Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

kops get --full should not be used for kops create #2290

Closed
justinsb opened this issue Apr 5, 2017 · 7 comments
Closed

kops get --full should not be used for kops create #2290

justinsb opened this issue Apr 5, 2017 · 7 comments
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@justinsb
Copy link
Member

justinsb commented Apr 5, 2017

As discussed on slack:

If you want to see the complete spec, you also pass --full ... but ...
We just discovered that some people are doing a get with --full and then feeding this back into kops create -f
I am not sure if anyone else is doing this. Things will not go well.
Here's what happens ... you see every field as populated, and then kops will assume you want to actively specify those fields.
So - for example - kops sets a bunch of flags for you based on the networking or kubernetes version you are using
That is the difference between the default and the --full spec
The --full spec is after the inference
The problem is e.g. if you upgrade kubernetes, if a flag changed, we will assume you want to override the flag value, and we won't use the new logic
So you'll end up passing deprecated flags, for example

I'm wondering if other people may have also fallen into this trap. I can see two ways around it:

  • the "carrot" - provide a single command to export everything (nodes & igs). kops get -oyaml. I want this anyway 🙂
  • the "stick" - add an annotation to anything exported with kops get --full so that it cannot be directly used in kops create -f. We would log an explanation, and if you really want to do it, you could just remove the annotation.
@chrislovecnm
Copy link
Contributor

chrislovecnm commented Apr 6, 2017

Low hanging fruit is put in nasty warning message

kops get cluster $CLUSTER_NAME --full -o yaml
# WARNING - THIS IS FOR DIAGNOSTIC ONLY - USE AT YOU OWN RISK FOR CLUSTER CREATION
# ONLY USE REQUIRED AND MODIFIED ELEMENTS
# kop get cluster -o yaml will display the required elements.

@goraxe
Copy link

goraxe commented Apr 20, 2017

Some folks are even more sneaky and grab the config directly from the state bucket and feed that back into kops. How about a validate mode, which can be fed a set of config and emit some warnings / errors. That can be worked into our CI/CD system. I want a stage in there anyway which does some validity checks to make sure noone is trying to delete the master instance group or other mistakes.

@chrislovecnm
Copy link
Contributor

@goraxe grabbing it out of the STATE_STORE can cause all kinds of problems :(

A linter built into kops would be awesome. We have issues around helm functionality as well. Contributions are always appreciated!

@goraxe
Copy link

goraxe commented Apr 24, 2017

@chrislovecnm gotta love users right? I was kinda aware I was violating a backend. It was a result of some fairly nasty shell script and makesfiles being wrapped around kops and needing to come up with a process for managing changes to clusters a little better. I'm more of a fan of revisioned config then revisioned nested scripts wiring through env variables. Especially when needing to review said changes. The lower the cognitive friction the better. Now I'm aware there could be issues I will slim things down to the minimum set we require.

I will see what I can do on the contributions front, my current manager seems pretty keen for some of the things we are building to be opened up. I also try to participate in opensource communities which I'm working with, just need signoffs from certain folks etc. May also come from a different identity more associated with $work ... depends a little on legal, policy, etc.

@chrislovecnm
Copy link
Contributor

chrislovecnm commented Apr 24, 2017

@goraxe we always appreciate the help! FYI - we have developer office hours ever other Friday. See the Readme for the details.

I think multiple issues are causing this problem

  1. We do not have a way to way to run a single command and get a full yaml - we need a get command that outputs a yaml - clusterspec and ig.
  2. We are missing good docs for our API - we need to figure out if we can leverage the swagger doc gen that code now has.
  3. People have requested a helm like functionality - really cool idea
  4. We need to warn users that they are doing something that is dangerous "--full"

I did it, number 4, and I really should know better.... I write this code..

How do you think we can make kops more awesome?

k8s-github-robot pushed a commit that referenced this issue Aug 4, 2017
Automatic merge from submit-queue

adding warning about --full

This starts work on #2290.  Adds a warning to deter users from using YAML generated by --full.
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 23, 2017
@chrislovecnm
Copy link
Contributor

We have a warning now

/close

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.
Projects
None yet
Development

No branches or pull requests

5 participants