add rbac content and a candidate for more versioning information

[Bradamant3]

Signed-off-by: JENNIFER RONDEAU [email protected]

• fixes Document how to set up a non-cluster-admin role & rolebinding for Ark users #350
• fixes Docs about running Ark locally using Minikube #931
• fixes Document how to view logs when using Minio #387
• fixes No such host when restoring an ark backup #839

Also cleans up a fewe other small usability/style issues not reported separately

[Bradamant3]

New commit adds draft content for issue #387 (can break content out into PRs/branches per issue, but it's getting cumbersome.)

[ncdc]

The NodePort only contains a port, such as 35464. The value of the s3Url needs to be a fully valid URL, including http:// or https://. They can use the DNS name or IP address of any of the nodes in the cluster.

[ncdc]

You have to specify the name of a backup; it is not optional.

[skriss]

Added some thoughts on the minikube/minio stuff. Happy to talk through in person

[skriss]

So, couple things here - (1) the additional steps are not Minikube-specific; this will be necessary for anyone using this "get started" guide. The additional steps are needed because minio is running inside the cluster. . (2) since they'll always be needed, we should revise our example YAML here (make the minio service NodePort by default; update 05-ark-backupstoragelocation.yaml to have an s3Url placeholder that implies it needs to be reachable from wherever the ark client is running). Really the only minikube-specific thing here is how to get that externally-reachable s3Url.

[skriss]

I would split Set up server's Step 1 into some separate steps:

• apply prereqs
• apply minio deployment
• get minio URL (this will be NODE_URL_OR_IP:NODE_PORT, where NODE_URL_OR_IP can be gotten in the way described here if running on minikube, and NODE_PORT will be generated by Kubernetes after the previous step -- we can add a kubectl command to get it)
• update 05-ark-backupstoragelocation.yaml to set s3Url to the minio URL from the previous step
• apply 20-ark-deployment.yaml, 30-restic-daemonset.yaml

Then the Minikube configuration section can go away entirely, since per previous comment it's not really minikube-specific AND it's always going to be required if running minio in-cluster.

[Bradamant3]

this all makes much more sense than what I had before -- it did seem to me that some of the content was not minikube specific but without testing I wasn't sure what.

I have a bit of kubectl for getting the nodeport, but if I'm understanding correctly to get the full URL not on minikube you have to concatenate values? I could use some help with the right commands/script to make this easier on users.

[skriss]

yeah, so if you're not on minikube you need to get the external IP/DNS name of the node that the minio pod is running on. Not sure that we'll be able to provide any kind of generic command for that - we may just have to describe it.

[skriss]

I can help out with relevant commands, though - if you leave placeholders I can pull some things together.

[skriss]

Revisions are looking great @Bradamant3! Couple minor comments. Haven't looked at the RBAC content at all yet, will do that next.

[skriss]

I don't think you need/want the second -f there

[Bradamant3]

I'll make a point of updating the upstream docs, then ;)

[skriss]

looks like I'm wrong here so ignore. For the record you can either do it like you have it, or put a comma (no space) between file names (e.g. -f examples/minio/20-ark-deployment.yaml,examples/minio/30-restic-daemonset.yaml)

[skriss]

Probably should note that this needs to be an external IP (i.e. routable from where the ark client is being run)

[ncdc]

@skriss do you want to make this change, or instead possibly consider #1006 combined with some form of ingress for minio?

[skriss]

I feel like the NodePort path is the lowest-friction one for a quickstart, while #1006 + ingress is probably more of a production-like setup...so I guess both imho?

[ncdc]

I think having both documented would be ideal. Although I would recommend ClusterIP+ingress as one option, and NodePort as the other. In other words, don't make a blanked change from ClusterIP to NodePort.

[skriss]

Fine with me to document both as alternatives. We might want to have 2 alternate sets of YAML in that case.

[skriss]

@Bradamant3 have you seen andy's comment on this re: documenting both a nodeport and an ingress approach here?

