Description

Rafter manages buckets in MinIO and in remote storage by Bucket CR. Unfortunately, it is not possible to communicate with MinIO by Bucket CR name. The problem is that changes in buckets may generate new names in storage and client needs to monitor CR to be up-to-date.

We need to create a simple proxy service that will be able to translate Bucket CR to remote names and will be still compatible with S3 API. Thanks to that you can use any S3 client and communicate by Bucket CR names.

Whats need to be done:

• A proxy that translates Bucket CR names to remote names and is still compatible with S3
• Link in Bucket CR should point to proxy with nice Bucket CR name (goodbye hash)
• Define a label on Bucket CR that determines if bucket should be migrated or recreated during switching to MinIO Gateway mode
• Documentation updated
• Tutorial updated

Reasons

It will definitely simplify the usage of Rafter and links generated by it. You will no longer see ugly hashes in links and also the link will be static, not regenerated with changes on remote bucket names.

Another benefit is that it will be possible to use Rafter as storage for in-cluster Docker Registry.

Description

After moving Rafter to a separate repo, it should have README.md docs explaining Rafter services and the controller. Reuse the existing README.md docs from the kyma repository (+remember about renaming).

Related issue(s)
kyma-project/kyma#5585

Description

AssetGroup is not only a new name for DocsTopic, but it also provided a new functionality - the possibility to provide Bucket reference for created Assets. Labels should be also improved.

More details: kyma-project/kyma#5585 (comment)

Reasons

Give a more control on buckets when working with AssetGroup

Related issue(s)
kyma-project/kyma#5585

Description

After migration from Asset Store and hCMS we left some mentions of asset-store in source code, due to the fact that we had to hurry and it just worked. This has to be updated.

Reasons

Improvements in source code and quality of Rafter as a project

Description

It's become very hard to update MinIO images as the dependencies are very old (minio/mc image is almost a year old), and the minio subchart is very old too (we have v2.5, newest is v5.0.15!!!). Minio-go is out of date also, but in this case I've tried updating it and no breaking changes were encountered.

The charts here and in Kyma repo are also old.

Reasons

If we want to develop this project in the future we need to work with most patched version.
Also the reason I've tried to update Minio was security -> minio images use vulnerable images, old alpines etc

Attachments

Description

Improve the AssetGroup custom resource lifecycle document in the Rafter documentation - its structure should actually more resemble the structure of two other similar docs Asset custom resource lifecycle & Bucket custom resource lifecycle which show what happens when you create, modify, and remove the given custom resource.
So far, the document shows AssetGroup CR dependencies and details so perhaps it would be better to extract its current content to a separate document and provide the create, modify, and remove subsections with proper diagrams instead.

Description

Add tracing to Asset Store.

Reasons

It will help us to monitor, debug and optimize Asset Store code.

Attachments

https://github.com/m00g3n/kyma/tree/cbs-tracing%23849

Description

• Get instruction on how to writch Rafter to use AWS S3 through Minio Gateway mode
• Have a testing pipeline that always tests any changes to asset store against gateway mode with AWS S3

Reasons

We expect users to use Rafter with Minio Gateway. Minio supports many providers but we should always make sure they are supported within Asset Store and then we need to officially mention it in documentation

Description

• Tag repo with v0.1.0 - important
• Create a release in GitHub with changelog
• specify what docker images are considered to be part of 0.1.0
• Make sure docs point to rafter and not asset store any more
• Push release helm chart to our gcs bucket with current chart
• specify in a release that what is blocking us from 1.0 release is lack of support for private buckets and not standard contract on extraction webhook
• Document release process

Reasons

it is a mature project that is already used in production for over 6months so it is time to release it officially

Description

Currently, the Asset Upload Service gives nice functionality for uploading content to Minio.

We need to have also an option to remove that uploaded content. For example, it could be done manually by making DELETE call on resource endpoint or automatically garbage collected if none of ClusterDocsTopics/DocTopics are using that.

AC

• there is an option to remove content uploaded via Asset Upload Service

Description

• Support private storage in Asset Store
• Support private storage in Asset Store Upload Service
• Support private storage in Headless CMS:
  • have default private bucket for hcms
  • mark on docstopic and clusterdocstopic info that it is private
• Provide proper documentation/tutorials/diagrams
• upload service - validate proposal against current upload service functionality that returns external url to uploaded asset. We need to decide which way to choose, external or internal and if it will even work with private buckets

Reasons

There are use cases when you want to use the Asset Store to store files privately. You should be able to store files in a bucket and allow to read it only if the reader is authorized. Some kind of proxy is needed

Description

All services have a problem with counting returned status codes other than 200 on the Grafana dashboard.

I observed this issue when I was trying to cause errors on the Upload Service then the Grafana didn't count their

Description

After consolidation, we have to simplify the codebase:

• add missing unit tests

Reasons

Improve the maintainability and extensibility of Rafter

Related issue(s)
kyma-project/kyma#5585

Description

Create a new main README.md that explains what Rafter is. Follow the official template.

Related issue(s)
kyma-project/kyma#5585

Description

• check and adjust Asset Store and Headless CMS custom metrics & Garafana dashboards.

Description

Create a Helm Chart that will work without Kyma, but can be reused in Kyma.

AC:

• All exposed values are described in chart Readme

• Leader election is enabled when controller deployment has more than one instance

• Globals from Kyma are not used

• Chart should also install CRD by default, but there should be a way to disable it with a value like install_crd true or something like that

• Once above points are done and accepted - Have it in Helm Repo (create PR). We know we depend on helm people to approve it, but still, we need to do it.

Reasons

Improve Rafter adoption in Kubernetes users.

Related issue(s)
kyma-project/kyma#5585

Description

• Asset spec should make it possible for a user to specify that he wants a default bucket created for him, so he doesn't have to do it on his own by creating Bucket CR
• Evaluate how such automated bucket creation might look like, to what extent. Maybe only for public buckets as for private the definition would be too complicated?
• Should we define a specific field in a spec or maybe best practice is to use spec.template standard and specify that the user can provide a full Bucket definition?

Reasons

Sometimes you just need to store 1 or 2 assets using an application and creating a bucket separately might be overhead.

Description

Write integration tests for Rafter:

• Private system buckets
• Mutations
• Validation

Reasons

This part of functionality hasn't been covered with integration tests. We have to make sure that it works properly.

This is a follow-up of kyma-project/kyma#2656

Description

After consolidation and migration to the new repository, makefiles probably not work and we don't have pipelines that build whole Rafter applications.

AC:

• Makefiles are adjusted to the new repository structure
• All components are built on PR/merge. Make sure PR images land in pr folder in docker registry
• Unit tests and formatters are executed and checked

Reasons

Having everything as automated and simplified as possible.

Related issue(s)
kyma-project/kyma#5585

Description

• Update docs and diagrams to describe AssetGroup instead of DocsTopic
• merge two topics into one topic, for now the proposal is Content Management
• update links to docs in rafter/readme.md
• update example in the example repo

Reasons

• We have now all features in one component
• Make logical split between Rafter without Kyma and Rafter in Kyma

Description

This task is followup to kyma-project/kyma#5085 - what needs to be done:

• follow https://istio.io/docs/tasks/telemetry/metrics/querying-metrics/ to enable istio metrics, enable sidecars if needed https://github.com/kyma-project/kyma/blob/master/resources/assetstore/charts/asset-metadata-service/templates/deployment.yaml#L15

Copy pasted stretch, which is now in scope too:

• have tracing enabled so I can see time spent on asset between fetching and uploading to minio, to measure which step is a bottleneck in performance. Make sure sampling is set to 100 in performance cluster (check if possible)
• have sidecars where needed for tracing if needed

Reasons

Have metrics for controllers and services to be able to see how solution behaves and if the load handling matches the defined SLO

TL;DR;

Remove defining webhooks by custom ConfigMap and switch to CRs - Cluster(WebHook) and Cluster(WebHooksScenario).

Reasons

At the moment webhooks are applied in Rafter by custom ConfigMap or inline in (Cluster)Assets (this is not a problem). Problems with ConfigMap (and not only):

• webhooks (for (Cluster)AssetGroups) are applied in global scope (in meaning: applied for all cluster and namespaces resources), and user cannot disable webhook for appropriate ClusterAssetGroup or AssetGroup.
• poor configuration for scenario (in meaning: order in which Rafter processes them) - at the moment we have hardcoded this part: first is mutation, then validation, and at the end metadata (extractor).
• we haven't Procedural webhook for custom action (not only for mutation, extractor or validation) - for examples: request to another service if asset will be md file. So from my perspective, user should have possibility to write custom hook.
• we have hardcoded external ports through which Rafter communicate with services (and user cannot change it) - I would like to ask for correction because I did not find anything about it in the code, but I have heard it several times and I am not sure now whether it is true

New types

Rafter would have such webhooks:

• Mutation webhook - modifies fetched assets before the Asset Controller uploads them into the bucket.
• Extraction webhook - extract metadata from assets and inserts it under the status.assetRef.files.metadata field in the Asset/ClusterAsset CR.
• Procedural webhook - perform custom actions like checking if content of file meets some criteria (like an old validation hook).

and CRs pointed to character of webhooks:

• ClusterWebHook/WebHook CR - specific characteristic of webhook with fields:
  • spec.type - type of webhook (types are describe above): mutation | extraction | procedural.
  • spec.sourceTypes - array of types admitted to the webhook (based on type field of source in (Cluster)AssetGroup CR and in (Cluster)Asset - we must also fix it, because we have only type field on sources of AssetGroup CR). OPTIONAL field, because user can allows all types.
  • endpoint - endpoint to perform action. Example https://example.com/v1/convert.
  • spec.serviceRef - reference to service which exposes endpoint for mutation/extraction/other actions.
  • spec.serviceRef.name - name of service.
  • spec.serviceRef.namespace - namespace of service.
  • spec.serviceRef.endpoint - endpoint of service to perform action.
  • spec.parameters - additional parameters (in object) which are passed to endpoint. OPTIONAL field.
  • spec.filter - determines what files are to be sent from the asset to the webhook by regex. OPTIONAL field.

NOTE: One of spec.endpoint or spec.serviceRef must be specified. Otherwise an error will occur.

Examples:

apiVersion: rafter.kyma-project.io/v1beta1
kind: ClusterWebHook/WebHook
metadata:
  name: asyncapi-converter
  namespace: kyma-system # if kind is WebHook
spec:
  type: "mutation"
  sourceTypes:
    - asyncapi
  endpoint: https://example.com/v1/convert
  filter: "\\.yaml$"
  parameters:
    foo: bar

apiVersion: rafter.kyma-project.io/v1beta1
kind: ClusterWebHook/WebHook
metadata:
  name: asyncapi-converter
  namespace: kyma-system # if kind is WebHook
spec:
  type: "mutation"
  sourceTypes:
    - asyncapi
  serviceRef:
    name: rafter-asyncapi-service
    namespace: kyma-system
    endpoint: "/v1/convert"
  filter: "\\.yaml$"
  parameters:
    foo: bar

• ClusterWebHooksScenario/WebHooksScenario CR - scenario of webhooks (in meaning: order in which Rafter processes them):
  • spec.scenario - list of webhooks pointed by name. Element of list must contains:
    • webhookRef - reference to ClusterWebHook/WebHook CR.
    • webhookRef.kind - ClusterWebHook or WebHook type.
    • webhookRef.name - name of webhook.
    • webhook - implementation of spec field of ClusterWebHook/WebHook.

Example:

apiVersion: rafter.kyma-project.io/v1beta1
kind: ClusterWebHooksScenario/WebHooksScenario
metadata:
  name: sample-webhook-scenario
  namespace: kyma-system # if kind is WebHooksScenario
spec:
  scenario: 
  - webhookRef: 
      kind: ClusterWebHook
      name: markdown-front-matter-extractor
  - webhookRef:
      kind: WebHook 
      name: asyncapi-converter # WebHook in kyma-system namespace
  # we can also create anonymous WebHooks in scenario with this same fields like in `ClusterWebHook/WebHook`
  - webhook:
      type: "mutation"
      sourceTypes:
        - asyncapi
      serviceRef:
        name: rafter-asyncapi-service
        namespace: kyma-system
        endpoint: "/v1/convert"
      filter: "\\.yaml$"
      parameters:
        foo: bar
  - webhook:
      type: "mutation"
      sourceTypes:
        - asyncapi
      endpoint: https://example.com/v1/convert
      filter: "\\.yaml$"
      parameters:
        foo: bar

As we can see, we have a limitation for scenarios:

• for WebHooksScenarios we can bind ClusterWebHooks and WebHooks (of course with this same namespace as WebHooksScenario).
• for ClusterWebHooksScenarios we can bind only ClusterWebHooks.

Failure of one hook in the scenario interrupts further operations and sets resource status to Failed.

Procedural webhook

I introduce Procedural webhooks, because they allow custom actions independent of the webhook type and I think that separating the validation process into a separate one (webhook type) is not necessary, so validation hook will be implemented in a procedural hook from now.

Binding WebHooks in (Cluster)Assets and (Cluster)AssetGroups

As I mentioned in Reason section, webhooks defined in ConfigMap are applied in global scope (in meaning: applied for all cluster and namespaces Assets CR) and user cannot disable webhook for appropriate ClusterAssetGroup or AssetGroup.

So, my proposition is inject webhooks by ClusterWebHooksScenario/WebHooksScenario and/or single ClusterWebHook/WebHook:

For ClusterAsset/Asset

apiVersion: rafter.kyma-project.io/v1beta1
kind: Asset
metadata:
  name: sample-asset
  namespace: kyma-system
spec:
  ...
  webhooks:
    - scenarioRef:
        kind: WebHooksScenario
        name: sample-webhook-scenario
    - webhookRef:
        kind: ClusterWebHook
        name: markdown-front-matter-extractor
    - webhook:
        type: "mutation"
        endpoint: https://example.com/v1/convert
        filter: "\\.yaml$"
        parameters:
          foo: bar

For ClusterAssetGroup/AssetGroup

apiVersion: rafter.kyma-project.io/v1beta1
kind: AssetGroup
metadata:
  name: sample-assetgroup
  namespace: kyma-system
spec:
  ...
  webhooks:
  - scenarioRef:
      kind: WebHooksScenario
      name: sample-webhook-scenario
  sources:
  - ...
    webhooks:
      - webhookRef:
          kind: ClusterWebHook
          name: markdown-front-matter-extractor
      - webhook:
          type: "mutation"
          endpoint: https://example.com/v1/convert
          filter: "\\.yaml$"
          parameters:
            foo: bar

In case, when user defines webhooks for single assets, then webhooks injected in ClusterAssetGroup/AssetGroup will be completely overwritten for them (this same behavior like now).

Service specification requirements

• service for Mutation webhook must expose endpoints that:

  • accept parameters and content properties, where parameters is additional parameters defined in ClusterWebHook/WebHook CR or inline in ClusterWebHooksScenario/WebHooksScenario CR, and content is a content of file.
  • return the 200 response with new file content.
  • return the 304 response informing that the file content was not modified.

• service for Extraction webhook must expose endpoints that:

  • accept parameters and content properties, where parameters is additional parameters defined in ClusterWebHook/WebHook CR or inline in ClusterWebHooksScenario/WebHooksScenario CR, and content is a content of file.
  • return the 200 response confirming that validation succeeded.
  • return the 422 response informing why validation failed.

• service for Procedural webhook must expose endpoints that:

  • accept parameters and content properties, where parameters is additional parameters defined in ClusterWebHook/WebHook CR or inline in ClusterWebHooksScenario/WebHooksScenario CR, and content is a content of file.
  • return the 2** response with custom message about successful operation.
  • return the 4** response with custom message about failed operation.

Comments and suggestions are welcome!

I am still thinking about the 4th type of webhook: StatusWebhook, which would perform custom action like Proceural, but based of status of (Cluster)Asset or (Cluster)Asset, but I know it can be done in a different way, unrelated to the Rafter himself, so for now I abandoned investment in this case.

