Add "ignored paths" for the proxy #38
Conversation
vbehar
requested review from
jeremyrickard,
krancour and
yaron2
as code owners
|
|
Expose a new proxy config for a list of "ignored paths". Requests to such paths won't be counted by the proxy. Our use-case is the `/metrics` path used to expose prometheus metrics, and which is keeping our pods up all the time.
Codecov Report
@@ Coverage Diff @@
## master #38 +/- ##
=======================================
Coverage 59.09% 59.09%
=======================================
Files 11 11
Lines 638 638
=======================================
Hits 377 377
Misses 232 232
Partials 29 29
Continue to review full report at Codecov.
|
|
@vbehar thanks for this contribution (and your others as well)! In this case, I am a little reluctant to feel that ignored paths should (always / only) be globally configured. This would make all proxies for all Osiris-enabled pods ignore the configured paths. For your use case, if your use of Prometheus is global and consistent, this may make sense, but my sense is that cases where specific paths needs to be ignored for specific deployments' pods wouldn't be out of the ordinary either. What would you think about leaving this globally configurable (as it is now), but adding the ability to amend it (not override it) with an annotation? The reason I suggest amending rather than overriding is that this allows the operator to configure paths that should be globally ignored based on their knowledge of the environment. (i.e. It is the operator who is more likely to be aware of Prometheus being in use within the cluster than the developer.) And then it allows developers to add to the ignored paths based on their understanding of the application. lmk what you think. |
|
hi, yes, it sounds good to me. I can add a new annotation on the deployment, such as |
|
Thanks @vbehar! Appreciate the contribution! |
the deployment annotation `osiris.deislabs.io/ignoredPaths` can be used to append custom paths to the list of "ignored paths" - that won't be counted in the metrics. this allow to configure a platform-wide list of ignoredPaths in osiris configuration (helm chart for example), and to add more paths on a per-deployment basis. same as for the global configuration, the list of paths should be written as a comma-separated string.
example/hello-osiris.yaml
Outdated
| annotations: | ||
| osiris.deislabs.io/enabled: "true" | ||
| osiris.deislabs.io/minReplicas: "1" | ||
| osiris.deislabs.io/ignoredPaths: "/first/path,/second-path" |
There was a problem hiding this comment.
Just checking... does k8s actually allow a comma here?
There was a problem hiding this comment.
yes, and some people/tools even store JSON in annotations
There was a problem hiding this comment.
I could have sworn there were some limitations on characters used in annotation values, but double-checking here myself, I only see limitations mentioned on the characters used in the keys. 👍
README.md
Outdated
|
|
||
| ### Features | ||
|
|
||
| #### Counting requests at the proxy level |
There was a problem hiding this comment.
I'm not sure if this feature is sufficiently important to warrant its own section, especially given that relevant config options are already covered in the tables above.
Could we consider dropping this section?
| Value: strings.Join(ignoredPaths, ","), | ||
| }) | ||
| } | ||
|
|
There was a problem hiding this comment.
I'm having a hard time understanding what this bit of patching accomplishes. I might be missing something, but it looks as if it's patching the deployment's ignored paths annotation with values retrieved from the deployment's ignored paths annotation. Isn't this like saying let x = x?
There was a problem hiding this comment.
Nevermind. I see it now. You're copying the annotation from the deployment to the the pod spec template within the deployment.
There was a problem hiding this comment.
in fact it's reading from the deployment's annotations, and writing to the pod's annotations. because later to inject the proxy, we will only have access to the pod's annotations, not the deployment's annotations
| ignoredPaths, | ||
| kubernetes.GetIgnoredPaths(pod.Annotations)..., | ||
| ) | ||
|
|
There was a problem hiding this comment.
I'm perplexed about how this is meant to work. It looks like this is meant to find the values later used in setting the IGNORED_PATHS env var, but it's retrieving some of that from the pod's ignored paths annotation... and I can't see how that annotation ever got set.
There was a problem hiding this comment.
