3012 - Probes for external-secrets

[fdberlking]

Problem Statement

Introducing livenessProbe for the core controller.

Related Issue

Fixes #3012

Proposed Changes

• Adding livenessProbe being part of the deployment
• Making livenessProbe configurable via values.yaml

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• Building the operator binary and docker image with make build
• All tests pass with make lint
• All tests pass with make test
• All tests pass with make check-diff
• All tests pass with make docs
• All tests pass with make helm.docs
• All tests pass with make helm.test
• I ensured my PR is ready for review with make reviewable

[fdberlking]

Updated failing Helm unit tests for livenessProbes:

➜  external-secrets git:(issue/3012) ✗ make helm.test
./hack/helm.generate.sh deploy/crds deploy/charts/external-secrets
13:07:01 [ OK ] Finished generating helm chart files

### Chart [ external-secrets ] deploy/charts/external-secrets/

 PASS  test cert controller deployment  deploy/charts/external-secrets/tests/cert_controller_test.yaml
 PASS  test controller deployment       deploy/charts/external-secrets/tests/controller_test.yaml

[Skarlso]

Ah, a linter error. :)

[fdberlking]

Ah, a linter error. :)

@Skarlso, could you quickly help me, if the issue is just with Error: unknown flag: --live-addr? Or do I miss something else? :/

[Skarlso]

Ah, a linter error. :)

@Skarlso, could you quickly help me, if the issue is just with Error: unknown flag: --live-addr? Or do I miss something else? :/

I think so... 🤔 :D

[fdberlking]

Ah, a linter error. :)

@Skarlso, could you quickly help me, if the issue is just with Error: unknown flag: --live-addr? Or do I miss something else? :/

I think so... 🤔 :D

At least I'm getting closer 😄 but it was a good learning experience 👍

[Skarlso]

Now you just need to run make check-diff or something like that. And see what failed.

[Skarlso]

Readme if missing these:

+++ b/deploy/charts/external-secrets/README.md
@@ -106,6 +106,13 @@ The command removes all the Kubernetes components associated with the chart and
 | imagePullSecrets | list | `[]` |  |
 | installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. |
 | leaderElect | bool | `false` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. |
+| livenessProbe.address | string | `""` | Address for readiness probe |
+| livenessProbe.failureThreshold | int | `5` |  |
+| livenessProbe.initialDelaySeconds | int | `10` |  |
+| livenessProbe.periodSeconds | int | `10` |  |
+| livenessProbe.port | int | `8082` | ReadinessProbe port for kubelet |
+| livenessProbe.successThreshold | int | `1` |  |
+| livenessProbe.timeoutSeconds | int | `5` |  |
 | metrics.listen.port | int | `8080` |  |
 | metrics.service.annotations | object | `{}` | Additional service annotations |
 | metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |

You have to run make helm.docs.

[fdberlking]

Readme if missing these:

+++ b/deploy/charts/external-secrets/README.md
@@ -106,6 +106,13 @@ The command removes all the Kubernetes components associated with the chart and
 | imagePullSecrets | list | `[]` |  |
 | installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. |
 | leaderElect | bool | `false` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. |
+| livenessProbe.address | string | `""` | Address for readiness probe |
+| livenessProbe.failureThreshold | int | `5` |  |
+| livenessProbe.initialDelaySeconds | int | `10` |  |
+| livenessProbe.periodSeconds | int | `10` |  |
+| livenessProbe.port | int | `8082` | ReadinessProbe port for kubelet |
+| livenessProbe.successThreshold | int | `1` |  |
+| livenessProbe.timeoutSeconds | int | `5` |  |
 | metrics.listen.port | int | `8080` |  |
 | metrics.service.annotations | object | `{}` | Additional service annotations |
 | metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |

You have to run make helm.docs.

I have not fixed my issue when pulling the latest changes from master, but it should be okay now. I had an issue with Podman and Makefile which resulted in

make helm.docs
make: *** [helm.docs] Error 125

After restarting Podman, the issue was resolved

make helm.docs 
time="2024-02-27T11:46:02Z" level=info msg="Found Chart directories [.]"
time="2024-02-27T11:46:02Z" level=info msg="Generating README Documentation for chart /helm-docs"
time="2024-02-27T11:46:02Z" level=warning msg="Could not open chart README file /helm-docs/README.md, skipping chart"

At least I don't get a critical *** error anymore.

