Bug 1751147: operator: restart the operator pod on trusted-ca-bundle change #194
Conversation
|
@stlaz: This pull request references Bugzilla bug 1751147, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
bugzilla/valid-bug
|
/hold |
openshift-ci-robot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
Introduces the watchdog for operator deployment so that there is a mechanism which guards changes to the trusted-ca-bundle CM and these are refetched by having the operator pod restart.
stlaz
force-pushed
the
refetch_system_trust
branch
from
41673eb to
3915c83
Compare
|
@stlaz: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
enj
left a comment
enj
left a comment
There was a problem hiding this comment.
Mostly looks fine but needs a review from someone more familiar with the watch dog code.
|
|
||
| rt, err := transportFor("", caData, nil, nil) | ||
| // FIXME: this reads too often, either always merge system-trust store in transportForInner or keep this in memory | ||
| systemCaData, _ := ioutil.ReadFile("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem") |
There was a problem hiding this comment.
Read the file once in an init block and store in var. You will get restarted anyway when it changes.
There was a problem hiding this comment.
Also this does assume a newline at the end of the first byte slice.
| terminationMessagePolicy: FallbackToLogsOnError | ||
| resources: | ||
| requests: | ||
| memory: 50Mi |
|
It seems that the watchdog is actually wired inside the code already which I did not know. Superseeded by #195 |
3 participants
Introduces the watchdog for operator deployment so that there is
a mechanism which guards changes to the trusted-ca-bundle CM and
these are refetched by having the operator pod restart.
cc @enj @sttts