
application-connector-manager's People

Contributors

ajinkyapatil8190, akgalwas, dependabot[bot], disper, grego952, koala7659, kyma-bot, m00g3n, mmitoraj, mvshao, nataliasitko, pbochynski, void404


application-connector-manager's Issues

App Connector Module - Add Compass Runtime Agent to the module

Description
The module must contain the Compass Runtime Agent

Acceptance criteria

  • Application Connector Module contains the Compass Runtime Agent
  • The Compass Runtime Agent's deployment is scaled to zero when the secret with the configuration doesn't exist

Update the AC module documentation to the current state of the module

Description

This issue is a follow-up to #6. The documentation of the AC module must be updated to the current state of the module.

Area

  • Application Connector module

Reasons
Currently, not all features are available in the module. As soon as they are, they must be documented.

AC

  • describe the new ApplicationConnector CR
  • Remove "**NOTE:** At this stage of development, the ApplicationConnector Custom Resource Definition (CRD) contains only one parameter for testing." from README
  • Update the 01-10-installation.md doc
  • Remove mentions of the disableLegacyConnectivity flag
  • Update Configurable parameters in the 05-10-application-connector-chart.md doc
  • Provide missing descriptions for CompassConnection CRD

Assignees

@grego952

Attachments
#22
#6

Fix GH Actions to be required for merge

At the moment the GH Action running integration tests on k3d can fail on a PR and it does not prevent the code merge.

  • Fix GH Action to be required for merge
  • Review other GH Actions if they are set up correctly

[Test Case] - Test the integrations with SAP systems

Description

Implement tests integrating external Java application with Kyma.

We do not have an automated test for testing such integrations and we want to track such scenarios.

Reasons

There are some integrations written in Java that are working with Kyma. The main reason is we want to make sure that we do not break any existing integrations.

App Connector Module - Implement host name setup for Istio Gateway with Kyma cluster domain

Description

We need to set up the Application Connector Istio Gateway with the correct cluster domain name. In the existing POC the gateway hostname is statically set to some example value.

      hosts:
        - "gateway.kyma.example.com"

This will require modifying the YAML object installed by the operator.

Acceptance criteria

  • Investigation
    • Investigation is required how the domain name will be provided. Possible approaches might be:
      • In Application Connector CR
      • Read from the Kyma Cluster
      • Provided by control plane
  • Implement according to specification

Suggestion:

For the host name use value passed in Module CR, when missing use value from Istio kyma-gateway

App Connector Module - [Optional task] Ensure that Runtime Agent is enabled even if Istio is missing

This functionality should be implemented if we decide to enable the module using the old reconciler.

That means that Compass Manager was not ready on the control plane to create a Compass Connection token for the enabled module at the checkpoint time.

In such a case we want to install only the Operator that will install all services for the module, to avoid a dependency on the Istio module.

When Istio is missing, we cannot install the Application Connector module, but at the same time we must ensure that the Runtime Agent service is enabled to use the one-time token before it expires.

We should make sure that the operator is able to detect missing Istio and install only the Runtime Agent service from the module.

Ensure that central-application-connectivity-validator service is scaling correctly under high load of events

Description

I observed the following problem with the central-application-connectivity-validator service after HPA scales it under a high load of events: pods are created correctly but new replicas cannot get any HTTP requests. When initially scaled, all replicas get requests. We need to investigate and fix it.

This issue might be happening because of multiple reasons:

  • Testing setup
  • Gardener cluster configuration
  • Kubernetes configuration
  • Bad autoscaler used

This issue can be done as part of the migration of validator into Kyma module

Implement Application Connector module logic

Description

We need to implement Application Connector Operator responsible for deploying Application Connector components.

Acceptance criteria:

  • The operator must install the following components:
    • Application Gateway
    • Connectivity Validator
    • Compass Runtime Agent
  • Application Connector module configuration CRD must contain all parameters defined in Application Connector's charts
  • Application Connector component must not be installed if Istio CRDs such as Istio Gateway or Istio Virtual Service are not available in the cluster
  • Application Connector components can be installed even if configuration for Compass Runtime Agent is not available yet
  • Module Template CR must contain accurate status information.

Reasons

This issue is a part of this epic.

Add caching layer to central-application-gateway to improve performance

Description
Application Gateway must cache Kubernetes API server calls to improve performance. The following objects data must be cached:

  • Application CRD objects
  • Credentials

Reasons
Some experiments were performed to understand the performance characteristics of the Application Gateway. Mock target API deployed inside Kubernetes cluster was used to measure operations performed by the Application Gateway. The experiments were performed with ddosify tool.

Although Application Gateway uses Horizontal Autoscaling, the experiments revealed that the maximal number of requests per second was much smaller than expected. Analysis showed that the problem is directly caused by the long response time of Kubernetes API server calls.

