New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
object: remove default value us-east-1 as region from s3 client #9754
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change is not passing CI.
572bbae
to
e8ba957
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
us-east-1
is still used in the integration tests in ceph_base_object_test.go. How about changing that to something else so we can see the non-default works?
@@ -157,9 +157,9 @@ func (b *BucketOperation) CheckBucketNotificationSetonRGW(namespace, storeName, | |||
s3AccessKey, _ := helper.BucketClient.GetAccessKey(obcName) | |||
s3SecretKey, _ := helper.BucketClient.GetSecretKey(obcName) | |||
if tlsEnabled { | |||
s3client, err = rgw.NewInsecureS3Agent(s3AccessKey, s3SecretKey, s3endpoint, "", true) | |||
s3client, err = rgw.NewInsecureS3Agent(s3AccessKey, s3SecretKey, s3endpoint, storeName, true) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If a different region is specified in the storage class, will this client connection work with the store name? Or does it need to match the storage class?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@travisn : I wondered magic behind us-east-1
as region value. The actual value for s3 client needs to storeName
and ideally we should have filled same value for storage class. The us-east-1
works for RGW, I am guessing it skips checks(or maybe bug)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@travisn : [Another update]: us-east-1
as a region no longer valid in master, it works with pacific though. So IMO we might see a similar issue when we start using new ceph versions
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So if we remove region from the default examples in rook, it will work with ceph pacific and master? Or will we need different examples for pacific vs quincy? And to be clear, does the ceph master change also affect quincy, or just post-quincy?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, it will work, this fills internal by Rook. Earlier we are using us-east-1
from this patch we add the actual zone of the rgw server that's the difference.
The us-east-1
worked in quincy as well, but I don't see much code difference in that path for master and Quincy. Need to have a bit of time to understand that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The documented examples we are working on in the other comments only apply to Quincy and newer, correct? So what is the behavior for region in Pacific? The docs need to give that detail, especially since Pacific is still the default version with Rook.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@travisn : Sorry if I created confusion before for RGW in any versions, region
is the zone group
but (again true for all versions) if we give region as us-east-1
it will bypass some checks in RGW and request succeed. I felt it is kind of a hack. But without knowing much about this context Rook was setting us-east-1
for the internal aws s3 SDK and this was working fine for our use case. But this may create confusion for users when they use us-east-1
works but other region's requests are failing. By this PR we are avoiding hack and using the required value
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm still confused about how users can understand the region. If us-east-1
is a workaround and a hack, maybe we should just keep that for the simple, local rgw case. What does the user gain by using a different region? Seems like it should only be important for external or multi-site where we need the region name in order to connect. But if it's just the local cluster, can we hide the region from the user so they don't need to worry about it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's find a time to discuss this next week since I'm having such a hard time. :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@travisn: Sure :). Sounds good to me
@@ -9,7 +9,7 @@ reclaimPolicy: Delete | |||
parameters: | |||
objectStoreName: my-store | |||
objectStoreNamespace: rook-ceph # namespace:cluster | |||
region: us-east-1 | |||
# region: us-east-1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this needs to match with the zone group, perhaps we should add documentation here in the example and also in the official docs to help users set this value correctly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@BlaineEXE : I will try to add #9556 with this change
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@thotz Since the default is us-east-1
, should we just leave this default uncommented?
# region: us-east-1 | |
region: us-east-1 |
@travisn : do u want to check whether with regions and see s3 client works or not right? It's more or like s3 client kind of test, but I can definitely add those |
Yes sounds to add some testing for this. |
The only |
dcc908a
to
238178d
Compare
@@ -157,9 +157,9 @@ func (b *BucketOperation) CheckBucketNotificationSetonRGW(namespace, storeName, | |||
s3AccessKey, _ := helper.BucketClient.GetAccessKey(obcName) | |||
s3SecretKey, _ := helper.BucketClient.GetSecretKey(obcName) | |||
if tlsEnabled { | |||
s3client, err = rgw.NewInsecureS3Agent(s3AccessKey, s3SecretKey, s3endpoint, "", true) | |||
s3client, err = rgw.NewInsecureS3Agent(s3AccessKey, s3SecretKey, s3endpoint, storeName, true) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So if we remove region from the default examples in rook, it will work with ceph pacific and master? Or will we need different examples for pacific vs quincy? And to be clear, does the ceph master change also affect quincy, or just post-quincy?
