-
Notifications
You must be signed in to change notification settings - Fork 118
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Restart Ironic when certificate is updated #247
Conversation
/assign @dtantsur |
dc4f627
to
824eade
Compare
/test-integration |
824eade
to
6434684
Compare
/test-integration |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this approach will fly, you probably need whatever party orchestrates the containers to restart them.
Yes, I agree that this approach is not an optimal way. However, at the moment, we are needing this feature soon, so a straightforward solution is good to go, IMO. But I think we will need to design a more K8s native solution in the future. |
65f37d3
to
5762b61
Compare
/test-integration |
5762b61
to
fac748c
Compare
Considering that cert-manager can rotate the certificates at any time, without notifications (it just updates the secret), I don't see a better solution than Ironic being able to detect that the certificate changed and reload it, or since it does not support that for now, having a helper script that will cause a restart of Ironic. |
fac748c
to
08325bf
Compare
/test-integration |
08325bf
to
af3e5d3
Compare
/test-integration |
af3e5d3
to
289faf9
Compare
/test-integration |
289faf9
to
a36903e
Compare
/test-integration |
inotify would not work on NFS for example |
prepare-image.sh
Outdated
@@ -2,7 +2,7 @@ | |||
|
|||
set -euxo pipefail | |||
|
|||
dnf install -y python3 python3-requests | |||
dnf install -y python3 python3-requests epel-release |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please make enabling epel conditional on RESTART_CONTAINER_CERTIFICATE_UPDATED, not everyone wants to have it (and it may even conflict with tripleo repos).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dtantsur The environment variable RESTART_CONTAINER_CERTIFICATE_UPDATED can only be set when we run the container, but the package needs to be installed when the image is built. Do you have any ideas how should we handle it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can provide options in Dockerfiles as well
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When we use the image, for example in BMO, we only pull the images from quay.io. We don't rebuild the image using the Dockerfile. In this case, we cannot pick the option that is provided in Dockerfiles.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, you have to rebuild it or publish an alternative image. Or you can only install inotify from EPEL without pulling in anything else.
09:45 <dtantsur> hi folks! I remember long ago it was not recommended to use EPEL with OpenStack repositories. What's the situation now?
10:26 <apevec> dtantsur, the same
a36903e
to
f89efde
Compare
b07feb6
to
81a8868
Compare
/test-integration |
81a8868
to
c5d9d4d
Compare
/test-integration |
c5d9d4d
to
e1e3864
Compare
/test-integration |
e1e3864
to
ca389bd
Compare
/test-integration |
prepare-image.sh
Outdated
@@ -11,6 +11,7 @@ if [[ ! -z ${EXTRA_PKGS_LIST:-} ]]; then | |||
xargs -rtd'\n' dnf --setopt=install_weak_deps=False install -y < /tmp/${EXTRA_PKGS_LIST} | |||
fi | |||
fi | |||
dnf install -y https://download-ib01.fedoraproject.org/pub/epel/8/Everything/x86_64/Packages/i/inotify-tools-3.14-19.el8.x86_64.rpm |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will break once this version is deleted. What you need is to install epel-release but disable the added repo via dnf (dnf config-manager --set-disabled epel
or something like that). Then you can use --enablerepo=epel
when installing inotify-tools specifically.
ca389bd
to
73ee4e1
Compare
/test-integration |
73ee4e1
to
721b2d1
Compare
/test-integration |
721b2d1
to
0e0a584
Compare
/test-integration |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dtantsur, namnx228 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Use IPv6-friendly URLs for CoreOS
When the TLS certificate is updated, Ironic will reload (or restart) to get the new certificate.