Skip to content

Recreate etcd pods and certificates on update #675

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 6, 2025
Merged

Recreate etcd pods and certificates on update #675

merged 1 commit into from
Mar 6, 2025

Conversation

@lllamnyp
Copy link
Member

@lllamnyp lllamnyp commented Mar 6, 2025
edited by coderabbitai bot
Loading

Since updating from 2.5.0 to 2.6.0 renews all certificates including the trusted CAs for etcd, all etcd pods need a restart. As many people had problems with their etcds post-update, we decided to script the procedure, so the renewal of certs and pods is done automatically and in a predictable order. The hook fires when upgrading from <2.6.0 to >=2.6.1.

Summary by CodeRabbit

  • New Features
    • Introduced pre- and post-upgrade tasks for the etcd package.
    • Added supporting resources, including roles, role bindings, service accounts, and a ConfigMap to facilitate smoother upgrade operations.
  • Chores
    • Updated the application version from 2.6.0 to 2.6.1.
    • Revised version mapping entries to reflect the updated release.

@lllamnyp lllamnyp requested a review from kvaps as a code owner March 6, 2025 13:10
@dosubot dosubot bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Mar 6, 2025
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Mar 6, 2025
edited
Loading

Walkthrough

This pull request updates the etcd chart version from 2.6.0 to 2.6.1 and introduces several Helm hook templates. New Kubernetes resources, including a Job, Role, RoleBinding, and ServiceAccount, are added to facilitate post-upgrade operations. Additionally, the versions mapping has been modified to assign a specific commit hash for version 2.6.0 and to add an entry for version 2.6.1.

Changes

File(s) Change Summary
packages/extra/etcd/Chart.yaml Updated etcd version from 2.6.0 to 2.6.1.
packages/extra/etcd/templates/hook/job.yaml, .../hook/role.yaml, .../hook/rolebinding.yaml, .../hook/serviceaccount.yaml Added Kubernetes Job, Role, RoleBinding, and ServiceAccount named etcd-hook for post-upgrade operations.
packages/extra/versions_map Changed version entry for 2.6.0 from HEAD to commit hash a7425b0 and added new version entry for 2.6.1 as HEAD.
packages/extra/etcd/templates/version.yaml Added new ConfigMap named etcd-deployed-version to store the chart version.

Suggested labels

bug, lgtm

Suggested reviewers

  • kvaps

Poem

I'm a bouncy rabbit, hops in tune today,
Watching our hooks at work in a clever display.
Pre-upgrade and post-upgrade, dancing hand in hand,
Updating versions and cleaning up across the land.
With charts all set and roles in place,
I celebrate these changes with a joyful, furry embrace! 🐰

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@dosubot dosubot bot added the enhancement New feature or request label Mar 6, 2025
coderabbitai[bot]
coderabbitai bot reviewed Mar 6, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
packages/extra/etcd/templates/hook/job.yaml (2)

29-50: Post-upgrade Job Metadata and Command Setup

The post-upgrade job’s metadata, annotations, and general structure are properly set up. However, YAMLlint reports an indentation issue at line 47 where the command list item is indented with 10 spaces instead of the expected 12.

Recommendation: Adjust the indentation for the list element under the command: key on line 47 to comply with YAML best practices.

🧰 Tools
🪛 YAMLlint (1.35.1)

[warning] 47-47: wrong indentation: expected 12 but found 10

(indentation)

47-47: YAML Formatting: Trailing Whitespace and Indentation

Static analysis tools have flagged several formatting issues:

  • Indentation: Line 47 is indented with 10 spaces instead of the expected 12.
  • Trailing Whitespace: Lines 55, 59, 65, 74, and 78 contain trailing spaces.

Recommendation: Remove trailing whitespace and correct the indentation on line 47 using an automated formatter or text editor to ensure compliance with YAML standards.

Also applies to: 55-55, 59-59, 65-65, 74-74, 78-78

🧰 Tools
🪛 YAMLlint (1.35.1)

[warning] 47-47: wrong indentation: expected 12 but found 10

(indentation)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a7425b0 and c99d480.

