Production readiness Helm chart tweaks #309

Merged
merged 4 commits into from
Feb 28, 2024

@wallrj wallrj commented Feb 28, 2024

  • Fixed a copy-paste typo in the help text for podDisruptionBudget
  • Added some warnings to the NOTES.txt file to tell the user about production readiness values they should use

Warnings

$ helm upgrade trust-manager bin/chart/trust-manager-v1.14.1.tgz --install --create-namespace --namespace venafi --values values.yaml
Release "trust-manager" has been upgraded. Happy Helming!
NAME: trust-manager
LAST DEPLOYED: Wed Feb 28 17:15:33 2024
NAMESPACE: venafi
STATUS: deployed
REVISION: 3
TEST SUITE: None
NOTES:
⚠️  WARNING: Consider increasing the Helm value `replicaCount` to 2 if you require high availability.
⚠️  WARNING: Consider setting the Helm value `podDisruptionBudget.enabled` to true if you require high availability.

trust-manager v1.14.1 has been deployed successfully!
Your installation includes a default CA package, using the following
default CA package image:

quay.io/jetstack/cert-manager-package-debian:20210119.0

It's imperative that you keep the default CA package image up to date.
To find out more about securely running trust-manager and to get started
with creating your first bundle, check out the documentation on the
cert-manager website:

https://cert-manager.io/docs/projects/trust-manager/

Testing

Given a 3-node cluster with two "platform" nodes with cert-manager and trust-manager deployed with PDBs, I was able to drain node 1 and see the node 1 Pods rescheduled to node 2:

$ kubectl drain kind-worker --ignore-daemonsets --delete-emptydir-data
node/kind-worker cordoned
Warning: ignoring DaemonSet-managed Pods: kube-system/kindnet-7hdl6, kube-system/kube-proxy-t8s8h
evicting pod venafi/trust-manager-54dbf9c6c-9p5ns
evicting pod venafi/cert-manager-cainjector-7d77c9dbb9-6rfjw
evicting pod venafi/cert-manager-7d8db8dc5d-wff2z
evicting pod venafi/cert-manager-webhook-b5f7b7977-n7p7j
pod/cert-manager-7d8db8dc5d-wff2z evicted
pod/trust-manager-54dbf9c6c-9p5ns evicted
pod/cert-manager-cainjector-7d77c9dbb9-6rfjw evicted
pod/cert-manager-webhook-b5f7b7977-n7p7j evicted
node/kind-worker drained

Then I attempted to drain node 2 and saw that it was blocked until I uncordoned node 1:

$ kubectl drain kind-worker2 --ignore-daemonsets --delete-emptydir-data
node/kind-worker2 cordoned
Warning: ignoring DaemonSet-managed Pods: kube-system/kindnet-7tcnd, kube-system/kube-proxy-6w9n2
evicting pod venafi/cert-manager-7d8db8dc5d-c8rvp
evicting pod venafi/cert-manager-webhook-b5f7b7977-xmhzk
evicting pod venafi/cert-manager-cainjector-7d77c9dbb9-2fc9j
evicting pod venafi/cert-manager-7d8db8dc5d-56vvt
evicting pod venafi/trust-manager-54dbf9c6c-zvggr
evicting pod venafi/trust-manager-54dbf9c6c-5pngb
evicting pod venafi/cert-manager-cainjector-7d77c9dbb9-fwkfm
evicting pod venafi/cert-manager-webhook-b5f7b7977-cwmz6
evicting pod venafi/cert-manager-webhook-b5f7b7977-dljlg
error when evicting pods/"cert-manager-cainjector-7d77c9dbb9-fwkfm" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
error when evicting pods/"cert-manager-7d8db8dc5d-56vvt" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
error when evicting pods/"cert-manager-webhook-b5f7b7977-xmhzk" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
error when evicting pods/"trust-manager-54dbf9c6c-zvggr" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
pod/cert-manager-webhook-b5f7b7977-cwmz6 evicted
pod/cert-manager-cainjector-7d77c9dbb9-2fc9j evicted
pod/cert-manager-7d8db8dc5d-c8rvp evicted
pod/trust-manager-54dbf9c6c-5pngb evicted
pod/cert-manager-webhook-b5f7b7977-dljlg evicted
evicting pod venafi/cert-manager-cainjector-7d77c9dbb9-fwkfm
error when evicting pods/"cert-manager-cainjector-7d77c9dbb9-fwkfm" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
evicting pod venafi/cert-manager-webhook-b5f7b7977-xmhzk
evicting pod venafi/cert-manager-7d8db8dc5d-56vvt
error when evicting pods/"cert-manager-7d8db8dc5d-56vvt" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
error when evicting pods/"cert-manager-webhook-b5f7b7977-xmhzk" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
evicting pod venafi/trust-manager-54dbf9c6c-zvggr
error when evicting pods/"trust-manager-54dbf9c6c-zvggr" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
evicting pod venafi/cert-manager-cainjector-7d77c9dbb9-fwkfm
error when evicting pods/"cert-manager-cainjector-7d77c9dbb9-fwkfm" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
evicting pod venafi/cert-manager-7d8db8dc5d-56vvt
evicting pod venafi/cert-manager-webhook-b5f7b7977-xmhzk
error when evicting pods/"cert-manager-webhook-b5f7b7977-xmhzk" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
error when evicting pods/"cert-manager-7d8db8dc5d-56vvt" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
evicting pod venafi/trust-manager-54dbf9c6c-zvggr
error when evicting pods/"trust-manager-54dbf9c6c-zvggr" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
evicting pod venafi/cert-manager-cainjector-7d77c9dbb9-fwkfm
evicting pod venafi/cert-manager-webhook-b5f7b7977-xmhzk
evicting pod venafi/cert-manager-7d8db8dc5d-56vvt
error when evicting pods/"cert-manager-webhook-b5f7b7977-xmhzk" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
evicting pod venafi/trust-manager-54dbf9c6c-zvggr
error when evicting pods/"trust-manager-54dbf9c6c-zvggr" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
pod/cert-manager-cainjector-7d77c9dbb9-fwkfm evicted
pod/cert-manager-7d8db8dc5d-56vvt evicted
evicting pod venafi/cert-manager-webhook-b5f7b7977-xmhzk
evicting pod venafi/trust-manager-54dbf9c6c-zvggr
pod/cert-manager-webhook-b5f7b7977-xmhzk evicted
pod/trust-manager-54dbf9c6c-zvggr evicted
node/kind-worker2 drained

Signed-off-by: Richard Wall <richard.wall@venafi.com>
@jetstack-bot jetstack-bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 28, 2024
@wallrj wallrj changed the title WIP: Production readiness Helm chart tweaks Production readiness Helm chart tweaks Feb 28, 2024
@jetstack-bot jetstack-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 28, 2024
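
The drain sequence reported in the testing notes above can be reproduced with a small model of the check the eviction API applies against a PodDisruptionBudget. This is an added example, not code from the PR or the trust-manager chart; the two replicas, the `minAvailable: 1` budget and the node names are assumptions, since the PR does not show the PDB spec.

```python
from dataclasses import dataclass, field


@dataclass
class Cluster:
    # Assumed for illustration: replicaCount=2 and a PDB with minAvailable=1.
    min_available: int = 1
    schedulable: dict = field(default_factory=lambda: {"node1": True, "node2": True})
    # One entry per replica: the node it runs on, or None while Pending.
    pods: list = field(default_factory=lambda: ["node1", "node2"])

    def healthy(self):
        # Simplification: a scheduled pod counts as Ready immediately.
        return sum(1 for n in self.pods if n is not None)

    def disruptions_allowed(self):
        # The eviction API admits an eviction only while this is > 0.
        return max(0, self.healthy() - self.min_available)

    def schedule_pending(self):
        free = [n for n, ok in self.schedulable.items() if ok]
        for i, n in enumerate(self.pods):
            if n is None and free:
                self.pods[i] = free[0]

    def drain(self, node):
        """Cordon the node, try to evict its pods, return evictions refused."""
        self.schedulable[node] = False
        blocked = 0
        for i, n in list(enumerate(self.pods)):
            if n != node:
                continue
            if self.disruptions_allowed() > 0:
                self.pods[i] = None      # evicted; the Deployment replaces it
                self.schedule_pending()  # stays Pending if every node is cordoned
            else:
                blocked += 1             # "would violate the pod's disruption budget"
        return blocked

    def uncordon(self, node):
        self.schedulable[node] = True
        self.schedule_pending()


def replay():
    c = Cluster()
    first = c.drain("node1")     # replica moves to node2
    second = c.drain("node2")    # replacement is Pending, last replica is protected
    c.uncordon("node1")          # Pending replica schedules and becomes healthy
    third = c.drain("node2")     # the retry now succeeds
    return first, second, third
```

Each `drain` call stands in for one pass of `kubectl drain`, which in practice retries refused evictions every 5 seconds until the budget allows them.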
@SgtCoDFish SgtCoDFish left a comment

/lgtm
/approve

Awesome, thanks Richard!

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Feb 28, 2024
@jetstack-bot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SgtCoDFish

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 28, 2024
@jetstack-bot jetstack-bot merged commit 34bb21e into cert-manager:main Feb 28, 2024
4 checks passed
@wallrj wallrj deleted the pdb-tweaks branch February 28, 2024 17:28