-
Story
-
Resolution: Unresolved
-
Undefined
-
None
-
None
-
None
-
False
-
-
False
-
None
-
None
-
None
-
None
Ensure Kueue deployment is updated (rolling restart) when TLS profile changes in APIServer or CRD.
Files to modify:
- pkg/operator/target_config_reconciler.go
Implementation approach:
1. When APIServer TLS profile changes, informer triggers reconciliation
2. When Kueue CRD TLS profile changes, existing reconciliation handles it
3. Compare current TLS settings with desired settings
4. If different, update ConfigMap and trigger deployment rollout
5. Use annotation or generation bump to force pod restart
Rollout strategy options:
- Option A: Update deployment annotation (e.g., tls-config-hash) to trigger rollout
- Option B: Update ConfigMap and rely on Kueue to hot-reload (if supported)
- Option C: Delete pods to force restart (less graceful)
Recommended: Option A - annotation-based rollout for controlled updates
// Add hash of TLS config to deployment annotations tlsConfigHash := hashTLSConfig(resolvedProfile) required.Spec.Template.Annotations["kueue.openshift.io/tls-config-hash"] = tlsConfigHash
Acceptance Criteria:
- TLS profile changes in APIServer trigger operand rollout
- TLS profile changes in Kueue CRD trigger operand rollout
- Rollout is graceful (rolling update, not all-at-once)
- Operator logs indicate TLS profile change detected
Depends on:
- OCPKUEUE-460 (APIServer watcher)
- OCPKUEUE-461 (ConfigMap generation)