-
Notifications
You must be signed in to change notification settings - Fork 797
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support an alternative proxy implementation: KubeIngressProxy with an external k8s Ingress controller #1673
Conversation
This reverts commit 50759be.
Here is a minimal config file for testing :
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for opening this PR! I haven't had time to try it yet, but what are your impressions of using it so far? Are you planning to use it in production?
proxy.externalIngressController
modifies the hub RBAC role but based on your configuration you still need to manually set c.JupyterHub.proxy_class = 'kubespawner.proxy.KubeIngressProxy'
. Can you explain why you made this choice?
There's some ongoing work to refactor the C2JH CI system #1664
Do you have any thoughts on adding a test scenario for externalIngressController
after the CI work is completed?
{{- if .Values.proxy.externalIngressController }} | ||
- apiGroups: [""] # "" indicates the core API group | ||
resources: ["endpoints", "services"] | ||
verbs: ["get", "watch", "list", "create", "delete", "patch"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To help with review could you say whether you figured these out by going through the K8s API calls, or is it a guess?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Additive hardworking way. I added permission according to hub error logs.
I used it on test deployment with both traefik and nginx ingress controller with no pb so far. We would use it in production if merged.
That's indeed a good question ;)
I need a deeper look but my first feeling is that I can add a test scenario for that case. |
I simplified logic as @manics suggested, relying only on proxy.externalIngressController value. New minimal config file : hub:
image:
name: remche/k8s-hub
tag: ingress-extv1b1
proxy:
externalIngressController: true |
Thanks for thorough and interesting work @remche! I'd like to see the Helm chart configuration option be more obvious, as the boolean I'm not great a reviewing this PR without any experience of using the KubeIngressProxy myself, but I think this can be merged without too much consideration if there is agreement to maintain support for this. I don't have a clear idea of this, and would like to know if @yuvipanda who has worked on KubeIngressProxy thinks this is worthwhile to support in Z2JH. What do you think @yuvipanda? My overview of the PRThis PRs goal is to let the JupyterHub Helm chart support using another proxy implementation than the default. In the default proxy implementation, we run a configurable-http-proxy within the k8s deployment named proxy, and let it be controlled through the ConfigurableHTTPProxy class. To use another proxy implementation, we update both:
Overall, I think what is important for this PR to get merged is that we lock in sensible configuration. I'd also like to see documentation to help future maintainers maintain this as part of Z2JH without for example being active users of this proxy implementation themselves. I think this comment takes us a bit along the way, but it would be great to have a section that introduce this configuration option properly in the z2jh.jupyter.org documentation both for users and maintainers. My technical considerations
|
Thank you for this interesting work @remche. I tested it, and here are the remaining problems I found:
IMHO, this PR mainly depends of jupyterhub/kubespawner#406 and should be reworked after the latest is merged. |
@remche I'll opt to close this PR at this point as I perceive it as KubeIngressProxy isn't a well enough maintained project for z2jh to support integration against it with all the complexity that follows of testing, documenting, and adding to the general maintenance burden of the z2jh repo. Thank you for your work on this nevertheless! |
@consideRatio I agree and I'm really sorry not to have much time to spend on this. |
No worries at all, thank you for pioneering work on this in the open!! |
The goal of this PR is to enable the use of native k8s ingress controller as described in #1642.
Changes :
Adds a way to skip proxy deployment :
proxy.chp.enabled
value (default to true)jupyterhub_config.py
Patch the
Role
manifest whenexternalIngressController
is enabled to allow (get, watch, list, create, delete, patch) (endpoints, services, ingresses).