SAP/sap-btp-service-operator

Make the ServiceBinding validation webhook less strict

adriil opened this issue · 1 comments

adriil commented

Hi team,

When we define a ServiceBinding as part of our service's Helm chart, and we deploy our chart using Piper's kubernetesDeploy, the deployment will only work the first time, to create the ServiceBinding. Any subsequent deployments will be denied, even if the ServiceBinding hasn't changed, with the following error:

14:59:08  info  kubernetesDeploy - running command: helm upgrade policysearch-canary pss-0.1.0.tgz --values helm/pss/values/canary.yaml --install --namespace pss --set image.policy_search.repository=345301178081-20231221-135051596-506.staging.repositories.cloud.sap/policy-search,image.policy_search.tag=1.0.0-20231221134941_6ca6edd5ddf276c6b9dccbd889b4083d77e31ee6@sha256:2aaf78d298a9edf1ec4bc61d2dc375c4e88836bd7f0aee568ee70110d0752b46,image.repository=345301178081-20231221-135051596-506.staging.repositories.cloud.sap/policy-search,image.tag=1.0.0-20231221134941_6ca6edd5ddf276c6b9dccbd889b4083d77e31ee6@sha256:2aaf78d298a9edf1ec4bc61d2dc375c4e88836bd7f0aee568ee70110d0752b46,secret.name=regsecret,secret.dockerconfigjson=****,imagePullSecrets[0].name=regsecret,api.image.repository=345301178081-20231221-135051596-506.staging.repositories.cloud.sap/policy-search,api.image.tag=1.0.0-20231221134941_6ca6edd5ddf276c6b9dccbd889b4083d77e31ee6@sha256:2aaf78d298a9edf1ec4bc61d2dc375c4e88836bd7f0aee568ee70110d0752b46,api.imagePullSecret.dockerconfigjson=**** --force --wait --timeout 300s --atomic --render-subchart-notes
14:59:09  Created Pod: kubernetes concurcpss/dynamic-agent-e98acbb0-18af-4fb1-9e07-444f8e05b32c-7ss7c-11chr
14:59:13  info  kubernetesDeploy - Error: UPGRADE FAILED: an error occurred while rolling back the release. original upgrade error: failed to replace object: admission webhook "vservicebinding.kb.io" denied the request: updating service bindings is not supported: failed to replace object: admission webhook "vservicebinding.kb.io" denied the request: updating service bindings is not supported

This forces teams to either manage the ServiceBinding outside of the service lifecycle, or remove the declaration from the templated chart while still keeping the resource alive thanks to "helm.sh/resource-policy": keep.

Is there any way we could ease things here?

adriil commented

There is a simple workaround that I missed:

  • forceUpdates: false for the kubernetesDeploy step (doc)