|
| 1 | +# Provide a facility to automatically obtain updated specs |
| 2 | + |
| 3 | +## Background |
| 4 | + |
| 5 | +Troubleshoot is limited in that when folks write an update or a new spec for data collection and analysis, that upgrade is not available when Troubleshoot is invoked from within the kots application manager, or from specs stored in a file. Updating the local file is simple enough, but updating the specs supplied by kots requires an upgrade to kots in order to collect updates to the default spec supplied by kots, and/or an update to the application which is deployed if the spec supplied by the application is changed. This update requirement delays folks from accessing updated Troubleshoot specs and therefore discourages people from writing new/updated specs. |
| 6 | + |
| 7 | +It is also difficult to justify the tight coupling of Troubleshoot configuration, which is intended to be an entirely client-side concept, and the application manager which is installed to a Kubernetes environment. |
| 8 | + |
| 9 | +## Goals |
| 10 | + |
| 11 | +* Provide the ability to automatically obtain a spec from a source that receives updates, whenever Troubleshoot is run |
| 12 | +* Decouple the provision of default specs from the kots application manager, so that kots upgrades are not required in order to get access to updated specs |
| 13 | + |
| 14 | +## Non Goals |
| 15 | + |
| 16 | +* Maintain the ability for Troubleshoot to run in an airgapped environment |
| 17 | +* maintain compatilbility with existing Troubleshoot specs |
| 18 | + |
| 19 | +## High-Level Design |
| 20 | + |
| 21 | +Add a new field to the Troubleshoot spec definition, which includes a URI used to locate the current spec online. |
| 22 | + |
| 23 | +If the field is populated, Troubleshoot is to attempt to download the additional spec(s) from the source online, and add to the spec already provided. |
| 24 | + |
| 25 | +Add a CLI flag to prevent any attmept to download, for use in airgap environments and/or when we simply do not want to download. |
| 26 | + |
| 27 | +Update the [default spec included with kots](https://github.com/replicatedhq/kots/blob/main/pkg/supportbundle/defaultspec/spec.yaml) to include a URI pointing at [the troubleshoot-specs repo](https://raw.githubusercontent.com/replicatedhq/troubleshoot-specs/main/in-cluster/default.yaml). |
| 28 | + |
| 29 | +URI's provided may be any of the URI types already accepted by Troubleshoot, including web addresses (https://), secrets, or files. |
| 30 | + |
| 31 | +## Detailed Design |
| 32 | + |
| 33 | +Current spec format is like this example: |
| 34 | + |
| 35 | +```yaml |
| 36 | +apiVersion: troubleshoot.sh/v1beta2 |
| 37 | +kind: SupportBundle |
| 38 | +metadata: |
| 39 | + name: default |
| 40 | +spec: |
| 41 | + collectors: |
| 42 | + - clusterInfo: {} |
| 43 | + - clusterResources: {} |
| 44 | + analyzers: |
| 45 | + - cephStatus: {} |
| 46 | + - longhorn: {} |
| 47 | +``` |
| 48 | +
|
| 49 | +We could add a new type, `specURIs`, which contains a list of URIs from which to obtain specs: |
| 50 | + |
| 51 | +```yaml |
| 52 | +apiVersion: troubleshoot.sh/v1beta2 |
| 53 | +kind: SupportBundle |
| 54 | +metadata: |
| 55 | + name: default |
| 56 | +spec: |
| 57 | + specURIs: |
| 58 | + - https://raw.githubusercontent.com/replicatedhq/troubleshoot-specs/main/in-cluster/default.yaml |
| 59 | + collectors: |
| 60 | + - clusterInfo: {} |
| 61 | + - clusterResources: {} |
| 62 | + analyzers: |
| 63 | + - cephStatus: {} |
| 64 | + - longhorn: {} |
| 65 | +``` |
| 66 | + |
| 67 | +## Impact on kURL and kots |
| 68 | + |
| 69 | +For kURL, each component/addon installed could include adding a URI pointing at a specific spec that |
| 70 | + |
| 71 | +## Limitations |
| 72 | + |
| 73 | +Redactors are currently excluded from this proposal, though it would be desirable to add a similar feature in the future. |
| 74 | + |
| 75 | +If a URI provided includes a spec which includes another URI, it is possible to get into some kind of recursion. We should count the number of URI calls and limit that. |
| 76 | + |
| 77 | +## Assumptions |
| 78 | + |
| 79 | +Troubleshooot is able to accept multiple specs on invocation. |
| 80 | + |
| 81 | +## Testing |
| 82 | + |
| 83 | +## Alternatives Considered |
| 84 | + |
| 85 | +* Some mechanism to trigger a process to update secrets stored in Kubernetes. This was rejected due to the need to run a manual update spec for something installed in the cluster. |
| 86 | +* Altering kots to provide a URL for the spec rather than storing it in code. This was rejected to allow airgap compatibility. |
| 87 | + |
| 88 | +## Security Considerations |
| 89 | + |
| 90 | +Troubleshoot currently allows downloading from URL, and that pattern is frequently used from the CLI when customers are directed to do so. If we made this change, customers would need to ensure that their firewall allows outbound connections to the URL target from the kots container running Troubleshoot. |
0 commit comments