OSDOCS-17704 updated create-only mode #104178
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
openshift-ci
bot
added
the
size/S
|
🤖 Thu Dec 18 20:08:41 - Prow CI generated the docs preview: |
wgabor0427
force-pushed
the
OSDOCS-17704
branch
from
6479035 to
fd9a42e
Compare
openshift-ci
bot
added
size/M
|
@wgabor0427: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Member
|
Kindly |
|
|
||
| = Pausing Operator reconciliation by annotation | ||
| [role="_abstract"] | ||
| Pause reconciliation of the `SpireServer` by enabling `create-only` mode. This setting prevents the Operator from automatically reverting your manual changes to the desired state. You can enable this mode by updating the subscription object. |
There was a problem hiding this comment.
Suggested change
| Pause reconciliation of the `SpireServer` by enabling `create-only` mode. This setting prevents the Operator from automatically reverting your manual changes to the desired state. You can enable this mode by updating the subscription object. | |
| Pause reconciliation of the operands by enabling `create-only` mode. This setting prevents the Operator from automatically reverting your manual changes to the desired state. You can enable this mode by updating the operator's subscription object. |
| .Procedure | ||
|
|
||
| * To pause reconciling the `SpireServer` custom resource, add the `create-only` annotation to the named `cluster` by running the following command: | ||
| * To pause reconciling the `SpireServer`, add the environment variable `CREATE_ONLY_MODE`: `true` in the subscription object by running the following command: |
There was a problem hiding this comment.
Suggested change
| * To pause reconciling the `SpireServer`, add the environment variable `CREATE_ONLY_MODE`: `true` in the subscription object by running the following command: | |
| * To pause reconciling the operands resources managed by operator, add the environment variable `CREATE_ONLY_MODE`: `true` in the subscription object by running the following command: |
| = Resuming Operator reconciliation by annotation | ||
|
|
||
| [role="_abstract"] | ||
| Restart reconciliation of the `SpireServer` by disabling `create-only` mode. This helps to ensure that the `SpireServer` resource works correctly when you restart the controller. You can diable this mode by updating the subscription object. |
There was a problem hiding this comment.
Suggested change
| Restart reconciliation of the `SpireServer` by disabling `create-only` mode. This helps to ensure that the `SpireServer` resource works correctly when you restart the controller. You can diable this mode by updating the subscription object. | |
| Restart reconciliation of the operands by disabling `create-only` mode. This helps to ensure that the operator-managed resource works correctly when the controller gets restarted. You can disable this mode by updating the subscription object. |
| Follow these steps to restart the reconciliation process: | ||
|
|
||
| . Run the `oc annotate` command, adding a hyphen (`-`) at the end of the annotation name. This removes the annotation from the cluster resource. | ||
| . To restart reconciling the `SpireServer`, add the environment variable `CREATE_ONLY_MODE`: `false` in the subscription object by running the following command: |
There was a problem hiding this comment.
Suggested change
| . To restart reconciling the `SpireServer`, add the environment variable `CREATE_ONLY_MODE`: `false` in the subscription object by running the following command: | |
| . To restart reconciling the operator-managed resources, add the environment variable `CREATE_ONLY_MODE`: `false` in the subscription object by running the following command: |
| message: Create-only mode is enabled via ztwim.openshift.io/create-only annotation | ||
| reason: CreateOnlyModeEnabled | ||
| status: "True" | ||
| type: CreateOnlyMode |
There was a problem hiding this comment.
.Verification
- Check the status of the ZeroTrustWorkloadIdentityManager resource to confirm that the
create-onlymode is active. Thestatusmust betrueand thereasonmust beCreateOnlyModeEnabled.
$ oc get zerotrustworkloadidentitymanager cluster -o yaml
.Example output
status:
conditions:
- lastTransitionTime: "2025-12-23T11:36:58Z"
message: All components are ready
reason: Ready
status: "True"
type: Ready
- lastTransitionTime: "2025-12-23T11:36:58Z"
message: All operand CRs are ready
reason: Ready
status: "True"
type: OperandsAvailable
- lastTransitionTime: "2025-12-23T11:36:58Z"
message: create-only mode enabled
reason: CreateOnlyModeEnabled
status: "True"
type: CreateOnlyMode
| $ oc -n $OPERATOR_NAMESPACE patch subscription openshift-zero-trust-workload-identity-manager --type='merge' -p '{"spec":{"config":{"env":[{"name":"CREATE_ONLY_MODE","value":"false"}]}}}' | ||
| ---- | ||
|
|
||
| . Restart the controller by running the following command: |
There was a problem hiding this comment.
remove the retart for the operator deployment.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Version(s):
4.20+
Issue:
https://issues.redhat.com/browse/OSDOCS-17704
Link to docs preview:
https://104178--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-reconciliation.html
QE review:
Additional information: