TEP-0009: Trigger CRD

[khrm]

This proposal is to extract out Trigger definition from EventListener Spec into its own CRD
to resolve the problem of Multitenant EventListener.

This is a TEP for the implementation of the Trigger CRD that were
discussed in the following docs:

• Trigger Listener CRDs
• Multitenant EventListener

[bobcatfish]

Thanks for putting this together @khrm ! I think there are a few more sections to flesh out before we'd be able to properly evaluate this proposal.

[bobcatfish]

im not sure this is technically true since afaik the triggers CRD is already merged? 😬

[khrm]

Yes, but it isn't being used by Triggers but cli. So don't what to put there except proposed.

[dibyom]

I think proposed is the right status here. While there is a Trigger CRD type, its main use is for experimentation with the CLI and it not usable by an end user. If we decide to withdraw this proposal for any reason, we can do it without any changes to the API. In addition, there is more to this proposal than just adding the CRD type (e.g. selectors, path based triggers etc.)

[vdemeester]

I tend to agree with @dibyom and @khrm 😉

[bobcatfish]

I don't totally agree; fortunately nothing in the controller is operating on the new CRD, but it is committed to the codebase - while we haven't explicitly created an API compatibility policy for our Go libs (tektoncd/pipeline#2748) I think it's probably going to end up being in there. So removing or changing this type would be a breaking change imo

A different way of handling this could have been in a branch or a fork?

[bobcatfish]

could you expand a bit on the motivation and goals? in my opinion these are one of the most important sections in the TEP because they help the reader understand the problem being solved fully. it's hard to judge a proposal if you don't fully understand why the thing is being proposed.

Maybe you could elaborate on each of the points you already have, e.g.:

Today, EventListener commonly are created for every namespace and handle TriggerBinding and TriggerTemplate in that same namespace.
Creation of EventListener causes pod proliferation.

Can you explain a bit more, maybe with some examples? e.g. how many namespaces you are dealing with, how many pods.

For every namespace that requires handling of webhook, we need EventListener which in turns lead to
this pod proliferation and causes excess resource consumption.

Does 'handling a webhook' here mean instantiating resources within that namespace?

Can you elaborate on "resource consumption"?

[dibyom]

Another goal - separation of concerns. Today listeners are the type that a user creates. Say I have a git repo and I want to create a push trigger, I create an EventListener for it. Next, if I want to add an additional trigger, (say a pull req trigger, or an image push trigger), do I create a new EL or do I add an additional trigger to an EL? What if I add a new repo? A new EL means a new Pod/Deployment/Service. Besides just the resource consumption, there are other concerns. Usually you'd have to expose your EL via an Ingress or some other means. The more ELs I have the more additional configuration I need - in some cases this additional bit of configuration is something that a cluster admin/operator would perform not an user/app developer.

For declarative config as code scenarios, it would be easier for a user to have create the Trigger configuration part as part of config with code. The cluster admin/operator can create the EventListeners, expose it to a public address, etc. And the same listener can be shared among many Triggers. This does reduce the number of listener Pods but also allows for a better separation of concerns among the user and the operator.

[dibyom]

Instead of just a namespace selector, why not use a label based selector mechanism:
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

[dibyom]

khrm has some YAML for the label selector scenario: https://gist.github.com/khrm/4f189926a62fcbed72fb4dd4273e21d1#file-label-selector-el-L9

One question with label selectors is -- is it possible to limit the selection to a single namespace if needed? I tried looking into other k8s resources that use selectors -> NetworkPolicy, for instance, uses both an explicit namespaceSelector and a podSelector : https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource

So, if we want to support the use case where an EL is limited to only one namespace, it seems like we'd want to have something similar i.e. both a namespaceSelector and a podSelector.

Another question I have is that for the kinds of multi-tenanted scenarios that we are considering, do users usually have access to add labels to their namespaces? If not, maybe we'd need to have some way of selecting by namesapceName (like this proposal already states).