[Skarlso]

@fdberlking nooooo... helm lint is failing again. :D

[Skarlso]

Hmmm, is it failing because it's installing the wrong version of the controller?

The command arg is obviously there. So I guess it's just installing an older version via the helm chart. Not the one that is being developed here.

[Skarlso]

Yah.

Pulling image "ghcr.io/external-secrets/external-secrets:main"

This should probably pull the branch or something instead of main.

@moolen Can we safely ignore a failure if the helm chart is dealing with a new value that has been introduced but it's pulling the wrong branch binary, so it's failing because it's expecting a value to be there that is not yet in main?

[fdberlking]

Yah.

Pulling image "ghcr.io/external-secrets/external-secrets:main"

This should probably pull the branch or something instead of main.

@moolen Can we safely ignore a failure if the helm chart is dealing with a new value that has been introduced but it's pulling the wrong branch binary, so it's failing because it's expecting a value to be there that is not yet in main?

Sorry, I didn't have time yesterday to further look into the failing checks.
So Idk, why the Helm/lint-and test is failing again because it has been previously corrected by me, but it seems like it's not an issue by my PR…correct?

Nevertheless, I will also check the issue with check-diff again as everything should be actually place now.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

[fdberlking]

Yah.

Pulling image "ghcr.io/external-secrets/external-secrets:main"

This should probably pull the branch or something instead of main.
@moolen Can we safely ignore a failure if the helm chart is dealing with a new value that has been introduced but it's pulling the wrong branch binary, so it's failing because it's expecting a value to be there that is not yet in main?

Sorry, I didn't have time yesterday to further look into the failing checks. So Idk, why the Helm/lint-and test is failing again because it has been previously corrected by me, but it seems like it's not an issue by my PR…correct?

Nevertheless, I will also check the issue with check-diff again as everything should be actually place now.

@Skarlso finally some progress at the end of the week 😄 I definitely learnt a lot about Makefile and Helm unit tests during this PR. Overall, this should be good to go now (see results below).
Additionally, I fixed an issue with outdated crds snapshots due to the integration of fortanix and onboardbase in the meantime.

external-secrets % make lint      
...
23:08:57 [ OK ] Finished linting

external-secrets % make check-diff
23:09:15 [ OK ] Finished generating deepcopy and crds
/Library/Developer/CommandLineTools/usr/bin/make -C ./hack/api-docs build
docker build -t github.com/external-secrets-mkdocs:latest -f Dockerfile .
[+] Building 0.1s (10/10) FINISHED 
...
23:09:55 [ OK ] Finished linting
23:09:55 [ .. ] checking that branch is clean
23:09:55 [ OK ] branch is clean

external-secrets % make helm.docs
time="2024-02-29T22:11:49Z" level=info msg="Found Chart directories [.]"
time="2024-02-29T22:11:49Z" level=info msg="Generating README Documentation for chart /helm-docs"

external-secrets % make reviewable
23:12:18 [ OK ] Finished generating deepcopy and crds
/Library/Developer/CommandLineTools/usr/bin/make -C ./hack/api-docs build
docker build -t github.com/external-secrets-mkdocs:latest -f Dockerfile .
[+] Building 0.1s (10/10) FINISHED
...
INFO    -  Documentation built in 4.54 seconds
./hack/helm.generate.sh deploy/crds deploy/charts/external-secrets
23:12:49 [ OK ] Finished generating helm chart files
mkdir -p bin/deploy/manifests
helm template external-secrets deploy/charts/external-secrets -f deploy/manifests/helm-values.yaml > bin/deploy/manifests/external-secrets.yaml
time="2024-02-29T22:12:49Z" level=info msg="Found Chart directories [.]"
time="2024-02-29T22:12:49Z" level=info msg="Generating README Documentation for chart /helm-docs"
test -s /Users/xxx/GitHub/external-secrets/bin/golangci-lint && /Users/xxx/GitHub/external-secrets/bin/golangci-lint version --format short | grep -q 1.54.2 || \
        curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /Users/xxx/GitHub/external-secrets/bin v1.54.2
23:12:51 [ OK ] Finished linting

[Skarlso]

@fdberlking You're a legend! Well done! Thanks for investing the time into this. :) I really appreciate it. :)