The Configuration Complexity Curse

It occurred to me that the configuration hell is a consequence of Microservice-heavy approach: we have reduced complexity of cross-component interactions by compartmentalizing each component behind a hard boundary, and now we’re paying the price for this free lunch by trying to put those things back together and keeping them that way.<p>Turns out the complexity didn’t go anywhere, it was just biding it’s time, waiting for the right moment to strike back.<p>Damn you, entropy!

If you&#x27;re thinking about implementing this or something like this, <i>please stop</i>.<p>Unless you&#x27;re writing in a compiled language, use the same language your application is written in for your configuration. If you have a python application, have a python file for the configuration. Same for ruby or whatnot.<p>You don&#x27;t need to use the entire language, but at least use the language&#x27;s lexer&#x2F;parser (cf. json&#x2F;javascript). That way, all existing tooling for the language will work for the config files (ask me about how saltstack happily breaks their API because you&#x27;re not &quot;supposed&quot; to use it, despite the fact that they have public docs for it). Additionally, people won&#x27;t need to figure out all the stupid corner cases in your weird language that has no uses outside of a few projects.<p>Additionally, by making your configuration language an actual language, you also simplify a lot of the system design, because the configuration can act directly against your API. This means using your tool from other tools becomes much more straightforward, because the only interface you actually need is the API.<p>The <i>existence</i> of &quot;configuration language&quot; is, itself, a mistake.

Every time an article on configuration languages gets posted here there&#x27;s always a chorus of pooh-poohing. This is a solved problem, just use YAML&#x2F;JSON&#x2F;XML&#x2F;whatever. Just use the same language as your app. Just use bash.<p>I don&#x27;t understand why people hate on new languages so much. Learning a language is pretty easy, at most a week or two of concentrated effort. On the other hand, we put years of effort into software projects. If learning a new language would make us 10% more productive with a sizeable chunk of the work, that&#x27;s a HUGE WIN.<p>Configuration at scale is something new and we don&#x27;t have good ways of doing it yet. Inventing new languages and tools to make it easier will be hugely rewarding; WAY more than a 10% improvement. Some of the stuff we invent won&#x27;t be perfect. So what? Let a thousand projects bloom, we&#x27;ll see what works and what doesn&#x27;t. That&#x27;s how our profession advances.

I just switched my pet project to Cue. It did take me cca 5 days to get familiar with the language, but the result is much more elegant than the original Kustomize configuration. I&#x27;m looking forward to using Cue in future k8s projects and discovering new use cases for the language.

95% of you reading this and thinking oh, that&#x27;s neat let me use this for the company are going to waste time and resources. Why? Because the kind of complexity the article tries to address is not reached by the vast majority of the deployments out there. Typically the &#x27;superstructure&#x27; is larger than the thing it supports. As soon as that&#x27;s the case and there is not credible path to a (near!) future where you will need that superstructure you are better off with the simplest configuration that you can get away with. It will be more robust, easier to modify and easier to troubleshoot than any of these abstraction layers.<p>Question one for anything that you aim at production should be: &quot;Do I <i>really</i> need this?&quot; and only if the answer is a very clear yes and you&#x27;re not just trying to implement $COOLTECH because you are distracted by its shininess or because &#x27;Google does it too&#x27; then you should go ahead and implement.<p>My #1 technique for improving installations is to rip out unnecessary superstructure which is obscuring why things are going wrong, and more often than not is actually part of the problem. Works every time.<p>The same goes by the way for modeling your development process on whatever Spotify does with your 6 people development team, and in fact for any other piece of tech that you bring on board. Each of those pieces has a cost of implementation, a cost of maintenance and a cost of cognitive overhead associated with it. The best shops out there use the <i>least</i> number of technologies they can get away with.

Sometimes there is no problem to be solved, all these tools just complicate everything.<p>Do this instead:<p>1. Use flat yaml files. No loops nor conditionals, no complexity.<p>2. One (single) yaml file templated by ansible just for secret&#x2F;sensitive stuff.<p>3. Done.<p>Boring is better and is easy to diff.

This post is really timely. We&#x27;re going through a wave of innovation in how we ship software but in that we&#x27;re having to reason far more about the infrastructure. I think we might be reaching the end of that phase and the realisation that none of us really want to touch containers or kubernetes, we just want it to fade into the background. Because at the end of the day software development is still software development and not much has changed there despite the underlying platforms being completely rewritten.<p>I&#x27;d argue that we might once again be on the cusp of true serverless but in a way that might become ubiquitous. If we could unlock a shared platform like GitHub but for running software we&#x27;d be in a much better place.

I’ll have to take a look at CUE; it might be worth using.<p>But I have to ask: isn’t there something simpler which can handle taking a declarative specification and adding imperative behaviour to it? I’m writing — as anyone who knows me might suspect — of S-expressions &amp; Lisp.<p>They have an advantage over CUE in that one might well choose to write one’s entire program in Lisp &amp; S-expressions. It doesn’t look like CUE is intended to be the whole-program language.<p>I remember that Tcl used to be commonly used for config-files-which-need-a-bit-of-scripting, but while it is an awesome language (really!) one probably doesn’t want to write an <i>entire</i> program with it, but rather use it to stitch functions written in C together.

Don’t use yaml or json for (infrastructure) configuration. Use code. Configuration files checked in with source doesn’t make it “configuration as code”. If you don’t want to roll your own tools, there are tools like pulumi for this.