1b7bcce
to
cd70ca5
Compare
cd70ca5
to
380dd49
Compare
@@ -157,9 +157,9 @@ func (b *BucketOperation) CheckBucketNotificationSetonRGW(namespace, storeName, | |||
s3AccessKey, _ := helper.BucketClient.GetAccessKey(obcName) | |||
s3SecretKey, _ := helper.BucketClient.GetSecretKey(obcName) | |||
if tlsEnabled { | |||
s3client, err = rgw.NewInsecureS3Agent(s3AccessKey, s3SecretKey, s3endpoint, "", true) | |||
s3client, err = rgw.NewInsecureS3Agent(s3AccessKey, s3SecretKey, s3endpoint, storeName, true) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The documented examples we are working on in the other comments only apply to Quincy and newer, correct? So what is the behavior for region in Pacific? The docs need to give that detail, especially since Pacific is still the default version with Rook.
380dd49
to
89a7cbe
Compare
Currently s3 client apis sets default value as `us-east-1`. This patch removes that, region need to map with zonegroup in the RGW server so we set that accordingly Signed-off-by: Jiffin Tony Thottan <thottanjiffin@gmail.com>
The default value for region in RGW is us-east-1, if users want to use other regions then they need to create zone/zonegroup accordingly before defining it in storage class. Fixes: rook#9486 Signed-off-by: Jiffin Tony Thottan <thottanjiffin@gmail.com>
89a7cbe
to
5a2f5ad
Compare
bucketName: ceph-bucket [4] | ||
reclaimPolicy: Delete [5] | ||
``` | ||
1. `label`(optional) here associates this `StorageClass` to a specific provisioner. | ||
1. `provisioner` responsible for handling `OBCs` referencing this `StorageClass`. | ||
1. **all** `parameter` required. | ||
1. `region`(optional) defines the region in which the bucket should be created. For RGW, this maps to [zonegroup](https://docs.ceph.com/en/latest/radosgw/multisite/#zone-groups) of the server. If user does not define `region`, Rook will fill this value accordingly. Please check example at the end of the doc. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shall we mention the default here? Otherwise, I'm not sure what it means for Rook to "fill this value".
1. `region`(optional) defines the region in which the bucket should be created. For RGW, this maps to [zonegroup](https://docs.ceph.com/en/latest/radosgw/multisite/#zone-groups) of the server. If user does not define `region`, Rook will fill this value accordingly. Please check example at the end of the doc. | |
1. `region`(optional) defines the region in which the bucket should be created. For RGW, this maps to [zonegroup](https://docs.ceph.com/en/latest/radosgw/multisite/#zone-groups) of the server. If user does not define `region`, the default is `us-east-1`. Please check example at the end of the doc. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@travisn : I don't what I missed earlier if the user does not define the region, Rook will fill it from Zonegroup
from ceph object store context
and don't use us-east-1
at all(at least that was my first intention of PR).
us-east-1
is not the default value from RGW(at least not in RGW code base). It is a value that always works mysteriously. Maybe because a lot of s3 clients use this as default for region
, but again not defined as default by RGW
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, does that mean rook can just take care of this internally? Why do we need to expose the region
setting at all?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@travisn : The region
defined in storage class
of libbucket provisioner. Not sure whether Rook can hide it from user, maybe we can ignore the value. But this was available earlier release not sure whether it right to remove the variable. AFAIR I have sent #8766 as per request from the user, he wants to set the custom region for his use case.
@@ -9,7 +9,7 @@ reclaimPolicy: Delete | |||
parameters: | |||
objectStoreName: my-store | |||
objectStoreNamespace: rook-ceph # namespace:cluster | |||
region: us-east-1 | |||
# region: us-east-1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@thotz Since the default is us-east-1
, should we just leave this default uncommented?
