- Feature Request
- Resolution: Done
- Major
- None
- openshift-4.11.z, openshift-4.12
- False
- None
- False
- Not Selected
- Engineering
1. Upgrades of operators are not blue/green or highly available
Outage issue at the time of operator upgrade.
2. What is the nature and description of the request?
--> CU's operator is developed to use the OLM generated certs. This means that OLM generates a cert which they can use in their webhook server (named ibm-appconnect-operator-service-cert) and it also updates the webhooks with the appropriate caBundle so that kube can connect to our webhook server. The problem is that during the upgrade OLM (I think?) regenerates the certificate used by the webhook server. The problem is that it updates this in a way that cannot be made highly available.
It updates the webhook definition to use the new caBundle and also updates the secret with the new information. This means that the next request that comes in will use the new caBundle but the webhook server is still using the old one as it has not restarted yet to pick up the new certificate. OLM does restart the webhook server to pick up the new cert and once it's ready then the issue is resolved. In the upgrade process they don't think OLM should be regenerating the secrets used by the webhook. Doing this breaks the blue/green upgrade.
3. Why does the customer need this? (List the business requirements here)
--> To avoid downtime
4. List any affected packages or components.
--> OLM
SLACK Link:
https://redhat-internal.slack.com/archives/C3VS0LV41/p1678794118515989
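
The mismatch window described in this request, reproduced with Go's `crypto/x509` as an added example (not code from this ticket or from OLM): it checks whether a webhook's caBundle trusts the serving cert in each of the three states of the upgrade. The service name `webhook.demo.svc`, the helpers `issue` and `trusts`, and the throwaway CAs are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue returns a throwaway CA and a serving cert signed by it (constructed test data).
func issue(n int64, dns string) (caPEM, certPEM []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	from, to := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	ca := &x509.Certificate{SerialNumber: big.NewInt(n), NotBefore: from, NotAfter: to, IsCA: true,
		Subject: pkix.Name{CommonName: fmt.Sprint("demo-ca-", n)}, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(n + 100), NotBefore: from, NotAfter: to,
		Subject: pkix.Name{CommonName: dns}, DNSNames: []string{dns}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	enc := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return enc(caDER), enc(leafDER)
}

// trusts reports whether servingCert chains to a CA in caBundle and is valid for dns.
func trusts(caBundle, servingCert []byte, dns string) bool {
	pool := x509.NewCertPool()
	blk, _ := pem.Decode(servingCert)
	if blk == nil || !pool.AppendCertsFromPEM(caBundle) {
		return false
	}
	cert, err := x509.ParseCertificate(blk.Bytes)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: dns})
	}
	return err == nil
}

func main() {
	const svc = "webhook.demo.svc" // hypothetical webhook service DNS name
	oldCA, oldCert := issue(1, svc)
	newCA, newCert := issue(2, svc)
	fmt.Println("before upgrade:", trusts(oldCA, oldCert, svc), "| after pod restart:", trusts(newCA, newCert, svc))
	fmt.Println("caBundle rotated, pod still serving old cert:", trusts(newCA, oldCert, svc))
}
```

The middle state is the outage: the caller already holds the new caBundle while the running webhook server still presents a cert issued by the old CA, so the TLS handshake fails until the pod restarts.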