Add tasks to wait for Kyverno admission controller rollout and webhook service endpoints, enhancing deployment reliability and ensuring successful policy validation.
8
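--- /dev/null
+++ b/ansible/roles/noble_kyverno_policies/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+# After the operator chart, the validating webhook can still be a few seconds behind Helm --wait.
+noble_kyverno_policies_endpoint_wait_retries: 60
+noble_kyverno_policies_endpoint_wait_delay: 5
+
+# Transient "failed calling webhook ... context deadline exceeded" while admission warms up.
+noble_kyverno_policies_helm_retries: 12
+noble_kyverno_policies_helm_delay: 20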
@@ -1,4 +1,38 @@
|
|||||||
---
|
---
|
||||||
|
# Helm --wait on the operator does not guarantee the first policyvalidate call from apiserver succeeds.
|
||||||
|
- name: Wait for Kyverno admission controller Deployment rollout
|
||||||
|
ansible.builtin.command:
|
||||||
|
argv:
|
||||||
|
- kubectl
|
||||||
|
- rollout
|
||||||
|
- status
|
||||||
|
- deployment/kyverno-admission-controller
|
||||||
|
- -n
|
||||||
|
- kyverno
|
||||||
|
- --timeout=300s
|
||||||
|
environment:
|
||||||
|
KUBECONFIG: "{{ noble_kubeconfig }}"
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
|
- name: Wait for Kyverno webhook Service (kyverno-svc) to have endpoints
|
||||||
|
ansible.builtin.command:
|
||||||
|
argv:
|
||||||
|
- kubectl
|
||||||
|
- get
|
||||||
|
- endpoints
|
||||||
|
- kyverno-svc
|
||||||
|
- -n
|
||||||
|
- kyverno
|
||||||
|
- -o
|
||||||
|
- 'jsonpath={range .subsets[*].addresses[*]}{.ip}{"\n"}{end}'
|
||||||
|
environment:
|
||||||
|
KUBECONFIG: "{{ noble_kubeconfig }}"
|
||||||
|
register: noble_kyverno_policies_ep
|
||||||
|
until: (noble_kyverno_policies_ep.stdout | default('') | trim | length) > 0
|
||||||
|
retries: "{{ noble_kyverno_policies_endpoint_wait_retries }}"
|
||||||
|
delay: "{{ noble_kyverno_policies_endpoint_wait_delay }}"
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
- name: Install Kyverno policy chart (PSS baseline, Audit)
|
- name: Install Kyverno policy chart (PSS baseline, Audit)
|
||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
argv:
|
argv:
|
||||||
@@ -19,4 +53,8 @@
|
|||||||
- 10m
|
- 10m
|
||||||
environment:
|
environment:
|
||||||
KUBECONFIG: "{{ noble_kubeconfig }}"
|
KUBECONFIG: "{{ noble_kubeconfig }}"
|
||||||
|
register: noble_kyverno_policies_helm
|
||||||
|
retries: "{{ noble_kyverno_policies_helm_retries }}"
|
||||||
|
delay: "{{ noble_kyverno_policies_helm_delay }}"
|
||||||
|
until: noble_kyverno_policies_helm.rc == 0
|
||||||
changed_when: true
|
changed_when: true
|
||||||
|
|||||||
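Review bot: The new `until: noble_kyverno_policies_helm.rc == 0` in the last hunk retries every non-zero exit, not just the transient webhook error the defaults comment describes, so a genuine failure (bad chart values, a real `--wait` timeout with the `10m` context line above) is repeated up to 12 times with a 20 s delay — worst case well over two hours before the play fails. Narrowing the condition to the transient case lets other errors surface on the first attempt, e.g. `until: noble_kyverno_policies_helm.rc == 0 or 'failed calling webhook' not in (noble_kyverno_policies_helm.stderr | default(''))`; the exact substring should be checked against what Helm actually prints. If the argv that starts before this hunk is `helm install` rather than `helm upgrade --install`, a second attempt would also fail because the release name is already in use, so the retry only helps with the upgrade form. The task's argv begins outside the hunk and the file path for this section is not shown on the page.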