Open Hareshraman opened 11 months ago
Why did you close https://github.com/stakater/Reloader/issues/542?
Closed the other issue as duplicate issues were created.
Asking this question, tried using reloader by using version 1.0.42 in a k3s cluster.
```
time="2023-10-09T09:46:09Z" level=info msg="Starting Controller to watch resource type: configMaps"
time="2023-10-09T09:46:09Z" level=info msg="created controller for: secrets"
time="2023-10-09T09:46:09Z" level=info msg="Starting Controller to watch resource type: secrets"
time="2023-10-09T09:49:34Z" level=error msg="Failed to list cronjobs cronjobs.batch is forbidden: User \"system:serviceaccount:ix:reloader-reloader\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"abc\""
```
I have a configMap in the same namespace 'abc'; if I were to change a key: value, the cron job would be triggered. The cron job has been annotated with
```yaml
annotations:
  configmap.reloader.stakater.com/reload: my-config
```
my-config being the configmap in namespace abc.
Service account has been created "
I stopped getting the log ensuring namespace selector was pointing to abc namespace, hence it was able to find -myconfig, but my cron job does have an annotation with
```yaml
annotations:
  configmap.reloader.stakater.com/reload: my-config
```
Expected behaviour: cron job is triggered by creating a new pod.
Seen behaviour -> no logs seen in reloader pods mentioning change in "abc" config map. Cron job not triggered. In the template I see that the resources that the service account has access to are deployments, daemonsets and statefulsets, and the cronjob kind is missing. Is it expected that we add them to the template, or is it expected to be cooked into the chart? Here's the template:
```yaml
---
# Source: reloader/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    meta.helm.sh/release-namespace: "default"
    meta.helm.sh/release-name: "templates"
  labels:
    app: templates-reloader
    chart: "reloader-1.0.42"
    release: "templates"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
  name: templates-reloader
  namespace: default
---
# Source: reloader/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    meta.helm.sh/release-namespace: "default"
    meta.helm.sh/release-name: "templates"
  labels:
    app: templates-reloader
    chart: "reloader-1.0.42"
    release: "templates"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
  name: templates-reloader-role
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
      - configmaps
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "apps"
    resources:
      - deployments
      - daemonsets
      - statefulsets
    verbs:
      - list
      - get
      - update
      - patch
  - apiGroups:
      - "extensions"
    resources:
      - deployments
      - daemonsets
    verbs:
      - list
      - get
      - update
      - patch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
# Source: reloader/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    meta.helm.sh/release-namespace: "default"
    meta.helm.sh/release-name: "templates"
  labels:
    app: templates-reloader
    chart: "reloader-1.0.42"
    release: "templates"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
  name: templates-reloader-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: templates-reloader-role
subjects:
  - kind: ServiceAccount
    name: templates-reloader
    namespace: default
---
# Source: reloader/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    meta.helm.sh/release-namespace: "default"
    meta.helm.sh/release-name: "templates"
  labels:
    app: templates-reloader
    chart: "reloader-1.0.42"
    release: "templates"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
    group: com.stakater.platform
    provider: stakater
    version: v1.0.42
  name: templates-reloader
  namespace: default
spec:
  replicas: 1
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      app: templates-reloader
      release: "templates"
  template:
    metadata:
      labels:
        app: templates-reloader
        chart: "reloader-1.0.42"
        release: "templates"
        heritage: "Helm"
        app.kubernetes.io/managed-by: "Helm"
        group: com.stakater.platform
        provider: stakater
        version: v1.0.42
    spec:
      containers:
      - image: "ghcr.io/stakater/reloader:v1.0.42"
        imagePullPolicy: IfNotPresent
        name: templates-reloader
        ports:
        - name: http
          containerPort: 9090
        livenessProbe:
          httpGet:
            path: /live
            port: http
          timeoutSeconds: 5
          failureThreshold: 5
          periodSeconds: 10
          successThreshold: 1
          initialDelaySeconds: 10
        readinessProbe:
          httpGet:
            path: /metrics
            port: http
          timeoutSeconds: 5
          failureThreshold: 5
          periodSeconds: 10
          successThreshold: 1
          initialDelaySeconds: 10
        securityContext:
          {}
        args:
          - "--namespace-selector=abc"
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
      serviceAccountName: templates-reloader
```
I feel the cluster Role and the Role binding need to be updated for a batch/job for the service account that is created with it.
Would be good if document is updated with CronJob support.
I tried adding annotation for job like below
```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: init-job
  annotations:
    reloader.stakater.com/auto: "true"
```
But seems not working.
I'm using latest Helm chart version 1.0.44
This was fixed in 1.0.45 and releases above
Documentation is still missing
Just noting that the HelmChart does not add the RBAC permissions to patch or update a Job/CronJob. It doesn't look like the controller (v1.0.52) is looking for any Jobs to update either. I would like to see this update a Job when a secret changes (and hopefully the Job will start again).
```yaml
- verbs:
    - list
    - get
  apiGroups:
    - batch
  resources:
    - cronjobs
- verbs:
    - create
  apiGroups:
    - batch
  resources:
    - jobs
```
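Added example, not part of the thread or of Reloader's code: a small evaluator that matches requests against RBAC rules by apiGroup, resource and verb, run over the ClusterRole rendered by chart 1.0.42 and the batch rules quoted in the comment above. It assumes plain rule matching only (no `resourceNames`, no subresources); the `REQUESTS` list is constructed from the log line and the quoted rules.

```python
# Added example: evaluates RBAC rules the way the RBAC authorizer matches
# apiGroups/resources/verbs (resourceNames and subresources are ignored here).

# ClusterRole rules rendered by chart reloader-1.0.42, copied from the issue.
CHART_RULES = [
    {"apiGroups": [""], "resources": ["secrets", "configmaps"],
     "verbs": ["list", "get", "watch"]},
    {"apiGroups": [""], "resources": ["namespaces"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets", "statefulsets"],
     "verbs": ["list", "get", "update", "patch"]},
    {"apiGroups": ["extensions"], "resources": ["deployments", "daemonsets"],
     "verbs": ["list", "get", "update", "patch"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
]

# Extra rules quoted in the comment above.
BATCH_RULES = [
    {"apiGroups": ["batch"], "resources": ["cronjobs"], "verbs": ["list", "get"]},
    {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create"]},
]

# Constructed request list: (apiGroup, resource, verb).
REQUESTS = [("batch", "cronjobs", "list"), ("batch", "cronjobs", "get"),
            ("batch", "jobs", "create")]


def _match(values, wanted):
    """A rule field matches on an exact entry or on the '*' wildcard."""
    return "*" in values or wanted in values


def allowed(rules, group, resource, verb):
    """True if any single rule grants verb on resource in group."""
    return any(
        _match(r.get("apiGroups", []), group)
        and _match(r.get("resources", []), resource)
        and _match(r.get("verbs", []), verb)
        for r in rules
    )


def missing(rules, requests):
    """Return the requests that no rule grants (these come back 'forbidden')."""
    return [req for req in requests if not allowed(rules, *req)]


if __name__ == "__main__":
    print("chart 1.0.42 denies:", missing(CHART_RULES, REQUESTS))
    print("with batch rules denies:", missing(CHART_RULES + BATCH_RULES, REQUESTS))
    print("can patch cronjobs:", allowed(CHART_RULES + BATCH_RULES, "batch", "cronjobs", "patch"))
```

Against a live cluster the same question can be asked with `kubectl auth can-i list cronjobs.batch -n abc --as=system:serviceaccount:ix:reloader-reloader`, using the service account named in the error log. The combined rules still grant no write verb on CronJobs themselves, only `create` on Jobs.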
Documentation is still missing
I just want to come in and do a ➕ 1️⃣ on this.
Since this behavior is not documented it caught us by surprise when our CronJobs were getting triggered when secrets got updated, which were otherwise supposed to run at fixed points in time and were quite expensive to run.
I have been following Reloader for the PR: https://github.com/stakater/Reloader/pull/486 Issue: Reloader Issue Support for Cron Job. Is there a readme that's available for this change? Would be really helpful.