SAP / sap-btp-service-operator

SAP BTP service operator enables developers to connect Kubernetes clusters to SAP BTP accounts and to consume SAP BTP services within the clusters by using Kubernetes native tools.

Make the ServiceBinding validation webhook less strict

adriil opened this issue

Hi team,

When we define a ServiceBinding as part of our service's Helm chart, and we deploy our Chart using Piper's kubernetesDeploy, the deployment will only work the first time, to create the ServiceBinding. Any subsequent deployments will be denied, even if the ServiceBinding hasn't changed, with the following error:

14:59:08  info  kubernetesDeploy - running command: helm upgrade policysearch-canary pss-0.1.0.tgz --values helm/pss/values/canary.yaml --install --namespace pss --set image.policy_search.repository=345301178081-20231221-135051596-506.staging.repositories.cloud.sap/policy-search,image.policy_search.tag=1.0.0-20231221134941_6ca6edd5ddf276c6b9dccbd889b4083d77e31ee6@sha256:2aaf78d298a9edf1ec4bc61d2dc375c4e88836bd7f0aee568ee70110d0752b46,image.repository=345301178081-20231221-135051596-506.staging.repositories.cloud.sap/policy-search,image.tag=1.0.0-20231221134941_6ca6edd5ddf276c6b9dccbd889b4083d77e31ee6@sha256:2aaf78d298a9edf1ec4bc61d2dc375c4e88836bd7f0aee568ee70110d0752b46,secret.name=regsecret,secret.dockerconfigjson=****,imagePullSecrets[0].name=regsecret,api.image.repository=345301178081-20231221-135051596-506.staging.repositories.cloud.sap/policy-search,api.image.tag=1.0.0-20231221134941_6ca6edd5ddf276c6b9dccbd889b4083d77e31ee6@sha256:2aaf78d298a9edf1ec4bc61d2dc375c4e88836bd7f0aee568ee70110d0752b46,api.imagePullSecret.dockerconfigjson=**** --force --wait --timeout 300s --atomic --render-subchart-notes
14:59:09  Created Pod: kubernetes concurcpss/dynamic-agent-e98acbb0-18af-4fb1-9e07-444f8e05b32c-7ss7c-11chr
14:59:13  info  kubernetesDeploy - Error: UPGRADE FAILED: an error occurred while rolling back the release. original upgrade error: failed to replace object: admission webhook "vservicebinding.kb.io" denied the request: updating service bindings is not supported: failed to replace object: admission webhook "vservicebinding.kb.io" denied the request: updating service bindings is not supported

This forces teams to either manage the ServiceBinding outside of the service lifecycle, or remove the declaration from the templated chart while still keeping the resource alive thanks to "helm.sh/resource-policy": keep.

Is there any way we could ease things here?

There is a simple workaround that I missed:

  • forceUpdates: false for the kubernetesDeploy step (doc)
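
The relaxation this issue asks for, sketched as an added example that is not code from the operator or from this thread: an UPDATE check that admits a request whose spec matches the stored object and keeps denying real spec changes. The names `validateUpdate` and `object` are hypothetical, and the sample objects and their spec keys are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// object is the minimal slice of a Kubernetes resource this check reads.
// Spec stays untyped so that no ServiceBinding field names are assumed.
type object struct {
	Spec map[string]interface{} `json:"spec"`
}

// validateUpdate is a hypothetical relaxed UPDATE check: a request whose spec
// equals the stored one (a no-op replace, or a change limited to labels or
// annotations) is admitted; any spec change is still denied.
func validateUpdate(oldRaw, newRaw []byte) (bool, string) {
	var oldObj, newObj object
	if err := json.Unmarshal(oldRaw, &oldObj); err != nil {
		return false, "cannot decode stored object: " + err.Error()
	}
	if err := json.Unmarshal(newRaw, &newObj); err != nil {
		return false, "cannot decode submitted object: " + err.Error()
	}
	// DeepEqual on decoded JSON ignores key order but not values.
	if !reflect.DeepEqual(oldObj.Spec, newObj.Spec) {
		return false, "updating service bindings is not supported"
	}
	return true, ""
}

// Constructed sample objects; the spec keys are placeholders.
const (
	stored   = `{"metadata":{"labels":{"rev":"1"}},"spec":{"instance":"db","params":{"plan":"small"}}}`
	sameSpec = `{"metadata":{"labels":{"rev":"2"}},"spec":{"params":{"plan":"small"},"instance":"db"}}`
	changed  = `{"metadata":{"labels":{"rev":"2"}},"spec":{"instance":"db","params":{"plan":"large"}}}`
)

func main() {
	for name, doc := range map[string]string{"sameSpec": sameSpec, "changed": changed} {
		ok, reason := validateUpdate([]byte(stored), []byte(doc))
		fmt.Printf("%-8s allowed=%v %s\n", name, ok, reason)
	}
}
```

Validating webhooks run after mutating ones, so a check like this compares the stored spec against the submitted object with any defaults already applied.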