feat: allow customizing admin url when using k8s service #1874
Conversation
diurnalist
requested review from
NissesSenap,
weisdd,
ishanjainn,
theSuess,
hubeadmin and
pb82
as code owners
|
for context, i ran in to this issue on our local deployments of the operator. i would prefer not having to be forced to use an Ingress in this case, and honestly am not sure how our internal network security and infra would support that. having the ability to override the AdminUrl to the k8s service fqdn is very helpful. we currently seem to cater to Openshift's own demands on this host 😅 |
|
Thanks for the PR! I think this is a valid usecase but we'll discuss it in the next weekly on monday before merging |
|
@theSuess sounds good, thanks! i admit i don't really love this implementation, i dislike adding very specific flags like this. when i first did this patch in our fork, it was from an older version, before the OpenShift-specific adaptation was added. originally i just renamed it from |
|
actually, i wonder if it can just be svc.cluster.local - it looks like the |
|
@diurnalist To me, the implementation that relies on templating seems to be overly complex. - I think the only variation that users are likely to see lies in cluster domain (= suffix), so a simple string join is likely to be sufficient unless you can think of a more complex scenario. |
|
@weisdd that's fair, for our use-case, just specifying the suffix would do the job. i was concerned there might be other weird cases after seeing this was changed for OpenShift--but i was probably over-thinking :) |
|
We discussed this today and came to the conclusion that adding a suffix field is the best way forwards because of the ease of use and maintenance simplicity. Happy to review any work in that direction |
|
@theSuess sounds good, will rework this today when I have a moment. |
this is a no-op by default, but the fqdn can help when other network policy agents are in the mix, which may have rules set up for svc.cluster.local to enable traffic passing. for example, in an environment with istio and opa in the mix, there might be policies and/or assumptions about what form the service address takes. we already saw this with openshift's certificate signing; this just opens a door to other exceptions in the future.
diurnalist
force-pushed
the
b/adminurl-fqdn
branch
from
0d53faa to
a2f9bc8
Compare
|
i have updated to use the suffix/domain approach. there isn't a great avenue for testing this kind of nested functionality in the operator right now as far as i can tell -- extracting the logic into a function that was tested w/ a whitebox test (like the existing test for the service reconciler) doesn't imo add much value b/c it's essentially a string concat test. if folks have an idea about how better to test the value of the status field, i'm happy to add something :) |
|
the more i pull at this, the weirder it seems that openshift wouldn't support if openshift supports the FQDN, the simplest fix is to just use the FQDN for this in all cases. |
|
@diurnalist Before |
clusterDomain is how this setting is generally referred to in kubernetes; aligning on that terminology for consistency.
|
@weisdd aha, thanks for that info. i didn't actually realize this was even configurable in kubernetes :) so my current understanding is that we are using a relative/partial domain name so as to be agnostic to |
|
@diurnalist I think it looks great now, thanks for making the final adjustments :) |
this is a no-op by default, but the fqdn can help when other network policy agents
are in the mix, which may have rules set up for svc.cluster.local to
enable traffic passing. for example, in an environment with istio and opa in
the mix, there might be policies and/or assumptions about what form the service
address takes. we already saw this with openshift's certificate signing; this just
opens a door to other exceptions in the future.