Allow to update status of related objects

[sathieu]

This is somewhat a follower of #236.

I have a CompositeController which:

• has parent Ingress2IstioGenerator resource (which describes in which namespace gateways and virtualservices should be generated, and selector for Ingresses)
• has related objects as Ingress
• has child object being istio's Gateway and VirtualService

Feature request: I want to update the ingress status (to fill status.loadBalancer.ingress: [ip: '10.20.30.40']).

Alternative:

What about adding a boolean like namespaceAsOwner to the operator spec and if set to true, set the owner reference the the namespace owning the parent object?

[sathieu]

Note: This status.loadBalancer.ingress is needed for ArgoCD to work correctly.

[grzesuav]

hi @sathieu , as I understand CertificateGenerator are cluster scope ?

The issue I see here metcontroller does not own related objects. How those Ingreses are created ?

[grzesuav]

I think none of the existing primitive in metacontroller (Decorator/Composite controllers) and in design one (https://metacontroller.github.io/metacontroller/design/map-controller.html) would fit for this use case tbh.

[sathieu]

(NB: I've updated the description to my real use-case: Ingress to Istio)

Hi @grzesuav,

How those Ingreses are created ?

Those are mostly created by Helm charts from FLOSS projects.

I think none of the existing primitive in metacontroller [...] and in design one [...] would fit for this use case tbh.

I thought about a workaround: Use to composite controllers. One having the Ingress2IstioGenerator as parent, Ingresses as related and Certificates as children. Another Istio2IngressStatusGenerator having Ingress as parent, nothing as children and Gateways as related. This second composite controller would set the ingress status based on the related Istio gateway. WDYT?

[grzesuav]

The thing is, CompositeController is suppose to work with user defined CRD's, not the ones handled by other controller. I am usnure how it would work when configured like that, I will try to ask on operators channel on kubernetes slack what would be good fit for this situation

[sathieu]

@grzesuav Digging deeper, my usecase is as follow:

Given an Ingress, I need to create a Gateway and a VirtualService, potentially in another namespace. But for this, I may need information from Services (in the same namespace as the ingress) and I always need to access the IngressClass of the ingress. I also need to sync the Ingress status from the Gateway's status.

I've tried the following:

• CompositeController with parent=ingress, related=services+ingressclass,children=gateway+virtualservice: This doesn't work (Allow to create resources in another namespace #236)
• CompositeController with parent=ingressClass, related=ingresses,children=gateway+virtualservice. This doesn't work when a named port is used. Also another controller is needed to sync status.
• CompositeController with parent=ingressClass, related=ingresses,children,services=gateway+virtualservice. This may work, but we'll need to get all services from all namespaces (because /customize is called with only the parent, and we don't have access yet to ingressesd. Also another controller is needed to sync status.

Any other idea?

I think I'll end up by writing an operator from scratch 😱.

[grzesuav]

@sathieu I am still checking, but it seems that DecoratorController is able to update parent status and labels/annotations - https://github.com/metacontroller/metacontroller/blob/master/pkg/controller/decorator/hooks.go#L39-L41 and https://github.com/metacontroller/metacontroller/blob/master/pkg/controller/decorator/controller.go#L590-L597.

I wonder if you can do sth like GlobalConfigMap - let's say IngressMaker - cluster scope CRD which :

apiVersion: examples.metacontroller.io/v1alpha1
kind: IngressMaker
metadata:
  name: someName
spec:
  sourceIngress: ingrsss
  sourceIngressNamespace: someNamespace
  sourceService: nameOfTheService

with the CompositeController definition:

---
apiVersion: metacontroller.k8s.io/v1alpha1
kind: CompositeController
metadata:
  name: ingress-maker-controller
spec:
  generateSelector: true
  parentResource:
    apiVersion: examples.metacontroller.io/v1alpha1
    resource: IngressMaker
  childResources:
  - apiVersion: istio
    resource: VirtualService
    updateStrategy:
      method: InPlace
  - apiVersion: istio
    resource: Gateway
    updateStrategy:
      method: InPlace
  hooks:
    sync:
      webhook:
        url: http://globalconfigmap-controller.metacontroller/sync
    customize:
      webhook:
        url: http://globalconfigmap-controller.metacontroller/customize

1. in customize hook:

• get given Ingress
• get given Service

2. In sync hook, you will get parent object, and related Ingress and Service (and IngressClass if needed). As parent CRD (Ingress maker) is global, it can create resources in any namespace

Do you see any issues here ? You may want to take a look at https://github.com/metacontroller/metacontroller/tree/master/examples/globalconfigmap

[sathieu]

I managed to handle my usecase:

• Ingresses has parents
• Gateways and VirtualServices as children

So, I'm able to update Ingress status (not done yet). The code is here: https://gitlab.com/kubitus-project/kubitus-ingress-operator/-/tree/902ca26cbf045d0367f6239c1461786f8746fc0a

I'm now hitting another limit, I want to access IngressClasses which are cluster-scoped: #345.

[grzesuav]

I need to consider if this is something we want to implement, related objects are owned by other controllers and the purpose was to have them to calculate the state of children etc.

I am afraid that this feature can lead to undesirable behavior, like controllers constantly changing the related objects