Provide a sample for approuter restart

miyasuta · Jun 12, 2023 · f80d72a · f80d72a
1 parent 3ef943b
commit f80d72a
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -134,7 +134,7 @@ The **Advanced Features** require some additional services and software componen
   - Automated Credential Rotation (Workaround available - 2023/06/09)
     - **Problem**: Users are facing a callback authentication error after successful login via SAP IAS as part of the One-Domain concept. 
     - **Issue**: Activating the automated credential rotation of the SAP BTP Service Operator renews the X.509 certificate of the respective SAP IAS service bindings. As the Application Router caches the binding details for performance reasons, the cached X.509 certificate is not valid anymore after rotation. This results in an authentication error between Application Router and SAP IAS. 
-    - **Workaround**: A restart of the Application Router after credential rotation will solve this issue and the latest X.509 certificate is being cached. This restart can be automated in a Kubernetes/Kyma CronJob, starting a new Deployment rollout according to your credential rotation cycle. Combined with an external Redis cache for Application Router session management, downtimes can be minimized or completely mitigated! Make sure to have a sufficient overlap of both, the old and new X.509 certificate (*rotatedBindingTTL*), so the cached credentials are still valid until the restart has happened! 
+    - **Workaround**: A restart of the Application Router after credential rotation will solve this issue and the latest X.509 certificate is being cached. This restart can be automated in a Kubernetes/Kyma CronJob, starting a new Deployment rollout according to your credential rotation cycle. You can find an example incl. roles and service accounts in the respective Expert Features ([click here](./docu/4-expert/onboard-automation-domain/code/deployment-restart.yaml)). Combined with an external Redis cache for Application Router session management, downtimes can be minimized or completely mitigated! Make sure to have a sufficient overlap of both, the old and new X.509 certificate (*rotatedBindingTTL: 24h* & *rotationFrequency: 48h*), so the cached credentials are still valid until the restart has happened!
     - **Solution**: Issue has been addressed and a potential notification mechanism might trigger an automated update of the Application Router cache in the future (subject to change). 
   - Consumer extension API issue (Workaround available - 2022/12/19)
     - **Problem**: Applying a Consumer extension currently results in the Push API not being usable by the extended Tenant anymore. 

diff --git a/docu/4-expert/onboard-automation-domain/code/deployment-restart.yaml b/docu/4-expert/onboard-automation-domain/code/deployment-restart.yaml
@@ -0,0 +1,63 @@
+# These artifacts provide a workaround related to Application Router and Automated Credential Rotation
+# ! A restart of Application Router will enforce a re-authentication of all active users !
+# ! Please make sure to read the respective issue in the central README document first !
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: restart-susaas-prod-onboarding-router
+  namespace: default
+spec:
+  concurrencyPolicy: Forbid
+  # Restart Deployment daily at 00:00 UCT
+  schedule: '0 0 * * *'
+  timeZone: "Etc/UTC"
+  jobTemplate:
+    spec:
+      backoffLimit: 1
+      activeDeadlineSeconds: 600
+      ttlSecondsAfterFinished: 10
+      template:
+        metadata:
+          annotations:
+            sidecar.istio.io/inject: "false"
+        spec:
+          serviceAccountName: deployment-restart
+          restartPolicy: Never
+          containers:
+            - name: kubectl
+              image: bitnami/kubectl
+              command:
+                - 'kubectl'
+                - 'rollout'
+                - 'restart'
+                - 'deployment/susaas-prod-onboarding-router'
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: deployment-restart
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: deployment-restart
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: deployment-restart
+subjects:
+  - kind: ServiceAccount
+    name: deployment-restart
+    namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: deployment-restart
+  namespace: default
+rules:
+  - apiGroups: ["apps", "extensions"]
+    resources: ["deployments"]
+    verbs: ["get", "patch", "list", "watch"]