habitat-sh / habitat-operator

A Kubernetes operator for Habitat services
Apache License 2.0

ringSecretName won't work for k8s >= 1.9.6 #354

Open jamesc opened 6 years ago

jamesc commented 6 years ago

The code at https://github.com/habitat-sh/habitat-operator/blob/master/pkg/controller/v1beta2/stateful_sets.go#L269-L275:

```go
vm := &apiv1.VolumeMount{
    Name:      ringSecretName,
    MountPath: "/hab/cache/keys",
    // This directory cannot be made read-only, as the supervisor writes to
    // it during its operation.
    ReadOnly: false,
}
```

won't work anymore due to the `ReadOnly: false` option being silently ignored since 1.9.6. See https://github.com/kubernetes/kubernetes/issues/62099.

This hits me in #351 as well, since hab can't change the directory permissions on a read-only volume mount. The suggested workaround is an initContainer combined with an emptyDir Volume.
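
The initContainer plus emptyDir workaround mentioned above, sketched as a pod manifest. This is an added example, not part of the original issue and not the operator's own output; the pod name, Secret name and images are placeholders.

```yaml
# Constructed example: every name and image below is a placeholder.
apiVersion: v1
kind: Pod
metadata:
  name: habitat-service-example
spec:
  volumes:
    # The ring key Secret. Kubernetes >= 1.9.6 always mounts this read-only.
    - name: ring-secret
      secret:
        secretName: example-ring-key
    # Writable scratch volume that stands in for the Secret mount.
    - name: hab-keys
      emptyDir:
        medium: Memory            # tmpfs-backed instead of node disk
  initContainers:
    # Runs once before the service starts and copies the key files out of
    # the read-only Secret mount into the writable emptyDir.
    - name: copy-ring-key
      image: busybox:1.36
      # -L dereferences the symlinks Kubernetes uses inside Secret volumes,
      # so real files (not dangling links) land in the emptyDir.
      command: ["sh", "-c", "cp -L /ring-secret/* /hab/cache/keys/"]
      volumeMounts:
        - name: ring-secret
          mountPath: /ring-secret
          readOnly: true
        - name: hab-keys
          mountPath: /hab/cache/keys
  containers:
    - name: habitat-service
      image: example/habitat-service:latest
      volumeMounts:
        # The supervisor sees a writable /hab/cache/keys and never touches
        # the Secret mount directly.
        - name: hab-keys
          mountPath: /hab/cache/keys
```

The copy is a snapshot taken when the pod starts: a later change to the Secret does not reach `/hab/cache/keys` until the pod is recreated.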

surajssd commented 6 years ago

IIUC, this should be taken care of by the operator. The operator should detect such changes and update the secret in k8s accordingly, and then the secret is updated in all the pods that have it mounted.