step gets this workspace (they're no longer automatically mounted to all Steps)
script: # ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll take another breeze through this doc and try to clarify that language.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah OK good to know @sbwsg
the before / after yaml's together like that are concise and make the net change clear ... adding the before yaml right before the existing after yaml and changing that text would benefit me at least
thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added an explicit before/after example at the top of the Proposal
section. Cheers!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK the new adding new API / behavior but preserving existing API / behavior verbiage makes it very clear now @sbwsg thanks!
LGTM
I'll circle back tomorrow to see if others have chimed in or our planning to chime in soon for the "multi-company" sign off, otherwise I can do it if needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@vdemeester says he is going to look at this today @sbwsg .... I'll defer to him on LGTM-ing
- name: my-workspace | ||
``` | ||
|
||
4. When a `workspace` is listed in a Sidecar, it is no longer automatically mounted - either to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same note as above on the no longer automatically mounted
text
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One question on mountPath
in steps, otherwise looks good to me 👍🏼
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
In f22828 we introduced a new TEP describing two problems: first, Sidecars don't have access to Workspaces. Second: Workspaces are globally available to all Steps all of the time. For sensitive data this is less than ideal - preferably a Task should be able to declare precisely which Steps or Sidecars are allowed to access a given Workspace. This commit adds a technical design to TEP-0029 that shows how we can add both Workspace support to Sidecars as well as a mechanism for isolating Workspaces to specific Steps/Sidecars in a Task.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
In f22828 we introduced a new TEP describing two problems: first, Sidecars
don't have access to Workspaces. Second: Workspaces are globally available to all
Steps all of the time. For sensitive data this is less than ideal - preferably a
Task should be able to declare precisely which Steps or Sidecars are allowed to
access a given Workspace.
This commit adds a technical design to TEP-0029 that shows how we can add both
Workspace support to Sidecars as well as a mechanism for isolating Workspaces
to specific Steps/Sidecars in a Task.