Page MenuHomePhabricator
Create Task
Maniphest T234231

Toolforge ingress: decide on how ingress configuration objects will be managed
Closed, ResolvedPublic
Actions

Description

We have several options for doing the ingress object configuration in kubernetes. We can namespace the ingress objects and allow users to manage them via the API (mostly via the webservice command) or maintain the config in a daemon under our control.

Open question. How do we prevent tool2 maintainer from adding this config?:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: tool2-ingress
  namespace: tool2
spec:
  rules:
  - host: tool1.toolsbeta.wmflabs.org    <---- wrong!
    http:
      paths:
      - backend:
          serviceName: tool2-svc
          servicePort: 8081

It seems we have 3 options:

  • a daemon detecting which tools are online and generating the ingress config automagically. The webservice command does not generate the ingress config. Management of ingress objects in the API is forbidden for end users.
  • a custom admission controller to enforce correct ingress config, and have the webservice command generate it. The API allows users to manage ingress objects, because we are enforcing a valid config in the API.
  • some mixed thing using a CRD.

Details

SubjectRepoBranchLines +/-
ingress-admission: Complete pieces for deliverycloud/toolforge/ingress-admission-controllermaster+18 -6
ingress: adding initial files as they come togethercloud/toolforge/ingress-admission-controllermaster+660 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

aborrero triaged this task as High priority.Sep 30 2019, 3:33 PM
aborrero created this task.
aborrero moved this task from Inbox to Soon! on the cloud-services-team (Kanban) board.
Deedriscolll subscribed.Sep 30 2019, 8:27 PM
This comment was removed by bd808.
aborrero mentioned this in T228500: Toolforge: evaluate ingress mechanism.Oct 7 2019, 9:31 AM
aborrero added a comment.Oct 11 2019, 9:04 AM

We had a team meeting on 2019-10-10 and we decided to try the custom admission controller to enforce correctness in ingress objects.

@Bstorm already has some code bootstrapped to handle this, and she will follow-up.

Bstorm claimed this task.Oct 11 2019, 10:36 PM

Requested the repo cloud/toolforge/ingress-admission-controller after getting the cloud and toolforge placed above that level.

Bstorm mentioned this in T235279: Create a new repository for kubernetes tool under a new directory in gerrit that doesn't exist yet.Oct 11 2019, 10:38 PM
Krenair subscribed.Oct 12 2019, 12:14 PM
Bstorm added a comment.Oct 15 2019, 4:00 PM

https://gerrit.wikimedia.org/r/admin/projects/cloud/toolforge/ingress-admission-controller

gerritbot added a comment.Oct 16 2019, 10:50 PM

Change 543727 had a related patch set uploaded (by Bstorm; owner: Bstorm):
[cloud/toolforge/ingress-admission-controller@master] ingress: adding initial files as they come together

https://gerrit.wikimedia.org/r/543727

gerritbot added a project: Patch-For-Review.Oct 16 2019, 10:50 PM
gerritbot added a comment.Oct 21 2019, 9:47 PM

Change 543727 merged by Bstorm:
[cloud/toolforge/ingress-admission-controller@master] ingress: adding initial files as they come together

https://gerrit.wikimedia.org/r/543727

Maintenance_bot removed a project: Patch-For-Review.Oct 21 2019, 10:10 PM
gerritbot added a comment.Oct 22 2019, 12:08 AM

Change 545116 had a related patch set uploaded (by Bstorm; owner: Bstorm):
[cloud/toolforge/ingress-admission-controller@master] ingress-admission: Complete pieces for delivery

https://gerrit.wikimedia.org/r/545116

gerritbot added a project: Patch-For-Review.Oct 22 2019, 12:08 AM
gerritbot added a comment.Oct 22 2019, 7:13 PM

Change 545116 merged by Bstorm:
[cloud/toolforge/ingress-admission-controller@master] ingress-admission: Complete pieces for delivery

https://gerrit.wikimedia.org/r/545116

Maintenance_bot removed a project: Patch-For-Review.Oct 22 2019, 8:10 PM
Bstorm closed this task as Resolved.Oct 23 2019, 3:19 PM

The image needs upload and all that, but this is ready with some minor touches tracked in other tickets.

Stashbot mentioned this in T215531: Deploy upgraded Kubernetes to toolsbeta.Oct 25 2019, 11:41 PM
Stashbot mentioned this in T215678: Replace each of the custom controllers with something in a new Toolforge Kubernetes setup.

Mentioned in SAL (#wikimedia-cloud) [2019-10-25T23:41:32Z] <bstorm_> Deployed custom webhook controllers for registry and ingress checking to toolsbeta-test kubernetes cluster T215531 T215678 T234231

Bstorm closed subtask T236203: Add CI checks for golang admission controllers as Resolved.Mar 6 2020, 8:06 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL