Revise default config #2444

Open: 14 commits to be merged into base: main

@davidumea davidumea commented Feb 20, 2025

Warning

This is a public repository, ensure not to disclose:

  • personal data beyond what is necessary for interacting with this pull request, nor
  • business confidential information, such as customer names.

What kind of PR is this?

Required: Mark one of the following that is applicable:

  • kind/feature
  • kind/improvement
  • kind/deprecation
  • kind/documentation
  • kind/clean-up
  • kind/bug
  • kind/other

Optional: Mark one or more of the following that are applicable:

Important

Breaking changes should be marked kind/admin-change or kind/dev-change depending on type
Critical security fixes should be marked with kind/security

  • kind/admin-change
  • kind/dev-change
  • kind/security
  • [kind/adr](set-me)

Release notes

Default OpenSearch setup has been changed. OpenSearch is now configured to use 3 master nodes, 0 data nodes and 0 client nodes by default. There's no easy migration path for the new configuration; if the old default OpenSearch setup is used, it should be added to the override config.
Proxy protocol is now enabled by default in ingress-nginx when using ElastX as infrastructure provider.
Fluentd audit is now enabled by default.
Log retention is now 30 days by default.

Platform Administrator notice

Default OpenSearch setup has been changed. OpenSearch is now configured to use 3 master nodes, 0 data nodes and 0 client nodes by default. There's no easy migration path for the new configuration; if the old default OpenSearch setup is used, it should be added to the override config.
Proxy protocol is now enabled by default in ingress-nginx when using ElastX as infrastructure provider.
Fluentd audit is now enabled by default.

What does this PR do / why do we need this PR?

Changed some default configuration

Information to reviewers

Checklist

  • Proper commit message prefix on all commits
  • Change checks:
    • The change is transparent
    • The change is disruptive
    • The change requires no migration steps
    • The change requires migration steps
    • The change updates CRDs
    • The change updates the config and the schema
  • Documentation checks:
  • Metrics checks:
    • The metrics are still exposed and present in Grafana after the change
    • The metrics names didn't change (Grafana dashboards and Prometheus alerts required no updates)
    • The metrics names did change (Grafana dashboards and Prometheus alerts required an update)
  • Logs checks:
    • The logs do not show any errors after the change
  • PodSecurityPolicy checks:
    • Any changed Pod is covered by Kubernetes Pod Security Standards
    • Any changed Pod is covered by Gatekeeper Pod Security Policies
    • The change does not cause any Pods to be blocked by Pod Security Standards or Policies
  • NetworkPolicy checks:
    • Any changed Pod is covered by Network Policies
    • The change does not cause any dropped packets in the NetworkPolicy Dashboard
  • Audit checks:
    • The change does not cause any unnecessary Kubernetes audit events
    • The change requires changes to Kubernetes audit policy
  • Falco checks:
    • The change does not cause any alerts to be generated by Falco
  • Bug checks:
    • The bug fix is covered by regression tests

@davidumea davidumea added the kind/improvement Improvement of existing features, e.g. code cleanup or optimizations. label Feb 20, 2025
@davidumea davidumea force-pushed the david/move-config branch 2 times, most recently from f96418b to d317cf9 Compare February 21, 2025 07:07
@davidumea davidumea changed the title wip: update default config Revise default config Feb 21, 2025
@davidumea davidumea marked this pull request as ready for review February 21, 2025 14:18
Contributor

@viktor-f viktor-f left a comment

Very nice changes

Comment on lines 88 to 91
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
topologyKey: topology.kubernetes.io/zone
weight: 1
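
Review bot: `preferredDuringSchedulingIgnoredDuringExecution` with `weight: 1` on these lines makes the zone term a soft hint at the lowest possible weight (the range is 1 to 100), so the scheduler can place pods against it whenever other scoring wins or the term cannot be met. If zone placement matters for this component, switch to `requiredDuringSchedulingIgnoredDuringExecution`, or add a comment next to the term explaining why the soft form is intended here.
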
Contributor

How come these have preferred while the rest is strict?

Contributor

Also, is there a reason why we don't set the default opensearch setup with only master nodes?

Contributor Author

@davidumea davidumea Feb 24, 2025

> Also, is there a reason why we don't set the default opensearch setup with only master nodes?

I thought of that and asked around a bit, and I think the main issue would be that there's no known migration path.

Contributor Author

> How come these have preferred while the rest is strict?

I don't know, but it should be aligned. Do you think we should have preferred or strict everywhere?

Contributor

The easy migration path is to inform and preserve the config for existing environments.
So merge and lift any of the config that has changed to the override config.

I think we want to prefer a strict one, else we might get strange scenarios where we have a skew. Because this will mostly impact during the creation of new ones, as afterwards the PVCs will control which zone they land on.

Contributor

@davidumea do you intend to write a migration snippet to preserve the opensearch setup if one already uses dedicated nodes?
Which would be to yq_dig and then yq_add the results for those options into the override config before init runs.

Contributor Author

👍 I added something for that 6302a38

@davidumea davidumea requested a review from a team as a code owner February 24, 2025 08:51
@davidumea davidumea requested a review from a team as a code owner February 24, 2025 12:35
@davidumea davidumea requested a review from aarnq February 24, 2025 13:13