Add some settings to specify a remote Openshift cluster URL

[barkbay]

Hi,

Our ElasticSearch cluster is hosted on an remote K8S cluster. Therefore we have to be able to set the URL of the Openshift cluster when the plugin want to check the authorizations of a user.
This PR allows you to specify a remote Openshift cluster URL while allowing the Kubernetes plugin to discover the topology of the ElasticSearch cluster the usual way.
I would love to hear your thoughts.

Thanks

[richm]

What is the default CA path?

[barkbay]

There is no default CA path. If this parameter is not set by the user then the CA detected or set by the K8S plugin is not overwritten.

[richm]

Are there additional types of Exceptions which can be thrown and need to be handled? e.g. if the user specifies an incorrect openshiftCaPath will the api throw a FileNotFound or PermissionDenied or some other type of exception? I want to make sure e.g. if the user made a typo they can easily identify the problem, or if the user did not set the right file permission, etc.

[barkbay]

If the CA path is incorrect the following exception is thrown :

io.fabric8.kubernetes.client.KubernetesClientException: An error has occurred.
	at io.fabric8.kubernetes.client.KubernetesClientException.launderThrowable(KubernetesClientException.java:57)
	at io.fabric8.kubernetes.client.utils.HttpClientUtils.createHttpClient(HttpClientUtils.java:137)
	at io.fabric8.kubernetes.client.BaseClient.<init>(BaseClient.java:41)
	at io.fabric8.openshift.client.DefaultOpenShiftClient.<init>(DefaultOpenShiftClient.java:174)
	at io.fabric8.openshift.client.DefaultOpenShiftClient.<init>(DefaultOpenShiftClient.java:170)
	at io.fabric8.elasticsearch.plugin.OpenshiftClientFactory.create(OpenshiftClientFactory.java:50)
[....]
Caused by: java.io.FileNotFoundException: /tmp/junit2122595593726896985/ca.crt.does_not_exist (No such file or directory)
	at java.io.FileInputStream.open0(Native Method)
	at java.io.FileInputStream.open(FileInputStream.java:195)
	at java.io.FileInputStream.<init>(FileInputStream.java:138)
	at java.io.FileInputStream.<init>(FileInputStream.java:93)
	at io.fabric8.kubernetes.client.internal.CertUtils.getInputStreamFromDataOrFile(CertUtils.java:55)
	at io.fabric8.kubernetes.client.internal.CertUtils.createTrustStore(CertUtils.java:61)
	at io.fabric8.kubernetes.client.internal.SSLUtils.trustManagers(SSLUtils.java:113)
	at io.fabric8.kubernetes.client.internal.SSLUtils.trustManagers(SSLUtils.java:107)
	at io.fabric8.kubernetes.client.utils.HttpClientUtils.createHttpClient(HttpClientUtils.java:68)
	... 29 more

In case of bad permissions :

io.fabric8.kubernetes.client.KubernetesClientException: An error has occurred.
	at io.fabric8.kubernetes.client.KubernetesClientException.launderThrowable(KubernetesClientException.java:57)
	at io.fabric8.kubernetes.client.utils.HttpClientUtils.createHttpClient(HttpClientUtils.java:137)
	at io.fabric8.kubernetes.client.BaseClient.<init>(BaseClient.java:41)
	at io.fabric8.openshift.client.DefaultOpenShiftClient.<init>(DefaultOpenShiftClient.java:174)
	at io.fabric8.openshift.client.DefaultOpenShiftClient.<init>(DefaultOpenShiftClient.java:170)
	at io.fabric8.elasticsearch.plugin.OpenshiftClientFactory.create(OpenshiftClientFactory.java:50)
[...]
Caused by: java.io.FileNotFoundException: /tmp/you_cant_read_it.crt (Permission denied)
	at java.io.FileInputStream.open0(Native Method)
	at java.io.FileInputStream.open(FileInputStream.java:195)
	at java.io.FileInputStream.<init>(FileInputStream.java:138)
	at java.io.FileInputStream.<init>(FileInputStream.java:93)
	at io.fabric8.kubernetes.client.internal.CertUtils.getInputStreamFromDataOrFile(CertUtils.java:55)
	at io.fabric8.kubernetes.client.internal.CertUtils.createTrustStore(CertUtils.java:61)
	at io.fabric8.kubernetes.client.internal.SSLUtils.trustManagers(SSLUtils.java:113)
	at io.fabric8.kubernetes.client.internal.SSLUtils.trustManagers(SSLUtils.java:107)
	at io.fabric8.kubernetes.client.utils.HttpClientUtils.createHttpClient(HttpClientUtils.java:68)
	... 29 more

[richm]

Please also add some unit tests for this new feature

[jcantrill]

I'm not certain this change is required at all since you can alter all these values using env variables [1]. I would go further in that if we are going to accept these changes to prefer using if checks to build up the config instead of providing defaults and setting them. I think we should prefer the client defaults as we do now instead of redefining them.

[1] https://github.com/fabric8io/kubernetes-client

[barkbay]

Not sure we can use env variables since the K8S client is already used inside a local Kubernetes cluster.
In other words we have to manage two different K8S clusters within the same JVM.
How handle this use case with env variables ?

[barkbay]

I'm working on a new PR that will add some unit tests and preserve the client defaults instead of redefining them : https://github.com/fabric8io/openshift-elasticsearch-plugin/compare/master...barkbay:external_openshift.diff

I will update this PR when I have got time to run some e2e integration tests against our clusters.

