Skip to content
This repository has been archived by the owner on Jun 29, 2022. It is now read-only.

Add labels to kube-system and components namespaces #646

Merged
merged 9 commits into from
Aug 11, 2020
Merged

Add labels to kube-system and components namespaces #646

merged 9 commits into from
Aug 11, 2020

Conversation

ipochi
Copy link
Member

@ipochi ipochi commented Jun 19, 2020
edited
Loading

This PR adds label lokomotive.kinvolk.io/name: <namespace_name> to Namespace object for kube-system and all components.

This is done so allow NetworkPolicies be written using the namespaceSelector.

UPDATE:
To go along with network policies we also need customized namespace labels such as metrics labels for prometheus operator, this was not possible in the current incarnation.

To mitigate that:

  1. Add new method to the component interface GetNamespacelabels()
  2. Each component can provide a customized set of labels that needs to be added to the namespace, because helm doesn't not deal with namespace creation or update.
  3. Before installing the component, component.GetNamespaceLabels() is called and passed to UpdateNamespaceWithLabels function.

Fixes : #153 #647

@ipochi ipochi force-pushed the imran/add-labels-to-namespace branch from 81da759 to cd3166c Compare June 19, 2020 14:29
@ipochi
Copy link
Member Author

ipochi commented Jun 19, 2020
edited
Loading 

Error: rendered manifests contain a resource that already exists. Unable to continue with install:
existing resource conflict: kind: Namespace, namespace: , name: kube-system

@ipochi ipochi force-pushed the imran/add-labels-to-namespace branch 2 times, most recently from 373ab03 to c110753 Compare June 22, 2020 08:56
knrt10
knrt10 reviewed Jun 22, 2020
View reviewed changes
Copy link
Member

@knrt10 knrt10 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit

cli/cmd/cluster-apply.go Outdated Show resolved Hide resolved
@ipochi ipochi force-pushed the imran/add-labels-to-namespace branch 2 times, most recently from 5df427d to 8085908 Compare June 22, 2020 12:38
invidian
invidian reviewed Jun 22, 2020
View reviewed changes
cli/cmd/cluster-apply.go Outdated Show resolved Hide resolved
@ipochi ipochi force-pushed the imran/add-labels-to-namespace branch from 8085908 to e1be658 Compare June 23, 2020 07:10
@ipochi ipochi force-pushed the imran/add-labels-to-namespace branch from e1be658 to 666ca3e Compare June 26, 2020 09:53
@ipochi
Copy link
Member Author

ipochi commented Jun 26, 2020
edited
Loading

@iaguis @invidian @knrt10 @surajssd Updated the PR

old: allow a generic label lokomotive.kinvolk.io/name:<namespace-name> to the kube-system and component namespace.

To go along with network policies we also need customized namespace labels such as metrics labels for prometheus operator, this was not possible in the current incarnation.

To mitigate that:

  1. Add new method to the component interface GetNamespacelabels()
  2. Each component can provide a customized set of labels that needs to be added to the namespace, because helm doesn't not deal with namespace creation or update.
  3. Before installing the component, component.GetNamespaceLabels() is called and passed to UpdateNamespaceWithLabels function.

@invidian
Copy link
Member

Each component can provide a customized set of labels that needs to be added to the namespace, because helm doesn't not deal with namespace creation or update.

Some questions about the spec of that:

  • What if 2 components wants to install into same namespace, or worse, they declare conflicting labels? If we implement it this way, we put the constraint on us, which we must be aware of, as it may lead to bugs.
  • What if we remove some label from the components? How do we handle updates? I'd like as to avoid adding code, which may in the future require manual intervention from the user, as that gives a feeling of the very poor automation. However, this could be implemented in the future, by maintaining the list of old labels, which should no longer exist. We could also define, that those labels are immutable and when we change them, it requires component re-installation. However, this should also be conscious and documented decision.

Before installing the component, component.GetNamespaceLabels() is called and passed to UpdateNamespaceWithLabels function.

Maybe we could just re-use Metadata(), so we keep single method for obtaining common information from the components and we leave other component methods "actionable" (like Render(), which may fail etc.)?

@ipochi ipochi mentioned this pull request Jun 30, 2020
Merged
@ipochi ipochi force-pushed the imran/add-labels-to-namespace branch 4 times, most recently from 8cbd52a to b5c3176 Compare July 22, 2020 14:19
@ipochi
Copy link
Member Author

ipochi commented Jul 22, 2020
edited
Loading

@iaguis @invidian @knrt10 @surajssd

Completely reworked the PR to accommodate reviews and bugs found during testing.

  1. Includes a PostInstall step for components., with each component doing whatever they need post installation.

A common task for post installation is to update the components release namespace with labels.

Even if we allow helm to take care of components release namespace creation, it only does on the fly creation of the namespace and not from the chart manifest(if namespace manifest is present)
Hence we cannot add Lokomotive specific labels to the chart manifest as helm complains of the resource already exists error

  1. Special case for kube-system namespace as as we want the namespace to be updated post installation.

  2. During components update, Kubernetes doesn't not keep the old labels, annotations that the user might have created, leading to a loss of such information when we update the component.

Before updating the release namespace, I retrieve the existing metadata of namespace and remove the labels specific to Lokomotive i.e labels with prefix lokomotive.kinvolk.io and delete them and merge the existing user metadata with new set of metadata that may/may not be included in the upgraded component.

I believe this same trick can be applied to all manifests in the chart that have Lokmotive specific labels that may/may not be removed in the updated version of the component (out of scope for this PR)

  1. This also fixes Cert-manager Namespace label doesn't get applied when installing the component #647 as cert-manager component can now add its own specific set of labels the release namespace requires.

@ipochi ipochi force-pushed the imran/add-labels-to-namespace branch 3 times, most recently from 27cc2b7 to f63f5cb Compare July 23, 2020 06:24
@ipochi ipochi requested review from surajssd and invidian July 23, 2020 07:42
@ipochi ipochi mentioned this pull request Jul 23, 2020
Merged
6 tasks
invidian
invidian suggested changes Jul 23, 2020
View reviewed changes
Copy link
Member

@invidian invidian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @ipochi. I left some comments with suggestions of what I think we should improve before we merge, as in my opinion there is way too much duplicated code in this PR, which can be handled in a better way.

pkg/components/metadata.go Outdated Show resolved Hide resolved
pkg/components/aws-ebs-csi-driver/component.go Outdated Show resolved Hide resolved
pkg/components/aws-ebs-csi-driver/component.go Outdated Show resolved Hide resolved
pkg/k8sutil/create.go Outdated Show resolved Hide resolved
pkg/k8sutil/create.go Outdated Show resolved Hide resolved
pkg/k8sutil/create.go Outdated Show resolved Hide resolved
pkg/components/interface.go Outdated Show resolved Hide resolved
cli/cmd/cluster-apply.go Outdated Show resolved Hide resolved
test/components/cert-manager/cert-manager_test.go Outdated Show resolved Hide resolved
test/components/cert-manager/cert-manager_test.go Outdated Show resolved Hide resolved
@ipochi
Copy link
Member Author

ipochi commented Aug 10, 2020

Mostly LGTM, I commented on some nits. One thing which I would change still is e2etests to make them shorter and not per-component, as mentioned in previous comments.

Yes, I am testing a new single method. for purposes of not messing it up. I have tests per component as part of the PR for now. Once the CI passes for the new test. I will update the e2e tests commit and remove the per component tests.

@ipochi ipochi force-pushed the imran/add-labels-to-namespace branch from a8bf9f4 to 6332379 Compare August 10, 2020 11:36
@ipochi ipochi requested a review from invidian August 10, 2020 11:38
@ipochi ipochi force-pushed the imran/add-labels-to-namespace branch from 6332379 to 3ed0efc Compare August 10, 2020 11:39
invidian
invidian suggested changes Aug 10, 2020
View reviewed changes
Copy link
Member

@invidian invidian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some last nits, otherwise LGTM 🎉

pkg/k8sutil/create_test.go Outdated Show resolved Hide resolved
cli/cmd/cluster-apply.go Show resolved Hide resolved
test/components/kubernetes/namespaces_labels_test.go Outdated Show resolved Hide resolved
test/components/kubernetes/namespaces_labels_test.go Outdated Show resolved Hide resolved
test/components/kubernetes/namespaces_labels_test.go Outdated Show resolved Hide resolved
@ipochi ipochi force-pushed the imran/add-labels-to-namespace branch 2 times, most recently from b7ae4d2 to d447aa3 Compare August 10, 2020 14:40
invidian
invidian suggested changes Aug 10, 2020
View reviewed changes
Copy link
Member

