helm: add wait initContainer and preStop hooks#20106
| lifecycle: | ||
| # waiting during preStop ensures no new request will hit the Terminating pod | ||
| # on clusters using kube-proxy (kube-proxy syncs the node iptables rules every 30s) | ||
| preStop: |
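Review bot: the comment above `preStop` states that waiting "ensures no new request will hit the Terminating pod", but that guarantee only holds if the preStop delay is at least as long as the 30s kube-proxy iptables sync period the same comment cites, and the delay itself is not visible in this hunk. Consider stating the chosen duration and the assumption it rests on in the comment, for example "sleep at least as long as the kube-proxy iptables sync period (30s) so in-flight iptables rules are updated before the container stops", so a reader changing one value knows to change the other.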
I wonder if we could also use this to have proxies unregister themselves on shutdown in future to mitigate #20057
Unregistering would be a nice improvement, but I'm not sure preStop is the best place because it is implementation-specific (Terraform/CloudFormation have the same issue), and we don't have control over the concurrency with preStop. Maybe the proxy will take 2 minutes to shut down, and I don't know what would happen if it gets unregistered while it has not finished doing its job. IMO the best place to do it would be in the graceful shutdown sequence.
Agendas are a little packed right now because of v12, but I'll raise this issue to folks who know more than me about registration and shutdown sequence once things settle down.
Co-authored-by: Gus Luxton <gus@goteleport.com>
Part of RFD-096: managing the major upgrades safely
This PR's main purpose is to block proxies running a new Teleport major version from connecting to auth pods running an old Teleport version.
This PR contains three commits:
- `teleport-cluster` Helm chart (initContainers were designed in RFD 096, preStop was a nice addition coming from the wait PR)
- `wait` command (the DNS error was not properly unwrapped and not recognized as a DNS error)