extend activestandby taskimage to safely handle ingresses which have Fastly annotations #2607

Closed
twardnw opened this issue Apr 13, 2021 · 4 comments · Fixed by #3592
Labels
8-automation-helpers Automation, Services & Helpers subsystem enhancement priority-high

Comments

@twardnw
Contributor

twardnw commented Apr 13, 2021

No description provided.

@twardnw twardnw added the 8-automation-helpers Automation, Services & Helpers subsystem label Apr 13, 2021
@shreddedbacon
Member

Just for visibility.

The main thing that would need to be done is have the task search for this label on any ingress objects before it performs the creation of the HostMigration CRD.

dioscuri.amazee.io/migrate=true

Then check if the annotation fastly.amazee.io/watch exists (true and false, the label MUST exist, this is to cover anything that may be disabled for a reason).
If that annotation exists, then check the current values of the following annotations, and patch them with the following. (maybe store the original values in a separate annotation like fastly.amazee.io/X-backup)

fastly.amazee.io/delete-external-resources=false
fastly.amazee.io/paused=true
fastly.amazee.io/watch=false

This needs to be done in both the source and destination namespaces.

Then the task would perform the host-migration task as normal.

Once the task is complete, then the annotations need to be reverted (use the value from X-backup, then delete the X-backup annotations)
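
The annotation handling described in the comment above, as an added Go example that is not part of the original issue or of the Lagoon or dioscuri code. It works on one ingress's labels and annotations as plain maps (the sample metadata is constructed) and assumes "X-backup" means `<annotation>-backup`; a caller would apply it to each ingress in both the source and destination namespaces.

```go
package main

import "fmt"

const (
	migrateLabel = "dioscuri.amazee.io/migrate"
	prefix       = "fastly.amazee.io/"
	backupSuffix = "-backup" // assumption: "X-backup" read as "<annotation>-backup"
)
// Values the issue asks for while the migration runs.
var pausedValues = map[string]string{"delete-external-resources": "false", "paused": "true", "watch": "false"}

// pause backs up and overwrites in place; false if not eligible or a backup already exists.
func pause(labels, ann map[string]string) bool {
	_, watched := ann[prefix+"watch"]
	_, done := ann[prefix+"watch"+backupSuffix]
	if labels[migrateLabel] != "true" || !watched || done {
		return false // a re-run must not overwrite the backups with the paused values
	}
	for name, v := range pausedValues {
		if old, ok := ann[prefix+name]; ok {
			ann[prefix+name+backupSuffix] = old
		}
		ann[prefix+name] = v
	}
	return true
}

// restore reverts a pause from the backups and deletes them; false if the ingress was not paused.
func restore(ann map[string]string) bool {
	if _, paused := ann[prefix+"watch"+backupSuffix]; !paused {
		return false
	}
	for name := range pausedValues {
		if old, ok := ann[prefix+name+backupSuffix]; ok {
			ann[prefix+name] = old
			delete(ann, prefix+name+backupSuffix)
		} else {
			delete(ann, prefix+name) // annotation did not exist before the pause
		}
	}
	return true
}

func main() {
	ann := map[string]string{prefix + "watch": "true"} // constructed sample annotations
	fmt.Println(pause(map[string]string{migrateLabel: "true"}, ann), ann)
	fmt.Println(restore(ann), ann)
}
```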

@shreddedbacon
Member

shreddedbacon commented Apr 13, 2021

Theoretically, we could perform the entire migration inside of this task and remove the need for the dioscuri operator entirely...
Edit: nope, the user that the task runs, has no permission to perform changes in the other namespace that it needs to do migrations with:

Task failed to get the object list from kubernetes, error was: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ci-active-standby-control-k8s-master-b:lagoon-deployer" cannot list resource "ingresses" in API group "networking.k8s.io" in the namespace "ci-active-standby-control-k8s-master-a"

@shreddedbacon
Member

Working on initial support in dioscuri for this here: amazeeio/dioscuri#19

For now, the best thing would be to not do any annotation or labelling within the cluster so that the ingresses are not aware of the fastly-controller. So manually uploading certificates, and manually adding the domains to the required services.

@shreddedbacon
Member

The linked issue would solve this by adding the new label activestandby.lagoon.sh/migrating=true when performing the migration. This means that other systems that rely on changes to ingress can be aware of when the process takes place (the fastly-controller for amazeeio) and not perform the actions it normally would.
