Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Configure ingressController to use routeSelector and configure external ingress service #157

Merged
merged 5 commits into from
Nov 22, 2022

Conversation

dystewart
Copy link
Contributor

No description provided.

larsks
larsks previously requested changes Nov 18, 2022
Copy link
Member

@larsks larsks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've noted one additional change we need to make here.

Since you're going to be making changes anyway, I would suggest making the commit messages slightly more descriptive:

  • For the "Change ingressController to use routeSelector", consider adding to the commit body our reasons for that change.

  • For "Configure address for external ingress service", it's probably worth noting which fields in particular we're adding with this change (and why), since otherwise it's not obvious.

In either or both cases, consider adding a link to the relevant documentation if you think it's appropriate (see e.g. 480edd0 for an example of how I typically do that).

@larsks
Copy link
Member

larsks commented Nov 18, 2022

I've removed my requested change (apparently I am unable to read), but I would still like to see the commit messages updated. Sorry for the noise!

@@ -15,6 +15,6 @@ spec:
nodeSelector:
matchLabels:
nerc.mghpcc.org/external-ingress: 'true'
namespaceSelector:
routeSelector:
matchLabels:
type: external
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, here is one more change I think we should make. I think that type is probably too generic. Let's (a) pick a more descriptive name, and (b) let's namespace it like we have for other locally relevant labels.

How about:

routerSelector:
  matchLabels:
    nerc.mghpcc.org/external-ingress: "true"

This is the same label we use to identify nodes that host the external ingress address (and placement for the external ingress service).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@larsks good points, updated the commit messages and changed the label

To allow for more granularity, we are opting to go with a route selector as opposed to a namespace
selector for the ingress controller. The idea here is that we're filtering the traffic serviced by the ingress
controller at the route level as opposed to the entire namespace.
This service is used with the external ingressController and connects with our public metallb loadBalancer
The important fields to pay attention to here are the:
metadata.annotations metallb.universe.tf/address-pool: public

spec.loadBalancerIP: 199.94.61.6
This is the ip where we are servicing external traffic
@larsks
Copy link
Member

larsks commented Nov 21, 2022

@dystewart this looks fine, but there are apparently still missing pieces. See nerc-project/operations#41 for some details. I'd like to hold off merging this until we get things working (because we'll probably need to update the same set of files).

We already know it's an ingress controller.
Keep all the external-ingress resources together so they're easier to
manage.
When we create an IngressController, the IngressController creates a
Service. We need to modify that service resource to add both an annotation
and a loadBalancerIP, but ArgoCD doesn't allow us to patch existing
resources.

The best we can do is apply patches using an ArgoCD post-sync hook [1].

This commit adds a post-sync Job that takes care of patching the Service
resource. This job will run after every sync operation.

[1]: https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/
@larsks larsks requested a review from naved001 November 22, 2022 15:07
@larsks larsks dismissed their stale review November 22, 2022 15:07

Code udpated

@larsks larsks self-requested a review November 22, 2022 15:07
Copy link
Contributor

@naved001 naved001 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good. I don't know a lot about patch operator, but is there a reason why we aren't using that?

@larsks
Copy link
Member

larsks commented Nov 22, 2022

looks good. I don't know a lot about patch operator, but is there a reason why we aren't using that?

I'm a little leery of it: it appears to be written by a single person, and I disagree with the security model (see e.g. redhat-cop/patch-operator#47).

@larsks larsks merged commit 61a0dfc into OCP-on-NERC:main Nov 22, 2022
@dystewart dystewart deleted the external branch January 16, 2023 20:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants