theatre's Introduction

Theatre

This project contains GoCardless' Kubernetes extensions, in the form of operators, admission controller webhooks and associated CLIs. The aim of this project is to provide a space to write Kubernetes extensions where:

Doing the right thing is easy; it is difficult to make mistakes!
Each category of Kubernetes extension has a well defined implementation pattern
Writing meaningful tests is easy, with minimal boilerplate

API Groups

Theatre provides various extensions to vanilla Kubernetes. These extensions are grouped under separate API groups, all of which exist under the *.crd.gocardless.com namespace.

RBAC

Utilities to extend the default Kubernetes role-based access control (RBAC) resources. These CRDs are motivated by real-world use cases when using Kubernetes with an organisation that uses GSuite, and which frequently onboards new developers.

DirectoryRoleBinding is a resource that provisions standard RoleBindings, which contain the subjects defined in a Google group.

Note: In a GKE Kubernetes cluster this may soon be superseded by the Google Groups for GKE functionality.

Workloads

Extends core workload resources with new CRDs. Extensions within this group can be expected to create or mutate pods, deployments, etc.

Consoles: Provide engineers with a temporary dedicated pod to perform operational tasks, avoiding the need to provide pods/exec permissions on production workloads.

Vault

Utilities for interacting with Vault. Primarily used to inject secret material into pods by use of annotations.

secrets-injector.vault.crd.gocardless.com webhook for injecting the theatre-secrets tool to populate a container's environment with secrets from Vault before executing.

Command line interfaces

As well as Kubernetes controllers this project also contains supporting CLI utilities.

theatre-consoles

theatre-consoles is a suite of commands that provides the ability to create, list, attach to and authorise consoles.

Run: go run cmd/theatre-consoles/main.go

theatre-secrets

See the command README for further details.

Run: go run cmd/theatre-secrets/main.go

Getting Started

Theatre assumes developers have several tools installed to provide development and testing capabilities. The following will configure a macOS environment with all the necessary dependencies:

make install-tools-homebrew
make install-tools-kubebuilder
make install-tools
sudo mkdir /usr/local/kubebuilder
curl -fsL "https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.1/kubebuilder_2.3.1_$(go env GOOS)_$(go env GOARCH).tar.gz" | \
  sudo tar -xvz --strip=1 -C /usr/local/kubebuilder
export KUBEBUILDER_ASSETS=/usr/local/kubebuilder/bin

Local development environment

For developing changes, you can make use of the acceptance testing infrastructure to install the code into a local Kubernetes-in-Docker (Kind) cluster. Ensure kind is installed (as per the [getting started steps][#getting-started]) and then run the following:

make build
make test
make acceptance-e2e

You can also run the individual commands, check the Makefile for more details,

Example: get the kind cluster read for the acceptance tests

go run cmd/acceptance/main.go prepare # prepare the cluster, install theatre

At this point a development cluster has been provisioned. Your current local Kubernetes context will have been changed to point to the test cluster. You should see the following if you inspect kubernetes:

$ kubectl get pods --all-namespaces | grep -v kube-system
NAMESPACE        NAME                                        READY   STATUS    RESTARTS   AGE
theatre-system   theatre-rbac-manager-0                      1/1     Running   0          5m
theatre-system   theatre-vault-manager-0                     1/1     Running   0          5m
theatre-system   theatre-workloads-manager-0                 1/1     Running   0          5m
vault            vault-0                                     1/1     Running   0          5m

All of the controllers and webhooks, built from the local working copy of the code, have been installed into the cluster.

As this is a fully-fledged Kubernetes cluster, at this point you are able to interact with it as you would with any other cluster, but also have the ability to use the custom resources defined in theatre, e.g. creating a Console.

If changes are made to the code, then you must re-run the prepare step in order to update the cluster with images built from the new binaries.

Tests

Theatre has test suites at several different levels, each of which play a specific role. All of these suites are written using the Ginkgo framework.

In order to setup your local testing environment for unit and integration tests do the following:

$ make install-tools
$ # install setup-envtest which configures etcd and kube-apiserver binaries for envtest
$ # https://book.kubebuilder.io/reference/envtest.html#configuring-envtest-for-integration-tests
$ # https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest#envtest-binaries-manager
$ # Configures envtest to use k8s 1.24.x binaries, in your shell (if required)
$ eval $(setup-envtest use -i -p env 1.24.x)

Unit: Standard unit tests, used to exhaustively specify the functionality of functions or objects.

Invoked with the ginkgo CLI. (requires setup-envtest variable)

make test

Example unit test.

