disable jenkins auto-deployment #10260
Conversation
|
[test] |
bparees
force-pushed
the
disable_autojenkins
branch
2 times, most recently
from
c9d31a3 to
e410633
Compare
|
@csrwng ptal |
bparees
force-pushed
the
disable_autojenkins
branch
from
e410633 to
a2ab01f
Compare
| @@ -293,7 +293,7 @@ var ( | |||
| "ProjectRequestLimit", | |||
| "OriginNamespaceLifecycle", | |||
| "PodNodeConstraints", | |||
| "JenkinsBootstrapper", | |||
| //"JenkinsBootstrapper", | |||
There was a problem hiding this comment.
Removing it this way makes it essentially impossible to turn back on. If you want it off by default, use the code here: https://github.com/openshift/origin/blob/master/pkg/cmd/server/start/admission.go#L43
There was a problem hiding this comment.
when we're ready to turn it on, it will be part of a new release that enables the feature. we're not going to ship doc to customers about how to turn on a feature we deemed not ready for consumption.
|
I don't want to disable the admission controller. We should be using the enabled flag, and having ansible set it to "off" for enterprise. |
bparees
force-pushed
the
disable_autojenkins
branch
from
a2ab01f to
8464a8d
Compare
|
@smarterclayton @deads2k admission controller has been restored, but i'm not sure what template to have it instantiate. The problem:
So we can: any preference? (b) seems like the right answer but it's inconsistent with how we name all the other ephemeral vs persistent templates. |
bparees
force-pushed
the
disable_autojenkins
branch
from
8464a8d to
66fe1bf
Compare
| @@ -41,6 +41,7 @@ var ( | |||
|
|
|||
| func init() { | |||
| defaultOffPlugins.Insert("AlwaysPullImages") | |||
| defaultOffPlugins.Insert("JenkinsBootstrapper") | |||
There was a problem hiding this comment.
@deads2k i've disabled it via your preferred mechanism, but given that this mechanism exists, how do you feel about removing this field:
https://github.com/openshift/origin/blob/master/pkg/cmd/server/api/types.go#L325-L328
because it seems redundant to me.
There was a problem hiding this comment.
I don't want to default this off. I want enabled to default to false.
There was a problem hiding this comment.
you want what enabled setting to default to false?
There was a problem hiding this comment.
@deads2k i've disabled it via your preferred mechanism, but given that this mechanism exists, how do you feel about removing this field:
Yes, lets remove that flag.
There was a problem hiding this comment.
I don't want to default this off. I want enabled to default to false.
Let's say we default it on (that allows it be set to off). How would you distinguish between cases where ansible set the value to false and people were just waiting for it to be ready and the case where someone said "don't turn this on"? That would eliminate the ability for us to enable the feature when its ready.
Defaulting to off now, does not preclude defaulting to on later.
There was a problem hiding this comment.
Allow jenkins auto-creation to be disabled from a single spot.
item 2 is still possible using the admission on/off mechanism
Default the entire config so an admin can see what is used
This is a general problem with admission plugins, why should jenkins be special in this case? The whole stanza has been reduced to an admission plugin (I think).
There was a problem hiding this comment.
Why don't you want to remove the enabled flag? what's the difference between enabling this feature via the admission controller's config, and enabling it by enabling the admission controller itself?
Isn't enabling/disabling the controller what @deads2k's suggestion (which i've accepted) allows for?
There was a problem hiding this comment.
moving @smarterclayton's comment to the right thread:
I don't consider the admission on off interface acceptable. The enabled flag was specifically put in to give all cluster admins a single, explicable point of control for jenkins auto creation. Admission fiddling is not usable, discoverable, or safe.
so are we going to remove the "disable random admission controllers" feature? because it's pretty confusing if we're going to have it and then not let people use it.
There was a problem hiding this comment.
also i consider "disable this admission controller" more usable than "hey you want to disable this thing, well first you have to create a configuration for it, just to turn it off, because it's on by default if you don't configure it"
There was a problem hiding this comment.
so are we going to remove the "disable random admission controllers" feature? because it's pretty confusing if we're going to have it and then not let people use it.
