ansible-collections / kubernetes.core

The collection includes a variety of Ansible content to help automate the management of applications in Kubernetes and OpenShift clusters, as well as the provisioning and maintenance of clusters themselves.

Handle custom resource status updates with kubernetes.core collection #607

Open ivandov opened 1 year ago

ivandov commented 1 year ago

SUMMARY

When working with Kubernetes Custom Resources (CRs), there are times when I'd like to be able to modify the status of the CR. Currently, these updates are only possible with the operator_sdk.utils.k8s_status module.

  1. Can the kubernetes.core collection directly support CR status updates?
  2. Are CR status updates already possible but there is a documentation gap?

ISSUE TYPE

COMPONENT NAME

I have attempted to perform status updates with the following modules:

ADDITIONAL INFORMATION

Here's an example playbook I created to try these CR status updates:

---
- name: Example tests for updating status fields on a Kubernetes CR
  hosts: localhost
  gather_facts: false

  tasks:
    - name: Attempt patch with k8s module
      kubernetes.core.k8s:
        state: patched
        definition:
          apiVersion: example.ibm.com/v1
          kind: Example
          metadata:
            name: example-1
            namespace: ivandov-example
          status:
            hello: world
      register: patch_result

    - name: Show patch results
      ansible.builtin.debug:
        var: patch_result

    - name: Attempt patch with k8s_json_patch module
      kubernetes.core.k8s_json_patch:
        kind: Example
        namespace: ivandov-example
        name: example-1
        api_version: example.ibm.com/v1
        patch:
          - op: add
            path: /status/foo
            value: bar
      register: patch_result2

    - name: Show patch results
      ansible.builtin.debug:
        var: patch_result2

tima commented 1 year ago

@ivandov Why would you want/need to manipulate the status of a CR outside of an operator?

ivandov commented 1 year ago

We have designed technology that allows native Ansible playbooks to be transformed into Ansible Operators without the need for writing your own Ansible Operator from scratch. However, even when writing an Ansible Operator from scratch, updating a Kubernetes CR's status would still require importing both Ansible collections.

It just feels "off" to have one Kubernetes collection, kubernetes.core, for handling most of the interactions you may need to have with Kubernetes from an Ansible Playbook. And then, you need a separate Ansible collection for a simple CR status update.

I would imagine most of the logic that's needed to handle status updates is already present in the kubernetes.core collection. Why the need to import and maintain multiple collections?

jkupferer commented 1 year ago

We also need this for various purposes. In addition to operators written in Ansible that @ivandov mentioned, cases that we have encountered:

In theory one wouldn't need to manipulate the status outside of the operator, but in the real world this is not uncommon.

larsl-net commented 8 months ago

Hi, I have just run into the same problem. Our use-case is that we install and configure OpenShift via Ansible. When signing CSRs it is necessary to update the status of the object. https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#approval-rejection-api-client

Due to the lack of support, this is currently solved via the shell module with oc/kubectl.

The following tasks would solve the problem if the status update were supported:

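- name: 'Approve CSRs'
  kubernetes.core.k8s:
    state: 'patched'
    # CertificateSigningRequest is not in the core "v1" group, so name its API group
    api_version: 'certificates.k8s.io/v1'
    kind: 'CertificateSigningRequest'
    name: 'test1'
    definition:
      status:
        conditions:
          # utc=true so the trailing "Z" in the timestamp is accurate
          - lastTransitionTime: '{{ now(utc=true, fmt="%Y-%m-%dT%H:%M:%SZ") }}'
            lastUpdateTime: '{{ now(utc=true, fmt="%Y-%m-%dT%H:%M:%SZ") }}'
            message: "This CSR was approved by Ansible."
            reason: "AnsibleApprove"
            status: "True"
            type: "Approved"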

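- name: 'Approve pending CSRs'
  kubernetes.core.k8s_json_patch:
    # CertificateSigningRequest is not in the core "v1" group, so name its API group
    api_version: 'certificates.k8s.io/v1'
    kind: 'CertificateSigningRequest'
    name: 'test1'
    patch:
      - op: 'add'
        path: '/status/conditions'
        value:
          # utc=true so the trailing "Z" in the timestamp is accurate
          - lastTransitionTime: '{{ now(utc=true, fmt="%Y-%m-%dT%H:%M:%SZ") }}'
            lastUpdateTime: '{{ now(utc=true, fmt="%Y-%m-%dT%H:%M:%SZ") }}'
            message: "This CSR was approved by Ansible."
            reason: "AnsibleApprove"
            status: "True"
            type: "Approved"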
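
The CSR approval use-case above, as an added Python example that is not part of the thread or of the kubernetes.core collection: it decides whether a pending CSR should be approved and builds the request for the `/approval` subresource, which is where the condition has to be written. The policy (kubelet serving certificates for a known set of nodes), the function names and the sample objects are assumptions made for the illustration.

```python
import copy
from datetime import datetime, timezone

# Assumed policy for this example: kubelet serving certificates for known nodes only.
ALLOWED_SIGNER = "kubernetes.io/kubelet-serving"
ALLOWED_USAGES = {"digital signature", "key encipherment", "server auth"}
NODE_PREFIX = "system:node:"


def may_approve(csr, expected_nodes):
    """Gate approval on requester identity, signer and key usages from the CSR spec."""
    spec = csr.get("spec", {})
    user = spec.get("username", "")
    usages = set(spec.get("usages", []))
    return (
        not csr.get("status", {}).get("conditions")  # still pending
        and spec.get("signerName") == ALLOWED_SIGNER
        and "system:nodes" in spec.get("groups", [])
        and user.startswith(NODE_PREFIX)
        and user[len(NODE_PREFIX):] in expected_nodes
        and "server auth" in usages
        and usages <= ALLOWED_USAGES
    )


def approval_request(csr, now=None):
    """Return (method, path, body) that writes the condition to the /approval subresource."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    body = copy.deepcopy(csr)  # leave the caller's object untouched
    body.setdefault("status", {}).setdefault("conditions", []).append({
        "type": "Approved", "status": "True",
        "reason": "AnsibleApprove",
        "message": "This CSR was approved by Ansible.",
        "lastUpdateTime": stamp, "lastTransitionTime": stamp,
    })
    name = csr["metadata"]["name"]
    return "PUT", f"/apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/approval", body


def sample_csr(name, user, signer=ALLOWED_SIGNER, usages=("digital signature", "server auth")):
    """Constructed sample object, not taken from a real cluster."""
    return {"apiVersion": "certificates.k8s.io/v1", "kind": "CertificateSigningRequest",
            "metadata": {"name": name}, "status": {},
            "spec": {"signerName": signer, "username": user, "usages": list(usages),
                     "groups": ["system:nodes", "system:authenticated"]}}
```

The gate only looks at fields of the CSR spec; it does not decode `spec.request`, so the names inside the embedded certificate request still need their own check before approval is automated.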