@invidian invidian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, except one nit.

test/components/util/util.go Show resolved Hide resolved
@ipochi
k8sutil: Namespace struct for storing namespace metadata
f288aac 
This commit adds a new Namespace struct that holds metadata regarding
the Name, Labels and Annotatations specific to the Lokomotive
installation or components installation.

Signed-off-by: Imran Pochi <imran@kinvolk.io>
@ipochi
internal: add function to append name label to a given map
46ce909 
Signed-off-by: Imran Pochi <imran@kinvolk.io>
@ipochi
components: use k8sutil.Namespace struct for Metadata
acf1b5a 
To allow components specify metadata(labels, annotations) for release
namespace.

Adds the labels that are required to be present on the components
release namespace.

Updates references where needed due to this change.

Signed-off-by: Imran Pochi <imran@kinvolk.io>
@ipochi
k8sutil: Utility functions to create/update Namespace
81117d6 
Move function `ensureNamespaceExists` to k8sutil package with new name
CreateOrUpdateNamespace. This function creates/updates the namespace.

Components use this function to create/update the release namespace.

This function is also used to update the `kube-system` namespace after
cluster installation.

Includes another helper function in the `internal` package that merges
two given maps. This is done to ensure that existing labels and
annotations are retained and the new set of Labels/annotations overrides
any existing ones.

Signed-off-by: Imran Pochi <imran@kinvolk.io>
@ipochi
components: add namespace label to release namespace.
ea36299 
This commit adds the namespace label `lokomotive.kinvolk.io/name :
<namespace_name>` to the release namespace.

Signed-off-by: Imran Pochi <imran@kinvolk.io>
@ipochi
cluster: update pre installed namespaces with labels
667571d 
This commit updates the pre-installed namespaces in the cluster to
include the labels provided.

Signed-off-by: Imran Pochi <imran@kinvolk.io>
@ipochi ipochi force-pushed the imran/add-labels-to-namespace branch 2 times, most recently from ced9a7a to 8e4a55f Compare August 11, 2020 07:42
invidian
invidian previously approved these changes Aug 11, 2020
View reviewed changes
Copy link
Member

@invidian invidian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🎉

test/components/util/util.go Outdated Show resolved Hide resolved
knrt10 and others added 3 commits August 11, 2020 13:39
@knrt10 @ipochi
Add functionality to test namespace
b512bae 
Signed-off-by: knrt10 <tripathi.kautilya@gmail.com>
@ipochi
test: use a consistent way to create test namespaces
e187820 
Signed-off-by: Imran Pochi <imran@kinvolk.io>
@ipochi
e2etest: Add e2e test to check if labels were added correctly
a51b143 
Signed-off-by: Imran Pochi <imran@kinvolk.io>
@ipochi ipochi force-pushed the imran/add-labels-to-namespace branch from 8e4a55f to a51b143 Compare August 11, 2020 08:11
invidian
invidian approved these changes Aug 11, 2020
View reviewed changes
Copy link
Member

@invidian invidian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

surajssd
surajssd approved these changes Aug 11, 2020
View reviewed changes
Copy link
Member

@surajssd surajssd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok

knrt10
knrt10 approved these changes Aug 11, 2020
View reviewed changes
Copy link
Member

@knrt10 knrt10 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGMT and great work @ipochi 🎉

@ipochi ipochi merged commit aed5228 into master Aug 11, 2020
@ipochi ipochi deleted the imran/add-labels-to-namespace branch August 11, 2020 10:27
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@knrt10 knrt10 knrt10 approved these changes

@surajssd surajssd surajssd approved these changes

@invidian invidian invidian approved these changes

@iaguis iaguis Awaiting requested review from iaguis

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Network policies: namespaces (kube-system, etc.) should have labels
5 participants
@ipochi @invidian @iaguis @surajssd @knrt10