From f80d72a55bf62f617ad07965ba0720758f29dc3c Mon Sep 17 00:00:00 2001
From: Martin Frick
Date: Mon, 12 Jun 2023 20:15:41 +0200
Subject: [PATCH] Provide a sample for approuter restart
---
README.md | 2 +-
.../code/deployment-restart.yaml | 63 +++++++++++++++++++
2 files changed, 64 insertions(+), 1 deletion(-)
create mode 100644 docu/4-expert/onboard-automation-domain/code/deployment-restart.yaml
diff --git a/README.md b/README.md
index 2c0f6d6..32beba4 100644
--- a/README.md
+++ b/README.md
@@ -134,7 +134,7 @@ The **Advanced Features** require some additional services and software componen
 - Automated Credential Rotation (Workaround available - 2023/06/09)
 - **Problem**: Users are facing a callback authentication error after successful login via SAP IAS as part of the One-Domain concept.
 - **Issue**: Activating the automated credential rotation of the SAP BTP Service Operator renews the X.509 certificate of the respective SAP IAS service bindings. As the Application Router caches the binding details for performance reasons, the cached X.509 certificate is not valid anymore after rotation. This results in an authentication error between Application Router and SAP IAS.
- - **Workaround**: A restart of the Application Router after credential rotation will solve this issue and the latest X.509 certificate is being cached. This restart can be automated in a Kubernetes/Kyma CronJob, starting a new Deployment rollout according to your credential rotation cycle. Combined with an external Redis cache for Application Router session management, downtimes can be minimized or completely mitigated! Make sure to have a sufficient overlap of both, the old and new X.509 certificate (*rotatedBindingTTL*), so the cached credentials are still valid until the restart has happened!
+ - **Workaround**: A restart of the Application Router after credential rotation will solve this issue and the latest X.509 certificate is being cached. This restart can be automated in a Kubernetes/Kyma CronJob, starting a new Deployment rollout according to your credential rotation cycle. You can find an example incl. roles and service accounts in the respective Expert Features ([click here](./docu/4-expert/onboard-automation-domain/code/deployment-restart.yaml)). Combined with an external Redis cache for Application Router session management, downtimes can be minimized or completely mitigated! 
Make sure to have a sufficient overlap of both, the old and new X.509 certificate (*rotatedBindingTTL: 24h* & *rotationFrequency: 48h*), so the cached credentials are still valid until the restart has happened!
 - **Solution**: Issue has been addressed and a potential notification mechanism might trigger an automated update of the Application Router cache in the future (subject to change).
 - Consumer extension API issue (Workaround available - 2022/12/19)
 - **Problem**: Applying a Consumer extension currently results in the Push API not being usable by the extended Tenant anymore.
diff --git a/docu/4-expert/onboard-automation-domain/code/deployment-restart.yaml b/docu/4-expert/onboard-automation-domain/code/deployment-restart.yaml
new file mode 100644
index 0000000..ede7d83
--- /dev/null
+++ b/docu/4-expert/onboard-automation-domain/code/deployment-restart.yaml
@@ -0,0 +1,63 @@
+# These artifacts provide a workaround related to Application Router and Automated Credential Rotation
+# ! A restart of Application Router will enforce a re-authentication of all active users !
+# ! Please make sure to read the respective issue in the central README document first !
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: restart-susaas-prod-onboarding-router
+ namespace: default
+spec:
+ concurrencyPolicy: Forbid
+ # Restart Deployment daily at 00:00 UCT
+ schedule: '0 0 * * *'
+ timeZone: "Etc/UTC"
+ jobTemplate:
+ spec:
+ backoffLimit: 1
+ activeDeadlineSeconds: 600
+ ttlSecondsAfterFinished: 10
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: deployment-restart
+ restartPolicy: Never
+ containers:
+ - name: kubectl
+ image: bitnami/kubectl
+ command:
+ - 'kubectl'
+ - 'rollout'
+ - 'restart'
+ - 'deployment/susaas-prod-onboarding-router'
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: deployment-restart
+ namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: deployment-restart
+ namespace: default
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: deployment-restart
+subjects:
+ - kind: ServiceAccount
+ name: deployment-restart
+ namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: deployment-restart
+ namespace: default
+rules:
+ - apiGroups: ["apps", "extensions"]
+ resources: ["deployments"]
+ verbs: ["get", "patch", "list", "watch"]
\ No newline at end of file
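Review bot: The job container on the `image: bitnami/kubectl` line is unpinned, so every nightly run pulls whatever the untagged (`latest`) reference resolves to at that moment and runs it with the `deployment-restart` service account's credentials; pin it to a tag and digest, e.g. `image: bitnami/kubectl:<pinned tag>@sha256:<digest>` (placeholder values). The Role at the end of the hunk is also broader than the single `kubectl rollout restart` it exists for: it covers every Deployment in `default` with `list` and `watch`, and the `extensions` group no longer serves Deployments on current API servers, so `verbs: ["get", "patch"]` with `resourceNames: ["susaas-prod-onboarding-router"]` on `apiGroups: ["apps"]` should suffice (confirm against the cluster's Kubernetes version before narrowing). Since `ttlSecondsAfterFinished: 10` deletes the Job and its pod ten seconds after it finishes, a failed restart leaves almost no logs for an operator to inspect; a larger TTL, or a pointer in the header comment to where restart failures are alerted, would help. Minor: the comment `# Restart Deployment daily at 00:00 UCT` should read `UTC`.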