openshift-pipelines / pipeline-service

SaaS for Tekton Pipelines
Apache License 2.0

Create namespaces before external secrets #918

Closed enarha closed 7 months ago

enarha commented 7 months ago

ExternalSecrets are created at sync-wave "-1" and they are required for services like Tekton Results and OSP. But for the secrets to be created, the namespace should exist in advance. Here we create the namespace before the secret. It does not affect the deployment of the OSP operator; it ignores the fact that the namespace it tries to create already exists.

enarha commented 7 months ago

It looks like sync-wave "-1" should be enough (no need for "-2"), because "By kind (e.g. namespaces first and then other Kubernetes resources, followed by custom resources)".
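
The ordering rule discussed in the two comments above, as an added example that is not part of the pull request or the pipeline-service code base: a check over rendered manifests that flags any namespaced resource whose Argo CD sync wave precedes that of its Namespace. The manifests are constructed, and the ExternalSecret name `results-db` and all function names are hypothetical.

```python
# Added example: names and manifests below are constructed for illustration.
WAVE_ANNOTATION = "argocd.argoproj.io/sync-wave"

def sync_wave(manifest):
    """Return the Argo CD sync wave of a manifest (the default wave is 0)."""
    annotations = manifest.get("metadata", {}).get("annotations") or {}
    return int(annotations.get(WAVE_ANNOTATION, "0"))

def namespace_order_problems(manifests):
    """List namespaced resources that would sync before their Namespace.

    A Namespace in the same wave is fine: within a wave, namespaces are
    applied before other kinds. A Namespace absent from the manifests is
    reported separately, since something else must create it in time.
    """
    ns_wave = {
        m["metadata"]["name"]: sync_wave(m)
        for m in manifests if m.get("kind") == "Namespace"
    }
    problems = []
    for m in manifests:
        ns = m.get("metadata", {}).get("namespace")
        if m.get("kind") == "Namespace" or not ns:
            continue
        ident = f'{m["kind"]}/{ns}/{m["metadata"]["name"]}'
        if ns not in ns_wave:
            problems.append((ident, "namespace not declared"))
        elif ns_wave[ns] > sync_wave(m):
            problems.append((ident, f"namespace in later wave {ns_wave[ns]}"))
    return problems

def manifest(kind, name, namespace=None, wave=None):
    """Build a minimal constructed manifest for the demonstration."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    if wave is not None:
        meta["annotations"] = {WAVE_ANNOTATION: str(wave)}
    return {"kind": kind, "metadata": meta}

# Constructed 'before': the secret is in wave -1, its namespace is not declared.
BEFORE = [manifest("ExternalSecret", "results-db", "tekton-results", -1)]
# Constructed 'after': the Namespace joins the same wave as the secret.
AFTER = [manifest("Namespace", "tekton-results", wave=-1)] + BEFORE

if __name__ == "__main__":
    for label, docs in (("before", BEFORE), ("after", AFTER)):
        print(label, namespace_order_problems(docs))
```
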

enarha commented 7 months ago

@gabemontero I'm able to see the logs from the CI, but I think they are not very helpful in this case because we do not use those external secrets in any way in pipeline-service.

[ pipeline-service] -> kustomize build operator/gitops/argocd/pipeline-service/ | oc apply -f -
Warning: resource namespaces/openshift-pipelines is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by oc apply. oc apply should only be used on resources created declaratively by either oc create --save-config or oc apply. The missing annotation will be patched automatically.
namespace/openshift-pipelines configured
namespace/tekton-results created
serviceaccount/chains-secrets-admin created

shows that the namespaces are created indeed first. Specifically the openshift-pipelines should not have been there without this change. I guess the warning above is because I used the same cluster previously to test the namespace creation followed by the operator install.

gabemontero commented 7 months ago

> @gabemontero I'm able to see the logs from the CI, but I think they are not very helpful in this case because we do not use those external secrets in any way in pipeline-service.
>
> [ pipeline-service] -> kustomize build operator/gitops/argocd/pipeline-service/ | oc apply -f -
> Warning: resource namespaces/openshift-pipelines is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by oc apply. oc apply should only be used on resources created declaratively by either oc create --save-config or oc apply. The missing annotation will be patched automatically.
> namespace/openshift-pipelines configured
> namespace/tekton-results created
> serviceaccount/chains-secrets-admin created
>
> shows that the namespaces are created indeed first. Specifically the openshift-pipelines should not have been there without this change.

yeah the creation order was all I was worried about, it was not clear earlier @enarha ... thanks for confirming

I'll defer to you if you want to get approval from @Roming22 before merging

gabemontero commented 7 months ago

assuming the upgrade failure is a flake, but let's try again

/retest

gabemontero commented 7 months ago

clean / merging