Draft: Simplify kube-job ConfigMap name
What does this MR do and why?
With this MR we:
- Use Flux Kustomization post-build substitution (envsubst) variables in the kube-job ConfigMap name, so that each unit using the kube-job Kustomize path no longer has to patch that ConfigMap name:
```yaml
# kustomize-units/kube-job/job.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ${JOB_NAME}-${JOB_TARGET_NAMESPACE:-sylva-system}${DISCRIMINATOR:-}-cm
```
A recap of the units below shows how repetitive this patching was.
- Adjust all the scripts pushed as `kube-job.sh` contents to cope with kustomize-controller post-build variable substitution. This was needed because enabling post-build substitution for the ConfigMap manifest (dropping its `kustomize.toolkit.fluxcd.io/substitute: disabled` annotation) has the side effect of running envsubst on all the unit scripts. Basically, moving forward, developers would also need to account for this, and it's maybe something we don't want to worry about (though I tend to feel it's acceptable).
The kube-job units we have today (at the state of !2182 (merged)):
- in default chart values:

```yaml
# charts/sylva-units/values.yaml
keycloak-add-client-scope:
  :
  kustomization_spec:
    path: ./kustomize-units/kube-job
    wait: true
    force: true
    postBuild:
      substitute:
        JOB_NAME: keycloak-add-client-scope-job
        JOB_TARGET_NAMESPACE: keycloak
        RUNASUSER: '10000'
        RUNASGROUP: '10000'
    _patches:
      :
      - target:
          kind: ConfigMap
        patch: |
          - op: replace
            path: /metadata/name
            value: keycloak-add-client-scope-job-keycloak-cm
          - op: replace
            path: /data/kube-job.sh
            value: |
          {{ .Files.Get "scripts/keycloak-add-client-scope.sh" | indent 4 }}
keycloak-add-truststore:
  :
  kustomization_spec:
    path: ./kustomize-units/kube-job
    wait: true
    force: true
    postBuild:
      substitute:
        JOB_NAME: keycloak-add-truststore-job
        JOB_TARGET_NAMESPACE: keycloak
        CERTIFICATE_NAMESPACE: keycloak
    _components:
      - "../tls-components/sylva-ca"
    _patches:
      :
      - target:
          kind: ConfigMap
        patch: |
          - op: replace
            path: /metadata/name
            value: keycloak-add-truststore-job-keycloak-cm
          - op: replace
            path: /data/kube-job.sh
            value: |
          {{ .Files.Get "scripts/keycloak-add-truststore.sh" | indent 4 }}
cluster-machines-ready:
  :
  repo: sylva-core
  kustomization_spec:
    path: ./kustomize-units/kube-job
    wait: true
    force: true
    postBuild:
      substitute:
        JOB_NAME: cluster-machines-ready
        JOB_TARGET_NAMESPACE: '{{ .Release.Namespace }}'
        JOB_CHECKSUM: '{{ .Values | toJson | sha256sum }}'
    _patches:
      :
      - target:
          kind: ConfigMap
        patch: |
          - op: replace
            path: /metadata/name
            value: cluster-machines-ready-{{ .Release.Namespace }}-{{ .Release.Revision }}-cm # needs to match the ConfigMap names used in the Job manifest container volume
os-images-info:
  :
  kustomization_spec:
    path: ./kustomize-units/kube-job
    force: true
    postBuild:
      substitute:
        JOB_NAME: create-image-info
        JOB_TARGET_NAMESPACE: '{{ .Release.Namespace }}'
        JOB_CHECKSUM: '{{ .Values._internal.os_images_info_input_hash }}'
    _patches:
      :
      - target:
          kind: ConfigMap
        patch: >-
          - op: replace
            path: /metadata/name
            value: create-image-info-{{ .Release.Namespace }}-cm
          - op: replace
            path: /data/kube-job.sh
            value: |
          {{ .Files.Get "scripts/create-os-images-info.sh" | indent 4 }}
root-dependency:
  :
  kustomization_spec:
    path: ./kustomize-units/kube-job
    wait: true
    force: true
    postBuild:
      substitute:
        JOB_NAME: root-dependency-check
        DISCRIMINATOR: '-{{ .Release.Revision }}' # needed to ensure that resources are distinct between root-dependency-<n> and root-dependency-<n+1>
        JOB_TARGET_NAMESPACE: '{{ .Release.Namespace }}'
        JOB_CHECKSUM: '{{ .Release.Revision }}'
        RUNASUSER: '10000'
        RUNASGROUP: '10000'
    _patches:
      :
      - target:
          kind: ConfigMap
        patch: |
          - op: replace
            path: /metadata/name
            value: root-dependency-check-{{ .Release.Namespace }}-{{ .Release.Revision }}-cm
```
plus the cluster-creator-login unit, which is a superset of kube-job:

```yaml
cluster-creator-login:
  :
  kustomization_spec:
    path: ./kustomize-units/cluster-creator-login
    wait: false
    force: true
    postBuild:
      substitute:
        JOB_NAME: cluster-creator-login
        JOB_TARGET_NAMESPACE: flux-system
        JOB_CHECKSUM: '{{ .Values | toJson | sha256sum }}'
```

```console
$ cat kustomize-units/cluster-creator-login/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../kube-job
  - role.yaml
  - cluster-creator-global-role.yaml
patches:
  - path: delete-kube-job-cm.yaml
configMapGenerator:
  - name: '${JOB_NAME}-${JOB_TARGET_NAMESPACE:-sylva-system}-cm'
    namespace: kube-job
    options:
      disableNameSuffixHash: true
    files:
      - kube-job.sh=cluster-creator-login.sh
```
- in bootstrap cluster values:

```yaml
# charts/sylva-units/bootstrap.values.yaml
management-cluster-configs:
  :
  kustomization_spec:
    # FIXME: This is very hacky, we should use an ad-hoc kustomization instead of this job to re-create configmap and secrets on management cluster
    path: ./kustomize-units/kube-job
    wait: true
    force: true
    postBuild:
      substitute:
        JOB_NAME: copy-configs-job
        JOB_CHECKSUM: '{{ .Values | toJson | sha256sum }}'
        JOB_TARGET_NAMESPACE: sylva-system
    _patches:
      - target:
          kind: ConfigMap
        patch: |
          - op: replace
            path: /metadata/name
            value: copy-configs-job-sylva-system-cm
pivot:
  :
  kustomization_spec:
    path: ./kustomize-units/kube-job
    wait: true
    force: true
    postBuild:
      substitute:
        JOB_NAME: pivot-job
        JOB_TARGET_NAMESPACE: sylva-system
    # change to ClusterRole because the `pivot` unit's pivot-job-sa SA is required to access
    # the cluster-wide CRD resources in order to move CAPI objects to management cluster
    _patches:
      :
      - target:
          kind: ConfigMap
        patch: |
          - op: replace
            path: /metadata/name
            value: pivot-job-sylva-system-cm
```
All of the ConfigMap name values set by the Json6902 `replace` patches fit in the `${JOB_NAME}-${JOB_TARGET_NAMESPACE:-sylva-system}${DISCRIMINATOR:-}-cm` expression.
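To make that claim checkable, and to show what the substitution side effect on `kube-job.sh` looks like, here is an added example (my own code, not sylva-core's or Flux's). It models only the `${VAR}`, `$VAR` and `${VAR:-default}` forms, which is a subset of the envsubst grammar the kustomize-controller uses, and it assumes an undefined variable expands to an empty string; `.Release.Namespace` = `sylva-system` and `.Release.Revision` = `3` are constructed sample values. With the substitute maps exactly as shown above, every unit yields its hard-coded name except cluster-machines-ready, whose patched name carries `-{{ .Release.Revision }}` and therefore only matches if that unit also sets `DISCRIMINATOR: '-{{ .Release.Revision }}'` the way root-dependency does.

```python
import re

# ConfigMap name expression from kustomize-units/kube-job/job.yaml (this MR)
CM_NAME_EXPR = "${JOB_NAME}-${JOB_TARGET_NAMESPACE:-sylva-system}${DISCRIMINATOR:-}-cm"

# ${NAME}, ${NAME:-default} and bare $NAME: a subset of what Flux's envsubst accepts (assumption)
_VAR_RE = re.compile(
    r"\$(?:\{(?P<name>[A-Za-z_]\w*)(?::-(?P<default>[^}]*))?\}|(?P<bare>[A-Za-z_]\w*))"
)


def substitute(text, variables):
    """Expand references the way the post-build step is assumed to behave:
    known names are replaced, ${X:-d} falls back to d, anything else becomes ''."""
    def repl(m):
        name = m.group("name") or m.group("bare")
        if name in variables:
            return variables[name]
        if m.group("default") is not None:
            return m.group("default")
        return ""  # assumption: undefined variable expands to empty string
    return _VAR_RE.sub(repl, text)


def references(text):
    """Every substring the substitution step would rewrite; handy to lint a kube-job.sh."""
    return [m.group(0) for m in _VAR_RE.finditer(text)]


# Substitute maps from the units above, after Helm rendering with the constructed values
# .Release.Namespace = "sylva-system" and .Release.Revision = "3", paired with the name each
# unit's Json6902 patch hard-codes today (for cluster-creator-login: the generator's name).
NS, REV = "sylva-system", "3"
UNITS = {
    "keycloak-add-client-scope": (
        {"JOB_NAME": "keycloak-add-client-scope-job", "JOB_TARGET_NAMESPACE": "keycloak"},
        "keycloak-add-client-scope-job-keycloak-cm"),
    "keycloak-add-truststore": (
        {"JOB_NAME": "keycloak-add-truststore-job", "JOB_TARGET_NAMESPACE": "keycloak"},
        "keycloak-add-truststore-job-keycloak-cm"),
    "cluster-machines-ready": (
        {"JOB_NAME": "cluster-machines-ready", "JOB_TARGET_NAMESPACE": NS},
        f"cluster-machines-ready-{NS}-{REV}-cm"),
    "os-images-info": (
        {"JOB_NAME": "create-image-info", "JOB_TARGET_NAMESPACE": NS},
        f"create-image-info-{NS}-cm"),
    "root-dependency": (
        {"JOB_NAME": "root-dependency-check", "JOB_TARGET_NAMESPACE": NS,
         "DISCRIMINATOR": f"-{REV}"},
        f"root-dependency-check-{NS}-{REV}-cm"),
    "cluster-creator-login": (
        {"JOB_NAME": "cluster-creator-login", "JOB_TARGET_NAMESPACE": "flux-system"},
        "cluster-creator-login-flux-system-cm"),
    "management-cluster-configs": (
        {"JOB_NAME": "copy-configs-job", "JOB_TARGET_NAMESPACE": "sylva-system"},
        "copy-configs-job-sylva-system-cm"),
    "pivot": (
        {"JOB_NAME": "pivot-job", "JOB_TARGET_NAMESPACE": "sylva-system"},
        "pivot-job-sylva-system-cm"),
}


def check_units(units=UNITS):
    """Map each unit to (name the expression yields, whether it equals the patched name)."""
    result = {}
    for unit, (variables, wanted) in units.items():
        name = substitute(CM_NAME_EXPR, variables)
        result[unit] = (name, name == wanted)
    return result


def mismatches(units=UNITS):
    """Units whose patched name the expression does not reproduce as-is."""
    return sorted(u for u, (_, ok) in check_units(units).items() if not ok)


# Constructed kube-job.sh fragment. Once the ConfigMap loses the substitute: disabled
# annotation, the same pass rewrites references inside the script, including runtime
# shell variables such as $HOME that no unit ever sets in postBuild.substitute.
SCRIPT = (
    'kubectl -n "$JOB_TARGET_NAMESPACE" get configmap "${JOB_NAME}-cm"\n'
    'echo "home dir: $HOME"\n'
    'exit ${EXIT_CODE:-0}\n'
)


def pushed_script(variables=None):
    """What the Job actually runs after post-build substitution of SCRIPT (pivot's vars by default)."""
    return substitute(SCRIPT, UNITS["pivot"][0] if variables is None else variables)


if __name__ == "__main__":
    for unit, (name, ok) in check_units().items():
        print(f"{'ok ' if ok else 'NOK'} {unit:28s} {name}")
    print("rewritten by substitution:", references(SCRIPT))
    print(pushed_script())
```

Running `references()` over each `scripts/*.sh` before dropping the annotation lists exactly the `$` tokens a developer has to review: the ones meant to receive a `postBuild.substitute` value, and the ones that were meant for the shell at runtime and now need rewriting.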
The only tricky point was the previous deletion of the kube-job Kustomize path ConfigMap (`kustomize-units/kube-job/job.yaml`) done in `kustomize-units/cluster-creator-login/delete-kube-job-cm.yaml`, which is now dropped in favor of overloading `kustomize-units/kube-job/job.yaml` through the `kustomize-units/cluster-creator-login/kustomization.yaml` configMapGenerator with `behavior: merge`. Since post-build substitution runs after `kustomize build`, the merge matches on the literal, unsubstituted name, so the generator's `name:` has to carry exactly the same `${...}` expression as `job.yaml`, `${DISCRIMINATOR:-}` included.