openstack/magnum-specs
Code Issues Proposed changes

Propose adding Reloader to workload clusters.

Browse Source 
Spec to install Reloader as a cluster addon to automate pod restarts of
OpenStack services when mounted secrets are updated.

Change-Id: I10da6e5311eb1e5483ca3f29e7c4066b0dba8bd6
Signed-off-by: Matthew Northcott <matthewnorthcott@catalystcloud.nz>
This commit is contained in:
Matthew Northcott
2025-08-13 14:13:33 +12:00
parent aa06aafa8b
commit 9459d02096
2 changed files with 133 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
doc/source/index.rst
View File

@@ -6,6 +6,14 @@
OpenStack Magnum Design Specifications OpenStack Magnum Design Specifications
================================================== ==================================================
Flamingo approved specs:
.. toctree::
:glob:
:maxdepth: 2
specs/flamingo/*
Caracal approved specs: Caracal approved specs:
.. toctree:: .. toctree::

125
specs/flamingo/reloader.rst Normal file
View File

@@ -0,0 +1,125 @@
..
This work is licensed under a Creative Commons Attribution 3.0 Unported
License.
http://creativecommons.org/licenses/by/3.0/legalcode
========
Reloader
========
Problem description
===================
Some workloads that rely on up-to-date Secrets and ConfigMaps may fail when
these resources are updated or changed. One such example is the Cinder CSI
plugin which mounts the `cloud-config` secret and uses the contained
application credential for authentication which is required for most, if not
all, volume management operations. If the application credential is manually
rotated, the Cinder CSI plugin would need to be reloaded to prevent
authentication failure.
In this spec, we propose adding Reloader[1] as an optional cluster addon
to help circumvent these cases.
Proposed change
===============
The proposed change includes:
1. The addition of Reloader as a cluster addon within capi-helm-charts.
2. Annotation of OpenStack services that rely on Secrets and ConfigMaps
deployed alongside them.
3. The addition of a configuration option within the magnum-capi-helm driver
that enables the deployment of Reloader to workload clusters.
Alternatives
--------------
The alternative is to continue requiring an administrator to manually reload
affected workloads when mounted Secrets and ConfigMaps are changed.
Implementation
==============
The implementation involves the addition of Reloader into capi-helm-charts,
with a set of default values appropriate for workload clusters initialised with
Magnum. Additionally, pods that should be reloaded with Reloader must be
annotated appropriately.
capi-helm-charts
----------------
Reloader will be added to capi-helm-charts as a cluster addon and toggled,
similarly to other addons, using the `reloader.enabled` value. Enabling
Reloader will install the upstream Helm chart from the Stakater repository[2]
to workload clusters and annotate affected OpenStack pods appropriately for
Reloader's named resource reload mechanism[3]. These pods are namely
cinder-csi and openstack-cloud-controller-manager. Initially, this spec
proposes that pod restarts should only be invoked when the cloud-config Secret
changes.
Considering that end-users may want to use Reloader for their own workloads,
we can reduce the scope of resources this release of Reloader has access to
by setting `reloader.watchGlobally` to `false` and deploying Reloader to the
`openstack-system` namespace as all affected pods with the annotation exist
there. This options creates a `Role` and associated `RoleBinding` for Reloader
instead of a `ClusterRole` and `ClusterRoleBinding`.
magnum-capi-helm
----------------
Reloader should not be enabled in the chart by default, but be configurable via
the magnum-capi-helm driver if desired. A small change to the driver to add
this option will be required.
Assignee(s)
-----------
Primary assignee:
* northcottmt
With support from:
* dalees
Milestones
----------
* Add Reloader as a cluster addon within capi-helm-charts
* Modify existing OpenStack releases with the appropriate annotations
* Add configuration options to the magnum-capi-helm driver to enable Reloader
in workload clusters
Target milestone for completion:
Flamingo
Work Items
----------
Complete all the above milestones.
Dependencies
============
None
Security Impact
===============
This spec proposes that an externally maintained service is added to workload
clusters which may have security implications that should be taken into
consideration. Attention must be given to what changes are introduced in each
update, particularly in what resources Reloader has access to. Reloader should
not be granted access to namespaces beyond `openstack-system`, which it would
have if installed with default values. Appropriaoate RBAC mitigates the
potential for undesirable access to other namespaces.
References
==========
[1] https://github.com/stakater/Reloader
[2] https://github.com/stakater/Reloader/tree/master/deployments/kubernetes/chart/reloader
[3] https://github.com/stakater/Reloader?tab=readme-ov-file#2--named-resource-reload-specific-resource-annotations