OSDOCS-17704 updated create-only mode #104178
base: main
Conversation
🤖 Fri Jan 09 14:23:30 - Prow CI generated the docs preview:
6479035 to fd9a42e
Kindly
|
|
||
| = Pausing Operator reconciliation by annotation | ||
| [role="_abstract"] | ||
| Pause reconciliation of the `SpireServer` by enabling `create-only` mode. This setting prevents the Operator from automatically reverting your manual changes to the desired state. You can enable this mode by updating the subscription object. |
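Review bot: The heading `= Pausing Operator reconciliation by annotation` on the first line of this hunk still names the annotation mechanism, while the abstract now describes enabling `create-only` mode through the subscription object; rename the heading to match (for example `= Pausing Operator reconciliation`) so the title and the procedure describe the same mechanism.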
| Pause reconciliation of the `SpireServer` by enabling `create-only` mode. This setting prevents the Operator from automatically reverting your manual changes to the desired state. You can enable this mode by updating the subscription object. | |
| Pause reconciliation of the operands by enabling `create-only` mode. This setting prevents the Operator from automatically reverting your manual changes to the desired state. You can enable this mode by updating the operator's subscription object. |
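Review bot: The suggested text mixes "Operator" and "operator's subscription object" in one sentence; the rest of the module capitalizes "Operator", so use `the Operator's subscription object` for consistency.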
Done
| .Procedure | ||
|
|
||
| * To pause reconciling the `SpireServer` custom resource, add the `create-only` annotation to the named `cluster` by running the following command: | ||
| * To pause reconciling the `SpireServer`, add the environment variable `CREATE_ONLY_MODE`: `true` in the subscription object by running the following command: |
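Review bot: "add the environment variable `CREATE_ONLY_MODE`: `true`" reads like a YAML key/value pair rather than an instruction; phrase it as "set the `CREATE_ONLY_MODE` environment variable to `true` in the subscription object", which also matches the `name`/`value` pair in the patch command that follows.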
| * To pause reconciling the `SpireServer`, add the environment variable `CREATE_ONLY_MODE`: `true` in the subscription object by running the following command: | |
| * To pause reconciling the operands resources managed by operator, add the environment variable `CREATE_ONLY_MODE`: `true` in the subscription object by running the following command: |
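Review bot: The suggested wording "the operands resources managed by operator" has a grammar problem; use "the operand resources managed by the Operator" (singular adjective, definite article, and the capitalization used elsewhere in the module).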
Done
| = Resuming Operator reconciliation by annotation | ||
|
|
||
| [role="_abstract"] | ||
| Restart reconciliation of the `SpireServer` by disabling `create-only` mode. This helps to ensure that the `SpireServer` resource works correctly when you restart the controller. You can diable this mode by updating the subscription object. |
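Review bot: The heading `= Resuming Operator reconciliation by annotation` on the first line of this hunk still refers to the annotation mechanism that the abstract no longer uses; rename it to `= Resuming Operator reconciliation`. The abstract also has a typo, `diable` for `disable`.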
| Restart reconciliation of the `SpireServer` by disabling `create-only` mode. This helps to ensure that the `SpireServer` resource works correctly when you restart the controller. You can diable this mode by updating the subscription object. | |
| Restart reconciliation of the operands by disabling `create-only` mode. This helps to ensure that the operator-managed resource works correctly when the controller gets restarted. You can disable this mode by updating the subscription object. |
done
| Follow these steps to restart the reconciliation process: | ||
|
|
||
| . Run the `oc annotate` command, adding a hyphen (`-`) at the end of the annotation name. This removes the annotation from the cluster resource. | ||
| . To restart reconciling the `SpireServer`, add the environment variable `CREATE_ONLY_MODE`: `false` in the subscription object by running the following command: |
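Review bot: The new step says to "add" `CREATE_ONLY_MODE`: `false`, but the variable already exists in the subscription object from the pausing procedure, so "set the `CREATE_ONLY_MODE` environment variable to `false`" is the accurate instruction; the `oc annotate` sentence with the trailing hyphen was removed here, so make sure no later step in the module still tells the reader to remove an annotation.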
| . To restart reconciling the `SpireServer`, add the environment variable `CREATE_ONLY_MODE`: `false` in the subscription object by running the following command: | |
| . To restart reconciling the operator-managed resources, add the environment variable `CREATE_ONLY_MODE`: `false` in the subscription object by running the following command: |
Done
| message: Create-only mode is enabled via ztwim.openshift.io/create-only annotation | ||
| reason: CreateOnlyModeEnabled | ||
| status: "True" | ||
| type: CreateOnlyMode |
.Verification
- Check the status of the `ZeroTrustWorkloadIdentityManager` resource to confirm that the `create-only` mode is active. The `status` must be `true` and the `reason` must be `CreateOnlyModeEnabled`.

```
$ oc get zerotrustworkloadidentitymanager cluster -o yaml
```

.Example output

```yaml
status:
  conditions:
  - lastTransitionTime: "2025-12-23T11:36:58Z"
    message: All components are ready
    reason: Ready
    status: "True"
    type: Ready
  - lastTransitionTime: "2025-12-23T11:36:58Z"
    message: All operand CRs are ready
    reason: Ready
    status: "True"
    type: OperandsAvailable
  - lastTransitionTime: "2025-12-23T11:36:58Z"
    message: create-only mode enabled
    reason: CreateOnlyModeEnabled
    status: "True"
    type: CreateOnlyMode
```
Done
| $ oc -n $OPERATOR_NAMESPACE patch subscription openshift-zero-trust-workload-identity-manager --type='merge' -p '{"spec":{"config":{"env":[{"name":"CREATE_ONLY_MODE","value":"false"}]}}}' | ||
| ---- | ||
|
|
||
| . Restart the controller by running the following command: |
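Review bot: The "Restart the controller" step is redundant and should be dropped: changing `spec.config.env` on a Subscription makes OLM update the Operator's Deployment, which rolls out new controller pods on its own. Separately, `$OPERATOR_NAMESPACE` in the patch command is never defined in this procedure, while the earlier annotation command spelled out `-n zero-trust-workload-identity-manager`; either define the variable in a preceding step or use the literal namespace.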
remove the restart for the operator deployment.
this still needs to be removed
Done
80ca1e5 to 85d237f
| $ oc -n $OPERATOR_NAMESPACE patch subscription openshift-zero-trust-workload-identity-manager --type='merge' -p '{"spec":{"config":{"env":[{"name":"CREATE_ONLY_MODE","value":"false"}]}}}' | ||
| ---- | ||
|
|
||
| . Restart the controller by running the following command: |
this still needs to be removed
| .Verification | ||
| * Check the status of the `SpireServer` resource to confirm that the `create-only` mode is disabled. The `status` must be `false` and the `reason` must be `CreateOnlyModeDisabled`. | ||
|
|
||
| * Check the status of the `ZeroTrustWorkloadIdentityManager` resource to confirm that the `create-only` mode is disabled. The `status` must be `false` and the `reason` must be `CreateOnlyModeDisabled`. | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ oc get SpireServer cluster -o yaml | ||
| $ oc get zerotrustworkloadidentitymanager cluster -o yaml | ||
| ---- | ||
|
|
||
| .Example output | ||
| The following example confirms that the 'create-only' mode is active. | ||
|
|
||
| [source,yaml] | ||
| ---- | ||
| status: | ||
| conditions: | ||
| - lastTransitionTime: "2025-09-03T12:13:39Z" | ||
| message: Create-only mode is enabled via ztwim.openshift.io/create-only annotation | ||
| reason: CreateOnlyModeDisabled | ||
| status: "False" | ||
| type: CreateOnlyMode | ||
| conditions: | ||
| - lastTransitionTime: "2025-09-03T12:13:39Z" | ||
| message: Create-only mode is disabled via ztwim.openshift.io/create-only annotation | ||
| reason: CreateOnlyModeDisabled | ||
| status: "False" | ||
| type: CreateOnlyMode | ||
| ---- |
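Review bot: The example output in this hunk contradicts the text around it: the lead sentence says the output "confirms that the 'create-only' mode is active", but this is the resume procedure and the condition shows `status: "False"` with reason `CreateOnlyModeDisabled`, so it should read "confirms that the `create-only` mode is disabled" (with backticks, as in the bullet above, not single quotes). The `message` line still says "Create-only mode is enabled via ztwim.openshift.io/create-only annotation" next to a Disabled reason, and it names the annotation mechanism this PR replaces with the subscription environment variable; replace it with the message the controller actually emits for the disabled state, or drop the example output until that status is confirmed on the CR. Also confirm that the `oc get SpireServer cluster -o yaml` line is removed together with the rest of the SpireServer wording.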
we might need to remove this as the revert status is not getting reflected on the CR
CC: @lunarwhite @sayak-redhat any suggestion??
we should remove it if we want to use only the env variable through the subscription to update the create-only-mode variable
@lunarwhite there is a question mark in the end => CC: @lunarwhite @sayak-redhat any suggestion??
bb9383d to b5ebff1
lunarwhite left a comment
@sayak-redhat please be cautious when reviewing PRs; humans should not solely trust AI-generated "review reports" in any way.
In your comment #104178 (comment), "ztwim.openshift.io/create-only annotation" is there surprisingly, but we have refactored it into the patching-subscription approach, no? I have no idea why you ignored the review comment #104178 (comment) from @anirudhAgniRedhat, which mentions the same paragraph.
| :_mod-docs-content-type: PROCEDURE | ||
| [id="zero-trust-manager-restart-reconciliation_{context}"] | ||
|
|
||
| = Resuming Operator reconciliation by annotation |
| = Resuming Operator reconciliation by annotation | |
| = Resuming Operator reconciliation |
Done
@lunarwhite, @anirudhAgniRedhat asked there and I acknowledged; it's not that I ignored it.
b5ebff1 to 74e17df
74e17df to be02b38
| [source,terminal] | ||
| ---- | ||
| $ oc annotate SpireServer cluster -n zero-trust-workload-identity-manager ztwim.openshift.io/create-only=true | ||
| $ oc -n $OPERATOR_NAMESPACE patch subscription openshift-zero-trust-workload-identity-manager --type='merge' -p '{"spec":{"config":{"env":[{"name":"CREATE_ONLY_MODE","value":"true"}]}}}' |
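Review bot: The replacement command relies on `$OPERATOR_NAMESPACE`, which the procedure never defines, whereas the removed `oc annotate` line carried an explicit `-n zero-trust-workload-identity-manager`; state the namespace or define the variable first. Two caveats worth a note in the docs: a `--type='merge'` patch replaces the whole `spec.config.env` list, so any other environment variables already set on the Subscription are dropped by this command, and the Subscription name `openshift-zero-trust-workload-identity-manager` must match the name actually created at install time (`oc get subscription -n <namespace>` shows it).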
Enhancement: Accept case-insensitive "TRUE"/"FALSE" for CREATE_ONLY_MODE env var using strings.EqualFold(). Any random/invalid value will default to false (disabled) for safety.

CREATE_ONLY_MODE env var handling:
- Accepts: true/True/TRUE → Enables create-only mode
- Accepts: false/False/FALSE → Disables create-only mode
- Any other value (yes, 1, random, etc.) → Defaults to DISABLED

The check is case-insensitive. Recommend documenting "true" or "false" as accepted values.
@sayak-redhat Why are you putting these bits here? This PR is part of the 1.0.0 GA version only; obviously openshift/zero-trust-workload-identity-manager#89 hasn't merged and no release has been created yet. Have you mixed up the versioning, which I told you about earlier?

@wgabor0427: all tests passed! Full PR test history. Your PR dashboard. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Version(s):
4.20+
Issue:
https://issues.redhat.com/browse/OSDOCS-17704
Link to docs preview:
https://104178--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-reconciliation.html