Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs(MADR): meshexternalservice routed through the specific zone #11853

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

docs(MADR): meshexternalservice routed through the specific zone #11853

wants to merge 5 commits into from

Conversation

lukidzi
Copy link
Contributor

@lukidzi lukidzi commented Oct 24, 2024
edited
Loading

Motivation

There is a use case where a service is not part of the mesh and is only accessible or resolvable within a single Datacenter (DC). Without the proposed functionality, there is no way to expose this service to other zones.

Implementation information

MADR https://docs.google.com/document/d/12YrUy-kV3JZu9K4tSv6V6q4Dx8v7mp41_SdxJ0kQ_tc/edit?tab=t.0#heading=h.n6cmlf1eel2z

Supporting documentation

part of #11071

@lukidzi lukidzi added ci/skip-test PR: Don't run unit and e2e tests (maybe this is just a doc change) ci/skip-e2e-test PR: Don't run e2e tests labels Oct 24, 2024
@lukidzi lukidzi requested a review from a team as a code owner October 24, 2024 20:38
@lukidzi lukidzi requested review from jijiechen and Automaat and removed request for a team October 24, 2024 20:38
@lukidzi lukidzi changed the title docs(madr): meshexternalservice routed through the specific zone docs(MADR): meshexternalservice routed through the specific zone Oct 25, 2024
@jijiechen
Copy link
Member

I would prefer creating the resource on global CP with a label.

Because when we ask the user to create a resource in the zone, it implies the resource is "owned/maintained" by the zone. But this is not the case here.

Zones are phsically located at different clusters/places, so they may have very different permissions when considering the underlying Kubernetes/VM cluster. However, an external service that is only accessible through a zone does not belong to the zone. When the mesh admin/operator decides to open this accessiblity to other zones in the mesh, the responsibility of managing/maintaining this relationship with the external service should be shared by the whole mesh. So the MeshExternalService should be shown/managed through the global CP.

Let me raise an example scenario:

When the external service fails because of the IP address had been changed by it owner and the consumers within the mesh just found it. So they want to correct the address in MeshExternalService defined in the mesh.

In this case, I think they should go to the global CP admin, instead of the zone admin.

It's slightly different than the MeshService case. MeshServices are normally generated automatically and it originates from the Service objects on a Kubernetes cluster.

So it's reaonable for MeshServices to be "owned" by zones, because:

  1. They originate from Services, which are owned by zones
  2. People don't need to manage/maintain MeshServices directly, so the operational cost is low

@lukidzi
Copy link
Contributor Author

lukidzi commented Oct 25, 2024

That makes sense I can agree with most of this. I have another use case that could involve a dedicated database team maintaining a cluster independently. In this scenario, permissions for exposing services from other zones would be managed by the Mesh Operator, while the database team could handle the creation and maintenance of MeshExternalService resources. This setup would provide flexibility, allowing the database team to manage their resources without impacting broader mesh configurations.

@lukidzi
Copy link
Contributor Author

lukidzi commented Oct 28, 2024

I am going to move it to the google docs

@lukidzi lukidzi marked this pull request as draft October 28, 2024 10:46
@lukidzi
change to google docs
0bce4b1 
Signed-off-by: Lukasz Dziedziak <[email protected]>
@lukidzi lukidzi marked this pull request as ready for review October 28, 2024 13:27
slonka
slonka reviewed Nov 26, 2024
View reviewed changes
Copy link
Contributor

@slonka slonka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lukidzi I feel like there is nothing to add more from my side but there are some discussions that are not closed. Should we create a meeting and talk through them?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@slonka slonka slonka left review comments

@jijiechen jijiechen jijiechen approved these changes

@Automaat Automaat Awaiting requested review from Automaat Automaat is a code owner automatically assigned from kumahq/kuma-maintainers

@johncowen johncowen Awaiting requested review from johncowen

@lahabana lahabana Awaiting requested review from lahabana

@johnharris85 johnharris85 Awaiting requested review from johnharris85

@michaelbeaumont michaelbeaumont Awaiting requested review from michaelbeaumont

@jakubdyszkiewicz jakubdyszkiewicz Awaiting requested review from jakubdyszkiewicz

@bartsmykla bartsmykla Awaiting requested review from bartsmykla

@lobkovilya lobkovilya Awaiting requested review from lobkovilya

@Icarus9913 Icarus9913 Awaiting requested review from Icarus9913

Assignees
No one assigned
Labels
ci/skip-e2e-test PR: Don't run e2e tests ci/skip-test PR: Don't run unit and e2e tests (maybe this is just a doc change)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lukidzi @jijiechen @slonka