Manage the Portable Resource Classes at a higher level in a single namespace

[prasek]

What problem are you facing?

From: Dylan Griffith
https://gitlab.com/groups/gitlab-org/-/epics/1866#note_223600767

@prasek:

@tkuah and I were discussing this just in time stuff the other day and I'm curious to know if it's necessary to create these "Crossplane policy yamls" in each namespace.

I was curious to know if Crossplane has some way to manage these at a higher level in a single namespace and still allow all namespaces to create the crossplane resource claims. It would be preferable if we didn't need to update the GitLab backend code to add all of these resources to every namespace we create.

I would also think that the downside of installing all of these policies into every namespace is that it's tricky to keep them updated.

Background

The bulk of the managed service config (resource class templates, provider config, etc.) is typically stored in a single infra namespace (per environment e.g. aws-infra-dev) and used by multiple app project namespaces.

The policy yamls (portable resource classes) are very simple mappings that make classes-of-service available for use in an app project namespace, and to configure default classes-of-service.

apiVersion: database.crossplane.io/v1alpha1
kind: MySQLInstanceClass
metadata:
  name: mysql-standard
  namespace: app-project1-dev
  labels:
    default: true
classRef:
  kind: RDSInstanceClass
  apiVersion: database.aws.crossplane.io/v1alpha1
  name: rds-mysql-standard
  namespace: aws-infra-dev

In an AWS environment offering multiple classes of service, the following Kubernetes objects would result:

namespaces
└── aws-infra-dev
      └── provider                 # AWS provider configuration
      └── provider-creds           # AWS provider account credentials
      └── rds-mysql-standard       # RDS-specific class, non-portable config
      └── rds-mysql-replicated     # RDS-specific class, non-portable config
      └── rds-postgres-standard    # RDS-specific class, non-portable config
      └── rds-postgres-replicated  # RDS-specific class, non-portable config
└── app-project1-dev
      └── mysql-standard           # portable MySQL class of service
      └── mysql-replicated         # portable MySQL class of service
      └── postgres-standard        # portable PostgreSQL class of service
      └── postgres-ha              # portable PostgreSQL class of service
      └── mysql-claim              # portable MySQL claim for mysql-standard class of service
      └── mysql-claim-secret       # generated secret to access database
      └── wordpress-deployment     # standard Kubernetes deployment
      └── wordpress-service        # standard Kubernetes service
└── app-project2-dev
      └── mysql-standard           # portable MySQL class of service
      └── mysql-replicated         # portable MySQL class of service
      └── ...
└── app-project3-dev
      └── mysql-standard           # portable MySQL class of service
      └── mysql-replicated         # portable MySQL class of service
      └── ...

https://github.com/crossplaneio/crossplane/blob/master/docs/services-guide.md#b-onboard-app-projects-in-a-shared-cluster-1

How could Crossplane help solve your problem?

Manage the Portable Resource Classes at a higher level in a single namespace and still allow all namespaces to create the Crossplane resource claims.

Option A:
Perhaps introducing a claim resolver that points to the portable classes in an alternate namespace.

namespaces
└── aws-infra-dev
      └── provider                 # AWS provider configuration
      └── provider-creds           # AWS provider account credentials
      └── rds-mysql-standard       # RDS-specific class, non-portable config
      └── rds-mysql-replicated     # RDS-specific class, non-portable config
      └── rds-postgres-standard    # RDS-specific class, non-portable config
      └── rds-postgres-replicated  # RDS-specific class, non-portable config
      └── mysql-standard           # portable MySQL class of service
      └── mysql-replicated         # portable MySQL class of service
      └── postgres-standard        # portable PostgreSQL class of service
      └── postgres-ha              # portable PostgreSQL class of service
└── app-project1-dev
      └── claim-resolver           # points to aws-infra-dev portable classes
      └── mysql-claim              # portable MySQL claim for mysql-standard class of service
      └── mysql-claim-secret       # generated secret to access database
      └── wordpress-deployment     # standard Kubernetes deployment
      └── wordpress-service        # standard Kubernetes service
└── app-project2-dev
      └── claim-resolver           # points to aws-infra-dev portable classes
└── app-project3-dev
      └── claim-resolver           # points to aws-infra-dev portable classes

where claim resolver could be something like:

apiVersion: core.crossplane.io/v1alpha1
kind: PortableClaimResolver
metadata:
  name: claim-resolver
  namespace: app-project1-dev
classRef:
  namespace: aws-infra-dev

Option B:
Alternatively, Crossplane could add claim.spec.classRef.namespace so claims could target portable classes in alternate namespaces

apiVersion: database.crossplane.io/v1alpha2
kind: MySQLInstance
metadata:
  name: mysql-claim
  namespace: app-project1-dev
spec:
  classRef:
    name: mysql-standard
    namespace: aws-infra-dev
  writeConnectionSecretToRef:
    name: mysql-claim-secret
  engineVersion: "5.6"

[prasek]

One potential issue with option (a) above is that portable class names in the local namespace and those in the resolver namespace probably shouldn't be combined, since the names would no longer be unique. So if a class-resolver namespace was provided it should be an either-or proposition: claims should either resolve to the local namespace if no class-resolver is specified or only resolve to the class-resolver namespace if provided.

As a result, would avoid option (a).

Option (b) is simpler and more easily understood by a new user, as it just adds a claim.spec.classRef.namespace attribute:

apiVersion: database.crossplane.io/v1alpha2
kind: MySQLInstance
metadata:
  name: mysql-claim
  namespace: app-project1-dev
spec:
  classRef:
    name: mysql-standard
    namespace: aws-infra-dev
  writeConnectionSecretToRef:
    name: mysql-claim-secret
  engineVersion: "5.6"

If we also add back the ability to reference a non-portable claim.spec.classRef then a non-portable claim would specify:

apiVersion: database.crossplane.io/v1alpha2
kind: MySQLInstance
metadata:
  name: mysql-claim
  namespace: app-project1-dev
spec:
  classRef:
    name: rds-mysql-standard
    namespace: aws-infra-dev
    kind: RDSInstanceClass
    apiVersion: database.aws.crossplane.io/v1alpha1

  writeConnectionSecretToRef:
    name: mysql-claim-secret
  engineVersion: "5.6"

/cc @negz @hasheddan

[negz]

If we also add back the ability to reference a non-portable claim.spec.classRef

I'd really like to avoid going down this path of having claims support either a portable or a non-portable class reference (especially as part of the same field). It feels like it takes an already complicated model and just makes it more complicated.

Option (b) is simpler and more easily understood by a new user

I agree this is probably the most straightforward way to handle this. As @hasheddan pointed out, another option would be to add cluster scoped portable resource classes, that would not exist in any namespace.

[prasek]

@negz thanks for the feedback, makes sense.

additional feedback from GitLab:

Thong Kuah commented on a discussion:
@pprasek I don't have strong preference. It would seem option (b) is simpler in that we don't have to manage another resource.

The other option that was brought up in that ticket too was a cluster-wide resource. Similar to how cert-manager has ClusterIssuer and Issuer

[negz]

@prasek I think this is fixed by the implementation of #926. I'm going to optimistically mark it as resolved - please reopen if you feel I'm jumping the gun.