helm: use Helm hooks instead of Job unique name #23102
Conversation
Thanks for the PR, I did some local testing and this seems to work nicely!
For anyone curious how this works: because the job is a hook, Helm will not treat it as part of the release. Any existing job will be removed by Helm on the next upgrade or install, thanks to the default value of `"helm.sh/hook-delete-policy": before-hook-creation`.
Could you also update the clustermesh certificate generation? Thanks
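For readers unfamiliar with the mechanism, here is a minimal sketch of a hook-managed Job. The resource name, image, and command are illustrative placeholders, not the chart's actual contents; only the two annotations reflect the behavior described above:

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  # Illustrative name; the real chart uses its own naming.
  name: example-generate-certs
  annotations:
    # Run this Job as a hook on both install and upgrade.
    "helm.sh/hook": post-install,post-upgrade
    # Delete any Job left over from a previous release before creating
    # the new one, so the immutable Job spec never causes a patch conflict.
    "helm.sh/hook-delete-policy": before-hook-creation
spec:
  template:
    spec:
      restartPolicy: OnFailure
      containers:
        - name: generate-certs
          image: example.invalid/certgen:latest  # placeholder image
          command: ["/usr/bin/certgen"]          # placeholder command
```

Because the hook Job is not part of the release, Helm never tries to patch it in place, which is what the old checksum-naming scheme was working around.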
cilium/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml
Lines 2 to 10 in d914e6c

```yaml
{{/*
Because Kubernetes job specs are immutable, Helm will fail to patch this job if
the spec changes between releases. To avoid breaking the upgrade path, we
generate a name for the job here which is based on the checksum of the spec.
This will cause the name of the job to change if its content changes,
and in turn cause Helm to delete the old job and replace it with a new one.
*/}}
{{- $jobSpec := include "clustermesh-apiserver-generate-certs.job.spec" . -}}
{{- $checkSum := $jobSpec | sha256sum | trunc 10 -}}
```

The Hubble certificate job uses the same pattern (the same explanatory comment, followed by):

```yaml
{{- $jobSpec := include "hubble-generate-certs.job.spec" . -}}
{{- $checkSum := $jobSpec | sha256sum | trunc 10 -}}
```
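With the hook approach this PR introduces, the checksum-derived name becomes unnecessary. A hedged sketch of what the template head could look like afterwards (the name and annotation values are assumed from the discussion, not copied from the final chart):

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  # A stable name is fine now: the hook-delete-policy removes any
  # previous Job before the new hook Job is created.
  name: hubble-generate-certs
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation
```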
Ah, noticed too late. Please also remove this line, since it's not used anymore. And we can probably inline `$jobSpec` too, now that there is only one use.
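The suggested inlining would look something like the following sketch, assuming the one remaining use of `$jobSpec` is the checksum computation quoted earlier (the exact template name and remaining use come from the chart, not from this comment):

```yaml
{{/* Inline the spec lookup, since $jobSpec has no other uses. */}}
{{- $checkSum := include "hubble-generate-certs.job.spec" . | sha256sum | trunc 10 -}}
```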
Done.
@gandro Thanks for your review. I've addressed your comments. Back to you!
Done.
Done.
Thanks!
I've started the first stage CI. Let's also ensure that we get reviews from sig-k8s.
/test

Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed. If it is a flake and a GitHub issue doesn't already exist to track it, comment.

Job 'Cilium-PR-K8s-1.25-kernel-4.19' failed. If it is a flake and a GitHub issue doesn't already exist to track it, comment.
Thanks @sathieu nice cleanup!
install/kubernetes/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml
As far as I understand, no. At least not as long as …
This PR has 3 approvals, but CI is failing for an unrelated reason. Is anything missing to merge?
@sathieu Looks like some image pull backoff issues in k8s testing. It's been a couple of weeks since the CI images were built, so they have probably just expired. I'm just going to rerun the tests.
/test
@tommyp1ckles Note that command doesn't rerun the image builds. You need to do that manually (I will).
See https://helm.sh/docs/topics/charts_hooks/. Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Signed-off-by: Mathieu Parent <mathieu.parent@insee.fr>
@sathieu Was there a merge conflict forcing the rebase? JFYI, we need to rerun the full test suite after each rebase.
/test
@pchaigno Sorry, I added a commit for #23102 (comment), and rebased for a clean history. I thought a merge would require a /retest too...
Looks like the k8s-1.26-kernel-net-next CI run hit #20723
/test-1.26-net-next

/ci-l4lb

/ci-verifier
@kaworu Please provide a rationale when restarting tests. We want to ensure that we don't miss new flakes (i.e., that we create flake issues as soon as the flakes are discovered).
@pchaigno Both ci-l4lb and ci-verifier were stuck in a pending "waiting" state and didn't report anything. I was assuming they didn't run at all, but is there any way to get more info?
Ok, probably some blip caused the job triggering to fail for those. Still good to mention it, so the TopHat doesn't get scared when they see a lot of reruns 😸
Unfortunately, it's not in 1.13.0. Any chance to have this backported?
Seems safe enough to backport to v1.13, @gandro do you agree?
I'd like to avoid such changes in patch releases; there is the potential danger of it breaking people's workflows (e.g. if they manually use …). Since this is not a bugfix, I don't think it satisfies the Backport Criteria for the Current Minor Release.
Without this, ArgoCD (and other GitOps tools) think there is a diff.
See https://helm.sh/docs/topics/charts_hooks/.