# region: us-east-1 | |
region: us-east-1 |
@@ -8,7 +8,7 @@ reclaimPolicy: Retain | |||
parameters: | |||
objectStoreName: my-store # port 80 assumed | |||
objectStoreNamespace: rook-ceph # namespace:cluster | |||
region: us-east-1 | |||
# region: us-east-1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
# region: us-east-1 | |
region: us-east-1 |
} else { | ||
s3client, err = rgw.NewS3Agent(s3AccessKey, s3SecretKey, s3endpoint, "", true, nil) | ||
s3client, err = rgw.NewS3Agent(s3AccessKey, s3SecretKey, s3endpoint, storeName, true, nil) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is the storeName used here, but the zonegroup is used in the example for using a different region? Shouldn't this use the zonegroup as well? Or in the test, the storeName and zonegroup are the same anyway?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah this should be zone group, since we testing only internal ceph cluster without multisite, I just set directly storeName
which is value of zonegroup
as well
1. `bucketName` is required for access to existing buckets but is omitted when provisioning new buckets. | ||
Unlike greenfield provisioning, the brownfield bucket name appears in the `StorageClass`, not the `OBC`. | ||
1. rook-ceph provisioner decides how to treat the `reclaimPolicy` when an `OBC` is deleted for the bucket. See explanation as [specified in Kubernetes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#retain) | ||
+ _Delete_ = physically delete the bucket. | ||
+ _Retain_ = do not physically delete the bucket. | ||
|
||
##### Example: Custom Region | ||
If user is providing the `region` value other than `us-east-1` then additional CRDs for zonegroup/zone/realm need to be created. For example, here user is providing `region` value as `us-west-1`. So make sure following [multisite related CRDs](ceph-object-multisite-crd.md) are defined as well. The Rook Operator will create required `zonegroup` for RGW server. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If user is providing the `region` value other than `us-east-1` then additional CRDs for zonegroup/zone/realm need to be created. For example, here user is providing `region` value as `us-west-1`. So make sure following [multisite related CRDs](ceph-object-multisite-crd.md) are defined as well. The Rook Operator will create required `zonegroup` for RGW server. | |
To specify a `region` other than `us-east-1`, a custom zone group must be created that matches the desired region name. In the following example, the `region` is set to `us-west-1`. For more details, see the [related multisite CRDs](ceph-object-multisite-crd.md). |
if len(sc.Parameters[key]) > 0 { | ||
p.region = sc.Parameters[key] | ||
} else { | ||
// If user does not define, then set region to Zonegroup, since RGW internally maps | ||
// aws region to ZoneGroup | ||
p.region = p.objectContext.ZoneGroup | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm a little bit confused. What is the point of overriding region
if the default is mapped to ZoneGroup
and if the user has to create a ZoneGroup resource if they want to override region? Would it be simpler to just remove this parameter and rely on users to create a ZoneGroup
instead?
Is this only useful if there are multiple zone groups? What happens in the case where there are multiple zone groups? Then what is the default?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@BlaineEXE : region
is an optional value for storage-class. If it is not defined then we need to fill up with Zonegroup
from object store context, This value changes in different scenarios:
1.) normal cluster, it is name of object store
2.) external cluster it is default
3.) if multiple zones are configured then it depends on value set in object-store CR.
If the user wants to use a custom region then he defines Zonegroup
that's different scenario. Hope this avoids the confusion
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In all three of those cases, I don't think we need to have the region
parameter.
- If external cluster with no zone group defined, use
default
- If external cluster with external zone group defined, use the zone group
- If internal cluster with no zone group defined, use name of object store
- If internal cluster with zone group defined, use the zone group
Is this not correct? Are there any cases missing?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@BlaineEXE : Please see #9754 (comment) why the region is needed.
Above cases are right, but please note 2.) is not support in Rook atm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we can fill in a default value for "region" from the zone group, is region even a valid parameter?
bucketName: ceph-bucket [4] | ||
reclaimPolicy: Delete [5] | ||
``` | ||
1. `label`(optional) here associates this `StorageClass` to a specific provisioner. | ||
1. `provisioner` responsible for handling `OBCs` referencing this `StorageClass`. | ||
1. **all** `parameter` required. | ||
1. `region`(optional) defines the region in which the bucket should be created. For RGW, this maps to [zonegroup](https://docs.ceph.com/en/latest/radosgw/multisite/#zone-groups) of the server. If user does not define `region`, Rook will fill this value accordingly. Please check example at the end of the doc. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
1. `region`(optional) defines the region in which the bucket should be created. For RGW, this maps to [zonegroup](https://docs.ceph.com/en/latest/radosgw/multisite/#zone-groups) of the server. If user does not define `region`, Rook will fill this value accordingly. Please check example at the end of the doc. | |
1. `region`(optional) defines the region in which the bucket should be created. For RGW, this maps to the [zone group](https://docs.ceph.com/en/latest/radosgw/multisite/#zone-groups) of the server. If user does not define `region`, Rook will fill this value accordingly. Please check example at the end of the doc. |
bucketName: ceph-bucket [4] | ||
reclaimPolicy: Delete [5] | ||
``` | ||
1. `label`(optional) here associates this `StorageClass` to a specific provisioner. | ||
1. `provisioner` responsible for handling `OBCs` referencing this `StorageClass`. | ||
1. **all** `parameter` required. | ||
1. `region`(optional) defines the region in which the bucket should be created. For RGW, this maps to [zonegroup](https://docs.ceph.com/en/latest/radosgw/multisite/#zone-groups) of the server. If user does not define `region`, Rook will fill this value accordingly. Please check example at the end of the doc. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is still not very clear. What is the region set to if the user doesn't define it? "Accordingly" isn't clear enough.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@BlaineEXE : earlier version was Rook Operato fill this value from object store context internally
. But @travisn suggested it better not to give internal code details for the end-user. Hence changed like this. I can revert back the change
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Even the text "fill this value from object store context internally" doesn't explain to the user what the value will be. In order for the user to understand when they need to modify the value, they must understand what the default value is. In words good for a user, what value will be the default?
