Since concourse/concourse#5652, it is possible to send a SIGHUP signal to the TSA to reload worker authorized keys without restarting the concourse server.
In order to use that feature with the concourse helm chart, one correct Kubernetes way to achieve that is to add a sidecar container responsible to update the team authorized keys file from whatever source, and then send the SIGHUP signal to Concourse in order to take the update into account.
That being said, to be able to send a SIGHUP signal between containers within a pod, the shareProcessNamespace field of v1.PodSpec needs to be set to true.
This PR implements a new parameter in the chart in order to enable that process namespace sharing capability for the web component.
At Cycloid, we participated in the implementation of this feature within Concourse and use it successfully to authorize worker keys fetched from a Vault server.
This PR would let us use the official helm chart for our Concourse deployments.
Changes proposed in this pull request
Add option to enable process namespace sharing between containers within the web component.
Contributor Checklist
[x] Variables are documented in the README.md
[x] Which branch are you merging into?
master is for changes related to the current release of the concourse/concourse:latest image and should be good to publish immediately
dev is for changes related to the next release of Concourse (aka unpublished code on master in concourse/concourse)
Reviewer Checklist
This section is intended for the core maintainers only, to track review progress. Please do not
fill out this section.
[x] Code reviewed
[x] Topgun tests run
[ ] Back-port if needed
[x] Is the correct branch targeted? (master or dev)
taylorsilva
commented
3 years ago
Why do we need this PR?
Since concourse/concourse#5652, it is possible to send a
SIGHUPsignal to the TSA to reload worker authorized keys without restarting the concourse server.In order to use that feature with the concourse helm chart, one correct Kubernetes way to achieve that is to add a sidecar container responsible to update the team authorized keys file from whatever source, and then send the
SIGHUPsignal to Concourse in order to take the update into account.That being said, to be able to send a
SIGHUPsignal between containers within a pod, theshareProcessNamespacefield ofv1.PodSpecneeds to be set totrue.This PR implements a new parameter in the chart in order to enable that process namespace sharing capability for the web component.
At Cycloid, we participated in the implementation of this feature within Concourse and use it successfully to authorize worker keys fetched from a Vault server. This PR would let us use the official helm chart for our Concourse deployments.
Changes proposed in this pull request
Contributor Checklist
README.mdmasteris for changes related to the current release of theconcourse/concourse:latestimage and should be good to publish immediatelydevis for changes related to the next release of Concourse (aka unpublished code onmasterin concourse/concourse)Reviewer Checklist