📒 Files selected for processing (6)
  • packages/extra/etcd/Chart.yaml (1 hunks)
  • packages/extra/etcd/templates/hook/job.yaml (1 hunks)
  • packages/extra/etcd/templates/hook/role.yaml (1 hunks)
  • packages/extra/etcd/templates/hook/rolebinding.yaml (1 hunks)
  • packages/extra/etcd/templates/hook/serviceaccount.yaml (1 hunks)
  • packages/extra/versions_map (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • packages/extra/etcd/Chart.yaml
🧰 Additional context used
🪛 YAMLlint (1.35.1)
packages/extra/etcd/templates/hook/serviceaccount.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/extra/etcd/templates/hook/role.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/extra/etcd/templates/hook/rolebinding.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/extra/etcd/templates/hook/job.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

[warning] 47-47: wrong indentation: expected 12 but found 10

(indentation)

[error] 55-55: trailing spaces

(trailing-spaces)

[error] 59-59: trailing spaces

(trailing-spaces)

[error] 65-65: trailing spaces

(trailing-spaces)

[error] 74-74: trailing spaces

(trailing-spaces)

[error] 78-78: trailing spaces

(trailing-spaces)

🔇 Additional comments (5)
packages/extra/etcd/templates/hook/serviceaccount.yaml (1)

1-9: ServiceAccount for Helm hooks looks good

This ServiceAccount will be created only when upgrading to chart version 2.6.1 or higher. The annotations properly configure it as both pre-upgrade and post-upgrade hook, with appropriate cleanup policies.

🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/extra/etcd/templates/hook/rolebinding.yaml (1)

1-17: RoleBinding configuration is appropriate

The RoleBinding correctly associates the ServiceAccount with the Role of the same name. The hook annotations match those on the other resources, ensuring consistent lifecycle management during the upgrade process.

🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/extra/versions_map (1)

10-11: Version pinning and update looks correct

Version 2.6.0 is now correctly pinned to a specific commit hash, and version 2.6.1 is set as HEAD. This aligns with the PR objective of addressing issues with the 2.6.0 upgrade by creating a new 2.6.1 version.

packages/extra/etcd/templates/hook/role.yaml (1)

1-31: Role permissions are appropriate for certificate and pod management

The Role grants the necessary permissions for managing secrets (certificates), pods, and configmaps during the upgrade process. This matches the PR objective of automating certificate renewal and etcd pod recreation.

The permissions follow the principle of least privilege by only including the specific resources and verbs needed for the upgrade process.

🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/extra/etcd/templates/hook/job.yaml (1)

1-27: Review of Pre-upgrade Job Definition

The pre-upgrade job correctly uses a Helm template condition with semverCompare ">= 2.6.1" to ensure it only runs for the intended chart versions. The command at line 24 retrieves the current etcd chart version and updates the etcd-previous-version ConfigMap, which is in line with the automation goals for certificate renewal.

Note: YAMLlint’s error on line 1 (expected node content but found '-') might be a false positive due to the Helm templating syntax. If this becomes a recurring nuisance, consider configuring YAMLlint to accommodate Helm templates.

🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

kvaps
kvaps requested changes Mar 6, 2025
View reviewed changes
packages/extra/etcd/templates/hook/job.yaml Outdated
args:
- -c
- |-
version=$(kubectl -n tenant-lllamnyp get configmap etcd-previous-version -ojsonpath='{.data.version}')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You hardcoded a namespace here

packages/extra/etcd/templates/hook/job.yaml Outdated
@@ -0,0 +1,84 @@
{{- if .Chart.Version | semverCompare ">= 2.6.1" }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check makes no sense, the .Chart.Version will always be more or equal 2.6.1

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right, this was helpful during testing, but is redundant in the release.

kvaps
kvaps reviewed Mar 6, 2025
View reviewed changes
packages/extra/etcd/templates/hook/job.yaml Outdated
serviceAccountName: etcd-hook
containers:
- name: helm
image: alpine/k8s:1.31.6
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use bitnami/kubectl:latest as we already consume it from in other hooks

coderabbitai[bot]
coderabbitai bot reviewed Mar 6, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (4)
packages/extra/etcd/templates/hook/job.yaml (4)

1-1: Helm Template Directive & YAMLlint False Positive
The helm template directive on line 1 ({{- if .Chart.Version | semverCompare ">= 2.6.1" }}) is standard for Helm charts. Note that YAMLlint may flag this as a syntax error due to the templating delimiters. Ensure that your YAML linter is configured to ignore helm template syntax.

🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

46-47: Indentation in the Command List
YAMLlint reports an indentation issue on line 47. Since the command: key’s list items should be indented two spaces further than the key, please update the indentation. For example:

-          command:
-          - bash
+          command:
+            - bash

This ensures proper YAML list formatting without ambiguity.

🧰 Tools
🪛 YAMLlint (1.35.1)

[warning] 47-47: wrong indentation: expected 12 but found 10

(indentation)

51-76: Post-upgrade Job Script: Semver Function & Version Validation
The inline shell script retrieves the previous version from the ConfigMap and defines a semver_less_than function to compare versions. The implementation appears sound. However, consider the scenario where the retrieved version is "unknown" (the default when no deployed version is found). If "unknown" is passed to arithmetic operations in the function, it may result in unexpected errors. You might want to add validation for a non-numeric (or unparseable) version string before performing comparisons.

🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 55-55: trailing spaces

(trailing-spaces)

[error] 59-59: trailing spaces

(trailing-spaces)

[error] 65-65: trailing spaces

(trailing-spaces)

[error] 74-74: trailing spaces

(trailing-spaces)

55-55: Remove Trailing Whitespace
YAMLlint has flagged trailing spaces on several lines (specifically lines 55, 59, 65, 74, and 78). Please remove these extra spaces to adhere to YAML style guidelines.

Also applies to: 59-59, 65-65, 74-74, 78-78

🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 55-55: trailing spaces

(trailing-spaces)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c99d480 and fc14167.

📒 Files selected for processing (1)
  • packages/extra/etcd/templates/hook/job.yaml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.35.1)
packages/extra/etcd/templates/hook/job.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

[warning] 47-47: wrong indentation: expected 12 but found 10

(indentation)

[error] 55-55: trailing spaces

(trailing-spaces)

[error] 59-59: trailing spaces

(trailing-spaces)

[error] 65-65: trailing spaces

(trailing-spaces)

[error] 74-74: trailing spaces

(trailing-spaces)

[error] 78-78: trailing spaces

(trailing-spaces)

🔇 Additional comments (4)
packages/extra/etcd/templates/hook/job.yaml (4)

2-28: ETCD Pre-upgrade Job: Version Capture & ConfigMap Creation
The pre-upgrade job correctly retrieves the deployed chart version using a helm history command, processes it with jq, and updates the etcd-previous-version ConfigMap. Verify that the image (alpine/k8s:1.31.6) includes all required tools (e.g., bash, jq, sed) for this command to work reliably.

18-18: Container Image Selection – Pre-upgrade Job
The container image is set to alpine/k8s:1.31.6, but previous reviews have suggested using bitnami/kubectl:latest (as used in other hooks) for consistency and possibly better support. Consider changing the image as follows:

-          image: alpine/k8s:1.31.6
+          image: bitnami/kubectl:latest

29-36: ETCD Post-upgrade Job: Basic Structure
The post-upgrade job is set up correctly with the necessary annotations and service account. Ensure that the namespace is consistently templated via {{ .Release.Namespace }} as seen throughout the file.

45-45: Container Image Selection – Post-upgrade Job
The image in the post-upgrade job is also defined as alpine/k8s:1.31.6. For consistency with other hooks (and as recommended by previous comments), consider switching to:

-          image: alpine/k8s:1.31.6
+          image: bitnami/kubectl:latest

@lllamnyp
Recreate etcd pods and certificates on update
8b88fb6 
Since updating from 2.5.0 to 2.6.0 renews all certificates including the
trusted CAs for etcd, all etcd pods need a restart. As many people had
problems with their etcds post-update, we decided to script the
procedure, so the renewal of certs and pods is done automatically and in
a predictable order. The hook fires when upgrading <2.6.1 to >=2.6.1.
@lllamnyp lllamnyp force-pushed the bug/etcd-migration-hook branch from fc14167 to 8b88fb6 Compare March 6, 2025 14:22
@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. and removed size:L This PR changes 100-499 lines, ignoring generated files. labels Mar 6, 2025
kvaps
kvaps approved these changes Mar 6, 2025
View reviewed changes
Copy link
Member

@kvaps kvaps left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Mar 6, 2025
@kvaps kvaps merged commit 63358e3 into main Mar 6, 2025
1 of 2 checks passed
@kvaps kvaps deleted the bug/etcd-migration-hook branch March 6, 2025 14:24
coderabbitai[bot]
coderabbitai bot reviewed Mar 6, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
packages/extra/etcd/templates/hook/job.yaml (1)

10-39: Kubernetes Job Definition and Command Consistency

The Job resource is well-defined with appropriate annotations for a post-upgrade hook, and it reliably uses {{ .Release.Namespace }} in all kubectl commands to ensure dynamic namespace resolution instead of a hardcoded value. One minor issue noted by YAMLlint is a trailing space on line 34. Please remove any trailing spaces to adhere to formatting standards.

Below is a suggested diff for line 34 removal:

-              kubectl --namespace={{ .Release.Namespace }} delete secrets etcd-ca-tls etcd-peer-ca-tls 
+              kubectl --namespace={{ .Release.Namespace }} delete secrets etcd-ca-tls etcd-peer-ca-tls
🧰 Tools
🪛 YAMLlint (1.35.1)

[warning] 30-30: wrong indentation: expected 12 but found 10

(indentation)

[error] 34-34: trailing spaces

(trailing-spaces)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fc14167 and 8b88fb6.

📒 Files selected for processing (7)
  • packages/extra/etcd/Chart.yaml (1 hunks)
  • packages/extra/etcd/templates/hook/job.yaml (1 hunks)
  • packages/extra/etcd/templates/hook/role.yaml (1 hunks)
  • packages/extra/etcd/templates/hook/rolebinding.yaml (1 hunks)
  • packages/extra/etcd/templates/hook/serviceaccount.yaml (1 hunks)
  • packages/extra/etcd/templates/version.yaml (1 hunks)
  • packages/extra/versions_map (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • packages/extra/etcd/templates/version.yaml
🚧 Files skipped from review as they are similar to previous changes (5)
  • packages/extra/etcd/templates/hook/serviceaccount.yaml
  • packages/extra/etcd/templates/hook/role.yaml
  • packages/extra/etcd/templates/hook/rolebinding.yaml
  • packages/extra/etcd/Chart.yaml
  • packages/extra/versions_map
🧰 Additional context used
🪛 YAMLlint (1.35.1)
packages/extra/etcd/templates/hook/job.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

[warning] 5-5: wrong indentation: expected 0 but found 2

(indentation)

[warning] 6-6: wrong indentation: expected 0 but found 4

(indentation)

[warning] 7-7: wrong indentation: expected 0 but found 2

(indentation)

[warning] 30-30: wrong indentation: expected 12 but found 10

(indentation)

[error] 34-34: trailing spaces

(trailing-spaces)

🔇 Additional comments (1)
packages/extra/etcd/templates/hook/job.yaml (1)

1-9: Template Logic for Certificate Update Flag

The block correctly retrieves the etcd-deployed-version ConfigMap and sets the $shouldUpdateCerts flag based on whether the deployed version satisfies the minimum requirement (i.e. < 2.6.1). This ensures the hook job is only triggered if certificate renewal is necessary.

🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

[warning] 5-5: wrong indentation: expected 0 but found 2

(indentation)

[warning] 6-6: wrong indentation: expected 0 but found 4

(indentation)

[warning] 7-7: wrong indentation: expected 0 but found 2

(indentation)

@lllamnyp lllamnyp mentioned this pull request Mar 7, 2025
Closed
@lllamnyp lllamnyp linked an issue Mar 7, 2025 that may be closed by this pull request
Upgrading the etcd app does not renew all certificates #671
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@kvaps kvaps kvaps approved these changes

Assignees

No one assigned

Labels

enhancement New feature or request lgtm This PR has been approved by a maintainer size:M This PR changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Upgrading the etcd app does not renew all certificates

2 participants

@lllamnyp @kvaps