This is also assuming that region
is even a necessary parameter to have still.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay will update it again next push
bucketName: ceph-bucket [4] | ||
reclaimPolicy: Delete [5] | ||
``` | ||
1. `label`(optional) here associates this `StorageClass` to a specific provisioner. | ||
1. `provisioner` responsible for handling `OBCs` referencing this `StorageClass`. | ||
1. **all** `parameter` required. | ||
1. `region`(optional) defines the region in which the bucket should be created. For RGW, this maps to [zonegroup](https://docs.ceph.com/en/latest/radosgw/multisite/#zone-groups) of the server. If user does not define `region`, Rook will fill this value accordingly. Please check example at the end of the doc. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add a link to the example in the doc for users.
1. `bucketName` is required for access to existing buckets but is omitted when provisioning new buckets. | ||
Unlike greenfield provisioning, the brownfield bucket name appears in the `StorageClass`, not the `OBC`. | ||
1. rook-ceph provisioner decides how to treat the `reclaimPolicy` when an `OBC` is deleted for the bucket. See explanation as [specified in Kubernetes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#retain) | ||
+ _Delete_ = physically delete the bucket. | ||
+ _Retain_ = do not physically delete the bucket. | ||
|
||
##### Example: Custom Region | ||
If user is providing the `region` value other than `us-east-1` then additional CRDs for zonegroup/zone/realm need to be created. For example, here user is providing `region` value as `us-west-1`. So make sure following [multisite related CRDs](ceph-object-multisite-crd.md) are defined as well. The Rook Operator will create required `zonegroup` for RGW server. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do users need to create all of the resources, or only zone group?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I understand correctly zonegroup
is not an independent resource. Rooks mandates to have realm
for zonegroup
and in RGW does not make sense to have zonegroup
without zones
(zonegroup is collection of zones and zone is collection of RGW servers in short)
@thotz I was taking at glance at this PR and I don't quite understand the use case/problem this is trying to solve, even after reading the doc changes. Could you summarize what the object-store/obc's couldn't do before this PR was written and what the PR solves? |
|
@BlaineEXE @travisn : I have minor nits need to address in this PR. But before refreshing the PR I want to make sure everyone is on the same page |
It is still unclear what is wrong currently. The description in #9754 (comment) isn't quite enough for me to understand. Please be very clear about whether behavior is broken or not. Is there broken behavior? Can you make a test case that causes any failures? If yes, outline the failing case. Once we understand what is wrong, we can do a much better job of reviewing the PR for behavior and usability and not merely code. |
The second part is clear I guess. The reason for the why Now talking about the first part, most of the cases will work with current(i.e using |
@thotz as I explained in the message you replied to, it is not clear to those of us trying to understand what is going on. Please summarize again, and be thorough. Several of us have concerns about this approach, and we need better information to make sure we are applying the correct fix for this.
From that discussion, it has become clear to me that there is something wrong with the
I should have been more clear. I am not interested in seeing a unit test. Unit tests cannot show the actual behavior of a running RGW. I want to see the details for creating an end-to-end scenario where there is a failure. From the discussion linked, it seems that we are be able to induce some failure by setting In order to determine if we need changes other than removing the value entirely, we want to need to have a failing scenario with Once we have better defaults, the question becomes: can we make another failing scenario (internal or external ceph cluster) such that we can't compute the default ourselves? If we can, then users will need an option to override |
This documentation for RHCS 3 states that the RGW now uses the terminology "zone-group" instead of "region". https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3/html/object_gateway_guide_for_red_hat_enterprise_linux/rgw-multisite-rgw Since Rook now has multisite configs zone/zonegroup/realm, I think we probably no longer need the "realm" option in the OBC storageclass. I think it's probably vestigial. I think that we likely only need to figure out what the zone group is and use that value. My best guess at what a failing scenario would be is to :
I suspect this scenario will cause a failure because the S3 client in cluster B won't be able to connect properly to the RGW in cluster A since the zone group in cluster A is not "default". (This PR did some related work recently: #9751) From the information I have, I think the most appropriate fix for this would be to make sure that creating a zone and zone group that reference the external cluster are created in cluster B. And we must also update docs and examples to remove the "realm" config. @alimaredia has an open PR to better allow configuring zone/zonegroup endpoints for external clusters. I'm not sure if that PR is directly related to this discussion. #9622 @alimaredia does this breakdown make some sense to you? |
After discussing with developers from Rook and RGW planning to close this PR infavour of #9906 |
Currently s3 client apis sets default value as
us-east-1
. This patchremoves that, region need to map with zonegroup in the RGW server so we
set that accordingly
Signed-off-by: Jiffin Tony Thottan thottanjiffin@gmail.com
Description of your changes:
Which issue is resolved by this Pull Request:
Resolves #
Checklist:
make codegen
) has been run to update object specifications, if necessary.