VMDistributedCluster CR: orchestrate VMCluster upgrades

[vrutkovs]

Add a new CR - VMDistributedCluster -so that multiple VMClusters could be upgraded in orchestrated fashion, ensuring the read VMAuth is disabled before upgrade and VMAgent (if available) doesn't have pending bytes to send.

See #1515 (comment) for agreed limitations for v1alpha1 version.

Fixes #1515

TODO:

• Add changelog entry
• Description-less CRD should be applied for development only. Rephrase descriptions in existing parts to make it fit for production
• Fix flaking tests
• Squash commits
  Keeping original commits for review as its useful to show how the feature was developed
• Allow objects from other namespaces?
  During development I realized VMAuth / VMClusters may be in different namespaces. The initial version requires all objects to be in the same namespace as VMDistributedCluster. Do we want to keep it that way for API simplicity or worth having the initial version with cross-namespace support?
• Watch VMClusters and run CreateOrUpdate to apply spec overrides accordingly
• Set ownerRefs to managed VMClusters
• Other improvements:
  • Multiple VMAgents per VMCluster - use label selector instead of name?
  • Label selector for VMClusters? Not sure how to select VMAgents then

[AndrewChubatiuk]

initially thought distributed CR is needed for full distributed setup management, but looks like it only performs version upgrade. In this case just curious why we need different CRs for VM, VT and VL?

[vrutkovs]

Yes, so far we're focusing on upgrades - existing CRs provide sufficient flexibility IMO - and we didn't get a request for other actions so far.

In this case just curious why we need different CRs for VM, VT and VL?

VL and VT don't have agents (yet) so their specs would be different. However we can reuse the same approach and probably even some helper functions

[Haleygo]

Yes, so far we're focusing on upgrades - existing CRs provide sufficient flexibility IMO - and we didn't get a request for other actions so far.

I believe users would expect to modify the vmcluster spec value or apply extra flags to the vmclusters.
And since vmclusterSpec.ClusterVersion is optional, users could specify component versions inside vmclusterSpec which overrides the vmclusterSpec.ClusterVersion.

And currently, it seems VMDistributedCluster only covers a limited scenario where resources like vmcluster, vmuser, vmauth are defined and configured as needed.
Could you please provide an example of how to config them to achieve similar topology described in victoria-metrics-distributed chart? I expect VMDistributedCluster to be supported there when released.

[vrutkovs]

I believe users would expect to modify the vmcluster spec value or apply extra flags to the vmclusters.

Yup, setting generic overrideParams would be more flexible and, along with upgrades, would cover other maintenance tasks, i.e., adding replicas or setting flags

[AndrewChubatiuk]

are we going to have a single VMAgent? are there any requirements to amount of replicas it should have according to zones count?

[vrutkovs]

Single VMAgent iiuc, however, later we may want to support zone-specific agents

[Haleygo]

The vmAgentPath uses vmagent service address, what if the vmagent deployment has multiple replicas?

[vrutkovs]

Is it a common configuration? I don't see the value in running several identical replicas of vmagent, usually (redundancy?).

TODO: fetch endpoints to be sure

[Haleygo]

I don't see the value in running several identical replicas of vmagent, usually (redundancy?).

It's common for large setups, for HA or increase cluster capacity.

[Haleygo]

The main role of this vmagent is the global write entrypoint(which buffers data if one of the vmcluster is down). It might not be used to scrape targets(including vmclusters), but only to proxy data.
What about renaming it to something like GlobalWriteEntryVMAgent?

[vrutkovs]

I'd prefer to keep the name short - there is no need to write a long one as there is no other VMAgent to confuse this setting with.

I agree however this should have a better description.

[Haleygo]

zones is ambiguous without contexts, and since it only contains vmcluster resources, I think we can call it something like vmclusterList to be more clear.

[Haleygo]

The feature isn’t limited to vmcluster, it can also be applied to vmsingle.
Later, we can support vmsingle with the same CRD by replacing vmcluster objects under VMDistributedClusterSpec with vmsingle.
What about calling it VMDistributed?

[vrutkovs]

Yes, I think it's fair to extend this to VMSingle too. I think it would be trivial to extend this to VMSingles - by adding VMType to Zones property. We didn't get a request to extend this to VMSingle though, so I'd prefer to focus on VMClusters.

Not quite sure about VMDistributed - its fair to treat multiple zones as a cluster (so VMCluster would be a fantastic name :) ), while VMDistributed doesn't really pinpoint it.

[Haleygo]

Please name the field more specifically.
As I understand, we don't need VMUser objects controlling traffic distribution between multiple VMClusters, but only the vmuser which proxies query requests between two vmcluster.
For example, the vmuser for vmauth-read-proxy in below diagram(without the vmauth-read-balancer since it changes the target for vmauth-read-proxy).

Later, We should also support vmauth's unauthorized_user.

[vrutkovs]

Agree on documentation update, but it would be convenient to keep the property name short (there are no other VMUsers specified there too)

[Haleygo]

So Name and Spec define a new vmcluster, while Ref and OverrideSpec go to an existing one. Please put related fields closer for readability:

	// Name creates a new VMCluster with the below spec.
	// Only one of Ref or Name can be used.
	// +optional
	Name string `json:"name,omitempty"`
	// Spec defines the spec with a new vmcluster.
	// +optional
	Spec *vmv1beta1.VMClusterSpec `json:"spec,omitempty"`
	
	// Ref points to an existing VMCluster object.
	// Only one of Ref or Name can be used.
	// +optional
	Ref *corev1.LocalObjectReference `json:"ref,omitempty"`
	// OverrideSpec specifies spec overrides for the existing vmcluster.
	// +optional
	OverrideSpec *apiextensionsv1.JSON `json:"overrideSpec,omitempty"`

Also the comments are conflicted, it says:

// If Ref is used, this field is ignored.
Name string json:"name,omitempty"

which means Ref takes precedence. But

// This field is ignored if Spec is specified.
OverrideSpec *apiextensionsv1.JSON json:"overrideSpec,omitempty"

means Spec(Name) takes precedence.
Since we don't allow to have both Name and Ref, let's just highlight this in the doc.

[vrutkovs]

Please put related fields closer for readability

Good idea. Rearranged and added better description in 95bc654

[Haleygo]

If the vmcluster was created by VMDistributedCluster, then user changed its spec, the change won't be detected by the check, and the vmcluster won't be updated.

[vrutkovs]

Good catch, we'll need to set up an informer for VMClusters in this controller - do you know if there is some nice example on how to do that?

[Haleygo]

It would be nice to tag the newly created vmcluster as managed by VMDistributed, and not allowed to modify the spec in vmcluster reconcile.

[vrutkovs]

If we setup watchers for VMClusters the users are allowed to modify them (although results may be unexpected).

It is worth setting ownerRef for affected clusters, I agree