From 7c5c6cf9ab254da0e3cd216fa8b71783e7629e45 Mon Sep 17 00:00:00 2001
From: Soniya Vyas
Date: Thu, 29 Aug 2024 17:20:23 +0530
Subject: [PATCH 1/2] Use PodManagementPolicy: appsv1.ParallelPodManagement for the neutronapi statefulsets

With the default PodManagementPolicy: OrderedReadyPodManagement the statefulset controller will only progress pods when the previous/current pod is ready or terminated. When service configuration changes while the pod is starting and the new configuration requires e.g. additional volume mounts the initial pod will never reach ready and therefore an update won't happen. With ParallelPodManagement the statefulset controller will not wait for pods to be ready or complete termination.
---
 pkg/neutronapi/deployment.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/neutronapi/deployment.go b/pkg/neutronapi/deployment.go
index 4d64d3e7..8b9e0468 100644
--- a/pkg/neutronapi/deployment.go
+++ b/pkg/neutronapi/deployment.go
@@ -134,7 +134,8 @@ func Deployment(
 Selector: &metav1.LabelSelector{
 MatchLabels: labels,
 },
- Replicas: instance.Spec.Replicas,
+ PodManagementPolicy: appsv1.ParallelPodManagement,
+ Replicas: instance.Spec.Replicas,
 Template: corev1.PodTemplateSpec{
 ObjectMeta: metav1.ObjectMeta{
 Annotations: annotations,
From 585e0b170d5a439800a501861c6cb9575ddd1445 Mon Sep 17 00:00:00 2001
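Review bot: `spec.podManagementPolicy` is one of the StatefulSet fields the API server treats as immutable after creation, so on an already-existing neutronapi StatefulSet the update carrying `+ PodManagementPolicy: appsv1.ParallelPodManagement,` will be rejected rather than applied, unless the reconciler already deletes and recreates the object, which is not visible here. The commit message describes the motivation but not the upgrade path for existing deployments; either state that a recreate is handled elsewhere or add it. A why-comment above the field would also help the next reader: `// Parallel so a never-ready initial pod cannot block config-driven rollouts; immutable after create.` `Deployment` starts and ends outside this hunk.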
From: Soniya Vyas
Date: Thu, 29 Aug 2024 19:45:26 +0530
Subject: [PATCH 2/2] improvement(neutronapi): Enhance readiness probe to verify SSL certificate presence

- Updated the existing readiness probe in the Neutron API deployment to check for the presence of the internal.crt SSL certificate before marking the pod as ready.
- Applied the SSL certificate check to the HTTPD container as well, ensuring secure traffic handling.
- Improved the deployment reliability by ensuring that pods are only marked as ready when they have the necessary SSL certificates in place.
---
 pkg/neutronapi/deployment.go | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/pkg/neutronapi/deployment.go b/pkg/neutronapi/deployment.go
index 8b9e0468..14162a6e 100644
--- a/pkg/neutronapi/deployment.go
+++ b/pkg/neutronapi/deployment.go
@@ -56,8 +56,14 @@ func Deployment(
 TimeoutSeconds: 30,
 PeriodSeconds: 30,
 InitialDelaySeconds: 5,
+ Exec: &corev1.ExecAction{
+ Command: []string{
+ "cat",
+ "/etc/pki/tls/certs/internal.crt",
+ },
+ },
 }
- args := []string{"-c", ServiceCommand}
+ args := []string{"-c", ServiceCommand}
 httpdArgs := []string{"-DFOREGROUND"}
 
 //
@@ -71,7 +77,7 @@ func Deployment(
 Path: "/",
 Port: intstr.IntOrString{Type: intstr.Int, IntVal: int32(NeutronPublicPort)},
 }
-
+ // Use HTTPS if TLS is enabled
 if instance.Spec.TLS.API.Enabled(service.EndpointPublic) {
 livenessProbe.HTTPGet.Scheme = corev1.URISchemeHTTPS
 readinessProbe.HTTPGet.Scheme = corev1.URISchemeHTTPS
@@ -93,6 +99,7 @@ func Deployment(
 httpdVolumeMounts = append(httpdVolumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
 }
 
+ // handle TLS certificates for HTTPD
 for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} {
 if instance.Spec.TLS.API.Enabled(endpt) {
 var tlsEndptCfg tls.GenericService
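Review bot: The `+ Exec: &corev1.ExecAction{` handler is added to a probe that elsewhere in this patch also carries an `HTTPGet` handler (`readinessProbe.HTTPGet.Scheme = …` in the `@@ -71` hunk, and the commit message names the readiness probe), and a `corev1.Probe` may specify only one handler type, so the API server will reject the pod template; as far as the diff shows, either the Exec block or the HTTPGet assignment has to go. If the file check is kept it should be gated like the certificate mounts in the `@@ -93` hunk, `if instance.Spec.TLS.API.Enabled(service.EndpointInternal) { … }`, since with TLS disabled `/etc/pki/tls/certs/internal.crt` is never mounted and the pod would never become ready; `"test", "-s", "/etc/pki/tls/certs/internal.crt"` is also preferable to `cat`, which writes the certificate into the probe output on every run. The hardcoded path should be confirmed against what `CreateVolumeMounts` actually mounts (not visible here), and the `-args`/`+args` pair is a whitespace-only change. The `ReadinessProbe: readinessProbe` wiring in the `@@ -154` hunk inherits the same issues, and the HTTPD-container change the commit message describes is not visible in this diff; `Deployment` starts and ends outside this hunk.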
@@ -134,8 +141,7 @@ func Deployment(
 Selector: &metav1.LabelSelector{
 MatchLabels: labels,
 },
- PodManagementPolicy: appsv1.ParallelPodManagement,
- Replicas: instance.Spec.Replicas,
+ Replicas: instance.Spec.Replicas,
 Template: corev1.PodTemplateSpec{
 ObjectMeta: metav1.ObjectMeta{
 Annotations: annotations,
@@ -154,6 +160,7 @@ func Deployment(
 VolumeMounts: apiVolumeMounts,
 Resources: instance.Spec.Resources,
 LivenessProbe: livenessProbe,
+ ReadinessProbe: readinessProbe,
 TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 },
 {
@@ -176,9 +183,9 @@ func Deployment(
 },
 }
 
- // If possible two pods of the same service should not
- // run on the same worker node. If this is not possible
- // the get still created on the same worker node.
+ // If possible two pods of the same service should not
+ // run on the same worker node. If this is not possible
+ // the get still created on the same worker node.
 deployment.Spec.Template.Spec.Affinity = affinity.DistributePods(
 common.AppSelector,
 []string{
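Review bot: The `- PodManagementPolicy: appsv1.ParallelPodManagement,` line reverts what PATCH 1/2 of this series added, and this patch's message does not mention it, so a reader of the series cannot tell whether the revert is intended or a rebase artifact. If it is intended, say so in the commit message (or drop patch 1 from the series); if not, restore the field. `Deployment` continues outside this hunk.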