Skip to content

[installer]: add annotation to make DB resources restart if changes #8547

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 7, 2022
Merged

[installer]: add annotation to make DB resources restart if changes #8547

merged 1 commit into from
Mar 7, 2022

Conversation

mrsimonemms
Copy link
Contributor

Description

Add the database type (in-cluster, external, cloudsql) as an annotation on the long-running resources that connect to the database. This is to force a restart of these resources if the database type is changed.

This has become important to support with KOTS. This can cause a bug where the "login with GitHub" button never shows.

How to test

Release Notes

[installer]: add annotation to make DB resources restart if changes

Documentation

@mrsimonemms mrsimonemms requested a review from a team March 2, 2022 16:26
@github-actions github-actions bot added the team: webapp Issue belongs to the WebApp team label Mar 2, 2022
@codecov
Copy link

codecov bot commented Mar 2, 2022
edited
Loading

Codecov Report

Merging #8547 (128bead) into main (c60f4a8) will decrease coverage by 4.76%.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff            @@
##             main   #8547      +/-   ##
=========================================
- Coverage   12.31%   7.55%   -4.77%     
=========================================
  Files          20      31      +11     
  Lines        1161    2171    +1010     
=========================================
+ Hits          143     164      +21     
- Misses       1014    2004     +990     
+ Partials        4       3       -1
Flag Coverage Δ
components-gitpod-cli-app 11.17% <ø> (ø)
components-local-app-app-darwin-amd64 ?
components-local-app-app-darwin-arm64 ?
components-local-app-app-linux-amd64 ?
components-local-app-app-linux-arm64 ?
components-local-app-app-windows-386 ?
components-local-app-app-windows-amd64 ?
components-local-app-app-windows-arm64 ?
install-installer-raw-app 4.49% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
components/local-app/pkg/auth/pkce.go
components/local-app/pkg/auth/auth.go
install/installer/pkg/common/storage.go 0.00% <0.00%> (ø)
...installer/pkg/components/ws-manager/rolebinding.go 0.00% <0.00%> (ø)
install/installer/pkg/common/ca.go 0.00% <0.00%> (ø)
...l/installer/pkg/components/ws-manager/tlssecret.go 0.00% <0.00%> (ø)
...staller/pkg/components/ws-manager/networkpolicy.go 0.00% <0.00%> (ø)
install/installer/pkg/common/render.go 0.00% <0.00%> (ø)
...components/ws-manager/unpriviledged-rolebinding.go 0.00% <0.00%> (ø)
install/installer/pkg/common/objects.go 0.00% <0.00%> (ø)
... and 5 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c60f4a8...128bead. Read the comment docs.

@geropl
Copy link
Member

geropl commented Mar 2, 2022

@mrsimonemms makes absolute sense to add this!

Should we extend this to all DB connection information? Like user and password as well?

geropl
geropl reviewed Mar 2, 2022
View reviewed changes
install/installer/pkg/components/server/deployment.go
{
Name: "DATABASE_TYPE",
Value: func() string {
if pointer.BoolDeref(ctx.Config.Database.InCluster, false) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand that it's not required, but: would it make sense to share code between all DB-dependant deployments? 🤔

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As it's just this one part, I took the view that a little bit of duplication was ok (@csweichel beat that into me 😄).

As you're now the owners of this code, I'm happy to write a function inside common to generate the annotations if you'd prefer

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wrt duplication: Yeah, in this case it might actually be counter-productive, as the only dependency is within the deployment itself. If we changed a single function, we might inadvertently change other as well.

I think what I'm missing most is a method name/comment that conveys the intention: what we do, and why these values are the important ones to establish identity.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I'll happily add a comment

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment added to both instances

@mrsimonemms
Copy link
Contributor Author

@mrsimonemms makes absolute sense to add this!

Should we extend this to all DB connection information? Like user and password as well?

That would be nice. The only problem is, except for the in-cluster DB (who's details never change), we don't actually have access to the data. The external/cloudsql creds are stored in a secret which we just refer to

@geropl
Copy link
Member

geropl commented Mar 2, 2022

The external/cloudsql creds are stored in a secret which we just refer to

Can we hash the secret then? 🤔

@mrsimonemms
Copy link
Contributor Author

Can we hash the secret then? thinking

I don't think so. Because the Installer doesn't have access to the cluster at render time, we don't know what the contents of the secrets are to create a hash from

@mrsimonemms mrsimonemms requested a review from geropl March 2, 2022 17:48
@mrsimonemms
Copy link
Contributor Author

@geropl what are your thoughts on this? At this stage, it's practical to get the credentials to reload when change, just the DB type.

As I see it, we have two options:

  1. do nothing and merge this PR as-is
  2. put a randomly generated value in the annotations so they ALWAYS reload. It's perhaps a little excessive, but would at least ensure that the DB was being accessed with the correct creds

@geropl
Copy link
Member

geropl commented Mar 7, 2022
edited
Loading

Because the Installer doesn't have access to the cluster at render time

Thx for the 💡 , makes sense.

put a randomly generated value in the annotations so they ALWAYS reload

That 💯 won't work for for SaaS. Let's merge this as-is.

geropl
geropl approved these changes Mar 7, 2022
View reviewed changes
Copy link
Member

@geropl geropl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@roboquat roboquat merged commit 840d29a into main Mar 7, 2022
@roboquat roboquat deleted the sje/db-annotation branch March 7, 2022 12:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@geropl geropl geropl approved these changes

Assignees
No one assigned
Labels
release-note size/M team: webapp Issue belongs to the WebApp team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mrsimonemms @geropl @roboquat