Topicoperator unalterable topic configs #10182
Conversation
Signed-off-by: Kay Hartmann <[email protected]>
kahartma
changed the title
There was a problem hiding this comment.
Thanks for the PR.
Looking back, I think the decision taken in the community call was wrong. I think the default should be set in the Topic Operator itself and not in Cluster Operator? The way it is implemented now would not allow users to override this configuration when deploying Topic Operator through Cluster Operator. WDYT @ppatierno @tombentley @fvaleri?
|
|
||
| var unalterableConfigs = config.unalterableTopicConfig(); | ||
| if (unalterableConfigs != null && alterConfigOps != null && !unalterableConfigs.isEmpty()) { | ||
| if (!unalterableConfigs.equalsIgnoreCase("NONE")) { |
There was a problem hiding this comment.
I consciously excluded the ALL case here, because I didn't see why anyone would want to block all configs, but could be added of course
There was a problem hiding this comment.
A cluster admin wants to provide locked-up topic configs for some critical cluster (no delegation). That's a valid use case, so I would also add support for that.
Should we also change this method name to skipAlterConfigOps and update the Javadoc, as it now deals with both alterable and non-alterable configs?
There was a problem hiding this comment.
I think the decision taken in the community call was wrong. I think the default should be set in the Topic Operator itself and not in Cluster Operator
@scholzj I agree.
The TO already has the knowledge about CC enablement, so changes should be limited to the topic-operator module.
@kahartma thanks for working on this. Some initial comments.
Unalterable and alterable config variables should be mutually exclusive, so we should skip them if they are both set, and also raise a warning (log and status).
We need some more tests in BatchingTopicControllerTest to check the various permutations and invalid configs:
-
Should ignore with Cruise Control throttle config
-
Should reconcile and warn with user and Cruise Control throttle config
-
AlterableConfig (allow list)
3.1. Happy path
3.2. Should reconcile with "ALL", "" (empty string)
3.3. Should ignore and warn with "NONE", invalid config (eg: "sdasdas" or "retention.bytes; retention.ms" - note ";" instead of ",") -
UnalterableConfig (deny list)
4.1. Happy path
4.2. Should ignore and warn with "ALL"
4.3. Should reconcile with "NONE", "" (empty string), invalid config (eg: "sdasdas" and "retention.bytes; retention.ms" - note ";" instead of ",") -
Should ignore and warn when both alterable and unalterable configs are set
Probably, we also need to create a documentation paragraph where we explain how to use these new configurations to delegate topic management in a controlled way, but this can be added later as a separate PR.
| * @param saslUsername, The SASL username for the Admin client | ||
| * @param saslPassword, The SASL password for the Admin client |
There was a problem hiding this comment.
How moving saslUsername and saslPassword is related to this change? Can you please revert?
topic-operator/src/main/java/io/strimzi/operator/topic/TopicOperatorConfig.java
Outdated
Show resolved
Hide resolved
topic-operator/src/main/java/io/strimzi/operator/topic/TopicOperatorConfig.java
Outdated
Show resolved
Hide resolved
| static final ConfigParameter<String> ALTERABLE_TOPIC_CONFIG = new ConfigParameter<>("STRIMZI_ALTERABLE_TOPIC_CONFIG", STRING, "ALL", CONFIG_VALUES); | ||
| static final ConfigParameter<String> UNALTERABLE_TOPIC_CONFIG = new ConfigParameter<>("STRIMZI_UNALTERABLE_TOPIC_CONFIG", STRING, "NONE", CONFIG_VALUES); |
There was a problem hiding this comment.
I think it's important to provide some Javadoc. For example:
/**
* Use {@code alterableTopicConfig} to specify a comma separated list (allow list) of Kafka topic configurations that are reconciled, everything else is ignored.
* The default value is "ALL", which means that all configurations are available; the opposite is "NONE", which means that all configurations are ignored.
* <br/><br/>
* This is useful in standalone mode when you have a Kafka service that restricts alter operations to a subset of Kafka topic configurations.
*/
static final ConfigParameter<String> ALTERABLE_TOPIC_CONFIG = new ConfigParameter<>("STRIMZI_ALTERABLE_TOPIC_CONFIG", STRING, "ALL", CONFIG_VALUES);
/**
* Use {@code unalterableTopicConfig} to specify a comma separated list (deny list) of Kafka topic configurations that are ignored, everything else is reconciled.
* The default value is "NONE", which means that all configurations are available; the opposite is "ALL", which means that all configurations are ignored.
* <br/><br/>
* This is useful when another application changes dynamic topic configurations directly in Kafka, and the operator should not interfere.