In addition, we must define the option of defining default hooks per namespace or cluster (at the moment we have injecting them in all Cluster(AssetGroup) by ConfigMap). A labels probably will be the best for that case, but we can think about that together :)

@derberg commented on Tue Jun 18 2019

Description

• Status of the ClusterAssetGroup and AssetGroup should change whenever the resource is updated and underlying Asset cr is processed again
• Check if the same is not the case with Asset resources

Reasons

At the moment status of resources is not properly updated. If you for example remove one source, or do some other changes and at the end you know that Asset resource is processed, the status should switch to Pending and then again to Ready or Failed.

Description

It happened really often that tests for Gateway mode are failing on CI. We should make them more resilient.

Things to consider:

• retry in gateway mode - communication with GCP/Azure
• force Kind version

Expected result

Tests are stable

Actual result

Tests are failing on communication with GCP/Azure

Steps to reproduce

Execute tests on PR

Troubleshooting

Description

Implement integration tests and pipelines for whole Rafter. Execute tests on Kind.

Be careful with credentials in Gateway modes.

AC:

• Reuse integration tests we have on Kyma
• Tests are working in and outside the cluster
• For CI Kind is used
• Gateway modes are also tested
• Make sure we generate JUnit reports

Reasons

Automated validation if Rafter works.

Related issue(s)
kyma-project/kyma#5585

Description

This task is a follow up to this PR which introduced the possibility of adding the source files of (Cluster)Assets CRs as ConfigMaps.

Find a good place in Rafter docs (here as it is not used in Kyma, or just a general remark in Kyma docs that such an option is possible) to document:

• the new configmap mode in Asset CRs and ClusterAsset CRs.
• info that filtering on those CRs also works for this mode (regex)
  (+) - proper tutorial/example - extend the website example and Katakoda tutorials

Reasons

Document the new functionality that allows you to add sources of (Cluster)Asset CRs in a ConfigMap.

Description
Currently, the Asset has no readable and unique name. We need it to distinguish different assets in ServiceCatalog UI (tab titles, to be precise).
Please read kyma-project/console#1617 to deeper understand the problem.

Reasons

Related issue(s)

Rafter PR: #72
Documentation + Bumpss in Kyma: kyma-project/kyma#7864
Console issue: kyma-project/console#1617

Description

• upload service docs and spec should not mention private buckets at all as there is no point to store private data if controller anyway cannot access them
• in main overview make clear note statement that at the moment Rafter supports only public storage
• in gateway mode docs specify that we suggest using separate subscriptions in cloud providers to not configure with minio existing subscription where some buckets not managed by Rafter are already created, to make sure that admin of rafter has access only to data managed by rafter

Reasons

Make sure customers do not misunderstand the scope of the component and do not store private data with Rafter

Recently, I noticed that all issues were closed with the message:

We dont want to invest in rafter within Kyma organisation.
The rafter use case is no longer valid for kyma runtime

For example #50 (comment)

What that it means for the Rafter? Is there a plan to move it to a different organization? Or maybe it will be archived?

Since the beginning, Rafter was designed to work as a standalone project that doesn't require Kyma, so maybe it is no longer valid for Kyma, but it still can be used by someone in the community.

Description

We will be implementing all of the logic for pipelines in bash, as it is faster to do so right now, and we really need to get it asap, but it is not a good solution overall. This POC shows that it is possible, and not that hard to achieve.

Reasons

Bash is sick magic, Go is more testable/easier to read/less error prone etc, etc, so we should migrate to that eventually in every aspect of development.

Description

This issue is a follow-up of issue 9 for adding README.md files to Rafter components under the cmd folder.

The following need to be verified and added in these README.md files:

• Tables with environment variables - some of them can be outdated
• The section in each README.md on how to verify your code when developing a given component - this depends on the testing approach we accept for Rafter - whether we decide to test given make targets or test the whole Rafter each time.
• Remove the testing section from the controller manager doc as this part is generic and should be included in the development guide

Issue(s)
Follow-up of #9