on OpenBao/Vault transition, preserve resources (bis)

Related to #3121 (closed)

This is a follow-up to !6096 (merged) which does not do what it intended to do (set prune: false on the Kustomization managing the Vault resource).

Indeed, in release-1.5, the unit managing the Vault resource is not the vault unit (on which !6096 (merged) added prune: false); it's the hashicorp-vault unit.

So we need spec.prune: false on the hashicorp-vault Kustomization.

Now, that "setting spec.prune: false on the hashicorp-vault Kustomization" cannot be done simply by changing this setting in sylva-units values.yaml, because during an upgrade from Sylva 1.5 to main, this unit isn't enabled anymore and hence the Kustomization isn't rendered by the sylva-units Helm chart, so we cannot patch spec.prune via a simple sylva-units Helm chart rendering.

To set spec.prune: false on the hashicorp-vault Kustomization this MR introduces a Helm pre-upgrade hook in sylva-units, that will kubectl patch the hashicorp-vault Kustomization.

In future work, tracked in #TBC, we'll improve this pre-upgrade hook (make it more generic and usable for other Kustomizations, add the ability to play this Job only when needed, etc.).

(note that this MR is not reverting !6096 (merged) because having prune: false on the vault unit is still needed to upgrade from Sylva 1.4 to main/1.6, because in Sylva 1.4, the vault Kustomization is the Kustomization managing the Vault resource)
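As an added illustration (not the MR's own manifest), this is the shape such a Helm pre-upgrade hook can take in the sylva-units chart: a Job that runs kubectl patch to set spec.prune: false on the hashicorp-vault Flux Kustomization before Helm upgrades the release. The Job name, ServiceAccount name, image and the existence check are assumptions; only the Kustomization name and the spec.prune setting come from the MR.

```yaml
# Added example of a Helm pre-upgrade hook Job (not the MR's own manifest).
# Assumed: the Kustomization lives in the release namespace and the chart
# ships a ServiceAccount allowed to get/patch
# kustomizations.kustomize.toolkit.fluxcd.io; the image is a placeholder.
apiVersion: batch/v1
kind: Job
metadata:
  name: preserve-hashicorp-vault-resources      # assumed name
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": pre-upgrade                 # runs before the upgrade is applied
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  backoffLimit: 2
  template:
    spec:
      restartPolicy: Never
      serviceAccountName: sylva-units-hook      # assumed; needs get/patch on kustomizations
      containers:
        - name: kubectl
          image: KUBECTL_IMAGE_PLACEHOLDER      # placeholder, not a real image reference
          env:
            - name: NS
              value: {{ .Release.Namespace | quote }}
          command:
            - /bin/sh
            - -c
            - |
              set -eu
              # Added check: on a fresh install there is no hashicorp-vault
              # Kustomization, so skip instead of failing the hook.
              if kubectl get kustomizations.kustomize.toolkit.fluxcd.io hashicorp-vault -n "$NS" >/dev/null 2>&1; then
                # Disable pruning so Flux keeps the Vault CR and StatefulSet
                # when the unit is no longer managed by this Kustomization.
                kubectl patch kustomizations.kustomize.toolkit.fluxcd.io hashicorp-vault -n "$NS" \
                  --type merge -p '{"spec":{"prune":false}}'
              else
                echo "hashicorp-vault Kustomization not found in $NS, nothing to patch"
              fi
```

The ServiceAccount needs a Role granting get and patch on kustomizations in the kustomize.toolkit.fluxcd.io API group, which is omitted here for brevity.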

Testing

In https://gitlab.com/sylva-projects/sylva-core/-/jobs/12153307679, we see that:

  • the Vault CR is not deleted/recreated
  • the vault StatefulSet is not deleted/recreated
  • #3121 (closed) does not trigger

#3121 (closed) does not trigger on any of the last 4 pipelines (and this dev branch does not include !6125 (merged) which we merged as a mitigation for #3121 (closed))

CI configuration

Below you can choose test deployment variants to run in this MR's CI.


Legend (icon, meaning, available values):

  • ☁️ Infra Provider: capd, capo, capm3
  • 🚀 Bootstrap Provider: kubeadm (alias kadm), rke2, okd, ck8s
  • 🐧 Node OS: ubuntu, suse, na, leapmicro
  • 🛠️ Deployment Options: light-deploy, dev-sources, ha, misc, maxsurge-0, logging, no-logging, cilium
  • 🎬 Pipeline Scenarios: available scenario list and description
  • 🟢 Enabled units: any available unit name; by default applies to both the management and workload cluster. Can be prefixed by mgmt: or wkld: to apply only to a specific cluster type

  • ☁️ capo 🚀 rke2 🎬 sylva-upgrade-no-wkld 🛠️ ha 🐧 suse

  • ☁️ capo 🚀 kadm 🎬 sylva-upgrade-no-wkld 🛠️ ha 🐧 ubuntu

  • ☁️ capm3 🚀 rke2 🎬 sylva-upgrade-no-wkld 🛠️ ha 🐧 suse

  • ☁️ capm3 🚀 kadm 🎬 sylva-upgrade-no-wkld 🛠️ ha 🐧 ubuntu

Global config for deployment pipelines

  • autorun pipelines
  • allow failure on pipelines
  • record sylvactl events

Notes:

  • Enabling autorun will make deployment pipelines run automatically without human interaction
  • Disabling allow failure will make deployment pipelines mandatory for pipeline success.
  • If both autorun and allow failure are disabled, deployment pipelines will need manual triggering but will block the pipeline until they succeed

Be aware: after a configuration change, the pipeline is not triggered automatically. Please run it manually (by clicking the Run pipeline button in the Pipelines tab) or push new code.

Edited by Thomas Morin
