Add antctl commands to set up and delete Multi-cluster ClusterSet #3992
Conversation
Codecov Report
@@ Coverage Diff @@
## main #3992 +/- ##
==========================================
+ Coverage 61.19% 68.31% +7.11%
==========================================
Files 294 310 +16
Lines 44262 45539 +1277
==========================================
+ Hits 27088 31109 +4021
+ Misses 14885 12015 -2870
- Partials 2289 2415 +126
|
| --namespace=<NAMESPACE> \ | ||
| --cluster-id=<MEMBER_CLUSTER_ID> | ||
|
|
||
| # Join the ClusterSet from a member cluster with config file. If you use both command line options and config file, |
There was a problem hiding this comment.
Please update the doc for antctl as well.
There was a problem hiding this comment.
Sure. I'll update the doc for antctl after finishing the commands JIanjun mentioned in another comment.
| func waitForLeaderClusterSetReady(client client.Client, name string, namespace string, memberClusterID string) error { | ||
| return wait.PollImmediate( | ||
| 1*time.Second, | ||
| 3*time.Minute, |
There was a problem hiding this comment.
Maybe we can add a timeout argument? I test on my PC sometimes it just takes several seconds, sometimes more than 1 mins.
|
@luolanzone Sure. Thanks for reminding me. |
|
This pull request introduces 2 alerts when merging 90b874a into 4b788e7 - view on LGTM.com new alerts:
|
jianjuns
changed the title
| @@ -49,6 +50,8 @@ var DeployCmd = &cobra.Command{ | |||
| Short: "Deploy Antrea Multi-cluster Controller to a leader or member cluster", | |||
| } | |||
|
|
|||
| var JoinCmd = join.NewJoinCommand() | |||
There was a problem hiding this comment.
Besides join for member clusters, would you add a command for the leader or change "create clusterset" too? Pasted below what we discussed in #3921 :
So, we just need two commands:
- "deploy" to deploy MC controllers;
- "create clusterset" (or "init" in leader and "join" in member as kubeadmin) to create/join a clusterset. For the leader, the command can generate a shared SA/token for member to join the clusterset.
There was a problem hiding this comment.
I meant we either:
- change the current "create clusterset" command to create a clusterset & a default SA/taken in the leader; and create a clusterset & join it in a member
- or, add an "init" command to create a clusterset & a default SA/taken in the leader; and a "join" command to create a clusterset & join it in a member
But if we go 2), how should a leader/member leave a ClsuterSet? Would you add anther "destroy" command for leader and a "leave" command for member?
In any case, we should remove the commands that are no longer valid, like "create claims", "add member", etc.
There was a problem hiding this comment.
Sure. I will add those commands. thanks for advice.
There was a problem hiding this comment.
Could you talk about your design choices (what commands to add or revise) too? We do not have much time for 1.8.0, and need to be more productive on design/discussions.
There was a problem hiding this comment.
Design added in #3921
hjiajing
force-pushed
the
antctl-join
branch
2 times, most recently
from
5fef660 to
206a7a1
Compare
|
@hjiajing : please wrap lines in commit message at column 72. |
hjiajing
force-pushed
the
antctl-join
branch
11 times, most recently
from
cd8d492 to
46a644f
Compare
hjiajing
force-pushed
the
antctl-join
branch
2 times, most recently
from
1c983ea to
99bee47
Compare
docs/multicluster/antctl.md
Outdated
| + `antctl mc create clusterclaims` command can create two ClusterClaims in a leader or member cluster. One for the leader or member cluster, and another for the ClusterSet. | ||
| + `antctl mc create clusterset` command can create a ClusterSet in a leader or member cluster. | ||
| `antctl mc create` command can create tokens for member clusters to join a ClusterSet. The command will | ||
| also create a Secret to store the token, as well as a ServiceAccount and a RoleBinding. The --output-file |
There was a problem hiding this comment.
