[installer]: grant option for disabling proxy load balancer #7280
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: No associated issue. Update pull-request body to add a reference to an issue, or get approval with The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
roboquat
added
team: webapp
mrsimonemms
force-pushed
the
sje/installer-custom-ingress
branch
from
0b67612 to
5c7fe79
Compare
|
@csweichel @corneliusludmann would be interested in your thoughts on this. We definitely need to do SOMETHING, but open to suggestions if this is the correct something. I've put it on hold as want to get community feedback if this will work across the board |
|
/hold |
Codecov Report
@@ Coverage Diff @@
## main #7280 +/- ##
========================================
- Coverage 7.44% 5.76% -1.68%
========================================
Files 15 13 -2
Lines 1330 1162 -168
========================================
- Hits 99 67 -32
+ Misses 1228 1094 -134
+ Partials 3 1 -2
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
installer/README.md
Outdated
| ``` | ||
|
|
||
| This will set the `ServiceType` to `ClusterIP` allowing you to create your own | ||
| ingress controller - click [here](https://gist.github.com/MrSimonEmms/480e88c149f6e725c727cc1f20b21474) |
There was a problem hiding this comment.
Do we have a better, GP-owned place to put this?
There was a problem hiding this comment.
How about somewhere in this repo under the contrib/ folder?
There was a problem hiding this comment.
That's a good idea
@mrsimonemms this config gives the impression that Gitpod uses Ingress, and that's not the case. meta:
ingress:
serviceType: ClusterIP |
mrsimonemms
force-pushed
the
sje/installer-custom-ingress
branch
from
5c7fe79 to
091ec0a
Compare
|
I've done the change @aledbf suggested. This will require some additional validation to ensure that the I can also see the potential preference of setting it as |
installer/README.md
Outdated
| ```yaml | ||
| meta: | ||
| ingress: | ||
| enabled: false |
installer/README.md
Outdated
| your Installer configuration: | ||
|
|
||
| ```yaml | ||
| meta: |
There was a problem hiding this comment.
Unlike workspace - which refers workspaces rather than the team - the term meta does not make sense from a user's perspective.
There was a problem hiding this comment.
Fair point. Have you got a preferred name?
installer/README.md
Outdated
| ```yaml | ||
| meta: | ||
| ingress: | ||
| enabled: false |
There was a problem hiding this comment.
We should make the behaviour of this flag more obvious in its naming, e.g. directly refer to the type of the proxy service.
mrsimonemms
force-pushed
the
sje/installer-custom-ingress
branch
from
091ec0a to
ff69a02
Compare
|
@mrsimonemms |
|
Ingress can be ruled out, it is a imagebuild issue. |
mrsimonemms
added
the
installer: needs interface change
|
With the right distribution (Ubuntu 20.04 instead of Debian 10) everything works. To get the ingress working I added the following annotations: I am not quite sure how big the proxy-body-size must be set, but 1G works. So, this could be used as a starting point. |
|
@mrsimonemms please do not include references or examples to Ingress configurations. The main reason is related to the side effects of reload in ingress controllers like ingress-nginx and the impact on workspaces and reconnections. |
|
@appcoders if you configure |
| ```yaml | ||
| components: | ||
| proxy: | ||
| serviceType: ClusterIP |
There was a problem hiding this comment.
Maybe add a validation checking that serviceType is LoadBalancer or ClusterIP only?
Both, proxy and ws-proxy are configured on ports 80 and 443
|
@aledbf You are right. This was a leftover from previous tests... |
|
Thanks, @mrsimonemms for opening this pull request. I am currently trying to better understand the use case as well as the implications/risks for this change. Use CaseCurrently, we create a service for the proxy of type LimitationsThe proxy still needs to have SSL certs. With this change, you still cannot move the SSL handling/termination to the ingress controller, right? ImplicationsIntroducing this option in the installer indicates also that this is a valid use case we fully support somehow. That's why it's important to understand the implications and risks of this change. Or in other words, is the use of an ingress controller something we can support with confidence without regular testing? Or should we expect that there will be problems with it from time to time as users try it out and find cases that we haven't considered/tested? (Which ultimately leads to more variance that we need to test and support.) @aledbf's comment above indicates that using a custom ingress controller could bring side-effect:
This means that we would probably have to test the case thoroughly with different ingress controllers if we want to officially support this. What's next?Surely there are or will be users who have a need for this use case. However, at the moment there seems to be no one we know for sure (especially with the limitation mentioned above), right? This pull request is, at its core, a small change in the load balancer that allows changing the type from I don't want to be a wet blanket. But especially because we can re-implement this change pretty quickly once we have the actual need from a customer for such a feature, I would vote for putting this pull request on hold for now. When we close this pull request now, we still have the code snippets available here once we decide that we need to implement (and test) this. And if people from the community want to experiment with ingress controllers, they can still patch the output from the installer after the rendering pretty easily to change the service type of their installation. What do you think? See also |
|
@corneliusludmann You're asking for use-cases? We are self-hosting on dedicated servers with no LB available. So, the Ingress solution is needed in this case. And certificate handling is not a problem as cert-manager handles renewal and the ingress uses the same cert secret as the proxy does. |
|
@corneliusludmann tl;dr, I'm happy holding this but there is a legitimate use-case for this. This is an oft-requested feature in the community, including from some potential large users. Technical reasons are somewhat sketchy for this, but I'm expecting that @appcoders's "we are hosting on servers with no LB available" is one such reason - I don't expect that this is the only one though. I'm happy enough saying to people that post-processing the YAML is the recommended solution, but if we do that then we need to have better documentation on this - I would suggest as well that we would need to then have a "post-processable" output for the I know that the single-hosted instance would still require a cert at this stage - in my mind, that's a separate issue which, whilst related, I would like to do work on improving in the new year Holding whilst we get different use-cases is a legitimate option. @community - please add your use-cases down below I guess |
mrsimonemms
force-pushed
the
sje/installer-custom-ingress
branch
from
ff69a02 to
a064784
Compare
This will allow users to create their own ingress controller. An example for NGINX Ingress is shown
mrsimonemms
force-pushed
the
sje/installer-custom-ingress
branch
from
a064784 to
762b350
Compare
|
After having issues bringing up the workspace at all, after removing the annotation |
Do you have the flag If not, it means |
|
@aledbf This is how my ingress-nginx is installed: |
|
Replaced with #7364 |
Description
This will allow users to create their own ingress controller. An example for NGINX Ingress is shown.
The thinking behind this is due to the number of corporate users who have said that using
ServiceType: LoadBalanceris not possible for them. If the ingress is disabled, theServiceType: ClusterIPis used and the expectation is that the user will configure their own ingress controllerAn example for NGINX Ingress is provided (in a gist)
This introduced the
metaconfig object (similar toworkspace) andingress.serviceType, which defaults toLoadBalancerHow to test
Create a deployment and set the config:
Deploy your installation of Gitpod
Install ingress-nginx:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/psp/psp.yaml helm upgrade \ --atomic \ --cleanup-on-fail \ --create-namespace \ --install \ --namespace ingress-nginx \ --reset-values \ --repo https://kubernetes.github.io/ingress-nginx \ --set defaultBackend.enabled=false \ --set controller.extraArgs.enable-ssl-passthrough=true \ --wait \ ingress-nginx \ ingress-nginxCreate your ingress controller:
Release Notes
Documentation