From 94d68bf382ec8dc4ce28d7d8d154663afd00b7fe Mon Sep 17 00:00:00 2001
From: Stanislav Zaprudskiy
Date: Thu, 26 Jan 2023 16:22:07 +0100
Subject: [PATCH] Make Deployment to be rolled out on CM and Secrets changes

With the previous approach, not all associated (mounted) CM/Secrets changes caused the Deployment to be rolled out, but also the Deployment could have been rolled out unnecessary during e.g. Ingress or Service changes (which do not require Pod restarts). Previously existing Pod removal (state: absent) was not complete as other pods continued to exist, but also is not needed with this commit change due to added Pods annotations. The added Deployment Pod annotations now cause the new ReplicaSet version to be rolled out, effectively causing replacement of the previously existing Pods in accordance with the deployment `strategy` (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#deploymentstrategy-v1-apps, `RollingUpdate`) whenever there is a change in the associated CMs or Secrets referenced in annotations. This implementation is quite standard and widely used for Helm workflows - https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
---
 .../tasks/resources_configuration.yml | 64 ++++++++++++-------
 .../tasks/secret_key_configuration.yml | 4 +-
 .../templates/deployments/deployment.yaml.j2 | 19 +++++-
 3 files changed, 62 insertions(+), 25 deletions(-)

diff --git a/roles/installer/tasks/resources_configuration.yml b/roles/installer/tasks/resources_configuration.yml
index 438af396..0d56eb1c 100644
--- a/roles/installer/tasks/resources_configuration.yml
+++ b/roles/installer/tasks/resources_configuration.yml
@@ -40,13 +40,13 @@ kind: Secret namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ ansible_operator_meta.name }}-receptor-ca' - register: _receptor_ca + register: receptor_ca no_log: "{{ no_log }}" - name: Migrate Receptor CA Secret when: - - _receptor_ca['resources'] | default([]) | length - - _receptor_ca['resources'][0]['type'] != "kubernetes.io/tls" + - receptor_ca['resources'] | default([]) | length + - receptor_ca['resources'][0]['type'] != "kubernetes.io/tls" block: - name: Delete old Receptor CA Secret k8s:
@@ -61,7 +61,7 @@ register: _receptor_ca_key_file - name: Copy Receptor CA key from old secret to tempfile copy: - content: "{{ _receptor_ca['resources'][0]['data']['receptor-ca.key'] | b64decode }}" + content: "{{ receptor_ca['resources'][0]['data']['receptor-ca.key'] | b64decode }}" dest: "{{ _receptor_ca_key_file.path }}" no_log: "{{ no_log }}" - name: Create tempfile for receptor-ca.crt
@@ -71,7 +71,7 @@ register: _receptor_ca_crt_file - name: Copy Receptor CA cert from old secret to tempfile copy: - content: "{{ _receptor_ca['resources'][0]['data']['receptor-ca.crt'] | b64decode }}" + content: "{{ receptor_ca['resources'][0]['data']['receptor-ca.crt'] | b64decode }}" dest: "{{ _receptor_ca_crt_file.path }}" no_log: "{{ no_log }}" - name: Create New Receptor CA secret
@@ -79,6 +79,17 @@ apply: true definition: "{{ lookup('template', 'secrets/receptor_ca_secret.yaml.j2') }}" no_log: "{{ no_log }}" + - name: Read New Receptor CA Secret + k8s_info: + kind: Secret + namespace: '{{ ansible_operator_meta.namespace }}' + name: '{{ ansible_operator_meta.name }}-receptor-ca' + register: _receptor_ca + no_log: "{{ no_log }}" + - name: Set receptor_ca variable + set_fact: + receptor_ca: '{{ _receptor_ca }}' + no_log: "{{ no_log }}" - name: Remove tempfiles file: path: "{{ item }}"
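Review bot: The `Read New Receptor CA Secret` / `Set receptor_ca variable` pair added after `Create New Receptor CA secret` reappears verbatim in the `@@ -114` and `@@ -159` hunks; the `k8s` apply task each pair follows already returns the applied object in its result (if I read the module's return values correctly), so registering that task and building the fact from it, e.g. `set_fact: receptor_ca: "{{ {'resources': [_receptor_ca_apply.result]} }}"`, would remove three extra API reads and the duplication. Keep `no_log` on the `set_fact` tasks either way, since the fact now carries the CA private key. Renaming `_receptor_ca` to `receptor_ca` (and `receptor_work_signing` further down) also takes these facts out of the role's underscore-private namespace; in the operator a same-named key in the CR spec arrives as an extra var and would presumably shadow the `set_fact` value, so a comment at the rename naming `deployments/deployment.yaml.j2` as the consumer would tell the next maintainer why the public name is required. The `Migrate Receptor CA Secret` block these tasks belong to opens in the first hunk and is cut at the edge of this one.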
@@ -114,6 +125,17 @@ apply: true definition: "{{ lookup('template', 'secrets/receptor_ca_secret.yaml.j2') }}" no_log: "{{ no_log }}" + - name: Read Receptor CA secret + k8s_info: + kind: Secret + namespace: '{{ ansible_operator_meta.namespace }}' + name: '{{ ansible_operator_meta.name }}-receptor-ca' + register: _receptor_ca + no_log: "{{ no_log }}" + - name: Set receptor_ca variable + set_fact: + receptor_ca: '{{ _receptor_ca }}' + no_log: "{{ no_log }}" - name: Remove tempfiles file: path: "{{ item }}"
@@ -121,14 +143,14 @@ loop: - "{{ _receptor_ca_key_file.path }}" - "{{ _receptor_ca_crt_file.path }}" - when: not _receptor_ca['resources'] | default([]) | length + when: not receptor_ca['resources'] | default([]) | length - name: Check for Receptor work signing Secret k8s_info: kind: Secret namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ ansible_operator_meta.name }}-receptor-work-signing' - register: _receptor_work_signing + register: receptor_work_signing no_log: "{{ no_log }}" - name: Generate Receptor work signing RSA key pair
@@ -159,6 +181,17 @@ apply: true definition: "{{ lookup('template', 'secrets/receptor_work_signing_secret.yaml.j2') }}" no_log: "{{ no_log }}" + - name: Read Receptor work signing Secret + k8s_info: + kind: Secret + namespace: '{{ ansible_operator_meta.namespace }}' + name: '{{ ansible_operator_meta.name }}-receptor-work-signing' + register: _receptor_work_signing + no_log: "{{ no_log }}" + - name: Set receptor_work_signing variable + set_fact: + receptor_work_signing: '{{ _receptor_work_signing }}' + no_log: "{{ no_log }}" - name: Remove tempfiles file: path: "{{ item }}"
@@ -166,14 +199,13 @@ loop: - "{{ _receptor_work_signing_private_key_file.path }}" - "{{ _receptor_work_signing_public_key_file.path }}" - when: not _receptor_work_signing['resources'] | default([]) | length + when: not receptor_work_signing['resources'] | default([]) | length - name: Apply Resources k8s: apply: yes definition: "{{ lookup('template', item + '.yaml.j2') }}" wait: yes - register: tower_resources_result loop: - 'configmaps/config' - 'secrets/app_credentials'
@@ -222,18 +254,6 @@ register: this_deployment_result - block: - - name: Delete pod to reload a resource configuration - k8s: - api_version: v1 - state: absent - kind: Pod - namespace: '{{ ansible_operator_meta.namespace }}' - name: '{{ tower_pod_name }}' - wait: yes - when: - - tower_resources_result.changed - - tower_pod_name | length - - name: Get the new resource pod information after updating resource. k8s_info: kind: Pod
@@ -258,7 +278,7 @@ set_fact: tower_pod_name: '{{ tower_pod["metadata"]["name"] | default("")}}' when: - - tower_resources_result.changed or this_deployment_result.changed + - this_deployment_result.changed - name: Verify the resource pod name is populated. assert:
diff --git a/roles/installer/tasks/secret_key_configuration.yml b/roles/installer/tasks/secret_key_configuration.yml
index 00b64255..e7d022f5 100644
--- a/roles/installer/tasks/secret_key_configuration.yml
+++ b/roles/installer/tasks/secret_key_configuration.yml
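Review bot: The `tower_pod_name` set_fact in the `@@ -258` hunk (and the `Get the new resource pod information after updating resource.` lookup that feeds it) now keys off `this_deployment_result.changed` alone, but under the `RollingUpdate` strategy the commit message relies on, the previous Pod is still running when the Deployment apply returns unless that task waits for the rollout; the Deployment task itself sits outside these hunks, so please confirm it sets `wait: yes` (kubernetes.core waits for the rollout to complete, if I recall its semantics correctly), otherwise the lookup can pick up the terminating Pod. Dropping `register: tower_resources_result` in the `@@ -166` hunk is consistent with removing the explicit Pod deletion in `@@ -222`, but nothing in the file now says why resource changes no longer need handling here. A one-line comment above the `when:`, `# Pod replacement on CM/Secret change is driven by the checksum annotations in deployments/deployment.yaml.j2`, would give the next reader that link.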
@@ -40,10 +40,10 @@ - name: Set secret key secret set_fact: - __secret_key_secret: '{{ _generated_secret_key["resources"] | default([]) | length | ternary(_generated_secret_key, _secret_key_secret) }}' + secret_key: '{{ _generated_secret_key["resources"] | default([]) | length | ternary(_generated_secret_key, _secret_key_secret) }}' no_log: "{{ no_log }}" - name: Store secret key secret name set_fact: - secret_key_secret_name: "{{ __secret_key_secret['resources'][0]['metadata']['name'] }}" + secret_key_secret_name: "{{ secret_key['resources'][0]['metadata']['name'] }}" no_log: "{{ no_log }}"
diff --git a/roles/installer/templates/deployments/deployment.yaml.j2 b/roles/installer/templates/deployments/deployment.yaml.j2
index 5135b713..81e0a519 100644
--- a/roles/installer/templates/deployments/deployment.yaml.j2
+++ b/roles/installer/templates/deployments/deployment.yaml.j2
@@ -20,8 +20,25 @@ spec: labels: {{ lookup("template", "../common/templates/labels/common.yaml.j2") | indent(width=8) | trim }} {{ lookup("template", "../common/templates/labels/version.yaml.j2") | indent(width=8) | trim }} -{% if annotations %} annotations: +{% for template in [ + "configmaps/config", + "secrets/app_credentials", + "storage/persistent", + ] %} + checksum-{{ template | replace('/', '-') }}: "{{ lookup('template', template + '.yaml.j2') | md5 }}" +{% endfor %} +{% for secret in [ + "bundle_cacert", + "route_tls", + "ldap_cacert", + "secret_key", + "receptor_ca", + "receptor_work_signing", + ] %} + checksum-secret-{{ secret }}: "{{ lookup('ansible.builtin.vars', secret, default='')["resources"][0]["data"] | default('') | md5 }}" +{% endfor %} +{% if annotations %} {{ annotations | indent(width=8) }} {% endif %} spec:
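Review bot: The new `checksum-secret-*` annotations (and `checksum-secrets-app_credentials`, whose template presumably renders the credential values) put a deterministic md5 of Secret contents on every Pod, and Pod/Deployment read access is commonly granted more widely than Secret read access, so for a short or guessable value the digest lets such a reader confirm a guess without ever reading the Secret. Hashing a non-secret change indicator keeps the rollout trigger without that exposure, e.g. the Secret's `metadata.resourceVersion` from the `k8s_info` read-backs this commit adds: `checksum-secret-{{ secret }}: "{{ lookup('ansible.builtin.vars', secret, default={})['resources'][0]['metadata']['resourceVersion'] | default('') }}"`, with the template-based loop taking the same value from registered apply results instead of re-rendering the manifest. Separately, `lookup('ansible.builtin.vars', secret, default='')["resources"][0]["data"]` indexes the string default with a key and appears to rely on Jinja's lenient item lookup plus the trailing `default('')` to turn unset or empty optional Secrets (`bundle_cacert`, `route_tls`, `ldap_cacert` are not set anywhere in this diff) into an empty digest; a comment stating that intent, `{# unset or empty optional Secrets hash as '' so the annotation stays stable #}`, would keep someone from "fixing" it later. md5 is adequate for change detection, so the digest choice itself is not the concern.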