Avoid sylva-units reconciliation caused by cluster-public-endpoint valuesFrom entry

What does this MR do and why?

  • Remove the cluster-public-endpoint optional valuesFrom entry from environment-values/base/sylva-units-release.yaml
  • Remove the cluster_public_endpoint value from bootstrap.values.yaml, and its schema definition in schema files
  • Update adjust_mgmt_kubeconfig to read CLUSTER_PUBLIC_ENDPOINT directly from the cluster-public-endpoint ConfigMap instead of sylva-units-values secret

Investigation and discussion summary:

Logs showed that at install time, the cluster-public-endpoint ConfigMap didn't exist yet, so the value was missing from Flux's config. ~30 minutes later, libvirt-metal created that ConfigMap; Flux detected a config change and triggered an unwanted second upgrade of sylva-units.

  • First idea: Remove the ConfigMap reference using inject_bootstrap_values() in the bootstrap script.
  • @feleouet rejected this - we need to simplify those scripts, not add more logic.
  • Second idea: Keep the ConfigMap in the libvirt-metal chart but remove it from sylva-units valuesFrom.
  • @feleouet's preferred solution: Produce the ConfigMap directly in the management cluster so it never exists in bootstrap, eliminating the drift entirely.

The earlier MR that was reverted !2881 (merged)

  • While investigating, @feleouet rediscovered a past MR (!2881 (merged)) that had previously removed cluster_public_endpoint from the values, but it was reverted after causing pipeline failures.
  • Key finding: cluster_public_endpoint is actually not used by the management cluster at all; it's only used in common.sh to get the management cluster's API endpoint in libvirt-metal.
  • The earlier revert may have been unnecessary - the pipeline failures might be due to an unrelated Kubernetes backend issue during a rolling update, not the cluster_public_endpoint removal.

Agreed final approach:

  • Remove cluster-public-endpoint from sylva-units HelmRelease valuesFrom (and from schema).
  • Keep the ConfigMap itself (still created in bootstrap, copied to management cluster).
  • Update adjust_mgmt_kubeconfig to read CLUSTER_PUBLIC_ENDPOINT directly from the ConfigMap instead of from the sylva-units-values secret.

closes #3924 (closed) (Issue is being discussed here)

Test coverage

CI configuration

Below you can choose test deployment variants to run in this MR's CI.


Legend:

| Icon | Meaning | Available values |
|------|---------|------------------|
| ☁️ | Infra Provider | capd, capo, capm3 |
| 🚀 | Bootstrap Provider | kubeadm (alias kadm), rke2, okd, ck8s |
| 🐧 | Node OS | ubuntu, suse, na, leapmicro |
| 🛠️ | Deployment Options | Deployment option list and description |
| 🎬 | Pipeline Scenarios | Available scenario list and description |
| 🟢 | Enabled units | Any available units name, by default apply to management and workload cluster. Can be prefixed by mgmt: or wkld: to be applied only to a specific cluster type |
| 🔴 | Disabled units | Any available units name, by default apply to management and workload cluster. Can be prefixed by mgmt: or wkld: to be applied only to a specific cluster type |
| 🏗️ | Target platform | Can be used to select specific deployment environment. Available platform list and description |

  • 🎬 preview ☁️ capd 🚀 kadm 🐧 ubuntu
  • 🎬 preview ☁️ capo 🚀 rke2 🐧 suse
  • 🎬 preview ☁️ capm3 🚀 rke2 🐧 ubuntu
  • ☁️ capd 🚀 kadm 🛠️ light-deploy 🐧 ubuntu
  • ☁️ capd 🚀 rke2 🛠️ light-deploy 🐧 suse
  • ☁️ capo 🚀 rke2 🐧 suse
  • ☁️ capo 🚀 rke2 🐧 leapmicro
  • ☁️ capo 🚀 kadm 🐧 ubuntu
  • ☁️ capo 🚀 kadm 🐧 ubuntu 🟢 neuvector,mgmt:harbor
  • ☁️ capo 🚀 rke2 🎬 rolling-update 🛠️ ha 🐧 ubuntu
  • ☁️ capo 🚀 kadm 🎬 wkld-k8s-upgrade 🐧 ubuntu
  • ☁️ capo 🚀 rke2 🎬 rolling-update-no-wkld 🛠️ ha 🐧 suse
  • ☁️ capo 🚀 rke2 🎬 sylva-upgrade 🛠️ ha 🐧 ubuntu
  • ☁️ capo 🚀 rke2 🎬 sylva-upgrade-from-1.6.x 🛠️ ha,misc 🐧 ubuntu
  • ☁️ capo 🚀 rke2 🛠️ ha,misc 🐧 ubuntu
  • ☁️ capo 🚀 rke2 🛠️ misc 🐧 ubuntu 🟢 mgmt:harbor 🔴 neuvector
  • ☁️ capo 🚀 rke2 🛠️ ha,misc,openbao 🐧 suse
  • ☁️ capo 🚀 rke2 🐧 suse 🎬 upgrade-from-prev-tag
  • ☁️ capm3 🚀 rke2 🐧 suse
  • ☁️ capm3 🚀 kadm 🐧 ubuntu
  • ☁️ capm3 🚀 ck8s 🐧 ubuntu
  • ☁️ capm3 🚀 kadm 🎬 rolling-update-no-wkld 🛠️ ha,misc 🐧 ubuntu
  • ☁️ capm3 🚀 rke2 🎬 wkld-k8s-upgrade 🛠️ ha 🐧 suse
  • ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 ubuntu
  • ☁️ capm3 🚀 rke2 🎬 upgrade-from-prev-release-branch 🛠️ ha 🐧 suse
  • ☁️ capm3 🚀 rke2 🛠️ misc,ha 🐧 suse
  • ☁️ capm3 🚀 rke2 🎬 sylva-upgrade 🛠️ ha,misc 🐧 suse
  • ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 suse
  • ☁️ capm3 🚀 ck8s 🎬 rolling-update 🛠️ ha 🐧 ubuntu
  • ☁️ capm3 🚀 rke2|okd 🎬 no-update 🐧 ubuntu|na
  • ☁️ capm3 🚀 rke2 🐧 suse 🎬 upgrade-from-release-1.5
  • ☁️ capm3 🚀 rke2 🐧 suse 🎬 upgrade-to-main

Global config for deployment pipelines

  • autorun pipelines

  • allow failure on pipelines

  • record sylvactl events

Notes:

  • Enabling autorun will make deployment pipelines run automatically without human interaction.
  • Disabling allow failure will make deployment pipelines mandatory for pipeline success.
  • If both autorun and allow failure are disabled, deployment pipelines will need manual triggering but will block the pipeline.

Be aware: after a configuration change, the pipeline is not triggered automatically. Please run it manually (by clicking the run pipeline button in the Pipelines tab) or push new code.

Edited by Priya Goyal
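
The agreed approach has adjust_mgmt_kubeconfig read CLUSTER_PUBLIC_ENDPOINT straight from the cluster-public-endpoint ConfigMap. The sketch below is an added example, not code from this MR or from the Sylva repository; it goes slightly beyond the description by also handling the case seen in the logs, where the ConfigMap does not exist yet when it is first read. The function name, the namespace default and the data key are assumptions.

```shell
# Added example, not the project's code. Values marked "assumed" are not from the MR.
CM_NAME="cluster-public-endpoint"        # ConfigMap name, as given in the MR
CM_NAMESPACE="${CM_NAMESPACE:-default}"  # assumed placeholder namespace
CM_KEY="${CM_KEY:-endpoint}"             # assumed key under .data

# Print the endpoint stored in the ConfigMap, retrying while it is absent.
# $1 = maximum attempts (default 30), $2 = seconds between attempts (default 10)
# Returns 0 on success, 1 if the value never appears, 2 if the value is malformed.
read_cluster_public_endpoint() {
    attempts="${1:-30}"
    delay="${2:-10}"
    i=1
    while [ "$i" -le "$attempts" ]; do
        if value=$(kubectl get configmap "$CM_NAME" -n "$CM_NAMESPACE" \
                       -o "jsonpath={.data.$CM_KEY}" 2>/dev/null) && [ -n "$value" ]; then
            # The value ends up in a kubeconfig, so accept only a single
            # whitespace-free token and fail loudly on anything else.
            case "$value" in
                *[[:space:]]*)
                    echo "invalid endpoint value in ConfigMap $CM_NAME" >&2
                    return 2
                    ;;
            esac
            printf '%s\n' "$value"
            return 0
        fi
        i=$((i + 1))
        if [ "$i" -le "$attempts" ]; then
            sleep "$delay"
        fi
    done
    echo "ConfigMap $CM_NAME key $CM_KEY not available after $attempts attempts" >&2
    return 1
}
```

A caller would use it as `CLUSTER_PUBLIC_ENDPOINT=$(read_cluster_public_endpoint) || exit 1`, so a missing or malformed ConfigMap stops the script instead of producing a kubeconfig with an empty server address.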