Add `` around --output-file
docs/multicluster/antctl.md
Outdated
| + `antctl mc delete clusterset` command can delete a ClusterSet in a leader or member cluster. | ||
| + `antctl mc delete member-cluster` command can delete a member cluster in a specified Antrea Multi-cluster ClusterSet. | ||
| `antctl mc init` command initializes an Antrea Multi-cluster ClusterSet in a leader cluster. It will create a | ||
| ClusterSet and ClusterClaims for the leader cluster. If the `--output-file` option is set, the join config |
There was a problem hiding this comment.
Humm.. I feel we still need to rephrase the sentence. How about:
", the config arguments for member clusters to join the ClusterSet will be saved to the specified file."
There was a problem hiding this comment.
Also change "set" to "specified"
pkg/antctl/raw/multicluster/join.go
Outdated
| command.Flags().StringVarP(&joinOpts.LeaderNamespace, "leader-namespace", "", "", "Namespace of the leader cluster") | ||
| command.Flags().StringVarP(&joinOpts.LeaderClusterID, "leader-clusterid", "", "", "Cluster ID of the leader cluster") | ||
| command.Flags().StringVarP(&joinOpts.TokenSecretName, "token-secret-name", "", "", "Name of the Secret resource that contains the member token. "+ | ||
| "Token Secret name takes precedence over token Secret file and Secret manifest in the join config file") |
pkg/antctl/raw/multicluster/join.go
Outdated
| } | ||
| } | ||
|
|
||
| // The precedence order is that the TokenSecretName > TokenSecretFile > JoinConfigFile. |
| } | ||
| err = deleteClusterClaims(cmd, k8sClient, cleanOpts.Namespace) | ||
| if err != nil { | ||
| fmt.Fprintf(cmd.OutOrStdout(), "Failed to delete ClusterClaim: %v\n", err) |
There was a problem hiding this comment.
First, we should remove the logs. Otherwise, we got duplicated log messages.
I meant just to remove "err =", so we have:
deleteClusterClaims(cmd, k8sClient, cleanOpts.Namespace)
deleteClusterSet(cmd, k8sClient, cleanOpts.Namespace, cleanOpts.ClusterSet)
...
Will this really get an error of golang checking? What is the error?
docs/multicluster/antctl.md
Outdated
|
|
||
| + `antctl mc deploy leadercluster` command can deploy Antrea Multi-cluster Controller to a leader cluster, and define all the CRDs the leader cluster needed. | ||
| + `antctl mc deploy membercluster` command can deploy Antrea Multi-cluster Controller to a member cluster, and define all the CRDs the member cluster needed. | ||
| When the config file is provided, the command line options may be overridden by the file. A token is needed for a |
There was a problem hiding this comment.
| When the config file is provided, the command line options may be overridden by the file. A token is needed for a | |
| When the config file is provided, the command line options may be overwritten by the file. A token is needed for a |
docs/multicluster/antctl.md
Outdated
|
|
||
| ## antctl mc leave | ||
|
|
||
| `antctl mc leave` command lets a member cluster leave a ClusterSet. It will delete the ClusterSet and ClusterClaims |
There was a problem hiding this comment.
| `antctl mc leave` command lets a member cluster leave a ClusterSet. It will delete the ClusterSet and ClusterClaims | |
| `antctl mc leave` command lets a member cluster leave a ClusterSet. It will delete the ClusterSet and ClusterClaims |
| deleteClusterClaims(cmd, k8sClient, cleanOpts.Namespace) | ||
| deleteClusterSet(cmd, k8sClient, cleanOpts.Namespace, cleanOpts.ClusterSet) |
There was a problem hiding this comment.
Could you delete ClusterSet first, them ClusterClaim? Here is a on-going PR #4062 which will stop ClusterClaim deletion if there is any ClusterSet referring to it.
| return e | ||
| } | ||
|
|
||
| func deleteClusterSet(cmd *cobra.Command, k8sClient client.Client, namespace string, clusterSet string) error { |
There was a problem hiding this comment.
I didn't see you catch the error by deleteClusterSet and other delete methods on cleanup, so the return error can be removed?
pkg/antctl/raw/multicluster/join.go
Outdated
| return fmt.Errorf("a member token Secret must be provided through the Secret Name, or Secret file, or Secret manifest in the config file") | ||
| } | ||
| if o.LeaderNamespace == "" { | ||
| return fmt.Errorf("the the leader cluster Namespace is required") |
There was a problem hiding this comment.
| return fmt.Errorf("the the leader cluster Namespace is required") | |
| return fmt.Errorf("the leader cluster Namespace is required") |
pkg/antctl/raw/multicluster/join.go
Outdated
| return fmt.Errorf("the API server of the leader cluster is required") | ||
| } | ||
| if o.TokenSecretName == "" && o.Secret == nil { | ||
| return fmt.Errorf("a member token Secret must be provided through the Secret Name, or Secret file, or Secret manifest in the config file") |
There was a problem hiding this comment.
| return fmt.Errorf("a member token Secret must be provided through the Secret Name, or Secret file, or Secret manifest in the config file") | |
| return fmt.Errorf("a member token Secret must be provided through the Secret name, or Secret file, or Secret manifest in the config file") |
pkg/antctl/raw/multicluster/leave.go
Outdated
| var leaveOpts *common.CleanOptions | ||
|
|
||
| var leaveExamples = strings.Trim(` | ||
| # Leave the ClusterSet. |
There was a problem hiding this comment.
| # Leave the ClusterSet. | |
| # Leave the ClusterSet from a member cluster. |
pkg/antctl/raw/multicluster/leave.go
Outdated
| func NewLeaveCommand() *cobra.Command { | ||
| command := &cobra.Command{ | ||
| Use: "leave", | ||
| Short: "Leave ClusterSet from a member cluster", |
There was a problem hiding this comment.
| Short: "Leave ClusterSet from a member cluster", | |
| Short: "Leave the ClusterSet from a member cluster", |
| if err != nil { | ||
| return err | ||
| } | ||
| if _, err := file.Write([]byte("\n# Create a token Secret with the embedded manifest.\n")); err != nil { |
There was a problem hiding this comment.
I feel this line is not necessary as it looks strange in the standalone token Secret YAML file (not the join-config YAML). But not a big deal.
There was a problem hiding this comment.
If we want to keep it, maybe rephrase the comment to be more generic, like
"# Manifest to create a Secret for a member cluster token."
There was a problem hiding this comment.
Changed the comment to " Manifest to create a Secret for a member cluster token."
docs/multicluster/antctl.md
Outdated
|
|
||
| ```bash | ||
| antctl mc add membercluster [CLUSTER_ID] [-n NAMESPACE] [--clusterset CLUSTERSET] [--service-account SERVICE_ACCOUNT] | ||
| antctl mc deploy leadercluster [--antrea-version ANTREA_VERSION] [-n NAMESPACE] [-f PATH_TO_MANIFEST] |
There was a problem hiding this comment.
Should we use:
antctl mc deploy leadercluster -n NAMESPACE [--antrea-version ANTREA_VERSION] [-f PATH_TO_MANIFEST]
assuming Namespace is mandatory?
docs/multicluster/antctl.md
Outdated
| antctl mc delete clusterclaims [-n NAMESPACE] | ||
| antctl mc delete clusterset [NAME] [-n NAMESPACE] | ||
| antctl mc delete membercluster [MEMBER_CLUSTER_ID] [-n NAMESPACE] [--clusterset CLUSTERSET] | ||
| antctl mc init [-n NAMESPACE] [--clusterset CLUSTERSET_ID] [--clusterid CLUSTERID] [--create-token] [--output-file OUTPUT_FILE] |
There was a problem hiding this comment.
Should we use:
antctl mc init -n NAMESPACE --clusterset CLUSTERSET_ID --clusterid CLUSTERID [--create-token] [--output-file OUTPUT_FILE]
docs/multicluster/antctl.md
Outdated
|
|
||
| ```bash | ||
| antctl mc deploy leadercluster [--antrea-version ANTREA_VERSION] [-n NAMESPACE] [-f PATH_TO_MANIFEST] | ||
| antctl mc deploy membercluster [--antrea-version ANTREA_VERSION] [-n NAMESPACE] [-f PATH_TO_MANIFEST] | ||
| antctl mc join --clusterset=[CLUSTERSET_ID] \ |
There was a problem hiding this comment.
Should we remove "[]" around the values? "[]" usually means optional.
There was a problem hiding this comment.
Sure. Removed the "[]".
docs/multicluster/antctl.md
Outdated
| and other resources created by antctl for the member cluster. | ||
|
|
||
| ```bash | ||
| antctl mc leave --clusterset=[CLUSTERSET_ID] --namespace [NAMESPACE] |
There was a problem hiding this comment.
antctl mc leave --clusterset=CLUSTERSET_ID [--namespace NAMESPACE]
?
docs/multicluster/antctl.md
Outdated
| ClusterSet and ClusterClaims and other resources created by antctl for the leader cluster. | ||
|
|
||
| ```bash | ||
| antctl mc destroy --clusterset=CLUSTERSET_ID --namespace [NAMESPACE] |
There was a problem hiding this comment.
Namespace is not optional for "destroy".
docs/multicluster/antctl.md
Outdated
| antctl mc deploy membercluster [--antrea-version ANTREA_VERSION] [-n NAMESPACE] [-f PATH_TO_MANIFEST] | ||
| antctl mc join --clusterset=CLUSTERSET_ID \ | ||
| --clusterid=CLUSTER_ID \ | ||
| --namespace=MEMBER_NAMESPACE \ |
There was a problem hiding this comment.
We can change to [--namespace=MEMBER_NAMESPACE]
docs/multicluster/antctl.md
Outdated
| --leader-clusterid=LEADER_CLUSTER_ID \ | ||
| --leader-namespace=LEADER_NAMESPACE \ | ||
| --leader-apiserver=LEADER_APISERVER \ | ||
| --token-secret-name=TOKEN_SECRET_NAME \ |
docs/multicluster/antctl.md
Outdated
| --leader-namespace=LEADER_NAMESPACE \ | ||
| --leader-apiserver=LEADER_APISERVER \ | ||
| --token-secret-name=TOKEN_SECRET_NAME \ | ||
| --token-secret-file=TOKEN_SECRET_FILE |
docs/multicluster/antctl.md
Outdated
| --token-secret-name=TOKEN_SECRET_NAME \ | ||
| --token-secret-file=TOKEN_SECRET_FILE | ||
|
|
||
| antctl mc join --config-file PATH_TO_CONFIG_FILE |
There was a problem hiding this comment.
Maybe we can add [--clusterid=CLUSTER_ID] [--token-secret-name=TOKEN_SECRET_NAME] [--token-secret-file=TOKEN_SECRET_FILE] to indicate these can be overwritten?
There was a problem hiding this comment.
Added the optional arguments.
docs/multicluster/antctl.md
Outdated
| anctcl mc create accesstoken [NAME] [-n NAMESPACE] [--serviceaccount SERVICE_ACCOUNT] [--role-binding ROLE_BINDING] | ||
| antctl mc create clusterclaims [-n NAMESPACE] [--clusterset-id CLUSTERSET_ID] [--cluster-id CLUSTER_ID] | ||
| antctl mc create clusterset [NAME] [-n NAMESPACE] [--leader-server LEADER_SERVER] [--service-account SERVICE_ACCOUNT] [--secret SECRET] [--leader-cluster LEADER_CLUSTER_ID] | ||
| anctcl mc create membertoken NAME -n NAMESPACE [--output-file OUTPUT_FILE] |
| config := &ClusterSetJoinConfig{ | ||
| APIVersion: common.ClusterSetJoinConfigAPIVersion, | ||
| Kind: common.ClusterSetJoinConfigKind, | ||
| Namespace: "", |
There was a problem hiding this comment.
@hjiajing : when we unmarshal the YAML, will these "" fields overwrite values in ClusterSetJoinConfig?
There was a problem hiding this comment.
If so, I suggest not to set these fields in the generated file, as I hope the join command can use command line options to provide these arguments which seems the most convenient way for users.
I meant something like antctl mc join --clusterid test-cluster-leader -n kube-system --config-file join-config.yml
Or even better, if we can write clusterID and namespace and other optional fields to the config file as comments:
#clusterID: ""
#namespace: ""
# Use the pre-created token Secret.
#tokenSecretName: ""
# Create a token Secret with the manifest file.
#toeknSecretFile: ""
See also the discussion at #4096 (comment).
There was a problem hiding this comment.
Added a raw string constant now the output join config looks like
---
kind: ClusterSetJoinConfig
apiVersion: multicluster.antrea.io/v1alpha1
clusterSetID: test-clusterset
leaderClusterID: test-cluster-north
leaderNamespace: antrea-multicluster
leaderAPIServer: https://172.18.0.3:6443
clusterID: "test-cluster-east"
#namespace: ""
# Use the pre-created token Secret.
#tokenSecretName: ""
# Create a token Secret with the manifest file.
#toeknSecretFile: ""There was a problem hiding this comment.
I feel we should comment out clusterID too, so it can be overwritten by command line argument.
#clusterID: ""
There was a problem hiding this comment.
Sorry I copied the output file which I edited. The output is
"config.yaml" 25L, 3372B 13,1 All
---
kind: ClusterSetJoinConfig
apiVersion: multicluster.antrea.io/v1alpha1
clusterSetID: test-clusterset
leaderClusterID: test-cluster-north
leaderNamespace: antrea-multicluster
leaderAPIServer: https://172.18.0.3:6443
#clusterID: ""
#namespace: ""
# Use the pre-created token Secret.
#tokenSecretName: ""
# Create a token Secret with the manifest file.
#toeknSecretFile: ""The clusterID is commented out.
hjiajing
force-pushed
the
antctl-join
branch
2 times, most recently
from
de8f1ad to
068a3c5
Compare
pkg/antctl/raw/multicluster/join.go
Outdated
| func unmarshallSecret(raw []byte) (*v1.Secret, error) { | ||
| decoder := yamlutil.NewYAMLOrJSONDecoder(bytes.NewReader(raw), 100) | ||
| secret := &v1.Secret{} | ||
| // We need to skip the first object in the config file which is ClusterSetJoinConfig |
There was a problem hiding this comment.
Question - why we need to do the same for Secret file? Maybe we need to revise the comment?
There was a problem hiding this comment.
The output of Secret and join config both start with ---. So when we unmarshall the Secret, we need to skip the first object, too. Revised the comment now.
pkg/antctl/raw/multicluster/join.go
Outdated
| func unmarshallSecret(raw []byte) (*v1.Secret, error) { | ||
| decoder := yamlutil.NewYAMLOrJSONDecoder(bytes.NewReader(raw), 100) | ||
| secret := &v1.Secret{} | ||
| // We need to skip the first object, the Secret object is always the second object when unmarshalling the |
There was a problem hiding this comment.
, as the Secret object...
Signed-off-by: hujiajing <[email protected]>
|
@hjiajing Thanks for the hard work and addressing all comments! |
|
/test-e2e |
|
/test-integration |
|
/skip-all |
Add 4 new commands for the users to set up and delete ClusterSets. And
delete some old commands.
antctl mc init: to set up a ClusterSet in a leader cluster.antctl mc join: to join a ClusterSet in a member cluster.antctl mc destroy: to delete a ClusterSet in a leader cluster.antctl mc leave: to leave a ClusterSet in a member cluster.