fix: Make sure that namespaces will not be purged #2963
Conversation
|
Hi @keskad. Thanks for your PR. I'm waiting for a jenkins-x or todo member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the jenkins-x/lighthouse repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
https://kubernetes.slack.com/archives/C9MBGQJRH/p1647955769010979 jenkins-x/jx3-versions#2963 Signed-off-by: Damian Kęska <372403+keskad@users.noreply.github.com>
|
I created also an extended proposal: Please say what do you think about the concept. I think if we are deleting resources we need to wear double condoms. Based on docs from: |
|
/hold Needs to be double-tested before merged. |
|
Will extensively test tommorow (24.03.2022) |
|
pain |
|
Source changes were reverted, so this testing was not finalized on that day because of revert. Will get back to it very soon. |
|
Related PR: #2398 Worth considering changing approach to applying changes to the cluster at all, to be more careful. |
|
The main problem in Jenkins-X today is the opposite: Kubernetes resources are not removed when they should due to limitations in I am looking at solving the problem of resources not being removed. When this is in place I think we could making it optional to not delete namespaces. Or maybe do it the other way: Make it optional to support deleting namespaces. |
|
The approach here to not support deleting any cluster resources could certainly give severe unforeseen effects. |
There was an issue reported on Slack: https://kubernetes.slack.com/archives/C9MBGQJRH/p1647955769010979
Generally I think that resources such as namespaces should be excluded from purging.
I upgraded my two clusters and was not able to reproduce the issue.
Possible Scenario
We fixed an issue that some resources were not created because of bug in
jx gitops(see PR: jenkins-x-plugins/jx-gitops#835), so a new resources started appearing - for me ajx-git-operatornamespace was created after cluster upgrade AND IT WAS LOOKING FINE, nothing was deleted.But what if somebody had different labels applied on
jx-git-operator-namespace, maybe older version of Jenkins X? Then freshly creatednamespacemaybe was different from that applied on a cluster and the old one was pruned, so the bootjob stopped and new one had no time to apply?Resolution
Do not prune namespaces, as it is really dangerous, namespaces could be shared with other applications and should not be pruned cluster-wide.
Compromise: We do not prune anymore resources that are cluster scoped (role bindings, namespaces)