Add tasks to wait for Kyverno admission controller rollout and webhook service endpoints, enhancing deployment reliability and ensuring successful policy validation.

2026-05-13 21:08:56 -04:00
parent 70cb74d8bd
commit 774b97894c
2 changed files with 46 additions and 0 deletions
--- a/ansible/roles/noble_kyverno_policies/defaults/main.yml
+++ b/ansible/roles/noble_kyverno_policies/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+# After the operator chart, the validating webhook can still be a few seconds behind Helm --wait.
+noble_kyverno_policies_endpoint_wait_retries: 60
+noble_kyverno_policies_endpoint_wait_delay: 5
+
+# Transient "failed calling webhook ... context deadline exceeded" while admission warms up.
+noble_kyverno_policies_helm_retries: 12
+noble_kyverno_policies_helm_delay: 20
--- a/ansible/roles/noble_kyverno_policies/tasks/main.yml
+++ b/ansible/roles/noble_kyverno_policies/tasks/main.yml
@@ -1,4 +1,38 @@
 ---
+# Helm --wait on the operator does not guarantee the first policyvalidate call from apiserver succeeds.
+- name: Wait for Kyverno admission controller Deployment rollout
+  ansible.builtin.command:
+    argv:
+      - kubectl
+      - rollout
+      - status
+      - deployment/kyverno-admission-controller
+      - -n
+      - kyverno
+      - --timeout=300s
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  changed_when: false
+
+- name: Wait for Kyverno webhook Service (kyverno-svc) to have endpoints
+  ansible.builtin.command:
+    argv:
+      - kubectl
+      - get
+      - endpoints
+      - kyverno-svc
+      - -n
+      - kyverno
+      - -o
+      - 'jsonpath={range .subsets[*].addresses[*]}{.ip}{"\n"}{end}'
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  register: noble_kyverno_policies_ep
+  until: (noble_kyverno_policies_ep.stdout | default('') | trim | length) > 0
+  retries: "{{ noble_kyverno_policies_endpoint_wait_retries }}"
+  delay: "{{ noble_kyverno_policies_endpoint_wait_delay }}"
+  changed_when: false
+
 - name: Install Kyverno policy chart (PSS baseline, Audit)
  ansible.builtin.command:
    argv:
@@ -19,4 +53,8 @@
      - 10m
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
+  register: noble_kyverno_policies_helm
+  retries: "{{ noble_kyverno_policies_helm_retries }}"
+  delay: "{{ noble_kyverno_policies_helm_delay }}"
+  until: noble_kyverno_policies_helm.rc == 0
  changed_when: true