Skip to content

🌱 Contribute Kubeconfig-Based Provider #26

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

🌱 Contribute Kubeconfig-Based Provider #26

wants to merge 3 commits into from

Conversation

christensenjairus
Copy link

@christensenjairus christensenjairus commented Mar 25, 2025
edited
Loading

This is a functioning PoC for a kubeconfig-based multi-cluster provider. It reads secrets from the operator's namespace with a given label and engages the clusters that the secret applies to.

This works in real time for engaging and disengaging clusters as the provider watches all secrets in the operator's namespace.

I've included a helper script to create the secrets from kubeconfigs.

This is currently working in this repo and I can provide logs demonstrating functionality if requested.

Related issue: link

@linux-foundation-easycla Linux Foundation: EasyCLA
Copy link

linux-foundation-easycla bot commented Mar 25, 2025
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

@k8s-ci-robot k8s-ci-robot requested review from embik and skitt March 25, 2025 19:23
@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Mar 25, 2025
@k8s-ci-robot
Copy link
Contributor

Welcome @christensenjairus!

It looks like this is your first PR to kubernetes-sigs/multicluster-runtime 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/multicluster-runtime has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Mar 25, 2025
corentone
corentone reviewed Mar 25, 2025
View reviewed changes
Copy link

@corentone corentone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some thoughts.
I think mostly on simplifying the example as much as possible to focus on the must have.
Then Im not sure I followed the breakdown of the interfaces. They seem to be very kubeconfig centric, and given they are interfaces I wonder if they should either apply to all providers or if we could simplify.

@christensenjairus
Copy link
Author

christensenjairus commented Mar 26, 2025
edited
Loading

@corentone I've simplified the example quite a bit. It was a pretty large change - it should be more straightforward and not have redundant interfaces. It follows the format the other providers have a lot more closely than my first draft did.

Here's a demonstration of the logs

Tear it apart 😆

embik
embik suggested changes Mar 26, 2025
View reviewed changes
Copy link
Member

@embik embik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey, thanks so much for the contribution! I have some doubts about how the provider actually runs, I think we can streamline that to be in sync with the other provider implementations, happy to further discuss this here or on Slack. :)

sttts
sttts reviewed Mar 26, 2025
View reviewed changes
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: christensenjairus
Once this PR has been reviewed and has the lgtm label, please ask for approval from embik. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Mar 27, 2025
@christensenjairus
Copy link
Author

christensenjairus commented Mar 27, 2025
edited
Loading

@sttts @embik @corentone I've simplified the example further. It works much faster than it used to, and much of the extra stuff I had originally I didn't end up needing. Like waiting for the cache, using hashes, ready for wait, etc. It's another large step towards matching how the other providers work.

I could use another review when you get a minute

@christensenjairus
Copy link
Author

christensenjairus commented Mar 27, 2025
edited
Loading

Do you think we need to add any instructions (or a script?) for generating kubeconfigs & setting up RBAC for the operator to use?

EDIT: I modified the script and added RBAC to it, so it should help streamline getting started.

Also, the way it's written now, it treats the local cluster as if it was remote as far as reconciles go. A user would need to set up RBAC and add a kubeconfig secret for the local cluster to get main.go's controllers to reconcile against the local k8s api.

It may not be ideal, but it's nice for code consistency. What do you think? I can add a local manager if we don't agree.

@christensenjairus christensenjairus requested a review from embik March 28, 2025 15:11
@skitt
Copy link
Member

skitt commented Mar 28, 2025

I know having separate commits makes reviewing incremental changes easier, but given the scale of the changes in some of the commits here, that’s somewhat moot. Could you squash this, or re-split it if you think separate (logical) commits make sense?

@k8s-ci-robot k8s-ci-robot added the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label Mar 28, 2025
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label Mar 28, 2025
@christensenjairus
Simplify provider and main.go further, making them look like other pr…
b21016e 
…oviders. Remove extra unnecessary aspects like isReady, hashing, etc. Add script to create kubeconfig secrets using remote serviceaccounts.
@christensenjairus christensenjairus marked this pull request as draft March 30, 2025 14:23
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 30, 2025
embik
embik reviewed Mar 30, 2025
View reviewed changes
providers/kubeconfig/provider.go
Comment on lines +206 to +211
if clusterExists {
log.Info("Cluster already exists, updating it")
if err := p.removeCluster(clusterName); err != nil {
return fmt.Errorf("failed to remove existing cluster: %w", err)
}
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't remember what hashing you were doing earlier, but looking at this code, won't every update to the kubeconfig secret coming down the informer pipeline cancel the engaged cluster and re-engage it? It probably makes sense to ensure we only do that if the kubeconfig actually changed.

mjudeikis
mjudeikis reviewed Apr 6, 2025
View reviewed changes
Copy link

@mjudeikis mjudeikis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Jumping bit late to review train. Few questions, but leaving for @embik and @corentone to tell if they make sense or not :)

examples/kubeconfig/README.md
Comment on lines +28 to +29
1. The remote cluster has a service account with the necessary RBAC permissions for your operator
2. The service account exists in the namespace where you want to create the kubeconfig secret
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is a remote cluster in this case? Cluster where the operator runs or each remote cluster it accesses?
I think maybe some topology documentation/explanation would answer this.

examples/kubeconfig/controllers/pod_lister.go
log.Info("Engaging cluster")

// Start a goroutine to periodically list pods
go func() {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Im a bit not sure if this is a good example.
1st can we use same configMap pattern like in other example so its consistent
2nd - Can we make it watcher (true controller) over just a loop?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sttts sttts sttts left review comments

@corentone corentone corentone left review comments

@mjudeikis mjudeikis mjudeikis left review comments

@embik embik embik requested changes

@skitt skitt Awaiting requested review from skitt

Assignees

@embik embik

Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@christensenjairus @k8s-ci-robot @skitt @sttts @corentone @mjudeikis @embik