I don&#x27;t know if it&#x27;s the best way, but the way I&#x27;ve been managing kubernetes at work is with a custom typescript library to interface with kubernetes. That library has two frontends, a website and a CLI. Whenever I add some new feature to the cloud I prototype it in YAML first and then when I get it working I integrate it into the program.<p>It works mostly pretty well. It&#x27;s a lot more organized and powerful than having a bunch of YAML. It does feel a bit &quot;heavy&quot; though. There&#x27;s also parts of the kubernetes api that are hard to deal with (log streaming for instance..)<p>I don&#x27;t put everything in the tool though. Anything that&#x27;s a one-off I just check in YAML for. But anything that you might do repeatedly I add to the CLI, and the website is for more general non-ops use

Totally agree. K8s using yaml as a config format is a shit show. They should have used good ol’ JSON which has a lot smaller surface area. It has proper schema definitions and a bazillion languages interop with it.<p>Then we can use whatever tools we want to generate and customize as needed.<p>YAML is ugly and doesn’t really solve a problem.<p>Jsonnet on the other hand is far more elegant templating language that solves a real need of generating json&#x2F;yaml files.<p>Please please don’t use a text templating language. You’re in a world of hurt.

I have lived the first 1&#x2F;2 of the article for the last 1.5+ years and have gone through that mental cycle. We&#x27;ve been moving our product from AWS to GCP. We have a custom deployment tool based of off Capistrano, Chef and Cloud Formation to setup our stack in AWS. There are a couple things that have helped me and may help others who have to do a similar thing (or any setup for that matter).<p>Tooling: I looked at them all. yaml, kustomize, helm, deployment manager, etc and in the end I went with Terraform. The reasoning was simple. We deploy Infrastructure, not kubernetes services and terraform lets you do the entire thing with one tool. It has the ability to do loops and clunky if-like statements but if you want real programming power then you can create your own terraform provider which is what we did. The pattern of how to create a provider already exists so you are not re-inventing the wheel. We even add our own services to our provider so that we have one tool for setup of GCP resources -&gt; Kubernetes resources -&gt; our own service(s) resources. 1 tool, 1 flow, 1 statefile and the same pattern when working with it all.<p>Establish patterns: &quot;My service is a multi-tenant service and should do X&quot;. Don&#x27;t allow people to get away with special cases when it comes to deploying infrastructure. Create patterns and stick to them. As an example, one pattern I have is that I have 4 variables that all of my terraform modules use: project, region, cluster and tenant. A combination of any of those variables is enough to create unique resources for everything you deploy... dns names, storage buckets, databases, service accounts, namespaces, clusters, etc. Those variables allow me to know where your git repos are, what GCP project your deployment lives in, what kubernetes cluster you are on and what namespace you are in. Patterns.<p>Keep it simple: There will be pressure to have custom settings and provide as much flexibility as possible. Try and avoid this. Set defaults for values and try and reduce the number of configuration options available to others. In our case, there were around hundreds of environment variables being set on a deploy and most of them were the same. I took the list, standardized the environment variable names, DATABASE_USER, MYSQL_USER, MYSQL_USERNAME, DB_USERNAME... come on guys!, and deployed them as a secret in kubernetes so that all of our running services can access them. Reduce complexity.

The author states:<p>&gt;&quot;kustomize would be the most well known tool now it that is it integrated into kubectl. This seems to work well enough and could be feasible for simple use cases. In comparison to data configuration languages though, this strategy breaks down when configurations grow in complexity and scale. Template writers lack abstraction and type validation that matters when things get complicated, as the semantics are locked into an opaque tool and not exposed as language features.&quot;<p>How exactly does this strategy break down? This sounds a bit hand-wavey to me. Isn&#x27;t Kustomize essentially patching? And isn&#x27;t the type validation done by the underlying API objects in the yaml that Kustomize is patching? Am I missing something obvious or a more subtle point?

Why do people look upon the hideous face of complexity and brittleness and configuration hell and decide that the solution is to introduce yet ANOTHER piece of technology? Don&#x27;t they understand that this is the exact instinct that led us to hell in the first place?

There is a quite mature configuration language nix that is behind nixpkgs, nixos, and many other projects. Worth checking out for others here that are interested in abstractable configuration langauges. It is a functional lazily evaluated language.

I&#x27;m working on devops-pipeline to make complicated infrastructure easier to understand and deploy. <a href="https:&#x2F;&#x2F;devops-pipeline.com" rel="nofollow">https:&#x2F;&#x2F;devops-pipeline.com</a> It is configured by a dot graph file.

After having to configure Druid clusters and their many many service configuration files, I&#x27;ve started just immediately reaching for templating &amp; code-generators to build all of the disparate configuration artifacts the moment that I feel annoyed by redundant information in multiple places.<p>I love the idea of Terraform, but find that the language only goes part way, and is itself pretty idiosyncratic. It&#x27;s pretty nice, though, if you move up by another step of abstraction and write code to generate your HCL. If you get lispy about it, then you can have infrastructure defined as data, generated by code, that is also data...

This is interesting and I feel like it’s somewhat on the right path but may not go far enough. I think the right solution is actually a new protocol

I wish CUE really all the best, but every senior dev can tell you that the problem of too many config languages isn&#x27;t solved by yet another config language to rule them all (insert obligatory xkcd 924 reference here).

This is a really good idea. My take on this was to use Prolog but it turned out people did not like Prolog: <a href="https:&#x2F;&#x2F;github.com&#x2F;davidk01&#x2F;cwacop" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;davidk01&#x2F;cwacop</a>. The project is dead at the moment but being able to work with infrastructure using a hybrid model of logic + imperative drivers I think is fundamentally a good idea.