We can't remove that feature. It's the only sane way to remove a plugin from admission. The alternative (user takes ownership of the entire chain) is incredibly dangerous for a customer to do and is terrifying during upgrade (see the bugs I've gotten about clusterquota not enforcing because they took ownership of the admission chain).
|
We should change the default config to point to jenkins-ephemeral |
|
AT the same time we disable the enabled flag. |
you want the default config to expect to find a template named "jenkins-ephemeral" in the openshift namespace? I don't like that approach because it means an admin who wants to switch to a persistent template must stop their cluster and change the cluster config to point to different template name, or they must replace the "jenkins-ephemeral" template with one that's still named "jenkins-ephemeral" but is not actually ephemeral. Better to use a generic name so the admin can swap out the template w/o having to reconfigure the admission controller.
define "disable" and define which flag you're talking about. I still think we should be removing the "enabled" field that is part of the jenkins admission controller config because it's redundant to simply disabling the entire admission controller via the mechanism this PR is currently using. maybe we need to chat in person so i can understand what you're proposing. |
I'd rather not do this. I'd like to have an empty config be handled the same way we handle When it is specified, it is a |
| ${EXAMPLES}/db-templates/... \ | ||
| ${EXAMPLES}/jenkins \ | ||
| ${EXAMPLES}/jenkins/pipeline \ | ||
| ${EXAMPLES}/quickstarts/... |
There was a problem hiding this comment.
While we're touching it we might as well make it pretty :)
output="${OUTPUT_PARENT}/pkg/bootstrap/bindata.go"
"${GOPATH}/bin/go-bindata" -nocompress \
-nometadata \
-prefix "bootstrap" \
-pkg "bootstrap" \
-o "${output}" \
-ignore "README.md" \
-ignore application-template.json \
"${EXAMPLES}/image-streams/..." \
"${EXAMPLES}/db-templates/..." \
"${EXAMPLES}/jenkins" \
"${EXAMPLES}/jenkins/pipeline" \
"${EXAMPLES}/quickstarts/..."There was a problem hiding this comment.
Yeah, that makes all the difference when dealing in bash......
There was a problem hiding this comment.
lol. and @stevekuznetsov sure, I thought I was already improving it, but i can go the rest of the way, just for you.
Although I see advantages to that approach, I don't think I want to bake a template into code. Right now admins/users can use "oc get template jenkins" to see the template we're instantiating on their behalf. Baking the default template into code makes that much harder (as you say, we would have to add a special command just for this capability that people would need to learn). Also it should probably be an admin choice whether to change the template that's being instantiated when you move to a new release, otherwise you get projects with old and new templates and the admin may not even be aware that has happened (ie that they should go back and recreate jenkins in older projects because we patched something). It also means we can't patch clusters in the field w/o either
|
I don't think that most people would even go looking for it. You'd get a "works out of the box" behavior (which doesn't happen today) and you'd still have all the power to being able to create your own template if you care. People who care wouldn't bother looking at what's created automatically, they'd grab the recommended template for their situation as they have to today. The only big difference is that people who don't care wouldn't get greeted with failures they can't fix as an end user. |
you get works out of the box behavior today for any "real" install that will have installed the expected templates (including oc cluster up). Backdooring resources into the system seems wrong to me.
to you that's the only big difference. to me the big difference is all the things i listed. new tooling, non-standard approach, less discoverable, harder to perform maintenance/patching on. |
bparees
force-pushed
the
disable_autojenkins
branch
from
66fe1bf to
edcd36a
Compare
| "iconClass": "icon-jenkins", | ||
| "tags": "instant-app,jenkins" | ||
| } | ||
| }, | ||
| "message": "A Jenkins service has been created in your project. The username/password are admin/${JENKINS_PASSWORD}.", | ||
| "message": "A Jenkins service has been created in your project. The username/password are admin/${JENKINS_PASSWORD}. The tutorial at https://github.com/openshift/origin/blob/master/examples/jenkins/README.md contains more information about using this template.", |
There was a problem hiding this comment.
should you make the link a parameter so you can (more easily) point to a different one for OSE?
