[Question] Official documentation on using Reloader with a Cron Job ? #543

Open
Hareshraman opened this issue Oct 9, 2023 · 8 comments
Labels
kind/question Further information is requested

Comments

@Hareshraman

I have been following Reloader for the PR: #486
Issue: Reloader Issue Support for Cron Job
Is there a readme that's available for this change? It would be really helpful.

@Hareshraman Hareshraman changed the title [Question] Is there some official documentation on using Reloader with a Cron Job [Question] Official documentation on using Reloader with a Cron Job ? Oct 9, 2023
@karl-johan-grahn
Contributor

Why did you close #542?

@karl-johan-grahn karl-johan-grahn added the kind/question Further information is requested label Oct 9, 2023
@Hareshraman
Author

Hareshraman commented Oct 9, 2023

Closed the other issue as duplicate issues were created.

Asking this question: I tried using Reloader version 1.0.42 in a k3s cluster.

```
time="2023-10-09T09:46:09Z" level=info msg="Starting Controller to watch resource type: configMaps"
time="2023-10-09T09:46:09Z" level=info msg="created controller for: secrets"
time="2023-10-09T09:46:09Z" level=info msg="Starting Controller to watch resource type: secrets"
time="2023-10-09T09:49:34Z" level=error msg="Failed to list cronjobs cronjobs.batch is forbidden: User \"system:serviceaccount:ix:reloader-reloader\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"abc\""
```

I have a ConfigMap in the same namespace 'abc'; if I were to change a key: value, the cron job would be triggered. The cron job has been annotated with

```yaml
annotations:
    configmap.reloader.stakater.com/reload: my-config
```

my-config being the configmap in namespace abc.

Service account has been created "

@Hareshraman
Author

Hareshraman commented Oct 9, 2023

I stopped getting the log by ensuring the namespace selector was pointing to the abc namespace, hence it was able to find -myconfig, but my cron job does have an annotation with

```yaml
annotations:
    configmap.reloader.stakater.com/reload: my-config
```

Expected Behaviour
Cron job is triggered by creating a new pod.

Seen behaviour -> no logs seen in reloader pods mentioning change in "abc" config map. Cron job not triggered.
In the template I see that the resources the service account has access to are Deployments, DaemonSets and StatefulSets, and the CronJob kind is missing. Is it expected that we add them to the template, or is it expected to be cooked into the chart?
Here's the template:

```yaml
---
# Source: reloader/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    meta.helm.sh/release-namespace: "default"
    meta.helm.sh/release-name: "templates"
  labels:
    app: templates-reloader
    chart: "reloader-1.0.42"
    release: "templates"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
  name: templates-reloader
  namespace: default
---
# Source: reloader/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    meta.helm.sh/release-namespace: "default"
    meta.helm.sh/release-name: "templates"
  labels:
    app: templates-reloader
    chart: "reloader-1.0.42"
    release: "templates"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
  name: templates-reloader-role
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
      - configmaps
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "apps"
    resources:
      - deployments
      - daemonsets
      - statefulsets
    verbs:
      - list
      - get
      - update
      - patch
  - apiGroups:
      - "extensions"
    resources:
      - deployments
      - daemonsets
    verbs:
      - list
      - get
      - update
      - patch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
# Source: reloader/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    meta.helm.sh/release-namespace: "default"
    meta.helm.sh/release-name: "templates"
  labels:
    app: templates-reloader
    chart: "reloader-1.0.42"
    release: "templates"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
  name: templates-reloader-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: templates-reloader-role
subjects:
  - kind: ServiceAccount
    name: templates-reloader
    namespace: default
---
# Source: reloader/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    meta.helm.sh/release-namespace: "default"
    meta.helm.sh/release-name: "templates"
  labels:
    app: templates-reloader
    chart: "reloader-1.0.42"
    release: "templates"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
    group: com.stakater.platform
    provider: stakater
    version: v1.0.42
  name: templates-reloader
  namespace: default
spec:
  replicas: 1
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      app: templates-reloader
      release: "templates"
  template:
    metadata:
      labels:
        app: templates-reloader
        chart: "reloader-1.0.42"
        release: "templates"
        heritage: "Helm"
        app.kubernetes.io/managed-by: "Helm"
        group: com.stakater.platform
        provider: stakater
        version: v1.0.42
    spec:
      containers:
      - image: "ghcr.io/stakater/reloader:v1.0.42"
        imagePullPolicy: IfNotPresent
        name: templates-reloader
        ports:
        - name: http
          containerPort: 9090
        livenessProbe:
          httpGet:
            path: /live
            port: http
          timeoutSeconds: 5
          failureThreshold: 5
          periodSeconds: 10
          successThreshold: 1
          initialDelaySeconds: 10
        readinessProbe:
          httpGet:
            path: /metrics
            port: http
          timeoutSeconds: 5
          failureThreshold: 5
          periodSeconds: 10
          successThreshold: 1
          initialDelaySeconds: 10
        securityContext:
          {}
        args:
          - "--namespace-selector=abc"
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
      serviceAccountName: templates-reloader
```

@Hareshraman
Author

I feel the ClusterRole and the role binding need to be updated for a batch/job for the service account that is created with it.

@prakash-26790

It would be good if the documentation is updated with CronJob support.

I tried adding an annotation for a job like below:

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: init-job
  annotations:
    reloader.stakater.com/auto: "true"
```

But it seems not to be working.

I'm using the latest Helm chart version, 1.0.44.

@Hareshraman
Author

This was fixed in 1.0.45 and releases above

@karl-johan-grahn
Contributor

Documentation is still missing

@RobCannon

Just noting that the Helm chart does not add the RBAC permissions to patch or update a Job/CronJob. It doesn't look like the controller (v1.0.52) is looking for any Jobs to update either. I would like to see this update a Job when a secret changes (and hopefully the Job will start again).

```yaml
  - verbs:
      - list
      - get
    apiGroups:
      - batch
    resources:
      - cronjobs
  - verbs:
      - create
    apiGroups:
      - batch
    resources:
      - jobs
```
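
An added example, not part of the thread or of Reloader's code: a small evaluator for the RBAC rules quoted above. It shows that the ClusterRole rendered by chart 1.0.42 grants nothing in the `batch` API group (matching the `forbidden` log line) and exactly what the two extra rules in the last comment add. It assumes plain resource rules with `*` wildcards only; `resourceNames`, subresources and `nonResourceURLs` are not handled.

```python
# Added example: minimal evaluator for Kubernetes RBAC PolicyRules (resource rules only).
# Rule data is copied from the ClusterRole and the extra rules posted in this thread.

CHART_RULES = [  # templates-reloader-role as rendered by chart reloader-1.0.42
    {"apiGroups": [""], "resources": ["secrets", "configmaps"], "verbs": ["list", "get", "watch"]},
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets", "statefulsets"],
     "verbs": ["list", "get", "update", "patch"]},
    {"apiGroups": ["extensions"], "resources": ["deployments", "daemonsets"],
     "verbs": ["list", "get", "update", "patch"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
]

BATCH_RULES = [  # the two rules quoted in the last comment
    {"apiGroups": ["batch"], "resources": ["cronjobs"], "verbs": ["list", "get"]},
    {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create"]},
]

# Requests to check, as (apiGroup, resource, verb). The first is the one the
# error log reports as forbidden; the others come from the quoted batch rules.
WANTED = [("batch", "cronjobs", "list"), ("batch", "cronjobs", "get"), ("batch", "jobs", "create")]


def _matches(values, wanted):
    """RBAC list match: an exact entry or the '*' wildcard."""
    return "*" in values or wanted in values


def allowed(rules, api_group, resource, verb):
    """True if any single rule grants verb on resource in api_group.
    RBAC is purely additive: there are no deny rules to consider."""
    return any(
        _matches(r.get("apiGroups", []), api_group)
        and _matches(r.get("resources", []), resource)
        and _matches(r.get("verbs", []), verb)
        for r in rules
    )


def missing(rules, wanted=WANTED):
    """Return the requested (group, resource, verb) triples that no rule grants."""
    return [w for w in wanted if not allowed(rules, *w)]


if __name__ == "__main__":
    print("chart role only :", missing(CHART_RULES))
    print("with batch rules:", missing(CHART_RULES + BATCH_RULES))
```

With the batch rules added, `patch` and `update` on `cronjobs` are still not granted, so the role stays limited to the verbs that were listed.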


4 participants