[patch] enable tactical SAAS_MODE and override_dns_cis_flags_to_false fixes in suite-dns role #289
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
relax-files identified by path relative to root dir
…a file, replacing need for the relax-list
This reverts commit bb1a113.
(includes ansible-devops and python-devops fixes for 6.0.0 release)
tomklapiscak
changed the title
rbinns
approved these changes
Apr 17, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
https://jsw.ibm.com/browse/MASCORE-6361
This PR includes 2 tactical fixes for the rollout of gitops:6.0.0 to address rate limit problems encountered in the suite-dns Job
single edge certificate via SAAS_MODE hostname template
SAAS_MODEenv var is set to true before running suite-dns role - see [patch] fix suite-dns edge certs logic & remove redundant HTTP call ansible-devops#1714 for details. That PR also resolves an issue whereby edge certs would be reordered even whenoverride_edge_certs: false.override_dns_cis_flags_to_false
dns.cisupdate_dns_entries,override_edge_certsanddelete_wildcardsare set to false during >=6.0.0 rollout. This is because >=6.0.0 (necessarily) forces a re-run of the suite-dns Job for all existing MAS instances. If these flags are true when this happens, a new edge cert would be ordered for every MAS instance (which would easily hit the 50 certs / week LE limit, and each run of the suite-dns job would make ~60 unnecessary calls to the CIS HTTP API (which would cause us to repeatedly hit the per IP 100 req / minute rate limit imposed by CIS). This achieved by the introduction of a newoverride_dns_cis_flags_to_falseflag on the root manfiest. Whentruethe dns.cis flags will be forced to false, regardless of envionment configuration. The intention is to actually update these values in the env config post 6.0.0, at which point theoverride_dns_cis_flags_to_falsecan (and should) be removed from the root app manifest.Also pulls in a change from ansible-devops that removes an unnecessary PATCH call made to CIS API that was adding 70 calls each time the suite-dns job ran. See ibm-mas/ansible-devops#1700
Testing
SAAS_MODE: True
Set on suite-dns job:
SaaS-specific edge cert hostnames loaded:
override_dns_cis_flags_to_false flag
No flag set on root manifest:
dns.cis flags set according to env config on syncjobs app:
flag set to false on root manifest:
dns.cis flags set according to env config on syncjobs app:
flag set to true on root manifest:
dns.cis flags ignore env config and are forced to false on syncjobs app: