kubernetes.core
Handle custom resource status updates with kubernetes.core collection
SUMMARY
When working with Kubernetes Custom Resources (CRs), there are times that I'd like to be able to modify the status of the CR. Currently, these updates are only possible with the operator_sdk.utils.k8s_status module.
- Can the kubernetes.core collection directly support CR status updates?
- Are CR status updates already possible but there is a documentation gap?
ISSUE TYPE
- Feature Idea
COMPONENT NAME
I have attempted to perform status updates with the following modules:
- kubernetes.core.k8s
- kubernetes.core.k8s_json_patch
ADDITIONAL INFORMATION
Here's an example playbook I created to try these CR status updates:
```yaml
---
- name: Example tests for updating status fields on a Kubernetes CR
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Attempt patch with k8s module
      kubernetes.core.k8s:
        state: patched
        definition:
          apiVersion: example.ibm.com/v1
          kind: Example
          metadata:
            name: example-1
            namespace: ivandov-example
          status:
            hello: world
      register: patch_result

    - name: Show patch results
      ansible.builtin.debug:
        var: patch_result

    - name: Attempt patch with k8s_json_patch module
      kubernetes.core.k8s_json_patch:
        kind: Example
        namespace: ivandov-example
        name: example-1
        api_version: example.ibm.com/v1
        patch:
          - op: add
            path: /status/foo
            value: bar
      register: patch_result2

    - name: Show patch results
      ansible.builtin.debug:
        var: patch_result2
```
@ivandov Why would you want/need to manipulate the status of a CR outside of an operator?
We have designed technology that allows native Ansible playbooks to be transformed into Ansible Operators without the need for writing your own Ansible Operator from scratch. However, even when writing an Ansible Operator from scratch, updating a Kubernetes CR's status would still require importing both Ansible collections.
It just feels "off" to have one kubernetes collection, kubernetes.core, for handling most of the interactions you may need to have with Kubernetes from an Ansible Playbook. And then, you need a separate Ansible collection for a simple CR status update.
I would imagine most of the logic that's needed to handle status updates is already present in the kubernetes.core collection. Why the need to import and maintain multiple collections?
We also need this for various purposes. In addition to operators written in Ansible that @ivandov mentioned, cases that we have encountered:
- Test suite written in Ansible that needs to simulate the operator's activity such as forcing resources into error states.
- Backup/restore logic in Ansible that needs to restore a custom resource status while the operator is offline.
- Recover resources after operator/infrastructure issues.
In theory one wouldn't need to manipulate the status outside of the operator, but in the real world this is not uncommon.
Hi, I have just run into the same problem. Our use-case is that we install and configure OpenShift via Ansible. When signing CSRs it is necessary to update the status of the object. https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#approval-rejection-api-client
Due to the lack of support, this is currently solved via the shell module with oc/kubectl.
The following tasks would solve the problem if the status update were supported:
```yaml
- name: 'Approve CSRs'
  kubernetes.core.k8s:
    state: 'patched'
    kind: 'CertificateSigningRequest'
    name: 'test1'
    definition:
      status:
        conditions:
          - lastTransitionTime: '{{ now(fmt="%Y-%m-%dT%H:%M:%SZ") }}'
            lastUpdateTime: '{{ now(fmt="%Y-%m-%dT%H:%M:%SZ") }}'
            message: "This CSR was approved by Ansible."
            reason: "AnsibleApprove"
            status: "True"
            type: "Approved"

- name: 'Approve pending CSRs'
  kubernetes.core.k8s_json_patch:
    kind: 'CertificateSigningRequest'
    name: 'test1'
    patch:
      - op: 'add'
        path: '/status/conditions'
        value:
          - lastTransitionTime: '{{ now(fmt="%Y-%m-%dT%H:%M:%SZ") }}'
            lastUpdateTime: '{{ now(fmt="%Y-%m-%dT%H:%M:%SZ") }}'
            message: "This CSR was approved by Ansible."
            reason: "AnsibleApprove"
            status: "True"
            type: "Approved"
```
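
The oc/kubectl workaround mentioned in the comments above, written out as an added example; it is not part of the thread or of kubernetes.core. It assumes kubectl 1.24 or later (for `--subresource`), that the thread's Example CRD uses the plural name `examples`, and a hypothetical `allowed_signers` list that gates which CSRs the playbook may approve.

```yaml
---
# Added example, not from the thread. kubectl >= 1.24 is assumed for --subresource.
- name: Write status and approval subresources through kubectl
  hosts: localhost
  gather_facts: false
  vars:
    # Assumption: automation may approve CSRs for these signers only.
    allowed_signers:
      - kubernetes.io/kube-apiserver-client-kubelet
      - kubernetes.io/kubelet-serving
  tasks:
    - name: Patch the CR status subresource
      ansible.builtin.command:
        argv:
          - kubectl
          - patch
          - examples.example.ibm.com  # assumed plural name of the thread's Example CRD
          - example-1
          - --namespace=ivandov-example
          - --subresource=status
          - --type=merge
          - '--patch={"status":{"hello":"world"}}'
      register: status_patch
      # kubectl appends "(no change)" when the patch did not alter the object.
      changed_when: "'(no change)' not in status_patch.stdout"

    - name: Read the CSR before deciding (reads work with kubernetes.core)
      kubernetes.core.k8s_info:
        api_version: certificates.k8s.io/v1
        kind: CertificateSigningRequest
        name: test1
      register: csr

    - name: Approve only a pending CSR from an allowed signer
      ansible.builtin.command:
        argv: [kubectl, certificate, approve, test1]
      when:
        - csr.resources | length == 1
        - csr.resources[0].spec.signerName in allowed_signers
        - (csr.resources[0].status | default({})).conditions | default([]) | length == 0
```

The account running this needs `patch` on `examples/status`, and for approval `update` on `certificatesigningrequests/approval` plus `approve` on the relevant `signers` resource, so both writes can be granted without giving it write access to the objects' spec.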