Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce on-stemcell-change variable strategy #2460

Merged
merged 1 commit into from Aug 15, 2023
Merged

Introduce on-stemcell-change variable strategy #2460

merged 1 commit into from Aug 15, 2023

Conversation

ystros
Copy link
Contributor

@ystros ystros commented Aug 9, 2023
edited

This commit introduces a new update block under variable declarations, as well as a strategy key underneath it to control when BOSH retrieves the latest version of that variable. This feature allows better control over when new variable versions are rolled out to VMs during a deploy.

Currently, when a manifest is deployed, the BOSH Director will query CredHub for the latest version of each variable in the manifest. This ensures that deployments always use the current configuration stored in CredHub.

This is a problem for being able to automatically rotate certificates - if a new version of a certificate is in CredHub, the deploy will use it. Normally this would be desirable, but since the rotation is done without users taking a direct action, they may not be aware that there are updated certs and thus will be surprised by a longer-than-normal deploy if they have no other changes. Predicting when there's going to be a longer-than-normal deploy is important for strict change / maintenance windows.

The new key on variables has two potential values:

  • on-deploy: BOSH will use the current behavior of looking up the latest variable value on each deploy (default)
  • on-stemcell-change: BOSH will only look up the latest variable value when a deploy is occuring that updates all stemcells for the deployment. If one or more stemcells is not being updated, then BOSH will continue to use the previously deployed value for the variable.

The on-stemcell-change behavior can be overridden by passing the force_latest_variables parameter to the deploy API endpoint. This will ensure that the latest variable value is used, regardless of the variable's declared strategy.

Corresponding docs PR: cloudfoundry/docs-bosh#799

@selzoc @lnguyen
@danielfor @cunnie @ystros
Introduce on-stemcell-change variable strategy
6b40dfc 
This commit introduces a new `update` block under variable declarations,
as well as a `strategy` key underneath it to control when BOSH retrieves
the latest version of that variable. This feature allows better control
over when new variable versions are rolled out to VMs during a deploy.

Currently, when a manifest is deployed, the BOSH Director will query
CredHub for the latest version of each variable in the manifest. This
ensures that deployments always use the current configuration stored in
CredHub.

This is a problem for being able to automatically rotate certificates -
if a new version of a certificate is in CredHub, the deploy will use it.
Normally this would be desirable, but since the rotation is done without
users taking a direct action, they may not be aware that there are
updated certs and thus will be surprised by a longer-than-normal deploy
if they have no other changes. Predicting when there's going to be a
longer-than-normal deploy is important for strict change / maintenance
windows.

The new key on variables has two potential values:
* on-deploy: BOSH will use the current behavior of looking up the latest
  variable value on each deploy (default)
* on-stemcell-change: BOSH will only look up the latest variable value
  when a deploy is occuring that updates all stemcells for the
  deployment. If one or more stemcells is not being updated, then BOSH
  will continue to use the previously deployed value for the variable.

The on-stemcell-change behavior can be overridden by passing the
`force_latest_variables` parameter to the deploy API endpoint. This will
ensure that the latest variable value is used, regardless of the
variable's declared strategy.

Co-authored-by: Long Nguyen <nguyenlo@vmware.com>
Co-authored-by: Daniel Felipe Ochoa <danielfelipo@vmware.com>
Co-authored-by: Brian Cunnie <bcunnie@vmware.com>
Co-authored-by: Brian Upton <bupton@vmware.com>
@ystros ystros mentioned this pull request Aug 9, 2023
Merged
@beyhan beyhan requested review from a team, aramprice, mvach and selzoc and removed request for a team, aramprice and mvach August 10, 2023 14:46
@selzoc selzoc mentioned this pull request Aug 10, 2023
Merged
lnguyen
lnguyen approved these changes Aug 15, 2023
View reviewed changes
Copy link
Member

@lnguyen lnguyen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@selzoc selzoc merged commit 4916eb1 into main Aug 15, 2023
4 checks passed
@selzoc selzoc deleted the on-stemcell-change-spike branch August 15, 2023 16:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@selzoc selzoc selzoc approved these changes

@lnguyen lnguyen lnguyen approved these changes

@aramprice aramprice Awaiting requested review from aramprice

Assignees
No one assigned
Labels
None yet
Projects
Foundational Infrastructure Working Group
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ystros @selzoc @lnguyen