There was a problem hiding this comment.
that's going to be a weird parameter since you're not actually expecting a user to provide their own value for it. (and OSE would still need to carry a patch to the template to use a different default value for the parameter?)
if OSE wants to point elsewhere, they can carry a patch to the template.
openshift-bot
added
the
needs-rebase
|
Allowing users to disable admission controllers is useful. But my point is Jenkins is a premier, user focused feature. I want to say "turn Jenkins On Wed, Aug 10, 2016 at 4:22 PM, OpenShift Bot [email protected]
|
both things are part of the same kubeconfig file, no? i don't see how one is any easier than the other to figure out. |
|
jenkins.enabled = false is about as clear a config flag as I can
possibly imagine.
|
openshift-bot
removed
the
needs-rebase
I think that's a reasonable change to make if they haven't expressed a preference.
I still think we should follow the project-template pattern to work out of the box and provide flexibility. But I'm also tired of arguing. |
|
Here are the things that I want - I don't have time to read the PR right
If this PR does those three things (or just 1 and 3) I'm ok with that. On Fri, Aug 12, 2016 at 7:36 AM, David Eads [email protected]
|
bparees
force-pushed
the
disable_autojenkins
branch
from
69a199c to
70c66e8
Compare
@bparees can you think of way to do this that doesn't involve manual configuration or using the existing project-template pattern? |
this PR does not currently do that because @danmcp and I discussed and both think the default behavior should be consistent across origin/OCP/online. We probably need an in person discussion to get to a conclusion on that.
done.
this PR doesn't do that itself, of course, but the mechanism is in place such that ansible can configure it off or on. But that is not currently needed pending the resolution of (1). |
not sure what you mean. Today (since the default is that this behavior is off) there are two things you must configure to enable the feature:
(1) is pending the discussion with @danmcp and @smarterclayton |
That's the classic: "it's installed and enabled, but it won't work unless you complete a series of configuration steps". Technically true, technically enabled about the of box, guaranteed to fail 100% of the time without additional non-out-of-the-box steps. |
it's part of the install for oc cluster up and OCP. hardcoding it for origin does not make sense to me. (hardcoding resource definitions period strikes me as horrible) |
Just because there's a default doesn't mean people have to use it. They can choose to do something else. Things that do this today to make them reasonable to use:
Those could all take the approach: "nothing will work by default because we don't want to code in a default", but instead they took the approach of "I'll code up a default. You can do someone different if you want, but this gets you started easily". |
and i'd argue that was wrong for those too. we have an open, flexible, resource definition based system and then we've decided instead of making that easily consumable for a new installation, we'll just hardcode stuff into an opaque static binary and sideload it via a separate mechanism instead because that was convenient for us. What does the default registry template look like for a cluster? who knows! go instantiate one and find out or go look at the go code. And for a practicality argument: I am not maintaining this template in 2 places (one hardcoded and another as a "sample" for people who want to have a starting point for customization). And then when people have issues, have to guess at what version of the hardcoded template they have because they can't easily inspect it. And tell them that because we shipped broken code, they now have to override the hardcoded template by going down a path they weren't going down previously to register a new template, instead of just updating an existing template. |
I'll note that we've never ever actually had that problem in the places we've done this and the solution to double maintenance is as simple as just serializing out your template. |
would you at least agree that hardcoding the template definition into the binary would not be your preferred solution if we had a better install experience that could handle auto-registering templates that were part of the product? |
I'm honestly unsure. It's a thing I hated so much at IBM, nothing worked out of the box and you had to use some blessed installer or spend forever wiring it up by hand. I think that I'd come down on the side of, binary should just work (hard coded defaults if necessary) and I'd allow an installer to wire up and auto-register templates if it wanted to. I think that would resolve both the "I want it to work case" and the "I want ansible installs to always wire up a template" cases. |
openshift-bot
added
the
needs-rebase
bparees
force-pushed
the
disable_autojenkins
branch
from
70c66e8 to
3c98c43
Compare
|
@danmcp @smarterclayton ok i'm about as happy w/ the state of this PR as i'm likely to get:
Docs updates pending. Barring a last minute veto, i'll be merging this tonight. Things people won't be happy with:
So i think everyone has given up something here. :) |
openshift-bot
removed
the
needs-rebase
bparees
force-pushed
the
disable_autojenkins
branch
from
3c98c43 to
67b51bf
Compare
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/8267/) (Image: devenv-rhel7_4882) |
I didn't see @danmcp in there, I'll be he's happy with everything! |
|
@deads2k Ignorance is bliss. |
|
[merge] |
|
Evaluated for origin merge up to 67b51bf |
|
Evaluated for origin test up to 67b51bf |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/8270/) |
also fixes #10257