*/
static final ConfigParameter<String> UNALTERABLE_TOPIC_CONFIG = new ConfigParameter<>("STRIMZI_UNALTERABLE_TOPIC_CONFIG", STRING, "NONE", CONFIG_VALUES);```|
|
||
| var unalterableConfigs = config.unalterableTopicConfig(); | ||
| if (unalterableConfigs != null && alterConfigOps != null && !unalterableConfigs.isEmpty()) { | ||
| if (!unalterableConfigs.equalsIgnoreCase("NONE")) { |
There was a problem hiding this comment.
A cluster admin wants to provide locked-up topic configs for some critical cluster (no delegation). That's a valid use case, so I would also add support for that.
Should we also change this method name to skipAlterConfigOps and update the Javadoc, as it now deals with both alterable and non-alterable configs?
| readOnlyConfigs.add(key); | ||
| } | ||
| }); | ||
| if (unalterableConfigs != null) { |
There was a problem hiding this comment.
I would extract this logic in a separate method, for example addAlterableConfigWarning, and maybe rename addNonAlterableConfigsWarning to addUnalterableConfigWarning.
| @@ -1236,7 +1236,7 @@ private static TopicOperatorConfig topicOperatorConfig(String ns, KafkaCluster k | |||
| useFinalizer, | |||
| 100, 100, 10, false, new FeatureGates(""), | |||
| false, false, "", 9090, false, false, "", "", "", | |||
| "all", false); | |||
| "all", "none", false); | |||
There was a problem hiding this comment.
Can we use uppercase here like in the other tests?
There was a problem hiding this comment.
I will then also update all->ALL for alterableTopicConfig to keep it consistent
| @@ -1990,7 +1990,7 @@ public void shouldTerminateIfQueueFull( | |||
| true, | |||
| 1, 100, 5_0000, false, new FeatureGates(""), | |||
| false, false, "", 9090, false, false, "", "", "", | |||
| "all", false); | |||
| "all", "none", false); | |||
There was a problem hiding this comment.
Can we use uppercase here like in the other tests?
…eratorConfig.java Co-authored-by: Federico Valeri <[email protected]> Signed-off-by: kahartma <[email protected]>
…eratorConfig.java Co-authored-by: Federico Valeri <[email protected]> Signed-off-by: kahartma <[email protected]>
@fvaleri Okay, then I would extend this PR a bit more to distinguish between the user-provided |
If they are both set at the same time, we go with defaults and raise warnings. I would say that throttle configurations will be always ignored when CC is enabled, unless the user explicitly set them in |
I think raising the warning sounds reasonable. But why not allow it? What if the user is using Cruise Control, but at the same time wants to manage the replication throttling for some reason personally through the Topic Operator? I think it is a reasonable default, and reasonable thing to warn against when configuring or in the docs. But not sure I see really a reason to prevent it. |
Maybe I wasn't clear, but that's what I meant. We always allow. If CC is enabled AND the user explicitly sets throttle configs, we allow and raise a warning, as we may have a race condition (there is no race when running rebalances without throttling, which is the default). If CC is NOT enabled, we allow with no warning. We can extract this CC throttle fix and related unit tests in a separate PR, as it does not involve the new |
|
@fvaleri I think that's reasonable. Better to avoid adding another config if we can avoid it. And the behaviour you describe would do that, so +1 from me. |
|
@kahartma so this would actually reduce the scope of this PR. No need to add another environment variable to fix the issue caused by the TO-CC race condition during throttled rebalance. We can simply add a private constant to BatchingTopicController (e.g. THROTTLING_CONFIG) which contains the two throttle config properties. The logic should be:
The interaction between ALTERABLE_TOPIC_CONFIG and THROTTLING_CONFIG requires careful testing. There is a general need for setting policies to restrict which topic configurations can be changed by normal users (config management delegation), but we think that this requires a formal design proposal to discuss API changes and how this would work in practice. Sorry for the change in plans. Let me know if you still have time to work on this, or do you want me to continue. |
|
@kahartma Are you still planning to get back to this? Or should someone else have a look at it? |
|
As there was nor response for a long time, we are closing it in favour of #10241 |
Type of change
Select the type of your PR
Description
This MR adds a new env var
STRIMZI_UNALTERABLE_TOPIC_CONFIGto the TopicOperator, similar to the existingSTRIMZI_ALTERABLE_TOPIC_CONFIG. It can be used to specify topic configs that should not be reconciled by the TopicOperator.If CruiseControl is enabled in the cluster, it will automatically be set to
follower.replication.throttled.replicas,leader.replication.throttled.replicaswhich are used and updated by the partition reassignment process. See follower.replication.throttled.replicas,leader.replication.throttled.replicasChecklist
Please go through this checklist and make sure all applicable tasks have been done