Toggle Copied CSVs

[njhale]

Propose a feature toggle for Copied CSVs to alleviate associated resource consumption issues on large clusters.

[kevinrizza]

Does it make sense for us to project the install mode the operator was installed in for the purpose of providing some watch namespace metadata?

[njhale]

I don't think we want to leak old abstractions into our newer APIs if we can help it. I think the OperatorGroup is already considered a component of the Operator resource and it's conditions are aggregated generically. Can we make use of that instead of adding a first-class field?

[timflannagan]

What does that extended logic looks like, especially in the context of upgrading from an OLM release that doesn't contain this feature toggle? I'm likely missing some context on the copied RBAC process - are the copied CSVs placing owner references on the underlying RBAC for a particular namespace, or is the OG resource that owner?

[bparees]

at least one or exactly one? when would there be multiple?

[njhale]

at least one -- we don't preclude users from adding Subscriptions to Operator resources manually, but other than that I don't think there are situations where OLM would generate more than one itself.

[bparees]

but when would there be more than one operator resource for a given CSV, or more than one operator resource for a given subscription object?

it sounds like you're saying there could be multiple subscriptions for a given operator resource, not multiple operator resources for a given subscription?

[spadgett]

@njhale Thanks for the heads up. I suspect this is quite a large impact to console. We'll need to investigate. Adding @TheRealJon who knows the console OLM code best.

cc @kdoberst @alimobrem @jwforres

[tlwu2013]

AFAIK other than the "Installed Operators" piece, the console (both admin and dev perspectives) relies heavily on Copied CSVs for rendering "Operands-related" pages.

The info arch in the admin console is:

"Installed Operators" page (i.e. a list of Copied CSVs) 
└── "Operator Details" page (e.g. Copied CSV of Strimzi)
            └── "Operand List" page (i.e. instance list of provided APIs through Copied CSV)
                        └── "Operand Details" page (e.g. kafka instance details through Copied CSV)

(For dev console: end-users directly create Operand instance from Dev Catalog page through Copied CSV)

So the risk of Copied CSVs being removed/toggled off is that the end-users (who only have access to their namespaces) would lose the ability to create/manage/delete Operand instances in the console.

e.g. if Copied CSV of Strimzi Operator is gone, as regular users who only have access to “dev” namespace, they can’t create kafka instance in the console through:
/k8s/ns/dev/clusterserviceversions/strimzi-cluster-operator.v0.26.0/kafka.strimzi.io~v1beta2~Kafka/~new

I think it's worth calling out the UI impact when toggled off Copied CSV in the doc:

• if toggle off the Copied CSV, basically all UI workflows for end-users to manage Operand instances are crippled, so cluster admins are well-aware of this side-effect

• (I assume this "Copied CSV toggle" is meant for a short-term way to reduce the cluster-loading) so it's important to let cluster admins know they can toggle Copied CSV back on to re-enable Operand instance managing workflow in the console for end-users.

[njhale]

@tlwu2013 Thanks for this!

I used your comment to flesh out the Risks/Mitigations. Now, between this section and the "Loss of Operator Discovery" section before it, I think I've captured your concerns. PTAL.

[dmesser]

Do we have evidence for that? AFAIK packagemanifest is such a aggregated API service. Is it known to be instable?

[njhale]

I think the chief complaint is that aggregated APIs can break k8s discovery, badly. I can try to dig up the k8s issues that reference this for posterity.

To answer your other question: No, to my knowledge packageserver hasn't been a troublemaker 😄

[dmesser]

I think we could enable users to opt-out of this feature in such a case, which would only put the burden on those users, which require that feature. Many platforms also come with on-board certificate management and rotation.

[njhale]

Fair points; although, I was under the assumption that we've already discussed and dismissed this approach in other venues. Is that not the case?

[bparees]

it feels like a big hammer of a solution to use in the short term, given the longer term direction we are taking in solving this problem.

[kevinrizza]

/approve

[bparees]

and presumably the Operator resource will be deleted when all the CSVs associated with it go away?

[njhale]

No -- it was an explicit design decision for "componentless" Operator resources to stick around to:

• support situations where Operator resources are created manually
• prevent eventual consistency from causing controllers to flap Operators; i.e. if components exist but have yet to be noticed up by the Operator controller, the respective Operator shouldn't be deleted only to be created again once components are noticed

"component" = resource associated with a given Operator resource

[bparees]

is this better, or will it be more confusing the user that they see some, but not all, of the installed operators?

[njhale]

I think it will be more confusing, but I've received feedback in other venues along the lines of "the confusion is worth the benefit of retaining discovery for users of Single/MultiNamespace operators"

I thought this was reasonable, which is why I changed the EP.

[bparees]

ok. eventually having the console provide some indication that this is the situation would definitely be useful.

[bparees]

not clear from this EP if the plan is to have the console do this as part of implementing this EP, or not?

[njhale]

These are just suggestions from my side. I didn't have any expectations about when/if they would be implemented.

[bparees]

it feels like a big hammer of a solution to use in the short term, given the longer term direction we are taking in solving this problem.

[joelanford]

Add an example of how one would toggle this feature on with a flag?

[joelanford]

Not necessarily opposed, but what's the motivation for having two ways to set the toggle? Seems like it would lead to user confusion due to precedence ambiguity (i.e. does anyone actually read the docs?! 😛)

[njhale]

This is a fair point.

My thinking at the time I wrote this:

• lets you set config atomically; i.e. if I don't want to impose ordering rules between OLM's deployment and the config api
• you could compose a config controller that updates an independent controller, rather than watching directly in OLM
  • this also gives you the option of making all command-line options opaque in the config schema (for better or worse)
• feature toggles are typically implemented as command line options (as far as I'm aware)

Granted, that's all pretty watery. I'd be inclined to remove it if you feel it will negatively impact UX.

[awgreene]

Having started implementing this feature with both the flag and the CRD, I support removing the flag. The existing implementation leads to a non-intuitive user experience.

[joelanford]

Another mitigation: could we generate a Kubernetes Event in each namespace that lists the operators that are watching that namespace whenever the set changes?

[njhale]

Good idea! I'll add it.

[joelanford]

Just to confirm, updating this custom object when OLM is already running will cause OLM to reconfigure itself on the fly?

[njhale]

Yup.

[bparees]

@njhale can we at least get the follow-up Jira created on the console team board for what we want to see them do here? I just want something to give me confidence we're not going to drop the ball on next steps after we land this.

[bparees]

this looks ok to me.

[kevinrizza]

Some small things still to address (mostly around the future of observability and not expressly with a toggle that just disables this behavior) but I am going to merge this now, and follow up conversations can happen during implementation