Depends on
#118 - if load test shows we are performing well, adding a caching layer could become obsolete

App Connector Module - Add Runtime Agent [EPIC]

Description

After enabling Compass Manager on KCP we are finally ready to make Runtime Agent a part of the Application Connector module.

This task will include:

Required for first release:

  • Insert manifests for Runtime Agent to .yaml file managed by application-connector-manager
  • Add code to enable and disable Runtime Agent deployment based on the existence of a secret compass-agent-configuration (the Compass Runtime Agent's deployment is scaled to zero when the secret with the configuration doesn't exist)
  • fixes of tests #17 (@koala7659, @m00g3n)
  • (can be done in parallel)

Rollout of ACM:

  • #212
  • Cleanup
    • Remove Compass Runtime Agent helm chart from installed Kyma Resources (make sure they are not installed anymore)
      • PR-208 - Move ACM CRDs from kyma repository
      • PR-18606 - Remove compass-runtime-agent from kyma resources
      • code-review
    • #195

Default Application Connector gateway TLS adjustments

Since Kyma 2.15, the ECDHE-RSA-AES256-SHA and ECDHE-RSA-AES128-SHA cipher suites are deprecated because of Kyma security team recommendations.
In Kyma 2.19 they were removed from kyma-gateway.

We should follow that change and adjust the Application Connector Istio gateway to remove the deprecated cipher suites from it.

For more details:
Kyma 2.19 release notes - https://github.com/kyma-project/kyma/releases/tag/2.19.0
Issue for Kyma Gateway - kyma-project/kyma#17616
Pull request for Kyma Gateway - kyma-project/kyma#18085

App Connector Module - Application Connector migration plan

At this point we think there is no need to do anything. The migration is not needed as:

  • the only thing that changes is the tool that applies AC components (Reconciler->AC module Operator)
  • the contents of the chart used by the Reconciler are identical to the yaml applied by the AC module Operator

sidecar.istio.io/inject is set to false by default in Central-Application-Gateway

Description

Components in kyma-system must have sidecar.istio.io/inject set to true by default to work correctly. After installing Central-Application-Gateway on the cluster, we can observe that the deployment (on the cluster) in the labels section has the entry sidecar.istio.io/inject: "false", and in the annotations section has sidecar.istio.io/inject: "true". The deployments.yaml file for Central-Application-Gateway contains only an entry for Istio sidecar in the annotations section set to true. This condition makes Central-Application-Gateway have sidecar disabled by default.

Central-Application-Gateway deployment.yaml

    metadata:
      annotations:
        sidecar.istio.io/inject: "true"
      labels:
        app: {{ .Chart.Name }}
        release: {{ .Release.Name }}

Actual deployment on cluster

    metadata:
      creationTimestamp: null
      labels:
        app: central-application-gateway
        release: application-connector
        sidecar.istio.io/inject: 'false'
      annotations:
        sidecar.istio.io/inject: 'true'

After investigating, I discovered that in Busola, in the deployment edit window, there is a switch that can change the value of the sidecar.istio.io/inject entry from true to false. However, it adds/modifies the Istio entry only in the label section.

Kyma version: 2.7.0
Kubernetes version: v1.22.12

Expected result

sidecar.istio.io/inject is set to true by default

Actual result

sidecar.istio.io/inject is set to false by coincidence

Steps to reproduce

Deploy Kyma on a fresh cluster, and check if the Istio sidecar is properly configured and enabled on Central-Application-Gateway

Remove deprecated fields from Application CRD

Description

There is a bunch of fields in Application CRD that were introduced before Kyma 2.x and are no longer used (e.g. fields previously used by Application Broker). Those fields must be removed and Application CRD client regenerated.

Reasons

We must clean up Application CRD to reduce maintenance effort

App Connector Module - Implement webhook to validate domain name from CR

Description

We need to create validation logic for the cluster domain provided in App Connector Custom resource.

It is a good idea to build such a logic as validation webhook inside application-connector-manager service with endpoint

If there is no provided domain value, or the provided domain cannot be parsed, we replace it with the cluster domain taken from the Kubernetes cluster.

Reasons

We need to provide a fallback mechanism for setting the correct cluster domain if the user does not provide any.

Attachments

It is a follow-up story of #23

App Connector Module - Connect security tools to the module

Reason
We want to be secure and compliant with the release process

Description
Connect Application Connector Manager to security scanners

Acceptance Criteria

  • Application Connector Manager is scanned regularly with other modules and vulnerabilities are visible on security dashboards
  • All obligatory security tools are supported (probably Mend/Blackduck/Checkmarx)

Prepare Application Connector benchmarks

Description

We must introduce benchmarks that exercise Application Connector including all authorisation methods. The benchmarks should have similar structure and test cases to the Application Connector tests.