[ncdc]

@Bradamant3 if merging this PR will close out various issues, please update this PR's description so that each issue is listed individually as "fixes #xyz" or "closes #xyz". This has to be done once per issue - you can't write "fixes #abc #def #ghi", unfortunately.

[ncdc]

This should also close #839

[Bradamant3]

@Bradamant3 if merging this PR will close out various issues, please update this PR's description so that each issue is listed individually as "fixes #xyz" or "closes #xyz". This has to be done once per issue - you can't write "fixes #abc #def #ghi", unfortunately.

See changes in description -- is this what you mean?

[ncdc]

@Bradamant3 perfect, thanks (you'll also notice that GitHub underlines the word "fixes" to indicate it's picking up on it).

[skriss]

Added some comments on RBAC; the main thing to address is @ncdc's comments re: documenting an additional approach for getting minio logs (which will require #1006 to merge first).

[skriss]

I'm not exactly sure what this sentence is intending to convey?

[Bradamant3]

Removed. I only sorta recall/understand what I was trying to say; I'll add it back in later if/when I get it clearer.

[skriss]

There's no reason a user couldn't set up a Role/Binding for a single namespace, and a ClusterRole/Binding that allows ark to back up any PV in the cluster. The limitation is really that it's all-or-none for each cluster-scoped resource type.

[Bradamant3]

yeah, took me a few readings to see what you meant. But I think I got it in latest commit?

[skriss]

doesn't look like 26 is used anywhere?

[ncdc]

Service of type NodePort is not recommended for production. might be worded a bit too strongly/broadly? I think it might be better to say that configuring Minio for a production-quality setup is out of scope here (e.g. you'll want to configure Minio for backups / high availability).

[ncdc]

This needs to include http:// or https:// - if it's just 1.2.3.4:31234, I'm pretty sure it won't work.

[ncdc]

Add period at end of line

[ncdc]

Capitalize Change

[ncdc]

Suggested change

	kubectl apply -f examples/minio/20-ark-deployment.yaml examples/minio/30-restic-daemonset.yaml
	kubectl apply -f examples/minio/20-ark-deployment.yaml -f examples/minio/30-restic-daemonset.yaml

[ncdc]

Suggested change

	apiVersion: rbac.authorization.k8s.io/v1beta1
	apiVersion: rbac.authorization.k8s.io/v1

[ncdc]

Suggested change

	apiVersion: rbac.authorization.k8s.io/v1beta1
	apiVersion: rbac.authorization.k8s.io/v1

[ncdc]

Suggested change

	- kind: User
	- kind: ServiceAccount

[ncdc]

Suggested change

	name: YOUR_USER_HERE
	name: YOUR_SERVICEACCOUNT_HERE

[ncdc]

Are you thinking of writing an example ClusterRole and ClusterRoleBinding for PVs?

Another RBAC issue if Ark isn't running as cluster-admin: it can't grant privileges it doesn't currently have. It can't create and bind roles or cluster roles beyond its abilities (https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping).

[Bradamant3]

Wasn't planning to write another example for this release, but could do for an interim docs release before 1.0. Added a bit of text to clarify the issue in the meantime.

[Bradamant3]

latest commit pushed as candidate for merge but also for discussion (get-started.md)

[skriss]

@Bradamant3 I'm wondering if we should put steps 1, 3, 4 under a single "Optional, but recommended" step just after current step 2, with a note that it's not strictly necessary to do, but ark backup/restore logs and ark backup/restore describe won't work properly without it.

Then, under that step, have "Option A" (NodePort) and "Option B" (Ingress/ClusterIP). Option A will include current step 1, 3a, 4 (bullet 1), while Option B will include Step 4 (bullets 2 & 3, clarifying that the URL should be the ingress URL). And, for both options, let's assume #1006 merges, so for both of them, we should tell users to add a publicUrl value rather than changing the s3Url value.

I think this helps with keeping things simple while making it a little clearer what's going on with the nodeport/ingress/publicUrl stuff.

