Open johnbelamaric opened 1 year ago
/cc @henderiw @tliron @s3wong
/sig automation /area workload-cluster /area package-management
I think you're exactly right, but there's a lot of detail to go over. I suggest a presentation during a meeting so that the community is on the same page. I would also suggest that it's a bit late in the release cycle, so that maybe that can wait for soon after R1. But still, strong yes, we are not using Config Sync "correctly".
Hi @johnbelamaric, what I have observed is that ConfigSync removes the RootSync from the workload cluster after we remove RootSync from the deployed-packages but it does not removes the associated resources from the cluster.
Hi @johnbelamaric, what I have observed is that ConfigSync removes the RootSync from the workload cluster after we remove RootSync from the deployed-packages but it does not removes the associated resources from the cluster.
Ooh. Interesting. That could be an issue. I thought it tagged everything to say it was managed by that root sync and would delete it.
Hi @johnbelamaric, what I have observed is that ConfigSync removes the RootSync from the workload cluster after we remove RootSync from the deployed-packages but it does not removes the associated resources from the cluster.
Ooh. Interesting. That could be an issue. I thought it tagged everything to say it was managed by that root sync and would delete it.
pointing the rootsync to an empty repo deletes the associated resources.
pointing the rootsync to an empty repo deletes the associated resources.
Ok, great to know. So, we may need to do that first somehow. Maybe have a repo (or branch?) we can point at that represents a deletion, and then finally remove it once the resources are all cleaned up.
pointing the rootsync to an empty repo deletes the associated resources.
Ok, great to know. So, we may need to do that first somehow. Maybe have a repo (or branch?) we can point at that represents a deletion, and then finally remove it once the resources are all cleaned up.
The challenge here is to monitor the resources created by the rootsync (for cleanup).
pointing the rootsync to an empty repo deletes the associated resources.
Ok, great to know. So, we may need to do that first somehow. Maybe have a repo (or branch?) we can point at that represents a deletion, and then finally remove it once the resources are all cleaned up.
Config Sync version 1.16.0 and later supports delete propagation to all the previously-applied objects. We need to add the below annotation : configsync.gke.io/deletion-propagation-policy: Foreground
Currently, we setup ConfigSync with a single "RootSync" that slurps in the entire repository on the main branch into the cluster. This is not how it is typically used. It also leads to a problem due to how Porch manages package revisions, because when you "delete" a package revision in Porch, it deletes the tag but leaves the underlying directory in the main branch. So, the workload is not removed by ConfigSync.
To fix this, I propose we change how use ConfigSync. This change will actually set up us up for a couple of things better in the future:
So, what's the change? It's as follows:
Our per-workload cluster RootSync installed by the bootstrap controller would thus look like this (this is identical to what we used in the workshop, except the addition of directory):
So, how do we manage the contents of
/deployed-packages
? We can populate it by deploying a package of that name to that repository. This can be automated, not something the user has to do. That package would contain additionalRootSync
(and maybe at some pointRepoSync
which are scoped to managing resources in a namespace) resources. Those would point back to the same repo, but specify a particular package, like:Notice the
revision
field. This tells ConfigSync to pull from that tag and apply the resources in that directory - in other words, to apply that specific package revision. Thus, as we publish new revisions of the package, they do not roll out automatically. We must ALSO update this RootSync. To remove the package from the workload cluster, we delete the RootSync from thedeployed-packages
package, ConfigSync then removes the RootSync from the workload cluster, and removes the associated resources as well. The actual package still remains in the workload cluster repository; it's just not actually deployed.Use of a R*Sync per workload is a more standard use of ConfigSync than what we are doing today.
The next question is how we can automate the creation and management of the per-cluster
deployed-packages
package. For that:To simulate "Publish == Deploy", we could, the controller could auto-propose and auto-approve the deployed-packages package, if we want.
If you want to implement Argo instead of Config Sync, you can have the controller emit Argo Application resources instead of a "package of RootSyncs".
So in the end, to implement this we need:
dir
.deployed-packages
package for each cluster.