Sync Resources Deployed by TemplateGroupInstance#
The TemplateGroupInstance CR provides two types of resource sync for the resources mentioned in Template
For the given example, let's consider we want to apply the following template
apiVersion: tenantoperator.stakater.com/v1alpha1
kind: Template
metadata:
name: docker-secret
resources:
manifests:
- kind: Secret
apiVersion: v1
metadata:
name: docker-pull-secret
data:
.dockercfg: eyAKICAiaHR0cHM6IC8vaW5kZXguZG9ja2VyLmlvL3YxLyI6IHsgImF1dGgiOiAiYzNSaGEyRjBaWEk2VjI5M1YyaGhkRUZIY21WaGRGQmhjM04zYjNKayJ9Cn0K
type: kubernetes.io/dockercfg
- apiVersion: v1
kind: ServiceAccount
metadata:
name: example-automated-thing
secrets:
- name: example-automated-thing-token-zyxwv
And the following TemplateGroupInstance is used to deploy these resources to namespaces having label kind: build
apiVersion: tenantoperator.stakater.com/v1alpha1
kind: TemplateGroupInstance
metadata:
name: docker-secret-group-instance
spec:
template: docker-secret
selector:
matchLabels:
kind: build
sync: true
As we can see, in our TGI, we have a field spec.sync
which is set to true
. This will update the resources on two conditions:
- The Template CR is updated
-
The TemplateGroupInstance CR is reconciled/updated
-
If, for any reason, the underlying resource gets updated or deleted,
TemplateGroupInstance
CR will try to revert it back to the state mentioned in theTemplate
CR.
Note
Updates to ServiceAccounts are ignored by both, reconciler and informers, in an attempt to avoid conflict between the TGI controller and Kube Controller Manager. ServiceAccounts are only reverted in case of unexpected deletions when sync is true.
Ignore Resources Updates on Resources#
If the resources mentioned in Template
CR conflict with another controller/operator, and you want TemplateGroupInstance to not actively revert the resource updates, you can add the following label to the conflicting resource multi-tenant-operator/ignore-resource-updates: ""
.
apiVersion: tenantoperator.stakater.com/v1alpha1
kind: Template
metadata:
name: docker-secret
resources:
manifests:
- kind: Secret
apiVersion: v1
metadata:
name: docker-pull-secret
data:
.dockercfg: eyAKICAiaHR0cHM6IC8vaW5kZXguZG9ja2VyLmlvL3YxLyI6IHsgImF1dGgiOiAiYzNSaGEyRjBaWEk2VjI5M1YyaGhkRUZIY21WaGRGQmhjM04zYjNKayJ9Cn0K
type: kubernetes.io/dockercfg
- apiVersion: v1
kind: ServiceAccount
metadata:
name: example-automated-thing
labels:
multi-tenant-operator/ignore-resource-updates: ""
secrets:
- name: example-automated-thing-token-zyxwv
Note
However, this label will not stop Multi Tenant Operator from updating the resource on following conditions: - Template gets updated - TemplateGroupInstance gets updated - Resource gets deleted
If you don't want to sync the resources in any case, you can disable sync via sync: false
in TemplateGroupInstance
spec.