From 615b7d67b196b11dbf707ba05a6c524665381a50 Mon Sep 17 00:00:00 2001
From: ab-andresc <143436018+ab-andresc@users.noreply.github.com>
Date: Wed, 11 Jun 2025 12:59:25 -0400
Subject: [PATCH] gives enough time for argocd to verify job has finished (#3487)
Problem: Argocd can never find the job completion as TTL is set to 0
Solution: Sets the default ttl seconds to 30 so that argocd has enough time to verify.
---
 charts/nginx-gateway-fabric/README.md | 3 ++-
 charts/nginx-gateway-fabric/templates/certs-job.yaml | 2 +-
 charts/nginx-gateway-fabric/values.schema.json | 7 +++++++
 charts/nginx-gateway-fabric/values.yaml | 3 +++
 deploy/azure/deploy.yaml | 2 +-
 deploy/default/deploy.yaml | 2 +-
 deploy/experimental-nginx-plus/deploy.yaml | 2 +-
 deploy/experimental/deploy.yaml | 2 +-
 deploy/nginx-plus/deploy.yaml | 2 +-
 deploy/nodeport/deploy.yaml | 2 +-
 deploy/openshift/deploy.yaml | 2 +-
 deploy/snippets-filters-nginx-plus/deploy.yaml | 2 +-
 deploy/snippets-filters/deploy.yaml | 2 +-
 13 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/charts/nginx-gateway-fabric/README.md b/charts/nginx-gateway-fabric/README.md
index 185cfe6289..c630da24eb 100644
--- a/charts/nginx-gateway-fabric/README.md
+++ b/charts/nginx-gateway-fabric/README.md
@@ -252,7 +252,7 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri | Key | Description | Type | Default | |-----|-------------|------|---------| -| `certGenerator` | The certGenerator section contains the configuration for the cert-generator Job. | object | `{"affinity":{},"agentTLSSecretName":"agent-tls","annotations":{},"nodeSelector":{},"overwrite":false,"serverTLSSecretName":"server-tls","tolerations":[],"topologySpreadConstraints":[]}` | +| `certGenerator` | The certGenerator section contains the configuration for the cert-generator Job. | object | `{"affinity":{},"agentTLSSecretName":"agent-tls","annotations":{},"nodeSelector":{},"overwrite":false,"serverTLSSecretName":"server-tls","tolerations":[],"topologySpreadConstraints":[],"ttlSecondsAfterFinished":30}` | | `certGenerator.affinity` | The affinity of the cert-generator pod. | object | `{}` | | `certGenerator.agentTLSSecretName` | The name of the base Secret containing TLS CA, certificate, and key for the NGINX Agent to securely communicate with the NGINX Gateway Fabric control plane. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"agent-tls"` | | `certGenerator.annotations` | The annotations of the cert-generator Job. | object | `{}` | 
@@ -261,6 +261,7 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `certGenerator.serverTLSSecretName` | The name of the Secret containing TLS CA, certificate, and key for the NGINX Gateway Fabric control plane to securely communicate with the NGINX Agent. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"server-tls"` |
 | `certGenerator.tolerations` | Tolerations for the cert-generator pod. | list | `[]` |
 | `certGenerator.topologySpreadConstraints` | The topology spread constraints for the cert-generator pod. | list | `[]` |
+| `certGenerator.ttlSecondsAfterFinished` | How long to wait after the cert generator job has finished before it is removed by the job controller. | int | `30` |
 | `clusterDomain` | The DNS cluster domain of your Kubernetes cluster. | string | `"cluster.local"` |
 | `gateways` | A list of Gateway objects. View https://gateway-api.sigs.k8s.io/reference/spec/#gateway for full Gateway reference. | list | `[]` |
 | `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. | object | `{"config":{},"container":{},"debug":false,"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"2.0.0"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","plus":false,"pod":{},"replicas":1,"service":{"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","resolver":"","secretName":"nplus-license","skipVerify":false}}` |
diff --git a/charts/nginx-gateway-fabric/templates/certs-job.yaml b/charts/nginx-gateway-fabric/templates/certs-job.yaml
index 79953b24a2..430fa0de3f 100644
--- a/charts/nginx-gateway-fabric/templates/certs-job.yaml
+++ b/charts/nginx-gateway-fabric/templates/certs-job.yaml @@ -169,4 +169,4 @@ spec: nodeSelector: {{- toYaml .Values.certGenerator.nodeSelector | nindent 8 }} {{- end }} - ttlSecondsAfterFinished: 0 + ttlSecondsAfterFinished: {{ .Values.certGenerator.ttlSecondsAfterFinished }} diff --git a/charts/nginx-gateway-fabric/values.schema.json b/charts/nginx-gateway-fabric/values.schema.json index 819bb0dd2f..06952ea06a 100644 --- a/charts/nginx-gateway-fabric/values.schema.json +++ b/charts/nginx-gateway-fabric/values.schema.json @@ -60,6 +60,13 @@ "required": [], "title": "topologySpreadConstraints", "type": "array" + }, + "ttlSecondsAfterFinished": { + "default": 30, + "description": "How long to wait after the cert generator job has finished before it is removed by the job controller.", + "required": [], + "title": "ttlSecondsAfterFinished", + "type": "integer" } }, "required": [], diff --git a/charts/nginx-gateway-fabric/values.yaml b/charts/nginx-gateway-fabric/values.yaml index 742ac72855..52774c35a8 100644 --- a/charts/nginx-gateway-fabric/values.yaml +++ b/charts/nginx-gateway-fabric/values.yaml @@ -479,6 +479,9 @@ certGenerator: # -- Overwrite existing TLS Secrets on startup. overwrite: false + # -- How long to wait after the cert generator job has finished before it is removed by the job controller. + ttlSecondsAfterFinished: 30 + # -- Tolerations for the cert-generator pod. tolerations: [] diff --git a/deploy/azure/deploy.yaml b/deploy/azure/deploy.yaml index 836ed15e84..23c55309ac 100644 --- a/deploy/azure/deploy.yaml +++ b/deploy/azure/deploy.yaml @@ -367,7 +367,7 @@ spec: fsGroup: 1001 runAsNonRoot: true serviceAccountName: nginx-gateway-cert-generator - ttlSecondsAfterFinished: 0 + ttlSecondsAfterFinished: 30 --- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass diff --git a/deploy/default/deploy.yaml b/deploy/default/deploy.yaml index e9a1e8fc4f..f6fffb8e80 100644 --- a/deploy/default/deploy.yaml +++ b/deploy/default/deploy.yaml 
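Review bot: The new `ttlSecondsAfterFinished: {{ .Values.certGenerator.ttlSecondsAfterFinished }}` line in certs-job.yaml has no fallback for a missing value. If the key is absent from the merged values (for instance an upgrade run with `--reuse-values` from a release installed before this key existed, or an override that sets it to null), the field would presumably render empty, and the finished cert-generator Job would then never be removed by the TTL controller. A plain `default 30` is not a safe guard because Sprig's `default` treats 0 as empty; `ttlSecondsAfterFinished: {{ ternary 30 .Values.certGenerator.ttlSecondsAfterFinished (kindIs "invalid" .Values.certGenerator.ttlSecondsAfterFinished) }}` keeps an explicit 0 working. The Job spec starts outside this hunk.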
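Review bot: The `ttlSecondsAfterFinished` entry added to values.schema.json accepts any integer, so a negative value passes chart validation and is expected to be rejected only later, when the API server validates the Job. Adding `"minimum": 0` next to `"type": "integer"` would catch it at render or install time. If this file is generated from annotations in values.yaml, the constraint belongs there instead.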
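Review bot: The comment added above `ttlSecondsAfterFinished: 30` in values.yaml gives neither the unit nor the reason the default is not 0, which is the whole motivation for this commit. I would extend it to something like `# -- Seconds to keep the finished cert-generator Job before the job controller removes it. 0 deletes it immediately, which can prevent tools such as Argo CD from observing completion.` The same sentence appears in the README table and the schema description, so those would need updating to match.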
@@ -365,7 +365,7 @@ spec:
 fsGroup: 1001
 runAsNonRoot: true
 serviceAccountName: nginx-gateway-cert-generator
- ttlSecondsAfterFinished: 0
+ ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/experimental-nginx-plus/deploy.yaml b/deploy/experimental-nginx-plus/deploy.yaml
index 52a90ec338..64ab70d886 100644
--- a/deploy/experimental-nginx-plus/deploy.yaml
+++ b/deploy/experimental-nginx-plus/deploy.yaml
@@ -373,7 +373,7 @@ spec:
 fsGroup: 1001
 runAsNonRoot: true
 serviceAccountName: nginx-gateway-cert-generator
- ttlSecondsAfterFinished: 0
+ ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/experimental/deploy.yaml b/deploy/experimental/deploy.yaml
index bfe412154e..6ec8742878 100644
--- a/deploy/experimental/deploy.yaml
+++ b/deploy/experimental/deploy.yaml
@@ -370,7 +370,7 @@ spec:
 fsGroup: 1001
 runAsNonRoot: true
 serviceAccountName: nginx-gateway-cert-generator
- ttlSecondsAfterFinished: 0
+ ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/nginx-plus/deploy.yaml b/deploy/nginx-plus/deploy.yaml
index 6428805597..2acbe49dac 100644
--- a/deploy/nginx-plus/deploy.yaml
+++ b/deploy/nginx-plus/deploy.yaml
@@ -368,7 +368,7 @@ spec:
 fsGroup: 1001
 runAsNonRoot: true
 serviceAccountName: nginx-gateway-cert-generator
- ttlSecondsAfterFinished: 0
+ ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/nodeport/deploy.yaml b/deploy/nodeport/deploy.yaml
index 7f674c3b92..d764393556 100644
--- a/deploy/nodeport/deploy.yaml
+++ b/deploy/nodeport/deploy.yaml
@@ -365,7 +365,7 @@ spec:
 fsGroup: 1001
 runAsNonRoot: true
 serviceAccountName: nginx-gateway-cert-generator
- ttlSecondsAfterFinished: 0
+ ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/openshift/deploy.yaml b/deploy/openshift/deploy.yaml
index 93453a631e..e2ae831df9 100644
--- a/deploy/openshift/deploy.yaml
+++ b/deploy/openshift/deploy.yaml
@@ -387,7 +387,7 @@ spec:
 fsGroup: 1001
 runAsNonRoot: true
 serviceAccountName: nginx-gateway-cert-generator
- ttlSecondsAfterFinished: 0
+ ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/snippets-filters-nginx-plus/deploy.yaml b/deploy/snippets-filters-nginx-plus/deploy.yaml
index f978dcbf5b..2c8b907641 100644
--- a/deploy/snippets-filters-nginx-plus/deploy.yaml
+++ b/deploy/snippets-filters-nginx-plus/deploy.yaml
@@ -371,7 +371,7 @@ spec:
 fsGroup: 1001
 runAsNonRoot: true
 serviceAccountName: nginx-gateway-cert-generator
- ttlSecondsAfterFinished: 0
+ ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/snippets-filters/deploy.yaml b/deploy/snippets-filters/deploy.yaml
index c46094be73..d01ed150bd 100644
--- a/deploy/snippets-filters/deploy.yaml
+++ b/deploy/snippets-filters/deploy.yaml
@@ -368,7 +368,7 @@ spec:
 fsGroup: 1001
 runAsNonRoot: true
 serviceAccountName: nginx-gateway-cert-generator
- ttlSecondsAfterFinished: 0
+ ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass