complete Gitlab istio injection for shared secrets jobs
migration job
k8s jobs that run and then complete have difficulty with istio injection because the istio sidecar container stays alive and prevents the pod from finishing. Fix the two shared-secrets job scripts to kill the istio sidecar at the end of the script.
Reference original istio injection MR
https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/-/merge_requests/91
Instructions
Here are some relevant files for the two shared-secrets jobs. Modify the scripts to kill the istio sidecar container after the jobs have completed their tasks. Discover the appropriate solution through trial and error.
chart/templates/shared-secrets/_jobspec.yaml
chart/templates/shared-secrets/_generate_secrets.sh.tpl
chart/templates/shared-secrets/_self-signed-cert-job.yml
chart/templates/shared-secrets/configmap.yaml
- First enable istio injection for the shared-secrets jobs. See below BigBang changes.
- Watch the gitlab deployment fail when shared-secrets jobs don't complete
- In the scripts (AFTER all job tasks are completed) kill the istio injection sidecar container with a curl command to the istio port. Example:
curl -X POST http://localhost:15020/quitquitquit
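
One way to end a job script along these lines, as an added example (not code from the GitLab chart or from this issue): it skips the call when no sidecar is listening, stops the sidecar even when the job tasks fail, and returns the tasks' exit status. The function names, the `ISTIO_AGENT_URL` variable and the `/healthz/ready` probe on the same port are assumptions; the port and `/quitquitquit` are from the steps above.

```shell
#!/bin/sh
# Added example. ISTIO_AGENT_URL and the function names are assumed;
# port 15020 and /quitquitquit come from the issue text.
ISTIO_AGENT_URL="${ISTIO_AGENT_URL:-http://localhost:15020}"

# Succeeds if anything answers HTTP on the agent port. No -f on purpose:
# any HTTP status means a sidecar is there; a refused connection means
# the pod was not injected.
sidecar_present() {
  curl -s -o /dev/null --max-time 2 "${ISTIO_AGENT_URL}/healthz/ready"
}

# Ask the sidecar to exit, retrying briefly. No-op without a sidecar.
stop_istio_sidecar() {
  if ! sidecar_present; then
    echo "no istio sidecar detected, nothing to stop"
    return 0
  fi
  attempt=1
  while [ "$attempt" -le 5 ]; do
    if curl -fsS -o /dev/null --max-time 5 -X POST "${ISTIO_AGENT_URL}/quitquitquit"; then
      echo "istio sidecar asked to quit"
      return 0
    fi
    attempt=$((attempt + 1))
    sleep 1
  done
  echo "could not stop istio sidecar; pod may not complete" >&2
  return 1
}

# Run the job's tasks, then stop the sidecar whether or not they succeeded,
# and return the tasks' exit status so a failed job still reports failure.
# The "|| job_status=$?" form keeps this working under `set -e`.
run_job_then_stop_sidecar() {
  job_status=0
  "$@" || job_status=$?
  stop_istio_sidecar || true
  return "$job_status"
}

# Usage at the end of a job script (generate_secrets is a placeholder name):
#   run_job_then_stop_sidecar generate_secrets
```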
BigBang changes needed
When the BigBang MR is made, the lines in the Gitlab template values that disable istio injection need to be deleted.
https://repo1.dso.mil/platform-one/big-bang/bigbang/-/blob/master/chart/templates/gitlab/values.yaml#L49-53
{{- if .Values.istio.enabled }}
shared-secrets:
  annotations:
    sidecar.istio.io/inject: "false"
{{- end }}
Here are some examples of how to fix this:
https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring/-/blob/main/chart/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml#L48-L57
https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana/-/merge_requests/69/diffs#5b7174495e64650927423aa9b1b61a6c8bea073c_133_132
Update CHANGELOG
Update the top level CHANGELOG with details of the changes made to upstream chart files so that we have documentation of what was changed.