Fix Kustomize recipes for security deployments #79

Open · wants to merge 14 commits into main

Conversation

matthewrossi (Member)

@matthewrossi matthewrossi commented Nov 29, 2024

Looking at the content and history of the repository, it seems to me that in the last few weeks there was a commitment to move away from the App of Apps deployment in favor of deploying the services using Kustomize bundles.
Unfortunately, during the transition, some essential resources that the previous deployment method was using are no longer considered in the generation of the Kustomize bundles, causing many security services to break.

The primary goal of the change is fixing the Kustomize recipes and, while at it, improving the reliability of the deployment of the data sanitization services.

While working on the patch and testing it out by deploying the resulting bundle, I noticed that the ordering of the sync-wave was off due to a known ArgoCD issue.
Is this something that happens also when using the applications declared in: integration-cluster.yaml, integration-security-cluster.yaml, validation-cluster.yaml, validation-security-cluster.yaml?

@matthewrossi matthewrossi self-assigned this Nov 29, 2024
@matthewrossi matthewrossi requested a review from a team as a code owner November 29, 2024 15:32
@matthewrossi (Member, Author)

I managed to find a way to test the release of the security services by using the integration-security-cluster.yaml, and in this way the sync waves are respected.
92dd0a0 ensures the sync waves of the prerequisites are aligned with the sync waves of their relative applications.

FYI since integration-deployment and integration-security-deployment are two distinct applications their sync waves are not synced by ArgoCD (see issue argoproj/argo-cd#7437).

This implies that:

  • by running integration-deployment before integration-security-deployment, none of the 'primary' services can rely on the mutation and validation of Gatekeeper, nor can they use security services, as long as the integration-security-deployment app is released
  • by running the integration-security-deployment before integration-deployment, the deployment of the security services would fail because some 'primary' services are missing

So I suggest solving the issue by merging the integration-deployment and integration-security-deployment apps in future PRs (of course the same should happen in the validation cluster).
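The sync-wave alignment that 92dd0a0 aims at can be checked mechanically on a rendered bundle. The Python below is an added example, not code from this PR or from the repository: it reads the `argocd.argoproj.io/sync-wave` annotation (a missing annotation counts as wave 0, Argo CD's default), assumes a constructed list of "prerequisite" kinds (Namespace, ConfigMap, Secret, and Gatekeeper's Assign and ConstraintTemplate) and "workload" kinds, and reports every prerequisite that would not be applied in an earlier wave than a workload. The manifests are constructed for the illustration. As the comment above notes, waves only order resources inside one Application; the check says nothing about two distinct Applications, which Argo CD does not coordinate.

```python
"""Check that Argo CD sync-wave annotations apply prerequisites (namespaces,
config, Gatekeeper policy) before the workloads that depend on them.

Added example, not code from the PR or the project. The kind lists and the
sample bundles below are constructed assumptions for illustration.
"""
from typing import Dict, List, Optional, Tuple

# Real Argo CD annotation key; the value is a string holding an integer.
SYNC_WAVE = "argocd.argoproj.io/sync-wave"

# Assumption: kinds that must exist before Pods start. Gatekeeper mutation
# (Assign) and validation (ConstraintTemplate) applied after a workload would
# leave that workload unmutated and unvalidated.
PREREQUISITE_KINDS = {"Namespace", "ConfigMap", "Secret", "Assign", "ConstraintTemplate"}
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}


def manifest(kind: str, name: str, wave: Optional[int] = None) -> Dict:
    """Build a minimal constructed manifest, with or without a sync-wave."""
    meta: Dict = {"name": name}
    if wave is not None:
        meta["annotations"] = {SYNC_WAVE: str(wave)}
    return {"kind": kind, "metadata": meta}


def sync_wave(m: Dict) -> int:
    """Argo CD treats a resource without the annotation as wave 0."""
    annotations = m.get("metadata", {}).get("annotations") or {}
    return int(annotations.get(SYNC_WAVE, "0"))


def find_ordering_violations(manifests: List[Dict]) -> List[Tuple[str, str]]:
    """Return (prerequisite, workload) pairs where the prerequisite's wave is
    not strictly lower than the workload's wave, i.e. Argo CD may apply the
    workload first or in the same wave."""
    prereqs = [m for m in manifests if m["kind"] in PREREQUISITE_KINDS]
    workloads = [m for m in manifests if m["kind"] in WORKLOAD_KINDS]
    violations = []
    for p in prereqs:
        for w in workloads:
            if sync_wave(p) >= sync_wave(w):
                violations.append(
                    (f"{p['kind']}/{p['metadata']['name']}",
                     f"{w['kind']}/{w['metadata']['name']}")
                )
    return violations


# Constructed "before" bundle: everything lands in wave 0, so the Deployment
# may be applied before the Namespace and the Gatekeeper mutation exist.
BROKEN_BUNDLE = [
    manifest("Namespace", "security"),                 # no annotation -> wave 0
    manifest("Assign", "set-security-context", wave=0),
    manifest("Deployment", "data-sanitizer", wave=0),
]

# Constructed "after" bundle: prerequisites get strictly lower waves.
FIXED_BUNDLE = [
    manifest("Namespace", "security", wave=-2),
    manifest("Assign", "set-security-context", wave=-1),
    manifest("Deployment", "data-sanitizer", wave=0),
]

if __name__ == "__main__":
    for label, bundle in (("broken", BROKEN_BUNDLE), ("fixed", FIXED_BUNDLE)):
        print(label, find_ordering_violations(bundle))
```

Running the check over a bundle rendered with `kustomize build` would only need the documents parsed into dicts (e.g. with PyYAML) and passed to `find_ordering_violations`; the rule deliberately requires a strictly lower wave, because resources in the same wave are applied together and the Gatekeeper webhook may not be serving yet when the Pod is admitted.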