Nevermind. I see how this gets set now.
|
Added a couple comments about specific pieces of code. I think what might be helpful here is if you can just drop a response to this comment with a general overview of the flow through this so I can understand it high-level. |
|
hi, so the flow is:
I'm doing that for 2 reasons:
|
Yes. I see that now. The steps here could be consolidated into just one. The admissions controller (injector) could take info from the annotation on the deployment and directly set the env var in the deployment's pod spec template. i.e. We could cut out the step of copying the annotation from the deployment down to the deployment's pod spec template. All that said... there was a reason I used the pattern you are emulating. Except now I can't remember what it was. (D'oh! Comment fail!) I totally get what you're doing now. Thanks for taking the time to explain. Give me a little bit to see if I can figure out why I did it the other way to begin with and whether it's necessary to do it the same way here.
Yes. Totally, completely agree with this. |
|
@vbehar ok... I remember the reason for that pattern now. If you Pods were a different story. There's a very, very limited set of modifications that Kubernetes even permits to a running pod. Make sense? So... there's a gotcha lurking in there still... If you edit an Osiris-enabled deployment to remove the annotation that makes it Osiris-enabled, the mutating webhook doesn't get involved (as I mentioned) and therefore the annotation never gets stripped from the deployment's pod spec template. (In fact, this is why there is no code in there for removing the annotation. It's just a thing that can't really happen.) With no change to the pod spec template, existing pods never get replaced. i.e. Stripping that annotation from the deployment does not disabled Osiris on existing pods. The same problem is applicable to your scenario as well. If you edit the ignored paths annotation on a deployment, the bit of code that copies that down to the annotations in the pod spec template never gets triggered. The pod spec remains unchanged. Existing pods remain. You never get new ones with the right annotation that will subsequently be patched to have the right env var. Now... all this being said... everything is just fine if people simple never I'm thinking there are two possible paths forward.
I am leaning towards option 2 because I think reliability trumps ease of use and the inconvenience is minor. It's a breaking change, but Osiris hasn't even had a single release yet, nevermind a GA release. Option 2 simplifies things a bit for your new code as well as my existing code. Now... all that said... (sorry... I know this response got really long)... I think you still have a problem lurking in here. You're combining global/Osiris-system-level configuration with deployment/pod-level configuration. If the former changes, there is no process here that rebuilds the full set of ignored paths properly on existing pods. We might just have to remove the global option, unfortunately. |
|
ok, we can live with no global config for ignored paths, and just set the annotation on every deployment. I'll rework this PR next week to remove all the global config part |
Great. Start there. In the meantime, I will think about how to address the unexpected behavior when |
we'll only configure "ignored paths" on a per-deployment basis to avoid refreshing issues
instead of on the deployment. this makes the code simpler, and safer because we don't have to ensure every change of the deployment needs to be reflected on the pod
|
@krancour ok I removed a lot of code on this one ;-) so no more global config, and the annotation should now be written directly on the pod. |
|
@vbehar thanks for this. This is looking really good. I am going to see about straightening out how we handle the existing annotation that gets copied from the deployment to the pod spec template. This might need a little rebase after that, but it won't be too bad and I think we have this almost where we'd want it. Thanks again, not only for the contribution, but also for your patience. |
|
@vbehar thanks for all the hard work on this. I am very happy with where it ended up. |
backport deislabs#38 Expose a new proxy config for a list of "ignored paths". Requests to such paths won't be counted by the proxy. Our use-case is the `/metrics` path used to expose prometheus metrics, and which is keeping our pods up all the time. This is configured by adding a pod's annotation `osiris.dm.gg/ignoredPaths`, as a comma-separated string value: ``` apiVersion: apps/v1 kind: Deployment spec: template: metadata: annotations: osiris.dm.gg/ignoredPaths: "/first/path,/second-path" spec: containers: ... ```
4 participants
Expose a new proxy config for a list of "ignored paths". Requests to such paths won't be counted by the proxy.
Our use-case is the
/metricspath used to expose prometheus metrics, and which is keeping our pods up all the time.This is configured by adding a pod's annotation
osiris.deislabs.io/ignoredPaths, as a comma-separated string value: