Reloader
Reloader copied to clipboard
stakater
[Question] Official documentation on using Reloader with a Cron Job ?
I have been following Reloader for the PR : https://github.com/stakater/Reloader/pull/486 Issue : Reloader Issue Support for Cron Job Is there a readme that's available ? for this change , would be really helpful
Why did you close https://github.com/stakater/Reloader/issues/542?
Closed the other issue as Duplicate Issues were created.
Asking this question , tried using reloader by using version 1.0.42 in a k3s cluster.
`time="2023-10-09T09:46:09Z" level=info msg="Starting Controller to watch resource type: configMaps"
time="2023-10-09T09:46:09Z" level=info msg="created controller for: secrets"
time="2023-10-09T09:46:09Z" level=info msg="Starting Controller to watch resource type: secrets"
time="2023-10-09T09:49:34Z" level=error msg="Failed to list cronjobs cronjobs.batch is forbidden: User \"system:serviceaccount:ix:reloader-reloader\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"abc\""`
I have a configMap in the same namespace ' abc' if i were to change a key: value , the cron job would be triggered. The cron job has been annotated with
`annotations:
configmap.reloader.stakater.com/reload: my-config`
my-config being the configmap in namespace abc.
Service account has been created "
i stopped getting the log ensuring namespace selector was pointing to abc namespace, hence it was able to find -myconfig , but my cron job does have an annotations with
`annotations:
configmap.reloader.stakater.com/reload: my-config`
Expected Behaviour Cron job is triggered by creating a new pod.
Seen behaviour -> no logs seen in reloader pods mentioning change in "abc" config map. Cron job not triggered. In the template i see that the resources that the service account have access to are deployment daemonsets and stateful set and is missing cronjob kind , is it expected that we add them to the template ? or is it expected to be cooked into the chart , here's the template Here's the tempalte
---
# Source: reloader/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
meta.helm.sh/release-namespace: "default"
meta.helm.sh/release-name: "templates"
labels:
app: templates-reloader
chart: "reloader-1.0.42"
release: "templates"
heritage: "Helm"
app.kubernetes.io/managed-by: "Helm"
name: templates-reloader
namespace: default
---
# Source: reloader/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
meta.helm.sh/release-namespace: "default"
meta.helm.sh/release-name: "templates"
labels:
app: templates-reloader
chart: "reloader-1.0.42"
release: "templates"
heritage: "Helm"
app.kubernetes.io/managed-by: "Helm"
name: templates-reloader-role
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- list
- get
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- "apps"
resources:
- deployments
- daemonsets
- statefulsets
verbs:
- list
- get
- update
- patch
- apiGroups:
- "extensions"
resources:
- deployments
- daemonsets
verbs:
- list
- get
- update
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
# Source: reloader/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
meta.helm.sh/release-namespace: "default"
meta.helm.sh/release-name: "templates"
labels:
app: templates-reloader
chart: "reloader-1.0.42"
release: "templates"
heritage: "Helm"
app.kubernetes.io/managed-by: "Helm"
name: templates-reloader-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: templates-reloader-role
subjects:
- kind: ServiceAccount
name: templates-reloader
namespace: default
---
# Source: reloader/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
meta.helm.sh/release-namespace: "default"
meta.helm.sh/release-name: "templates"
labels:
app: templates-reloader
chart: "reloader-1.0.42"
release: "templates"
heritage: "Helm"
app.kubernetes.io/managed-by: "Helm"
group: com.stakater.platform
provider: stakater
version: v1.0.42
name: templates-reloader
namespace: default
spec:
replicas: 1
revisionHistoryLimit: 2
selector:
matchLabels:
app: templates-reloader
release: "templates"
template:
metadata:
labels:
app: templates-reloader
chart: "reloader-1.0.42"
release: "templates"
heritage: "Helm"
app.kubernetes.io/managed-by: "Helm"
group: com.stakater.platform
provider: stakater
version: v1.0.42
spec:
containers:
- image: "ghcr.io/stakater/reloader:v1.0.42"
imagePullPolicy: IfNotPresent
name: templates-reloader
ports:
- name: http
containerPort: 9090
livenessProbe:
httpGet:
path: /live
port: http
timeoutSeconds: 5
failureThreshold: 5
periodSeconds: 10
successThreshold: 1
initialDelaySeconds: 10
readinessProbe:
httpGet:
path: /metrics
port: http
timeoutSeconds: 5
failureThreshold: 5
periodSeconds: 10
successThreshold: 1
initialDelaySeconds: 10
securityContext:
{}
args:
- "--namespace-selector=abc"
securityContext:
runAsNonRoot: true
runAsUser: 65534
serviceAccountName: templates-reloader```
I feel the cluster Role and the Role binding needs to be updated for a batch/job for the service account that is created with it
Would be good if document is updated with CronJob support.
I tried adding annotation for job like below
apiVersion: batch/v1
kind: Job
metadata:
name: init-job
annotations:
reloader.stakater.com/auto: "true"
But seems not working.
Im using latest Helm chart version 1.0.44
Just noting that the HelmChart does not add the RBAC permissions to patch or update a Job/CronJob. It doesn't look like the controller (v1.0.52) is looking for and Jobs to update either. I would like to see this update a Job when a secret changes (and hopefully the Job will start again).
- verbs:
- list
- get
apiGroups:
- batch
resources:
- cronjobs
- verbs:
- create
apiGroups:
- batch
resources:
- jobs
