forked from argoproj/argo-cd
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Prune resources in reverse order of syncwave during sync (cherry pick a…
…rgoproj#16748) Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
- Loading branch information
1 parent
bc2b6f4
commit 4d9097b
Showing
7 changed files
with
144 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
## Test Scenario | ||
|
||
This test example is for testing the reverse pruning of resources with syncwaves during sync operation. | ||
|
||
Resource creation happens in below order | ||
- wave 0: sa & role | ||
- wave 1: rolebinding | ||
- wave 2: pod | ||
|
||
They are setup in such a way that the resources will be cleaned up properly only if they are deleted in the reverse order of creation i.e | ||
- wave 0: pod | ||
- wave 1: rolebinding | ||
- wave 2: sa & role | ||
|
||
If above delete order is not followed the pod gets stuck in terminating state due to a finalizer which is supposed to be removed by k8s container lifecycle hook on delete if delete order is correct. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: pod-with-finalizers | ||
annotations: | ||
argocd.argoproj.io/sync-wave: "2" | ||
# remove this finalizers using container preStop lifecycle hook on delete | ||
finalizers: | ||
- example.com/block-delete | ||
spec: | ||
serviceAccountName: modify-pods-sa # sa with permissions to modify pods | ||
terminationGracePeriodSeconds: 15 | ||
containers: | ||
- name: container | ||
image: nginx:alpine | ||
command: ["/bin/sh", "-c"] | ||
args: ["sleep 10h"] | ||
env: | ||
- name: POD_NAME | ||
valueFrom: | ||
fieldRef: | ||
fieldPath: metadata.name | ||
- name: NAMESPACE | ||
valueFrom: | ||
fieldRef: | ||
fieldPath: metadata.namespace | ||
lifecycle: | ||
# remove finalizers for successful delete of pod | ||
preStop: | ||
exec: | ||
command: | ||
- /bin/sh | ||
- -c | ||
- | | ||
set -e | ||
SERVICE_ACCOUNT_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) | ||
POD_URL="https://kubernetes.default.svc/api/v1/namespaces/$NAMESPACE/pods/$POD_NAME" | ||
PATCH_PAYLOAD='[{"op": "remove", "path": "/metadata/finalizers"}]' | ||
curl -k -v -H "Authorization: Bearer $SERVICE_ACCOUNT_TOKEN" -H "Content-Type: application/json-patch+json" -X PATCH --data "$PATCH_PAYLOAD" $POD_URL |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: modify-pods-sa | ||
annotations: | ||
argocd.argoproj.io/sync-wave: "0" | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
name: modify-pods-role | ||
annotations: | ||
argocd.argoproj.io/sync-wave: "0" | ||
rules: | ||
- apiGroups: [""] | ||
resources: | ||
- pods | ||
verbs: | ||
- get | ||
- list | ||
- delete | ||
- update | ||
- patch | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: modify-pods-rolebinding | ||
annotations: | ||
argocd.argoproj.io/sync-wave: "1" | ||
subjects: | ||
- kind: ServiceAccount | ||
name: modify-pods-sa | ||
roleRef: | ||
kind: Role | ||
name: modify-pods-role | ||
apiGroup: rbac.authorization.k8s.io |