Adding both namespaceSelector as well as individual pod selectors initially seems complex. So, what I'm thinking is perhaps something like:

# intial release - just select on name
spec:
  namespaceSelector:
     matchName: [ns-1, ns-2]

and then later we could add the label seelctors:

spec:
  namespaceSelector:
     matchName: [ns-1, ns-2]
     matchLabels: 
       - someLabel: value
  triggerSelector:
    matchLabels:
      - someLabel: value

What do you think?

https://groups.google.com/forum/#!msg/kubernetes-sig-network/4Q1Xk1Jm4-M/UyNIW53XBAAJ

https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors

[khrm]

Yes, this looks quite promising.

[khrm]

I added this in Design section.

[dibyom]

great thanks! what I'm thinking is we get started with just a namespaceSelector with matchName to start off with and then proceed to have the more complex selectors as needed

[dibyom]

I think proposed is the right status here. While there is a Trigger CRD type, its main use is for experimentation with the CLI and it not usable by an end user. If we decide to withdraw this proposal for any reason, we can do it without any changes to the API. In addition, there is more to this proposal than just adding the CRD type (e.g. selectors, path based triggers etc.)

[dibyom]

Another goal - separation of concerns. Today listeners are the type that a user creates. Say I have a git repo and I want to create a push trigger, I create an EventListener for it. Next, if I want to add an additional trigger, (say a pull req trigger, or an image push trigger), do I create a new EL or do I add an additional trigger to an EL? What if I add a new repo? A new EL means a new Pod/Deployment/Service. Besides just the resource consumption, there are other concerns. Usually you'd have to expose your EL via an Ingress or some other means. The more ELs I have the more additional configuration I need - in some cases this additional bit of configuration is something that a cluster admin/operator would perform not an user/app developer.

For declarative config as code scenarios, it would be easier for a user to have create the Trigger configuration part as part of config with code. The cluster admin/operator can create the EventListeners, expose it to a public address, etc. And the same listener can be shared among many Triggers. This does reduce the number of listener Pods but also allows for a better separation of concerns among the user and the operator.

[dibyom]

My understanding is that we'd still recommend one EL per namespace (though if one wants they could setup an EL to cater to a whole cluster). This should still be beneficial from a resource consumption standpoint since currently we have many ELs per namespace (one per repo/trigger etc.)

[khrm]

Yes. Should I rephrase this?

[dibyom]

In this model, is there a way to serve multiple Triggers from the same webhook without having to deliver the webhook twice?

[khrm]

No. I don't think so.

[dibyom]

Hmm, so this is a breaking change in how Triggers works today i.e. the lack of support of multiple triggers from the same webhook event. We should highlight this and document possible alternatives/workarounds.

• one idea: Maybe one Trigger CRD can contain multiple triggers?

[khrm]

I found a workaround on this. We can pass label information using query in url to select TriggerCRD. Will that work?

[dibyom]

That's an interesting alternative....we can try out an example maybe like creating a GitHub webhook with query params and see if that works?

[dibyom]

If the labels change, we'd have to reconfigure the webhook.

[khrm]

I tested Github Webhook with query params and it works with the query params.

[dibyom]

Thanks, query params seem like an interesting idea though I still think it might be worth exploring if we can put multiple configs in the same Trigger or other alternatives which do not require label manipulation. I do think that we can work on this iteratively i.e we can get this TEP merged as proposed and then work on this part of the design more?

[khrm]

Yes, that works for me.

[gabemontero]

Observation: specifying just the SA name here, with the implication that the SA is in the same namespace as the Trigger is a change from https://github.com/tektoncd/triggers/blob/master/pkg/apis/triggers/v1alpha1/trigger_types.go#L40-L42 where a "full" object ref, including namespace was provided.

Now, from a "security" perspective, this is a positive move IMO.

That said, in our prior discussions on this, I am not sure if we nailed down the existing scenarios that required a full object reference there.

Do any of the reviewers recall?

From a TEP perspective, calling out that difference is probably important.

I still somewhat wonder if independent of this TEP, we should switch that ref from global to namespace scope ...

[gabemontero]

The implication being that a SA from a privileged namespace could be specified with a ObjectReference vs. a LocalObjectReference.

[dibyom]

That said, in our prior discussions on this, I am not sure if we nailed down the existing scenarios that required a full object reference there.

