Remove Secret migration workaround #477
Comments
dervoeti
changed the title
|
I think I'll wait another release or two with this. We don't officially support skipping a release but we do know that people are doing it. |
|
Unfortunately, it is not possible to disable the deployment of this Job on newly created clusters. This forces customers to mirror the tools image which contains CVEs. It is also not obvious that they have to mirror the image tagged with 24.7.0 for the SDP 24.11.0: |
|
I'm not entirely sure I understand the implications of that Sigi. Could you elaborate? |
In https://github.com/stackabletech/secret-operator/pull/476/files, a Job was added to the Helm chart to migrate the TLS CA keypair from the hard-coded default namespace to the operator namespace. If the secret operator is installed via Helm, then the following Job is also deployed: apiVersion: batch/v1
kind: Job
metadata:
name: secret-operator-secret-migration
spec:
template:
spec:
containers:
- name: migrate-secret
image: docker.stackable.tech/stackable/tools:1.0.0-stackable24.7.0
...When installing the SDP on a new cluster, this Job is unnecessary. Unfortunately, it is not possible to disable the Job creation via Helm values: It is possible to change the repository of the image, but the tag The image For this reason, some customers do not want to mirror this image, especially because it is useless. The workaround is, to download the Helm chart, unpack it, remove the files for the secret migration manually, pack it and install this custom Helm chart. If we postpone the removal of this secret migration workaround, then I would propose to
|
Just a side note that OLM uses this image too and there is no way to remove it because it's also used for actually installing the secret op. Also the job cannot be disabled on OLM either. We can only remove it completely in the next OLM version. |
|
Understood. I think it's fine for us to remove this in 25.3 but you are making a good argument to already remove it in 24.11.1. I'm not entirely sure if I understand the OLM implications though. |
Follow up issue for #453
This workaround should only be needed when migrating from SDP 24.3 to 24.7.
It probably won't hurt to keep the
Jobthat copies over theSecret, since it checks if it's already there and only copies it if it's not present. But if we require customers to incrementally upgrade SDP (e.g. no jump from 24.3 to 24.11 possible), then we can remove this workaround (revert #476) in 24.11 to reduce complexity, since it's guaranteed that theJobwill have run when upgrading to 24.7.The text was updated successfully, but these errors were encountered: