Manifest templates

[spikecurtis]

Description

Reworks generation of various calico.yaml and canal.yaml manifests to be generated with Jekyll's templating system.

Todos

• Tests

Release Note

None required

[spikecurtis]

@ozdanborne you can just look at the second commit in this series

[ozdanborne]

@spikecurtis Just wanted to bring up whitespace trimming:

In Liquid, you can include a hyphen in your tag syntax {{-, -}}, {%-, and -%} to strip whitespace from the left or right side of a rendered tag.

There's some places in the manifest where you've put if statements on their own line. By adding a whitespace trimmer, there won't be a blank line in the rendered manifests.

Other places, some of the if logic can be indented and on different lines if you use the whitespace trimmers, making it easier to read.

I'll make some individual comments to point out examples.

[ozdanborne]

When do you plan to get this in? You may want to announce a freeze on manifest changes soon, otherwise you'll have a hard time rebasing.

[ozdanborne]

How about a jekyll comment at the top of each of these include manifests that explains which .include flags it accepts. For this manifest, for example:

{% comment %}

calico-config.yaml acccepts the following include flags:

| Name        | Accepted Values |
|-------------|-----------------|
| datastore   | kdd, etcd       |
| typha       | true, false     |
| network     | calico, flannel |
| calico_ipam | true, false     |

{% endcomment %}

[spikecurtis]

I planned on getting it in ASAP. I'm assuming that CNX doesn't use these manifests (or not master, at any rate).

[ozdanborne]

I think jekyll is going to try to render this. So you'll need to put it in a {% raw %}{{ .MeshConfig.ProxyListenPort }}{% endraw %}

[ozdanborne]

Never mind! Looks like you did above 👍

[ozdanborne]

I'm worried that Canal and Calico are too different to control with if/else. Perhaps we want to split the configmap into calico-config.yaml and canal-config.yaml, and consider doing the same for the Daemonset as well.

Edit: I'm less certain about splitting the daemonset but the calico-config and canal-config seem like it would be a clean way to simplify it.

[spikecurtis]

Canal + etcd seems to be the odd one. Canal + KDD is very similar to Calico + KDD.

I was wondering if it is really necessary to be that way, and maybe Canal + etcd just never got updated...

[ozdanborne]

This 'else' is for the if include.network == 'calico' on line 112. It is quite difficult to track that down since these if statements aren't indented.

Since I don't think jekyll has a way for us to indent the if/else logic, perhaps we should avoid nested if statements and long if/else conditions when possible, instead opting to end them and explitly starting a new if with its exact conditions. Does that make sense?

[spikecurtis]

I've indented nested logic and used {%- to prevent the nesting whitespace from showing up in the final rendered file.

[ozdanborne]

Any reason this is in manifests/ instead of manifests/app-layer-policy?

Same for the other few manifests here...

[spikecurtis]

Good idea

[ozdanborne]

not super important, but this is smushing with typha_service_name in the kdd manifest:

data:
  # To enable Typha, set this to "calico-typha" *and* set a n
  # below.  We recommend using Typha if you have more than 50
  # essential.
  typha_service_name: "none"
  # Configure the Calico backend to use.
  calico_backend: "bird"

[ozdanborne]

never mind, forget i mentioned this. there's a few places i'm seeing this, but we can fix it later.

[ozdanborne]

interestingly, looks like canal etcd used https instead of http. I wouldn't have thought that https would work...

[ozdanborne]

looks like the name of the daemonset changes to canal (instead of canal-node) in the new manifests. This would break upgrades for existing users applying our manifests directly...

[ozdanborne]

looks like we lost this toleration in the new canal manifest. Not sure what our stance is on running kube-controllers on master...

[spikecurtis]

Casey's stance is

¯\_(ツ)_/¯

[ozdanborne]

The pool is still needed when net=none, as felix uses it to identify container traffic. So this needs to be moved into its own if statement where include.network == "calico" || include.network == "none"

[ozdanborne]

looks like we've dropped this field in the new system. which feels right. but just pointing out for the record 👍

[ozdanborne]

Ok I've manually gone through all the diffs and pointed out all the major differences I found.

I've also attached the bash script I used to generate local manifests for comparisons, in case anyone else wants to compare them. (uploaded as .txt since github doesn't like .sh. just rename it).
render-comparable-manifests.txt

[ozdanborne]

Nit: this block and the previous block could be combined, since they share the exact same verbs and apiGroups:

- apiGroups: [""]
  resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"]
  verbs: ["get", "list", "watch"]

[ozdanborne]

should be [""]

[spikecurtis]

I'd rather not modify the istio.yaml since it's mostly taken from the Istio project directly, so us fixing it up is going to make merges difficult in the future.

[ozdanborne]

this could be combined with the previous group as well

[ozdanborne]

I don't think this raw is needed at all. It's currently rendering like this, which doesn't seem right:

        secret:
          optional: true
          {{ if eq .Spec.ServiceAccountName "" }}secretName: istio.default{{ else }}secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}{{ end }}

[ozdanborne]

If this is supported my mind is going to explode. Does kubectl support templating of the manifests themselves?

[spikecurtis]

No, kubectl doesn't but the pod that consumes this configmap is itself a kind of templating engine. That's why this configmap has template tags in it that need to be escaped.

[ozdanborne]

ohh, i didn't notice this was just technically a string inside a configmap. phew. Though i kind of wish it did work that way 😄

So we can dismiss the original comment, it's fine as is.