
RFC: Deployment hooks #14512

Open
ironcladlou opened this issue Sep 24, 2015 · 31 comments
Labels
area/app-lifecycle area/workload-api/deployment kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/awaiting-more-evidence Lowest priority. Possibly useful, but not yet enough support to actually get it done. sig/apps Categorizes an issue or PR as relevant to SIG Apps.

Comments

@ironcladlou
Contributor

Users often need a means to inject custom behavior into the lifecycle of a deployment process. The deployment API (#1743) could be expanded to support the execution of user-specified Docker images, which would be given an opportunity to run to completion at various points during the reconciliation process for a deployment.

Use cases and various design approaches were discussed previously in an OpenShift deployment hooks proposal.

This RFC is to capture initial thoughts on the topic and to link any existing related issues.


@bgrant0607 bgrant0607 added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. area/app-lifecycle team/ux labels Sep 24, 2015
@pmorie
Member

pmorie commented Sep 25, 2015

Hooks be like

↪️
↩️

@bgrant0607 bgrant0607 added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 1, 2015
@smarterclayton
Contributor

A hook is a materialization of the "process" a deployment requires. A hook is a way of reducing the cost of implementing a full custom deployment process - instead, at logical points in the flow, control of the process is handed off to user code. Practically, hooks often involve one-way transitions in state, such as a forward database migration, removal of old values from a persistent store, or the clearing of a state cache. A hook is effectively a synchronous event listener with veto power - it may return success or failure, or in some cases need re-execution.

Because deployment processes typically involve coupling between state (assumed elsewhere) and code (frequently the target of the deployment), it should be easy for a hook to be coupled to a particular version of code, and easy for a deployer to use the code under deployment from the hook.

Not all deployment processes are equal - most code deployments are small, with infrequent larger deployments that require schema or state changes. It should be easy to reason about when hooks will get run, as well as to temporarily disable them. Important deployments are usually manual, so there is less motivation to build hook enable/disable mechanisms - it is usually better to allow automatic deployment and hooks to be disabled, and an imperative series of actions to be taken instead.
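
For a concrete shape, OpenShift's DeploymentConfig expresses this model as pre/mid/post hooks attached to a deployment strategy. A rough sketch follows; note the fields below are OpenShift's, not part of any Kubernetes Deployment API, and the command is illustrative:

```yaml
# Sketch of OpenShift-style lifecycle hooks (not a Kubernetes Deployment API).
strategy:
  type: Recreate
  recreateParams:
    pre:                       # runs before old pods are scaled down
      failurePolicy: Abort     # Abort | Retry | Ignore - the "veto power" above
      execNewPod:
        containerName: app     # reuse the image under deployment
        command: ["./migrate", "--forward"]
    # mid and post hooks take the same shape, running between
    # scale-down and scale-up, and after the new pods are up.
```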

@bgrant0607
Member

Related: #3585

@gravis

gravis commented Nov 19, 2015

Let me sum up our recent experience with OpenShift here.
We're using a dc to deploy an nginx + rails pod (2 containers). The 2 containers share an EmptyDir holding assets generated by sprockets in rails. Rails was previously deployed using capistrano, and a recipe was in charge of pre-compiling these assets (http://guides.rubyonrails.org/asset_pipeline.html#precompiling-assets).
This is a good example of where a pre-hook would fit. In dev, we don't precompile assets, so the container command is just "unicorn [...]" (a ruby webserver).
In production, we need to exec a pre-hook to compile these assets before unicorn starts.
This is where we ran into this issue: openshift/origin#4711 (comment)

@bgrant0607 bgrant0607 added this to the v1.2-candidate milestone Nov 19, 2015
@bgrant0607
Member

Example of a pre-rollout hook: #1899 (comment)

@smarterclayton
Contributor

This could also be done with the future init container proposal, where the init container on each pod gets a chance to run arbitrary code to fill out volumes.
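
A sketch of that approach applied to the asset-precompilation case above, assuming an emptyDir shared between an init container and the web container (image names, commands, and paths are illustrative). Note this runs once per pod, not once per rollout:

```yaml
# Per-pod init container filling a shared volume (illustrative sketch).
spec:
  volumes:
  - name: assets
    emptyDir: {}
  initContainers:
  - name: precompile-assets
    image: myapp:latest              # the same image being deployed
    command: ["bundle", "exec", "rake", "assets:precompile"]
    volumeMounts:
    - name: assets
      mountPath: /app/public/assets  # init container writes here
  containers:
  - name: unicorn
    image: myapp:latest
    volumeMounts:
    - name: assets
      mountPath: /app/public/assets  # web container serves from here
```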


@bgrant0607
Member

A hook use case is described here:
https://groups.google.com/forum/#!topic/google-containers/zblnAzLeSJA

@edevil
Contributor

edevil commented Jun 8, 2016

I'm also having difficulty deciding when/how to do database migrations in the context of a rolling-upgrade. It seems these hooks would be the perfect place for running the migration script.

@wombat

wombat commented Jul 28, 2016

@edevil well, as you can't have breaking schema changes in a rolling-upgrade scenario, you can also use K8s Jobs to do this. You can either wait for the Job to complete before doing the upgrade or trigger both at the same time.

@0xmichalis
Contributor

I'm also having difficulty deciding when/how to do database migrations in the context of a rolling-upgrade. It seems these hooks would be the perfect place for running the migration script.

This is the place where a mid-hook combined with the Recreate deployment strategy makes sense.

cc: @kubernetes/deployment

@smarterclayton
Contributor

smarterclayton commented Aug 3, 2016 via email

@F21

F21 commented Jan 24, 2017

Any updates on this one? I am interested in being able to run a deployment and start a chain of init containers for the deployment as a whole (not on a per-pod basis).

@edevil
Contributor

edevil commented Jan 30, 2017

Yeah, init containers per-deployment would be a good option as well.

@0xmichalis
Contributor

It's better if those hooks are re-entrant and frequently applied (since that makes their behavior fit a control loop style, rather than a workflow style)

Agreed. FWIW, the way we ensure rollbacks are re-entrant for Deployments is by having an API field that, when populated, causes the controller to remove it and update the pod template to the specified version in one atomic call.

@0xmichalis 0xmichalis added sig/apps Categorizes an issue or PR as relevant to SIG Apps. and removed team/ux (deprecated - do not use) labels Apr 22, 2017
@0xmichalis
Contributor

Proposed deferContainers would give better support for Cleanup actions like db-migration etc.,

@dhilipkumars deferContainers are executed at the pod level and are equivalent to post-hooks. This issue is about hooks at the deployment level, and it includes other types of hooks too (pre, mid).

@0xmichalis 0xmichalis added priority/awaiting-more-evidence Lowest priority. Possibly useful, but not yet enough support to actually get it done. and removed priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Apr 23, 2017
@dhilipkumars

@Kargakis deferContainers are proposed to be PreStop-like, so db-migration can be programmed easily using them. If the reason for these hooks is "better support for stateful apps", shouldn't we think of doing this in StatefulSets instead?

@0xmichalis
Contributor

There are more reasons for hooks than db migrations, e.g. image promotion. Although, if we have auto-pausing in the workload controllers (#11505), we can satisfy the use cases of this issue by programming hooks on top of the existing APIs.

@montanaflynn

Not sure if this is helpful or even related but here's our use case:

We want to get an HTTP webhook any time a deployment changes; this will allow us to correlate errors and changes in metrics with deployments.

@gkop

gkop commented Aug 24, 2017

We're using a very vanilla setup on GKE with the default rolling deployments. It's surprising that there's apparently no simple, conventional way to get a hook when the rolling deploy completes. Would anybody be so kind as to share a workaround for this? <3

@2rs2ts
Contributor

2rs2ts commented Sep 19, 2017

We have a very similar use case as @montanaflynn and deferContainers would not solve it.

@gkop

gkop commented Sep 19, 2017

Our workaround is to spawn `kubectl rollout status deploy/$DEPLOYMENT_NAME --watch=true | tail -n 1` and wait for the process to exit. We use the process exit status to determine whether or not the deploy was successful, and include the last line of output in our deploy notifications (usually "deployment $DEPLOYMENT_NAME successfully rolled out") #hacktastic

@486

486 commented Dec 13, 2017

Hi,

Any updates on this? We are using OpenShift but also want to be compatible with vanilla Kubernetes. Losing deployment hooks is the single biggest headache in that transition.

It is just so common to have older software that expects migrations or other setup code to be executed by exactly one process, which can be easily done in the pre-deployment hook.

From a user perspective, I find it very helpful to have deployment hooks as a first-class feature. "Your deployment failed because your migrations, which happen in your pre-hook, didn't run through, you should check that."

As a workaround, Helm can orchestrate Jobs that have to run before your Deployment, but we don't want to adopt more moving parts for this single feature.

@edevil
Contributor

edevil commented Jan 18, 2018

Just to add more fuel to the discussion, I was recently bitten by a problem using initContainers for running Django migrations.

During one of the rolling upgrades, several pods ran the "./manage.py migrate" script at the same time through the "initContainers" feature. Since Django does not do every migration operation inside a transaction, some of the operations were interleaved, which did not end well.

As I really need to run this script once per rolling deployment (Recreate is not an option), I am left with no option but to do it manually: launch a Job, check on it periodically, make sure it has run successfully, and only then perform the deployment.
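
That manual sequence can at least be captured declaratively: run a one-shot Job per rollout and gate the Deployment on its completion (for example with `kubectl wait --for=condition=complete job/django-migrate`). A sketch, with illustrative names:

```yaml
# One-shot migration Job, run once per rollout before applying the Deployment.
apiVersion: batch/v1
kind: Job
metadata:
  name: django-migrate
spec:
  backoffLimit: 0            # fail fast rather than retrying a partial migration
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: migrate
        image: myapp:latest  # the image being rolled out
        command: ["./manage.py", "migrate"]
```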

@ironcladlou
Contributor Author

@486 @edevil the discussion continues over here: kubernetes/community#1171

@bgrant0607
Member

/lifecycle frozen

@k8s-ci-robot k8s-ci-robot added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Jan 22, 2018
@shenshouer

Any update on this?

@galindro

@ironcladlou do you know where in https://github.com/kubernetes/enhancements the proposal kubernetes/community#1171 was moved to?

@alper

alper commented Jun 12, 2024

Is this still open or has this been completed somewhere?

@sftim
Contributor

sftim commented Dec 13, 2024

The deployment API (#1743) could be expanded to support the execution of user-specified Docker images, which would be given an opportunity to run to completion at various points during the reconciliation process for a deployment.

How about CEL as an alternative? Maybe MutatingAdmissionPolicy lets us build this now?