I think you are correct. And I agree we should call this out. We should discuss this - this has come up in tektoncd/triggers#679 maybe we can continue the discussion there?

[dibyom]

we can call this section end users and describe how it works for end users? In addition to what you already have, maybe we can add how a end user goes about using it once a trigger is created i.e. getting listener address from status, setting up webhook of the form http(s)://url/namespace/trigger . Also, how they can find the logs - find listener pod and then get logs for those?

[gabemontero]

Yeah I would have expected something like "As an end user, I am only concerned with defining the Trigger* objects in my namespace in order to have my SCM system trigger my Tekton pipielines, and do not want to have to manage the event listener sink myself."

And then "As a cluster administrator, I want to be able to manage the ingress points into my cluster's various use of tekton triggers, minimizing the amount of EventListerners/Sinks needed, and thus be able to absolve my end users from managing these http endpoints."

[khrm]

I updated this section.

[dibyom]

Similar to above, this section looks like that the user story would be for an operator user. We could describe that an operator can create one or more listeners and then use a combination of namespace and trigger selectors to "select" which triggers/namespaces to serve. They can expose the Listener via Ingress/LoadBalancer and can retain write access to the Listener objects. They can choose to restrict write access to Listener objects while allowing users with read access to use the Listener/get logs etc.

[gabemontero]

+1 on the user story feel .... "As a cluster administrator, I want ot control which namespaces the HTTP endpoints needed for tekton triggers reside in".

[khrm]

I updated this section.

[dibyom]

Some comments mainly on the user stories section. But beyond that, I'd like to get a few other folks to review this as well!
maybe @bobcatfish since you already did a first pass. And @wlynch @gabemontero @bigkevmcd @vdemeester ?

[gabemontero]

Finally able to give this more of a thorough read. Apologies for the delay. High level, perhaps still a few blind spots where folks of the WG may know the specifics/details, but the uninitiated reader would not.

[gabemontero]

Yeah I would have expected something like "As an end user, I am only concerned with defining the Trigger* objects in my namespace in order to have my SCM system trigger my Tekton pipielines, and do not want to have to manage the event listener sink myself."

And then "As a cluster administrator, I want to be able to manage the ingress points into my cluster's various use of tekton triggers, minimizing the amount of EventListerners/Sinks needed, and thus be able to absolve my end users from managing these http endpoints."

[gabemontero]

+1 on the user story feel .... "As a cluster administrator, I want ot control which namespaces the HTTP endpoints needed for tekton triggers reside in".

[gabemontero]

Indicated by some of the questions/comments below, some detail in this section on what exactly this URL gets the Trigger author, etc. is needed.

Is it simply and identifier? Is it the URL the trigger author configures in their SCM (github/gitlab, etc) webhook configuration? If the trigger author does a curl against that URL, what should they expect?

[gabemontero]

I know in WG we discussed some form of trigger specific log snippet from the EL log into the trigger status ... did you decide to abandon this @khrm ?

[khrm]

Yes, we decided to abandon it. It might require another CRD itself.

[gabemontero]

Just a minor comment on user story wording, but I'm deferring if everybody else is OK, and merging this as proposed.

[gabemontero]

Still not using the classic user story wording of "As a , I want ..."

But I won't block on that if everybody else is ok with it. The separation of concerns that is at the heart of the user stories and different roles is written down / captured in some form.

[dibyom]

Looking good! Like @gabemontero said, there are a couple of minor things we could fix. But that can be done once this is merged as proposed as well -- I'm happy to volunteer if you want :)

In terms of next steps, I think:

1. Merge this PR

2. Make any minor fixes to the PR

3. Open a new PR to change status to "implementable".

4. Gather feedback on that PR (I think we should call it out in the API WG and the Tekton WG on Wednesdays as well)

5. If we absolutely need to (though hopefully not 🤞), we can reduce some of the scope around paths/selectors and only proceed with the Trigger CRD with references and open new TEPs for those!

/approve

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dibyom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• teps/OWNERS [dibyom]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dibyom]

A few minor comments on the Table of Contents but otherwise 👍 from me!

[vdemeester]

nit: I think this messes up the GitHub render, there should be only one backtic instead of three.

[vdemeester]

/lgtm