[skriss]

Happy to pair on this this afternoon. I think it's close and getting it right will be really great for the v0.10 release!

[Bradamant3]

Pushed a variation on your approach, @skriss, with some SOMETHINGSOMTHING placeholders where I'm not sure what to say about why you'd find a particular config or approach the right choice.

[skriss]

The first sentence reads a little strangely to me. Maybe something like "These instructions start the Ark server and a Minio instance that is accessible from within the cluster only. To be able to access logs and run ark describe commands, you need to be able to access Minio from outside the cluster. See the following section..."

[skriss]

The title here is pretty generic, I'd prefer something more like "expose Minio outside the cluster" (to be able to run ark logs and ark describe)

[skriss]

Instead of "With Minio, you can...." I'd say something like "To be able to access these URLs from outside the cluster (i.e. from your laptop running the ark client), you need to expose Minio outside the cluster. There are two primary ways to do this: by making the Minio service a NodePort service, or by setting up an Ingress..."

[skriss]

Whether the user goes with a NodePort service or Ingress, the action they will take is updating the publicUrl field in the backup storage location config. So this section is kind of weird as-is. I'd modify it to cover the case of exposing Minio via Ingress (and probably move it below the NodePort section since this is a quickstart).

[skriss]

Re: details of what we want to cover for the Ingress option, I'll defer to what you and @ncdc discussed.

[skriss]

This section should be re-titled to indicate it's for exposing Minio via a NodePort service (not Minikube-specific),.

[skriss]

Yes, NodePort is a super-easy way to expose an in-cluster service externally, though not necessarily the thing you'd do in a production scenario. Assumes that you can directly access the node from wherever you're running the ark client.

[skriss]

let's change this line to be publicUrl: ... -- they'll leave the s3Url as-is, and only change publicUrl

[ncdc]

you can also?

[ncdc]

you can provide?

[ncdc]

You can technically configure s3Url to the NodePort url without using the publicUrl.

[ncdc]

to either the NodePort-based URL (which isn't strictly required, because both the ark server and command line tools should be able to reach the NodePort-based URL from s3Url), or the appropriate url and port associated with the ingress.

[skriss]

IMHO it's confusing to say you can specify either but not explain why or what (if anything) would change, this is why I wanted to just be updating publicUrl. I'd either explain that in this case you can change either because Ark inside the cluster should be able to access the nodeport URL, or change the text to specify changing one of them (personally I'd choose publicUrl).

[skriss]

IMHO it's confusing to say you can specify either but not explain why or what (if anything) would change, this is why I wanted to just be updating publicUrl. I'd either explain that in this case you can change either because Ark inside the cluster should be able to access the nodeport URL, or change the text to specify changing one of them (personally I'd choose publicUrl).

Previous comment applies here too

[skriss]

. at end of sentence.

[skriss]

I would leave this commented out by default, with a brief comment.

[skriss]

@Bradamant3 couple new comments but overall I think this is looking pretty good!

[ncdc]

With s3, we assume the s3 endpoint is accessible from both inside the cluster and from wherever you're running the ark CLI.

I know we've had a lot of users run into the Minio accessibility issue. How important do we think it is to add this publicUrl support? Could/should we instead make it a requirement that Minio be accessible in the same manner as s3? I know I wrote the pending publicUrl code, but is this an example where we're being too accommodating? Or should we just merge it because it's helpful?

[skriss]

I think it's helpful and solves short-term pain, so I'd opt to move ahead for now. We could look at more significantly revamping our get-started guide to use something besides an in-cluster Minio, in which case we might be able to avoid the issue altogether, but IMHO we can do that later.

[ncdc]

Works for me

[Bradamant3]

Responded to @skriss's latest comments. We can revisit after release, too. Might ultimately be better to put all the "make external access happen with the getting started example" in its own topic/section, but not until after release ;)

[skriss]

This LGTM and I'm ready to merge, pending any further input from @ncdc

[ncdc]

No further comments. Thanks!