Skip to content
This repository has been archived by the owner on Aug 25, 2021. It is now read-only.

Add server-acl-init-cleanup job #246

Merged
merged 1 commit into from
Oct 15, 2019
Merged

Add server-acl-init-cleanup job #246

merged 1 commit into from
Oct 15, 2019

Conversation

lkysow
Copy link
Member

@lkysow lkysow commented Oct 10, 2019
edited
Loading

This job deletes the server-acl-init job when it completes successfully.
This keeps things clean and more importantly fixes the issue where if
you try to make a change to the helm values that result in updating the
spec for the Job that you get an error because the Job spec is
immutable. If the Job is deleted then this isn't a problem.

Also upgrades consul-k8s to the version with the new
delete-completed-job command.

Fixes #227
Needs hashicorp/consul-k8s#152

@lkysow lkysow requested a review from ishustava October 10, 2019 16:53
@lkysow lkysow force-pushed the acl-hook branch 3 times, most recently from 66cea28 to fb36532 Compare October 11, 2019 19:33
ishustava
ishustava reviewed Oct 11, 2019
View reviewed changes
Copy link
Contributor

@ishustava ishustava left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good! I don't think the ACL init role needs access to services, unless you ran into cases when it does.

templates/server-acl-init-clusterrole.yaml Outdated
Comment on lines 30 to 34
- apiGroups: [""]
resources:
- services
verbs:
- get
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm curious why do we need services here as well?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I totally don't remember adding this so I'll delete it. Good catch. But it's interesting that we actually do make one call for Services:

			kubeSvc, err = c.clientset.CoreV1().Services("default").Get("kubernetes", metav1.GetOptions{})

However that must have been working before. Looking that code now, I'm not sure why it doesn't just use kubernetes.default.svc.cluster.local instead of the IP address (which is the whole reason it's calling this in the first place).

Copy link
Contributor

@ishustava ishustava Oct 14, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, it's calling it inside the configureConnectInject function, but the helm chart already adds services in case connect is enabled.

@lkysow
Add server-acl-init-cleanup job
a6adfe5 
This job deletes the server-acl-init job when it completes successfully.
This keeps things clean and more importantly fixes the issue where if
you try to make a change to the helm values that result in updating the
spec for the Job that you get an error because the Job spec is
immutable. If the Job is deleted then this isn't a problem.

Also upgrades consul-k8s to the version with the new
delete-completed-job command.
@lkysow lkysow mentioned this pull request Oct 15, 2019
Merged
@ishustava ishustava merged commit 223e904 into master Oct 15, 2019
@ishustava ishustava deleted the acl-hook branch October 15, 2019 23:56
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@ishustava ishustava ishustava approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Repeatedly re-running job on upgrading to Chart v0.9.0 w/ bootstrapACLs enabled
2 participants
@lkysow @ishustava