Integration: Integration tests run the custom controller code and integrates this with a temporary Kubernetes API server, therefore providing an environment where the Kubernetes API can be used to manipulate custom objects.

This environment has no Kubernetes nodes, and does not run any other controllers such as kube-controller-manager, therefore it will not run pods.

These suites provide a good balance between runtime and realism, and are therefore useful for rapid iteration when developing changes.

Invoked with the ginkgo CLI.

Example integration test.
Acceptance: Acceptance is used for full end-to-end (E2E) tests, provisioning a fully functional Kubernetes cluster with all custom controllers and webhooks installed.

The acceptance tests are much slower to set up, and so are typically used sparingly compared to the other suites, but provide essential validation in CI and at the end of development cycles that the code correctly interacts with the other components of a Kubernetes cluster.

Invoked with: make acceptance-run

Example acceptance test.

theatre's People

Contributors

Stargazers

Watchers

theatre's Issues

Labels aren't preserved from DirectoryRoleBinding -> RoleBinding

We should pass the labels from the DirectoryRoleBinding resource onto the RoleBindings that it owns, to make filtering and searching easier.

Building manifests depends on controller-gen being in your path

https://github.com/gocardless/theatre/pull/14/files#r250241456

E2E tests in acceptance

Ideally we want to be able to run full end-to-end tests in the acceptance environment, to ensure that our controllers behave properly in something better resembling the real world.

Kubebuilder v2 improvements + ideas

This issue collects several improvements and general ideas that were either out of the scope for the upgrade to kubebuilder v2 or were things we noticed while doing the upgrade.

Manager resource type: Transition the deployment model from using StatefulSet to use multiple Deployment replicas + leader election. This was removed from the upgrade to minimize risk as we didn't have the time to test all the functionality around leader election.
Metrics: The managers are producing new Prometheus metrics that we should dedicate some time to understand and see how we get some value from them. We might have duplicate metrics in the sense that some of the API webhook calls are already covered by these default metrics so our custom metrics might be no longer be needed.
Organizational: Review placing webhooks under a root webhooks/ folder as we do for controllers/. This will be going against kubebuilder v2 convention but it should improve code layout and discoverability. Kubebuilder has reasons for doing this so we should make sure we understand the trade-offs if we were to do this.
Project layout: Review how we structure the different components (API groups). It's not easy to use just one of the components (reduce adoption and increase maintainability complexity). During the upgrade to kubebuilder v2, we were forced to upgrade all the components at once.
Acceptance test improvements:
- Make which acceptance test to run selectable vs running all of the runners.
- Rethink how we build the binaries and docker image so it's not required to compile and rebuild all the binaries and all parts of the docker image to run an individual acceptance test where only a small change has been made.
Webhooks: Upgraded webhooks to use admissionReviewVersions/v1. We're using the v1beta1.
CRDS validation and defaulting: https://book.kubebuilder.io/reference/markers/crd-validation.html . Adopt new CRDS validation and defaulting. We've our custom validation and defaulting that doesn't follow the same conditions and not play nice with OpenAPI Schema either.
Kubectl: Make kubectl explain work for our CRDS. This is supported now in Kubernetes but it is not working with Theatre.

~~- Kubernetes upgrades: Upgrading to kubernetes 1.18 is blocked at the moment. CRDS generated with controller-gen are incompatible with this version. See details here kubernetes/kubernetes#91395.~~

~~- Improvement testing: There are a few flaky tests that we should review and improve; appear to primarily be a result of the timeouts we set for eventually and on slow/busy machines tests fail.~~

Manifests: Adding a jsonnet mixin that helps define the CRDS objects and also to deploy theatre as well. We might want to keep Kustomize as well which play nice with controller-gen.
Logging: Zap is the new default however it doesn't really behave the way we would like it to (primarily the Error logging and stack traces is annoying). Other binaries such as theatre-envconsul and theatre-console are still using go-kit/log. We should review our logger choice.
Graceful shutdown of manager in integration tests: We have deviated slightly from the standard suite_test.go integration test layout as the recommended way doesn't shut down the manager gracefully. We should keep an eye on how this is fixed and update our tests. kubernetes-sigs/controller-runtime#904
Opensource maturity: We should decide on how mature we want this project to be from an opensource perspective and then ensure we move towards it.
- Reviewing the docs from an outsider looking in with no context would be a great start. Some sections of the docs are incomplete and assume context that someone external would not have. Approaching this from the divio style would perhaps be useful. https://documentation.divio.com/
- There aren't docker images available to the public. Making them open will help drive adoption.

Recommend Projects

gocardless / theatre Goto Github PK