From 9818241c387f6e55ad8ddac79f2d950c882d5327 Mon Sep 17 00:00:00 2001
From: Lorenz Boguhn
Date: Fri, 15 Nov 2024 15:01:33 +0100
Subject: [PATCH 1/8] Fix the readiness probe using a sidecar container
---
 charts/ibm-mq/templates/role-binding.yaml | 13 +++++++
 charts/ibm-mq/templates/role.yaml | 9 +++++
 charts/ibm-mq/templates/service.yaml | 1 +
 charts/ibm-mq/templates/stateful-set.yaml | 46 ++++++++++++++++++++++-
 4 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 charts/ibm-mq/templates/role-binding.yaml
 create mode 100644 charts/ibm-mq/templates/role.yaml
diff --git a/charts/ibm-mq/templates/role-binding.yaml b/charts/ibm-mq/templates/role-binding.yaml
new file mode 100644
index 0000000..7886754
--- /dev/null
+++ b/charts/ibm-mq/templates/role-binding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: pod-labeler-binding
+ namespace: ready-check
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: pod-labeler
+subjects:
+- kind: ServiceAccount
+ name: {{ include "ibm-mq.fullname" ( . ) }}
+ namespace: ready-check
diff --git a/charts/ibm-mq/templates/role.yaml b/charts/ibm-mq/templates/role.yaml
new file mode 100644
index 0000000..d7816bf
--- /dev/null
+++ b/charts/ibm-mq/templates/role.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: pod-labeler
+ namespace: ready-check
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list","patch"]
diff --git a/charts/ibm-mq/templates/service.yaml b/charts/ibm-mq/templates/service.yaml
index cfba77c..bf5b418 100644
--- a/charts/ibm-mq/templates/service.yaml
+++ b/charts/ibm-mq/templates/service.yaml
@@ -26,3 +26,4 @@ spec:
 name: qmgr
 selector:
 {{- include "ibm-mq.selectorLabels" . | nindent 4 }}
+ role: master
diff --git a/charts/ibm-mq/templates/stateful-set.yaml b/charts/ibm-mq/templates/stateful-set.yaml
index 9215bda..63f97cc 100644
--- a/charts/ibm-mq/templates/stateful-set.yaml
+++ b/charts/ibm-mq/templates/stateful-set.yaml
@@ -272,8 +272,46 @@ spec:
 defaultMode: 420
 secretName: {{ .Values.credentials.secret }}
 {{- end }}
+ volumes:
+ - name: state
+ emptyDir: {}
 terminationGracePeriodSeconds: {{.Values.queueManager.terminationGracePeriodSeconds}}
 containers:
+ - name: state-checker
+ command:
+ - sh
+ - '-c'
+ - >
+ sleep 20;
+ while true; do
+ sleep $(($RANDOM % 5 + 5));
+ KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+ NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+ echo "Checking state of the queue manager"
+ STATE=$(cat /etc/mqm/state/test)
+ if [ $STATE -eq 0 ]; then
+ echo "Queue manager is active"
+ echo "patching the label:"
+ curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" \
+ --request PATCH \
+ --header "Content-Type: application/json-patch+json" \
+ --data '[ { "op": "replace", "path": "/metadata/labels/role", "value": "master" } ]' \
+ https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/$NAMESPACE/pods/$HOSTNAME
+ else
+ echo "Queue manager is not active"
+ echo "patching the label:"
+ curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" \
+ --header "Content-Type: application/json-patch+json" \
+ --request PATCH \
+ --data '[ { "op": "replace", "path": "/metadata/labels/role", "value": "standby" } ]' \
+ https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/$NAMESPACE/pods/$HOSTNAME
+ fi
+ done
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - mountPath: /etc/mqm/state
+ name: state
 - name: qmgr
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
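Review bot: Both `curl -sSk` calls in the state-checker sidecar disable TLS verification towards the API server while sending the pod's service-account bearer token, although the cluster CA is mounted next to that token; `--cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt` should replace `-k`. The JSON patch uses `op: replace` on `/metadata/labels/role`, which per RFC 6902 fails when the target does not exist, and nothing in this series adds an initial `role` label to the pod template, so `op: add` (which also overwrites an existing value) looks safer — please confirm against the pod template. `[ $STATE -eq 0 ]` errors when `/etc/mqm/state/test` is empty or missing (the readiness probe may not have written it yet, whatever the fixed `sleep 20`), so `[ "${STATE:-1}" -eq 0 ]` is the cheaper guard. The sidecar also carries no `securityContext` or resource requests, unlike the qmgr container, and the script is a `>` folded scalar that only keeps its line structure because the loop body is indented deeper than `sleep 20;` — `|` is the conventional choice for shell.
```yaml
      - name: state-checker
        command:
          - sh
          - '-c'
          - |
            # … unchanged: initial sleep, loop head, token/namespace/state reads …
            if [ "${STATE:-1}" -eq 0 ]; then
              # … unchanged: log lines …
              curl -sS --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
                -H "Authorization: Bearer $KUBE_TOKEN" \
                --request PATCH \
                --header "Content-Type: application/json-patch+json" \
                --data '[ { "op": "add", "path": "/metadata/labels/role", "value": "master" } ]' \
                "https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/$NAMESPACE/pods/$HOSTNAME"
            # … unchanged: else branch with the same curl and value "standby"; fi; done …
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: {{ .Values.security.readOnlyRootFilesystem }}
        # … unchanged: volumeMounts …
```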
@@ -371,6 +409,8 @@ spec:
 {{- else if .Values.web.manualConfig.secret.name }}
 volumeMounts:
 {{- end}}
+ - name: state
+ mountPath: /etc/mqm/state
 {{- if .Values.queueManager.nativeha.tls }}
 {{- if .Values.queueManager.nativeha.tls.secretName }}
 - name: ha-tls
@@ -493,7 +533,11 @@ spec:
 readinessProbe:
 exec:
 command:
- - chkmqready
+ - sh
+ - '-c'
+ - >
+ chkmqready;
+ echo $? > /etc/mqm/state/test
 {{- if or .Values.queueManager.nativeha.enable .Values.queueManager.multiinstance.enable }}
 initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds | default 0 }}
 {{- else }}
From dec191fc6b461d3ecead7099d957224bbc595183 Mon Sep 17 00:00:00 2001
From: Lorenz Boguhn
Date: Fri, 13 Dec 2024 11:47:05 +0100
Subject: [PATCH 2/8] Restrict role just to the helm chart pod
---
 charts/ibm-mq/templates/role.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/charts/ibm-mq/templates/role.yaml b/charts/ibm-mq/templates/role.yaml
index d7816bf..82c5a1a 100644
--- a/charts/ibm-mq/templates/role.yaml
+++ b/charts/ibm-mq/templates/role.yaml
@@ -6,4 +6,11 @@ metadata:
 rules:
 - apiGroups: [""]
 resources: ["pods"]
+ resourceNames: [
+ {{ include "ibm-mq.pod0.name" . }},
+ {{- if .Values.queueManager.nativeha.enable }}
+ {{ include "ibm-mq.pod1.name" . }},
+ {{ include "ibm-mq.pod2.name" . }}
+ {{- end }}
+ ]
 verbs: ["get", "list","patch"]
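Review bot: The new readiness command `chkmqready; echo $? > /etc/mqm/state/test` reports the exit status of `echo`, i.e. always 0, so kubelet marks the pod Ready regardless of what `chkmqready` returned and only the `role` label now gates traffic. If that is the intent (standby instances Ready, routing by label), it deserves a comment next to the command and in values.yaml, because the existing comment above `readinessProbe:` (visible in the later hunk, `# Set readiness probe to determine if the MQ listener is running`) no longer describes it; if not, keep the status with `rc=$?; echo "$rc" > /etc/mqm/state/test; exit "$rc"`. The redirect also truncates the file before writing, so the sidecar can observe an empty file between the two steps. The readinessProbe block continues past the end of the hunk.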
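Review bot: The rule still grants `verbs: ["get", "list","patch"]`, but the sidecar only ever issues a PATCH, and `list` combined with `resourceNames` is only honoured for requests that carry a matching `metadata.name` field selector anyway; `verbs: ["patch"]` gives the service account exactly what the label patcher needs. The `resourceNames` list adds pod1/pod2 only under `nativeha.enable`, so if `multiinstance.enable` (referenced in the stateful-set template) also runs more than one pod, that second pod's patch would be denied — worth confirming. Minor style: `"list","patch"` lacks the space after the comma that the rest of the list uses.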
+++ b/charts/ibm-mq/templates/role-binding.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.readinessProbe.useLabelPatcher }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -11,3 +12,4 @@ subjects:
 - kind: ServiceAccount
 name: {{ include "ibm-mq.fullname" ( . ) }}
 namespace: ready-check
+{{ end -}}
diff --git a/charts/ibm-mq/templates/role.yaml b/charts/ibm-mq/templates/role.yaml
index 82c5a1a..e0e7460 100644
--- a/charts/ibm-mq/templates/role.yaml
+++ b/charts/ibm-mq/templates/role.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.readinessProbe.useLabelPatcher }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -14,3 +15,4 @@ rules:
 {{- end }}
 ]
 verbs: ["get", "list","patch"]
+{{ end -}}
diff --git a/charts/ibm-mq/templates/service.yaml b/charts/ibm-mq/templates/service.yaml
index bf5b418..bca5e55 100644
--- a/charts/ibm-mq/templates/service.yaml
+++ b/charts/ibm-mq/templates/service.yaml
@@ -26,4 +26,6 @@ spec:
 name: qmgr
 selector:
 {{- include "ibm-mq.selectorLabels" . | nindent 4 }}
+ {{- if .Values.readinessProbe.useLabelPatcher }}
 role: master
+ {{- end }}
diff --git a/charts/ibm-mq/templates/stateful-set.yaml b/charts/ibm-mq/templates/stateful-set.yaml
index 63f97cc..0820ea2 100644
--- a/charts/ibm-mq/templates/stateful-set.yaml
+++ b/charts/ibm-mq/templates/stateful-set.yaml
@@ -272,11 +272,14 @@ spec:
 defaultMode: 420
 secretName: {{ .Values.credentials.secret }}
 {{- end }}
+ {{- if .Values.readinessProbe.useLabelPatcher }}
 volumes:
 - name: state
 emptyDir: {}
+ {{- end }}
 terminationGracePeriodSeconds: {{.Values.queueManager.terminationGracePeriodSeconds}}
 containers:
+ {{- if .Values.readinessProbe.useLabelPatcher }}
 - name: state-checker
 command:
 - sh
@@ -312,6 +315,7 @@ spec:
 volumeMounts:
 - mountPath: /etc/mqm/state
 name: state
+ {{- end }}
 - name: qmgr
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
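Review bot: The closing tags added at the end of role-binding.yaml and role.yaml are written `{{ end -}}`, while the opening `{{- if ... }}` on the same files and every other conditional in this commit (service.yaml, stateful-set.yaml) use the left-trim form `{{- end }}`. Both render acceptable output here, but mixing the two trim directions makes the whitespace of the rendered manifests harder to reason about; `{{- end }}` in both files would keep the chart consistent.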
@@ -409,8 +413,10 @@ spec:
 {{- else if .Values.web.manualConfig.secret.name }}
 volumeMounts:
 {{- end}}
+ {{- if .Values.readinessProbe.useLabelPatcher }}
 - name: state
 mountPath: /etc/mqm/state
+ {{- end }}
 {{- if .Values.queueManager.nativeha.tls }}
 {{- if .Values.queueManager.nativeha.tls.secretName }}
 - name: ha-tls
@@ -532,12 +538,17 @@ spec:
 # Set readiness probe to determine if the MQ listener is running
 readinessProbe:
 exec:
+ {{- if .Values.readinessProbe.useLabelPatcher }}
 command:
 - sh
 - '-c'
 - >
 chkmqready;
 echo $? > /etc/mqm/state/test
+ {{- else }}
+ command:
+ - chkmqready
+ {{- end }}
 {{- if or .Values.queueManager.nativeha.enable .Values.queueManager.multiinstance.enable }}
 initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds | default 0 }}
 {{- else }}
diff --git a/charts/ibm-mq/values.yaml b/charts/ibm-mq/values.yaml
index 4b578c4..dc04fa6 100644
--- a/charts/ibm-mq/values.yaml
+++ b/charts/ibm-mq/values.yaml
@@ -139,6 +139,7 @@ livenessProbe:
 
 # readinessProbe section specifies setting for the MQ readiness probe, which checks when the MQ listener is running
 readinessProbe:
+ useLabelPatcher: false
 initialDelaySeconds:
 periodSeconds: 5
 timeoutSeconds: 3
From fc9e2f55d525efad4f27dffc3e448cabd18afa70 Mon Sep 17 00:00:00 2001
From: Lorenz Boguhn
Date: Mon, 16 Dec 2024 14:03:45 +0100
Subject: [PATCH 4/8] Fix namespace to chart namespace
---
 charts/ibm-mq/templates/role-binding.yaml | 9 +++++----
 charts/ibm-mq/templates/role.yaml | 5 +++--
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/charts/ibm-mq/templates/role-binding.yaml b/charts/ibm-mq/templates/role-binding.yaml
index 68a3c9e..2e3c1f6 100644
--- a/charts/ibm-mq/templates/role-binding.yaml
+++ b/charts/ibm-mq/templates/role-binding.yaml
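Review bot: `useLabelPatcher: false` is added to values.yaml without a comment, although the neighbouring keys are documented (`# readinessProbe section specifies setting for the MQ readiness probe, ...`) and this single flag changes five templates: it adds a sidecar and an emptyDir, creates a Role and RoleBinding for the service account, puts a `role: master` selector on the services and, as written, makes the readiness command always succeed. A comment above the key along the lines of `# useLabelPatcher: run a sidecar that labels this pod role=master/standby from the chkmqready result and route the services to role=master; creates a Role/RoleBinding for the service account` would let operators judge the RBAC and routing impact before enabling it. The stateful-set hunks in this commit only gate the same flag and need no separate note.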
@@ -2,14 +2,15 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: pod-labeler-binding
- namespace: ready-check
+ name: label-patcher-binding
+ labels:
+ {{- include "ibm-mq.labels" . | nindent 4 }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: pod-labeler
+ name: label-patcher
 subjects:
 - kind: ServiceAccount
 name: {{ include "ibm-mq.fullname" ( . ) }}
- namespace: ready-check
+ namespace: {{ .Release.Namespace }}
 {{ end -}}
diff --git a/charts/ibm-mq/templates/role.yaml b/charts/ibm-mq/templates/role.yaml
index e0e7460..9b78510 100644
--- a/charts/ibm-mq/templates/role.yaml
+++ b/charts/ibm-mq/templates/role.yaml
@@ -2,8 +2,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- name: pod-labeler
- namespace: ready-check
+ name: label-patcher
+ labels:
+ {{- include "ibm-mq.labels" . | nindent 4 }}
 rules:
 - apiGroups: [""]
 resources: ["pods"]
From a927f74465004d20ee3bad85603121730dccac70 Mon Sep 17 00:00:00 2001
From: Lorenz Boguhn
Date: Mon, 16 Dec 2024 19:23:51 +0100
Subject: [PATCH 5/8] Fix volume mounts to work in all cases
---
 charts/ibm-mq/templates/stateful-set.yaml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/charts/ibm-mq/templates/stateful-set.yaml b/charts/ibm-mq/templates/stateful-set.yaml
index 0820ea2..3bdb35b 100644
--- a/charts/ibm-mq/templates/stateful-set.yaml
+++ b/charts/ibm-mq/templates/stateful-set.yaml
@@ -135,6 +135,8 @@ spec:
 volumes:
 {{- else if .Values.web.manualConfig.configMap.name }}
 volumes:
+ {{- else if .Values.readinessProbe.useLabelPatcher }}
+ volumes:
 {{- else if .Values.web.manualConfig.secret.name }}
 volumes:
 {{- end}}
@@ -273,7 +275,6 @@ spec:
 secretName: {{ .Values.credentials.secret }}
 {{- end }}
 {{- if .Values.readinessProbe.useLabelPatcher }}
- volumes:
 - name: state
 emptyDir: {}
 {{- end }}
@@ -412,11 +413,9 @@ spec:
 volumeMounts:
 {{- else if .Values.web.manualConfig.secret.name }}
 volumeMounts:
+ {{- else if .Values.readinessProbe.useLabelPatcher }}
+ volumeMounts:
 {{- end}}
- {{- if .Values.readinessProbe.useLabelPatcher }}
- - name: state
- mountPath: /etc/mqm/state
- {{- end }}
 {{- if .Values.queueManager.nativeha.tls }}
 {{- if .Values.queueManager.nativeha.tls.secretName }}
 - name: ha-tls
@@ -511,6 +510,10 @@ spec:
 - name: mq-credentials
 mountPath: "/var/run/secrets"
 {{- end }}
+ {{- if .Values.readinessProbe.useLabelPatcher }}
+ - name: state
+ mountPath: /etc/mqm/state
+ {{- end }}
 securityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: {{ .Values.security.readOnlyRootFilesystem }}
From 4deac3c774cb78648d22d3053a37522d93a18369 Mon Sep 17 00:00:00 2001
From: Lorenz Boguhn
Date: Mon, 16 Dec 2024 20:10:20 +0100
Subject: [PATCH 6/8] Add less verbose state checking logs
---
 charts/ibm-mq/templates/stateful-set.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/charts/ibm-mq/templates/stateful-set.yaml b/charts/ibm-mq/templates/stateful-set.yaml
index 3bdb35b..1e649c2 100644
--- a/charts/ibm-mq/templates/stateful-set.yaml
+++ b/charts/ibm-mq/templates/stateful-set.yaml
@@ -295,20 +295,20 @@ spec:
 STATE=$(cat /etc/mqm/state/test)
 if [ $STATE -eq 0 ]; then
 echo "Queue manager is active"
- echo "patching the label:"
+ echo "Patching the label"
 curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" \
 --request PATCH \
 --header "Content-Type: application/json-patch+json" \
 --data '[ { "op": "replace", "path": "/metadata/labels/role", "value": "master" } ]' \
- https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/$NAMESPACE/pods/$HOSTNAME
+ https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/$NAMESPACE/pods/$HOSTNAME > /dev/null
 else
 echo "Queue manager is not active"
- echo "patching the label:"
+ echo "Patching the label"
 curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" \
 --header "Content-Type: application/json-patch+json" \
 --request PATCH \
 --data '[ { "op": "replace", "path": "/metadata/labels/role", "value": "standby" } ]' \
- https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/$NAMESPACE/pods/$HOSTNAME
+ https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/$NAMESPACE/pods/$HOSTNAME > /dev/null
 fi
 done
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
From 61cb6a2f2ea516225ea4a9db2d393a1fc2323b79 Mon Sep 17 00:00:00 2001
From: Lorenz Boguhn
Date: Mon, 6 Jan 2025 10:25:08 +0100
Subject: [PATCH 7/8] Add readiness role selector to loadbalancer + nodeport
---
 charts/ibm-mq/templates/service-loadbalancer.yaml | 3 +++
 charts/ibm-mq/templates/service-qm.yaml | 3 +++
 charts/ibm-mq/templates/service-web.yaml | 3 +++
 3 files changed, 9 insertions(+)
diff --git a/charts/ibm-mq/templates/service-loadbalancer.yaml b/charts/ibm-mq/templates/service-loadbalancer.yaml
index 570bfe2..e74d5fd 100644
--- a/charts/ibm-mq/templates/service-loadbalancer.yaml
+++ b/charts/ibm-mq/templates/service-loadbalancer.yaml
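Review bot: Sending both curl calls to `/dev/null` discards the only evidence of a rejected patch: `-sS` still reports transport errors, but an HTTP 403 (RBAC) or 422 (a `replace` on a label that does not exist) exits 0 with the explanation only in the response body, so the log then shows `Patching the label` and nothing else. Adding `--fail` keeps the quiet success path and turns a rejected patch into a `curl: (22) ...` line on stderr, e.g. `curl -sSk --fail -H "Authorization: Bearer $KUBE_TOKEN" \` on both calls. The enclosing script starts and ends outside this hunk.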
@@ -43,4 +43,7 @@ spec:
 {{- end }}
 selector:
 {{- include "ibm-mq.selectorLabels" . | nindent 4 }}
+ {{- if .Values.readinessProbe.useLabelPatcher }}
+ role: master
+ {{- end }}
 {{- end }}
diff --git a/charts/ibm-mq/templates/service-qm.yaml b/charts/ibm-mq/templates/service-qm.yaml
index 71d4abb..3f39835 100644
--- a/charts/ibm-mq/templates/service-qm.yaml
+++ b/charts/ibm-mq/templates/service-qm.yaml
@@ -25,4 +25,7 @@ spec:
 name: qmgr
 selector:
 {{- include "ibm-mq.selectorLabels" . | nindent 4 }}
+ {{- if .Values.readinessProbe.useLabelPatcher }}
+ role: master
+ {{- end }}
 {{- end }}
diff --git a/charts/ibm-mq/templates/service-web.yaml b/charts/ibm-mq/templates/service-web.yaml
index 3883201..11d22ca 100644
--- a/charts/ibm-mq/templates/service-web.yaml
+++ b/charts/ibm-mq/templates/service-web.yaml
@@ -25,4 +25,7 @@ spec:
 name: console-https
 selector:
 {{- include "ibm-mq.selectorLabels" . | nindent 4 }}
+ {{- if .Values.readinessProbe.useLabelPatcher }}
+ role: master
+ {{- end }}
 {{- end }}
From 9643ed2d43277a7d96ef1b678f14dfd981095ec2 Mon Sep 17 00:00:00 2001
From: Lorenz Boguhn
Date: Mon, 3 Mar 2025 16:26:13 +0100
Subject: [PATCH 8/8] Fix label-patcher role and rb to include qm name
---
 charts/ibm-mq/templates/role-binding.yaml | 4 ++--
 charts/ibm-mq/templates/role.yaml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/ibm-mq/templates/role-binding.yaml b/charts/ibm-mq/templates/role-binding.yaml
index 2e3c1f6..4ec696e 100644
--- a/charts/ibm-mq/templates/role-binding.yaml
+++ b/charts/ibm-mq/templates/role-binding.yaml
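Review bot: The same `role: master` selector fragment is now copied into four service templates (service.yaml earlier in the series and the three here), while the label key and its values are separately hard-coded in the sidecar's JSON patch path `/metadata/labels/role`; a named template next to `ibm-mq.selectorLabels` that emits the fragment would keep the key defined once, so a rename cannot silently leave a service with no endpoints. It is also worth stating in the chart documentation that with this flag a pod has no endpoints in any of these services until the sidecar's first successful patch — by the script's `sleep 20` plus the 5–9 s loop delay that is at least ~25 s after the container starts — and that a pod whose patch is denied by RBAC never gets any. The service-qm.yaml and service-web.yaml hunks in this commit are identical to this one and share this note.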
@@ -2,13 +2,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: label-patcher-binding
+ name: {{ include "ibm-mq.fullname" ( . ) }}-label-patcher-binding
 labels:
 {{- include "ibm-mq.labels" . | nindent 4 }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: label-patcher
+ name: {{ include "ibm-mq.fullname" ( . ) }}-label-patcher
 subjects:
 - kind: ServiceAccount
 name: {{ include "ibm-mq.fullname" ( . ) }}
diff --git a/charts/ibm-mq/templates/role.yaml b/charts/ibm-mq/templates/role.yaml
index 9b78510..fe38e67 100644
--- a/charts/ibm-mq/templates/role.yaml
+++ b/charts/ibm-mq/templates/role.yaml
@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- name: label-patcher
+ name: {{ include "ibm-mq.fullname" ( . ) }}-label-patcher
 labels:
 {{- include "ibm-mq.labels" . | nindent 4 }}
 rules: