feat(ingress) Experimental Native Ingress

[krisnova]

Work for experimental native ingress. Run the documentation to see how to use the new feature.

Requires deis/controller#1243
Requires deis/builder#495
Requires deis/router#316

[mboersma]

I'm a broken record, sorry, but ideally this would be in a separate PR.

[mboersma]

What happens if experimental_native_ingress: true, but the hostname field here wasn't updated? Ideally that would lead to a hard-stop error before helm actually installs the chart, but I don't know off-hand how to accomplish that.

[krancour]

This is analogous to the router chart's platform_domain setting, yes?

Can I propose that platform_domain is a better name than hostname? And to both 1. avoid confusion with the setting of the same name under router and 2. move this configuration closer to the point of use, this belongs under controller settings instead of global (because, afaik, the controller chart, which will have to honor this new setting won't be able to "look up" to the "parent" chart's global settings).

[krisnova]

@mboersma As it stands we will get a regex error before we install the chart.

kris-nova:workflow kris$ helm install . --namespace deis --set global.experimental_native_ingress=true
Error: release elegant-cardinal failed: Ingress.extensions "controller-api-server-ingress" is invalid: spec.rules[0].host: Invalid value: "deis.": must match the regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* (e.g. 'example.com')
kris-nova:workflow kris$ 

[krisnova]

@krancour thanks for the suggestions, I changed hostname to platform_domain and pulled it into the controller and out of global.

[krisnova]

Example command for reference:

helm install . --namespace deis --set global.experimental_native_ingress=true,controller.platform_domain=fabulous.af

[mboersma]

Typo: "engress"

[mboersma]

Although we always used to, we should avoid using "Deis" as shorthand for "Deis Workflow" these days. Maybe reword this section like this?

# Experimental feature to use Kubernetes ingress instead of Workflow's deis-router.
#
# Valid values are:
# - true: deis-router will not be deployed. Workflow will not be usable until a Kubernetes ingress controller is installed.
# - false: deis-router will be deployed (default).

[rimusz]

indeed, it confuses people

[mboersma]

I would say "publicly resolvable here" or "resolvable public hostname" here.

[krancour]

Even with the following line clarifying it, I somehow still feel thrown off by the phrase "to build your cluster with."

Can we maybe replace this and the following sentence with something like:

A resolvable domain or subdomain name. All applications created by the controller will, by default, be subdomains of this. When experimental native ingress is enabled, these subdomains are used in defining host-based routing rules. If, for instance, platform_domain were "example.com", given a application "foobar", the controller will create a rule to route foo.example.com to the appropriate backend.

^ And that's totally imperfect. Feel free to iterate on that if you can improve it further.

[krisnova]

Changed to "publicly resolvable" to keep it simple

If we want to elaborate more on this later we can.

[mboersma]

Maybe make this paragraph a bit more direct?

Workflow now offers experimental native ingress to take advantage of native Kubernetes routing. Any compatible Kubernetes ingress controller can be used in place of Workflow's nginx-based deis-router. Follow this guide to enable experimental native ingress.

[mboersma]

For consistency, I think we capitalize all the words here except for "and."

[mboersma]

Are we using global.hostname or controller.platform_domain? The example disagrees with this sentence.

[krancour]

controller.platform_domain. It was changed elsewhere but not here.

[mboersma]

add -w?

[krisnova]

Kubernetes will have the pod information stored very quickly, and I think adding a -w adds an implicit requirement on noting ^C and that sounds like adding a lot for a small gain.

[mboersma]

"a Kubernetes ingress controller has been installed"? Or is just "ingress" the right terminology here?

[krancour]

"ingress" is the proper terminology here, as @kris-nova is referring to ingress resources that are part of the chart and define routing rules for the controller, grafana, etc.

That being said, "a Kubernetes ingress," might need to change because I do think there's more than one installed as part of the platform itself.

[mboersma]

Typo: "exerpimental"

[mboersma]

Since it's experimental, should we provide a link in the docs to github issue reporting? Or encourage users to share their stories of success with different ingress controllers by submitting docs PRs as HOWTOs?

Not necessary, just thinking...

[rimusz]

What is missing I see is the ingress rules annotation e.g. kubernetes.io/ingress.class: "traefik" (or whatever ingress controller is used there) setup option in controller/apps ingress rules. Without it the traffic will not pass ingress controller but each rule will get the loadbalancer created instead.

The case above does not apply for AWS, but for GKE/GCP is needed, as otherwise the GKE/GCP controller will fight the custom controller for the Ingress.

[krancour]

@rimusz @kris-nova

What is missing I see is the ingress rules annotation e.g. kubernetes.io/ingress.class: "traefik" setup option in controller/apps ingress rules.

Well... as much as I love it. Let's not lock ourselves into Traefik. More on that in a second.

Without it the traffic will not pass ingress controller but each rule will get the loadbalancer created instead.

Yes... because that's how the L7 ingress controller (which is a default in GKE) behaves. The fact that it works by creating load balancers isn't wrong. It's merely an implementation detail, although it might not be one you care for. (I don't.) As you've alluded to, various annotations are typically used as signals to different ingress controllers that they either should or should not act on any given ingress. The precise annotations used seem to vary from one ingress controller to the next.

@kris-nova buried somewhere in the Google doc I'd written up about this, this detail was discussed. I probably should have called more attention to it. What we will need to do is allow, within this chart, for users to specify annotations as k/v pairs in their values.yaml. Those will have to be passed to the controller either through an env var or configmap and the controller will have to ensure the indicated annotations are added to each ingress it creates.

(If that's already present, I apologize. I am just now starting to review in earnest, and I am taking a guess that @rimusz wouldn't have overlooked this if it were already there.)

The case above does not apply for AWS, but for GKE/GCP is needed, as otherwise the GKE/GCP controller will fight the custom controller for the Ingress.

Right. Because no solution (that I am familiar with) for provisioning k8s on AWS includes a default ingress controller of any kind. So in practical terms, this only (currently) is a problem in GKE, but it can become a problem anywhere if someone has (for whatever reasons) installed more than one ingress controller.

[krancour]

Does the ! operator actually work here? I was hoping it would, but I wasn't sure and hadn't had a chance to verify yet.

[krancour]

But if it works... this is exactly what I had in mind for how the router chart, in its entirety, is conditionally included or excluded. I ❤️ this.

[krisnova]

So I decided to take this functionality out for this PR.. seems out of scope, and honestly if it's critical that we move our abstraction out to another abstracted place of abstraction we can PR that later.

Also this is blocked on a helm issue: helm/helm#2111

[krancour]

So the plan is to include the router even if the user opts in to native ingress?

[mboersma]

No, we wouldn't include deis-router in that case. The debate is whether to use Helm 2.2.x's tags & conditions feature as the mechanism to disable deis-router, or whether to use our convention of big {{ if }} blocks which is more backward-compatible and consistent with other components.

I want to argue that we turn off deis-router "the old way," then make a separate effort to refactor all sub-charts to use the new Helm functionality. But it may not be that simple; see #771.

[krancour]

@mboersma I don't like the "big {{ if }}" approach because it requires changes to the router chart that endow that chart with an awareness that some parent chart might include it but wish for it to do nothing. That doesn't seem very clean to me.

[mboersma]

It's not very clean, agreed. The advantages are:

• works with older versions of helm
• matches the (ugly) way we do things in other charts

But I was off-base in suggesting we could fix everything in a unified way: it may not be feasible to convert other sub-charts to use tags & conditions in a perfectly backward-compatible fashion. So this should be an isolated decision. I know you feel strongly about it @krancour and my main concern at this point is that @kris-nova doesn't get whiplash if we want to revert the deis-router changes. 😄

[krancour]

I'm wondering if this page repeats too much documentation from the "normal" doc for installing without this experimental feature. Do we want to consider a lesser page that just highlights what's different when you install with this feature flag set? I really don't know what's best here. I'm just asking the question.

[krisnova]

So I already considered hooking into the existing page, I think it makes sense to have a clear change in flow for an entire section, than to try to add a bunch of conditional logic to an existing flow. I visualize the flows like this:

Separate and clear

         ----
----- <        > ------
         ----

Together and conditional

---- <>-<>-<>-<> ---- 

[krancour]

Does "separate and clear" become a maintenance burden if / as additional flags for major / experimental features get added. I'm afraid of committing to the notion of a page per permutation.

[krisnova]

I think the wise thing to do here is to let problems present themselves instead of trying to be too defensive and predict the future. If it becomes a problem, we can always change. The concern seems trivial to be honest, and this an experimental feature after all, shouldn't we be experimenting to see what works best?

[krancour]

I don't think it's a trivial concern. We generally accept the practice of avoiding DRY exceptions in code. imo, docs shouldn't be any different. In either case, a DRY exception represents an on-going maintenance burden.

Though I don't think it's a trivial concern, I'm not going to belabor it either. You're doing the legwork on this, so I defer to your judgement.

[krancour]

Shouldn't it actually be *.$host that resolves to their ingress controller?

[bacongobbler]

Should we make a prelude here saying that this is documented further below in "Configuring DNS"?

[bacongobbler]

there's a few extra unneeded newlines here inbetween paragraphs. Mind removing them?

[bacongobbler]

extra newline here

[bacongobbler]

took a few loops waiting for minio*

extra context is good :)

[bacongobbler]

Can you add an extra newline here between the paragraph and the new heading? Just a small pet peeve of mine :)

[krisnova]

@bacongobbler thanks for the review, your concerns have been addressed.

[bacongobbler]

As far as I'm concerned this all looks good to me.

[krisnova]

Wooo! Thanks @mboersma and @bacongobbler for the approval here!

I think we should wait for the other PRs to fall into alignment before merging. Particularly deis/controller#1243

[mboersma]

Replaced by #782.