-
Notifications
You must be signed in to change notification settings - Fork 590
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ingress class docs #811
Conversation
As of today, this documents ingress.class in general with a concept doc. It still needs reference doc updates to indicate which resources do/do not require class info. |
The following resources _require_ this annotation by default: | ||
|
||
- Ingress | ||
- KongConsumer | ||
- TCPIngress | ||
- KongClusterPlugin | ||
- Secret resources with the `ca-cert` label |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd replace this with a table. Such table would be an authoritative source as to whether an ingress class annotation is effective and/or obligatory. This would solve the problem stated in the PR description:
worst case a user adds an annotation and it does more or less nothing
| Kind | Ingress class setting |
| Ingress (networking.k8s.io/v1beta1 ) | `kubernetes.io/ingress.class` annotation must be set |
| Ingress (networking.k8s.io/v1 ) | `spec.ingressClassName` annotation must be set |
| Knative Service | ingress class must be specified by Knative installation <link> |
| SomeOtherResource | `kubernetes.io/ingress.class` annotation is optional |
| YetAnotherResource | must not be set |
| YetAnotherResource | must not be set |
...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I chose to write this as I did because it's brief--we require this annotation or similar only on a small set (5 total) of resources. An exhaustive list would not be brief:
kubectl api-resources | wc -l
116
For the vast majority, it simply does nothing, and there are no functional consequences to accidentally adding it elsewhere.
User confusion is a possible concern, but not one I see enough evidence for to warrant an exhaustive list: anecdotally, existing user confusion is more centered around resources that require the resource, where the user wasn't aware that was the case or didn't understand the nuances of the "empty allowed, but only if you didn't override the default controller class, and also not during updates for some things because bugs" legacy behavior. I have not seen questions around annotating a resource with a non-matching class and still seeing the controller load it; if we do start receiving those in the future, we can revisit this. Leaving as-is for now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed elsewhere, KIC operates using ~12 object kinds (judging by informers registered in the code), not 116, so it should be sufficient only to cover those 12.
there are no functional consequences to accidentally adding it elsewhere.
But there are consequences to making an effectively non-functional configuration change by mistake, and one expectation I have (and, I believe, we should have in this case - we can discuss if that seems unreasonable) from documentation is to prevent such mistakes. This one seems very simple to prevent.
I chose to write this as I did because it's brief
I do not see how a table with 12 entries is not brief, keeping in mind the complexity of the subject. Table is not a format I'll strongly enforce here. My requirement is that we have an authoritative source which answers the question whether a specific resource requires an ingress class or not (with an equally strong "yes" and "no"), and how to set it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Noted, left as-is.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I request that we do (in whatever form, if the table suggested above does not work) provide an answer to the question Does resource X require an ingress class annotation? in our docs, especially given the fact, that there are at least 4 different ways for Kong to decide whether to include a resource in config or not (the annotation, the ingressv1 way, the knative way, the dependent resource way)
docs/concepts/resource-classes.md
Outdated
Most resources use a [kubernetes.io/ingress-class annoration][class-annotation] | ||
to indicate their class. There are several exceptions: | ||
|
||
- v1 Ingress resources have a dedicated `class` field. | ||
- Knative Services [use the class specifed][knative-class] by the | ||
`ingress.class` key of the Knative installation's `config-network` ConfigMap. | ||
You can optionally [override this on a per-Service basis][knative-override] | ||
by adding a `networking.knative.dev/ingress.class` annotation to the Service. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could be more consistent and brief by removing this section and putting this information in the reference table, as explained in my other comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rainest, resolved because duplicate of https://github.com/Kong/kubernetes-ingress-controller/pull/811/files#discussion_r479298310 ?
It would be simpler to navigate resolved comments if marking as resolved came with an reason for marking as such. At least when the author does not apply the suggestion.
docs/concepts/custom-resources.md
Outdated
_This resource requires the `kubernetes.io/ingress.class` annotation. Its value | ||
must match the value of the controller's `--ingress-class` argument, which is | ||
"kong" by default._ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
_This resource requires the `kubernetes.io/ingress.class` annotation. Its value | |
must match the value of the controller's `--ingress-class` argument, which is | |
"kong" by default._ | |
_This resource requires the [`kubernetes.io/ingress.class` annotation](../README.md#resource-classes)._ |
The definition of what an ingress class means is already present in the docs. Let's link to it instead of repeating it over and over.
This comment applies to all repetitions of such pattern.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This comment applies to all repetitions of such pattern.
Note that there are two other repetitions in this file still left.
docs/concepts/resource-classes.md
Outdated
Specifying a class is optional for some resources. Although specifying a class | ||
is recommended, you can instruct the controller to process resources without a | ||
class annotation using flags: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This sounds very complicated because of the passive voice.
I suggest something along those lines:
For many resource kinds <link to table>, Kong excludes from processing all objects of those resources which do not have a matching ingress class set. For certain resource types <url or list>, you can instruct Kong to include objects with no class by setting the following flags:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overruled; it isn't; diatribe explanation elsewhere.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please at least make a short explanation as to why specifying a class is recommended, or link to such. Also, please be specific, for which resources specifying a class is not optional. The table mentioned in my other comment could help with that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Such explanation follows within 4 lines. Objection noted and dismissed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, please be specific, for which resources specifying a class is not optional. (...)
I don't see how this was fixed.
To further clarify my point: I request that in this situation, making a general claim about "some resources" being such as such, I request that we enable the user to navigate to the right part of the reference.
On a side note, it's a part of the reference I've asked for in another comment.
- Resources referenced by some other resource, where the other resource is | ||
directly translated into Kong configuration. | ||
|
||
For example, an Ingress is translated directly into a Kong route, and a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For example, an Ingress is translated directly into a Kong route, and a | |
For example, an Ingress is translated directly into a [Kong route](https://docs.konghq.com/latest/admin-api/#route-object), and a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unnecessary here. The focus of this content isn't to discuss basic Kong proxy concepts, and we may reasonably assume many readers are familiar with them: they're part of the basic set of configuration introduced in our getting started guides.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Three arguments against not including it here:
-
It costs nothing to add (because the link just changes a term into a hyperlink, and the likelihood of the link rotting is low)
-
we may reasonably assume many readers are familiar with them
This is a harmful and (imo unnecessary) assumption: some people will come here from a Google search, some people will be only 90% sure about the relationships between routes, services and upstreams.
-
Wikipedia would cross-link in such situation. Take for example the Molotov-Ribbentrop pact article. The reader may be reasonably assumed to be familiar with terms "Soviet Union" and "Germany", but the article has them linked nonetheless.
Add a "kubernetes.io/ingress.class: kong" annotation to all example Ingress resources. This aligns them with the 0.10 default behavior, which requires an ingress class (most previously had no class annotation). Examples should still be valid for versions <0.10, as those versions only allowed classless Ingresses when the controller was set to use the default "kong" class.
Similar to 9897078 but for KongConsumer. Adds a "kubernetes.io/ingress.class: kong" annotation to KongConsumer resources in examples to conform to 0.10+ default behavior, which requires it.
Several examples in the custom resource reference use generic placeholder values for some fields. Align kubernetes.io/ingress.class example with this pattern for examples that use it.
Indicate when the `kubernetes.io/ingress.class` annotation is required, and when that requirement can be disabled. Update mTLS instructions to use "must" for several requirements that previously said "should" although they were not actually optional.
Co-authored-by: Michał Flendrich <michal@flendrich.pro>
Co-authored-by: Michał Flendrich <michal@flendrich.pro>
Co-authored-by: Michał Flendrich <michal@flendrich.pro>
e53e95a
to
cfd292b
Compare
Co-authored-by: Michał Flendrich <michal@flendrich.pro>
Co-authored-by: Michał Flendrich <michal@flendrich.pro>
Co-authored-by: Michał Flendrich <michal@flendrich.pro>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's move on with what we have now and iterate on the reference part and cross-linking as needed 👍
What this PR does / why we need it:
Adds documentation describing how the controller handles ingress.class annotations.
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close that issue when PR gets merged): fixes #677Special notes for your reviewer:
ingress.class
under https://github.com/Kong/kubernetes-ingress-controller/blob/a72ba9c03f542aa8af6e16cb7d459a30c2c26bba/docs/references/annotations.md#kubernetesioingressclass