[jcantrill]

@barkbay Please clarify the usecase you have:

1. Elasticsearch running on a Kubernetes Cluster
2. Logs from an Openshift cluster are written to ES on Kubernetes Cluster

This LGTM other then what appears to be an unexpected deployment topology. Please also rebase and squash the commits

[barkbay]

A picture is worth a thousand words ;)

Today our ElasticSearch cluster is deployed with Ansible but we are working on a new deployment using recent Kubernetes features like statefulset and local volumes.
I will rebase and squash the commits.

[jcantrill]

@barkbay FYI, we have been slow to adopt statefulsets due do internal discussions regarding their ability to correctly support the ES usecase.
I will put together a PR against openshift/origin-aggregated-logging to run these changes through our CI test

[barkbay]

@jcantrill Could you tell me a little bit more about the drawbacks of deploying ES with statefulsets ?
Thank you for the PR.

[portante]

@barkbay, from https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/, the section on "Deployment and Scaling Guarantees":

---

• For a StatefulSet with N replicas, when Pods are being deployed, they are created sequentially, in order from {0..N-1}.
• When Pods are being deleted, they are terminated in reverse order, from {N-1..0}.
• Before a scaling operation is applied to a Pod, all of its predecessors must be Running and Ready.
• Before a Pod is terminated, all of its successors must be completely shutdown.

The StatefulSet should not specify a pod.Spec.TerminationGracePeriodSeconds of 0. This practice is unsafe and strongly discouraged. For further explanation, please refer to force deleting StatefulSet Pods.

When the nginx example above is created, three Pods will be deployed in the order web-0, web-1, web-2. web-1 will not be deployed before web-0 is Running and Ready, and web-2 will not be deployed until web-1 is Running and Ready. If web-0 should fail, after web-1 is Running and Ready, but before web-2 is launched, web-2 will not be launched until web-0 is successfully relaunched and becomes Running and Ready.

If a user were to scale the deployed example by patching the StatefulSet such that replicas=1, web-2 would be terminated first. web-1 would not be terminated until web-2 is fully shutdown and deleted. If web-0 were to fail after web-2 has been terminated and is completely shutdown, but prior to web-1’s termination, web-1 would not be terminated until web-0 is Running and Ready.

---

Pods are created, terminated in a specific order. Which means, if a given pod fails to come up, of fails to terminate, then we have a problem.

How do statefulsets handle the case where we have to apply maintenance to one member out of order? Disk failure, etc.?

Do statefulsets allow dynamic scaling? For example oc scale dc es --replicas=3? If we consider the case where the replica set had 5 to start with, isn't this very easy to drop state quickly?

For Elasticsearch, how do statefulsets know when it is okay to remove those two pods? When data is properly replicated? How have we told Elasticsearch that the expected cluster size is now 3 instead of 5?

@smarterclayton

[barkbay]

Pods are created, terminated in a specific order because of the default OrderedReady pod management policy.
With Parallel pod management the second pod does not wait for the first to be ready :

Parallel Pod Management
Parallel pod management tells the StatefulSet controller to launch or terminate all Pods in parallel, and to not wait for Pods to become Running and Ready or completely terminated prior to launching or terminating another Pod.

With a replica of two and OrderedReady pod management policy, the second pod is not created :

{17-11-14 8:11}124-100:~ root# kubectl get pods -n elastic1 -o wide                                                                                                                                                                                 
NAME                         READY     STATUS    RESTARTS   AGE       IP               NODE 
[...]
es-data-0                    0/1       Pending   0          2m        <none>           <none> 

With Parallel pod management policy :

{17-11-14 8:35}124-100:~ root# kubectl get pods -n elastic1 -o wide                                                                                                                                                                                
NAME                         READY     STATUS    RESTARTS   AGE       IP               NODE                              
[...]                        
es-data-0                    0/1       Pending   0          14m       <none>           <none>                            
es-data-1                    1/1       Running   0          14m       10.233.109.236   124-103

124-100:~ root# kubectl uncordon 124-101
node "124-101" uncordoned

124-100:~ root# kubectl get pods -n elastic1 -o wide
NAME                         READY     STATUS            RESTARTS   AGE       IP               NODE                      
[...]                 
es-data-0                    0/1       PodInitializing   0          18m       10.233.98.152    124-101                   
es-data-1                    1/1       Running           0          18m       10.233.109.236   124-103 

For Elasticsearch, how do statefulsets know when it is okay to remove those two pods?

Nothing specific to ES or K8S here. IMHO dropping more than one node at the same time is a very bad idea with any distributed storage system (ES, Cassandra, Zookeeper, Ceph).

[barkbay]

Hi,

Please, could you have an other look at this PR ? We have to maintain our own build pipeline for this very small patch, we would be glad to have it merged into the plugin source code.

Tanks.

[jcantrill]

/ok-to-test

[fusesource-ci]

License check failed: run mvn -N license:format to update all licenses, commit, squash & force push please.

[jcantrill]

minor nits

[jcantrill]

remove. DI is manual in lieu of using a library to wire dependencies

[jcantrill]

Please set to 'openshift.master.url' to be consistent with the config setting

[fusesource-ci]

License check failed: run mvn -N license:format to update all licenses, commit, squash & force push please.

[fusesource-ci]

Tests failed.

[fusesource-ci]

Tests failed.

[richm]

settings.get returns null if there is no such setting?

[barkbay]

yes, this is why the reference is tested at https://github.com/fabric8io/openshift-elasticsearch-plugin/pull/111/files#diff-064e72178bca90921d549aa255acd4b6R197

[barkbay]

Do you think that this PR can be merged for the next release ?

[richm]

lgtm - @jcantrill what say you?

[jcantrill]

[merge]

[fusesource-ci]

Merge failed.

[jcantrill]

@barkbay please look at the merge test failures. I'm not certain why this would not be caught in the test job

[jcantrill]

closed as stale