Reasons

In order to be able to spot performance regression we need to automate benchmarking. Some part of the existing tests can be used, such as mock services.

Related issues: #150.

App Connector Module - Add custom linter configuration for golangci-lint and adjust the code

Description

At the moment application-connector-manager does not use any custom linter configuration for checking the code on GH Action CI. As a result, the GH Action golangci-lint job is running with default settings. We should create our own configuration and put it into the golangci.yml file in the root of the project.

As a base we can use existing configs from lifecycle-manager, nats-manager or compass-manager.

We should make sure that all linter checks are passed, and adjust the code accordingly.

Reasons

Custom linter configuration will allow us to maintain higher standards of the code quality.

App Connector Module - Implement getting metrics and scaling app-connector pods with HPA

Description

In the POC of the Application Connector module, metrics are not correctly collected by Horizontal Pod Autoscaler objects. The following errors are logged in the HPA object status section:

    Warning FailedComputeMetricsReplicas 2s horizontal-pod-autoscaler invalid metrics (1 invalid out of 1), first error is: failed to get cpu resource metric value: failed to get cpu utilization: unable to get metrics for resource cpu: no metrics returned from resource metrics AP

Acceptance criteria

Metrics should be correctly collected and deployments should be scaled according to HPA configuration.

Create Application Connector module [EPIC]

Description

Application Connector needs to be moved to the modular architecture according to this concept.

Reasons

Application Connector should be more independent so that it must be possible to install, upgrade and operate it separately without dependencies on other Kyma modules.

Acceptance criteria

Release 1.0.0:

  • Application Connector module must have self-healing properties.
  • Operator's configuration must be defined in a dedicated CRD
  • Module must contain legacy Application Connector Components: Application Gateway and Connectivity Validator.

Release 1.1.0:

  • Module must contain all Application Connector Components: Application Gateway, Connectivity Validator, and Compass Runtime Agent.

Prerequisites:

Workplan:

Until the end of September, Release MVP:

Release required tasks, until 25 October: Milestone 1.0.0

Release hardening, until mid of November: Milestone 1.1.0

Until the end of November: Milestone 1.2.0

Stretch:

Consider to close as non-relevant:

Additional information

README improvement

Description
There are some small documentation bugs in the README file that could be improved.

Area

Reasons

Assignees

@grego952

Attachments

Troubleshooting guide and on call guides

Description

To be ready for the go-live, we have to create an on-call guide for the Application Connector Manager. This is also a pre-requisite for the Microdelivery of the Application Connector Manager.

Possible location for the on-call guide: https://github.tools.sap/kyma/documentation/tree/main/kyma-internal/on-call-guides/mps

AC:

  • Document the common use-cases / possible incidents we have to expect when the Application Connector Manager runs in a productive context

Area

  • Application Connector Manager

Reasons

Mandatory pre-requisite before we can go-live and part of the SAP Product Standards.

Assignees

@kyma-project/technical-writers

Attachments

  • How to disable reconciliation
  • Consider if it would be possible to see if Kymas are healthy (e.g. see if there are issues with other modules)

Prepare customer-facing documentation for Application Connector Module

Description
For the new modularization approach, we need documentation that is common for all the modules, e.g. general description (landing page), getting started, module configuration, etc.

AC

  • Your audience is the end-user so the documentation must be written for them (not for the team that builds this module, or other SAP teams that wish to build a module, not for SRE, etc). Remember about the context. How much the user knows by now (probably just high-level knowledge about Kyma as a whole and that there are modules).
  • The documentation must be consumable by the kyma-project.io home page (split into several information types/md files)
  • Create a docs folder following the standard structure proposed in -> this issue
  • In each module's documentation include:
    • General description of the functionality (if the module is mandatory, mention it!)
    • Getting Started - instructions on how to use the module. The module docs must mention the prerequisite that the module must be enabled. They must also include instructions on how to install/enable a module.
    • Module configuration
    • Instructional documents (currently called "dev tutorials" and "operational guides") - must be isolated, i.e. no dependencies on other tutorials or modules. An example.
    • If needed, troubleshooting
    • Instructions on how to give feedback

Reasons

Assignees

@kyma-project/technical-writers

Attachments
kyma-project/kyma#16421

App Connector Module - Prepare Module bugfix release process

PR

We need to document the release process for the Application Connector module.

Acceptance criteria

  • Must be reliable

  • Must be documented

  • Must be quick - be able to release in 2h since the fix is prepared

  • Must be finally discussed and approved with @zhoujing2022

  • Technical review

  • Language review (in progress)

  • adapt to review remarks

  • @zhoujing2022 review (in progress)

  • adapt to review remark

  • Process verification
