18 changes: 14 additions & 4 deletions modules/zero-trust-manager-pause-reconciliation.adoc
@@ -4,10 +4,15 @@

:_mod-docs-content-type: PROCEDURE
[id="zero-trust-manager-pause-reconciliation_{context}"]
= Pausing Operator reconciliation

= Pausing Operator reconciliation by annotation
[role="_abstract"]
Pause reconciliation of the `SpireServer` by enabling `create-only` mode. This setting prevents the Operator from automatically reverting your manual changes to the desired state. You can enable this mode by updating the subscription object.


Suggested change
Pause reconciliation of the `SpireServer` by enabling `create-only` mode. This setting prevents the Operator from automatically reverting your manual changes to the desired state. You can enable this mode by updating the subscription object.
Pause reconciliation of the operands by enabling `create-only` mode. This setting prevents the Operator from automatically reverting your manual changes to the desired state. You can enable this mode by updating the operator's subscription object.


Reconciliation by annotation supports the `SpireServer`, `SpireAgent`, `SpiffeCSIDriver`, `SpireOIDCDiscoveryProvider`, and the `ZeroTrustWorkloadIdentityManager` custom resources. You can pause the reconciliation process by adding an annotation.
[IMPORTANT]
====
When `create-only` mode is disabled, the Operator overwrites the resources if any conflicts exist.
====

.Prerequisites

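Review bot: this hunk leaves the module describing two mechanisms at once. The heading `= Pausing Operator reconciliation by annotation` and the unchanged sentence `You can pause the reconciliation process by adding an annotation.` still describe the annotation path, while the new abstract says the mode is enabled by updating the subscription object. Rewrite the heading (and check the `[id="zero-trust-manager-pause-reconciliation_{context}"]` anchor, which other pages may reference) and the `Reconciliation by annotation supports ...` sentence so they name the operands covered by `create-only` mode without mentioning annotations, or, if the annotation still works, document it explicitly as an alternative rather than leaving both descriptions side by side.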
@@ -17,11 +22,11 @@ Reconciliation by annotation supports the `SpireServer`, `SpireAgent`, `SpiffeCS

.Procedure

* To pause reconciling the `SpireServer` custom resource, add the `create-only` annotation to the named `cluster` by running the following command:
* To pause reconciling the `SpireServer`, add the environment variable `CREATE_ONLY_MODE`: `true` in the subscription object by running the following command:


Suggested change
* To pause reconciling the `SpireServer`, add the environment variable `CREATE_ONLY_MODE`: `true` in the subscription object by running the following command:
* To pause reconciling the operand resources managed by the Operator, add the environment variable `CREATE_ONLY_MODE`: `true` in the subscription object by running the following command:

+
[source,terminal]
----
$ oc annotate SpireServer cluster -n zero-trust-workload-identity-manager ztwim.openshift.io/create-only=true
$ oc -n $OPERATOR_NAMESPACE patch subscription openshift-zero-trust-workload-identity-manager --type='merge' -p '{"spec":{"config":{"env":[{"name":"CREATE_ONLY_MODE","value":"true"}]}}}'
----

.Verification
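Review bot: the new `oc patch ... --type='merge' -p '{"spec":{"config":{"env":[...]}}}'` command replaces the whole `spec.config.env` list, because a JSON merge patch substitutes arrays instead of appending to them, so any environment variable already configured on the Subscription is silently dropped. Either warn about this in the step or tell the reader to inspect the current value first (for example `oc get subscription openshift-zero-trust-workload-identity-manager -o jsonpath='{.spec.config.env}'`) and include the existing entries in the patch. Two smaller points: `$OPERATOR_NAMESPACE` is never defined in this module, whereas the deleted command used the literal `zero-trust-workload-identity-manager` namespace, so define the variable in the prerequisites or use the namespace directly; and the bullet text still says `the SpireServer` although the mode now covers every operand (the suggestion above addresses that).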
@@ -44,3 +49,8 @@ status:
type: CreateOnlyMode


.Verification

  • Check the status of the ZeroTrustWorkloadIdentityManager resource to confirm that the create-only mode is active. The status must be true and the reason must be CreateOnlyModeEnabled.

$ oc get zerotrustworkloadidentitymanager cluster -o yaml

.Example output

status:
  conditions:
  - lastTransitionTime: "2025-12-23T11:36:58Z"
    message: All components are ready
    reason: Ready
    status: "True"
    type: Ready
  - lastTransitionTime: "2025-12-23T11:36:58Z"
    message: All operand CRs are ready
    reason: Ready
    status: "True"
    type: OperandsAvailable
  - lastTransitionTime: "2025-12-23T11:36:58Z"
    message: create-only mode enabled
    reason: CreateOnlyModeEnabled
    status: "True"
    type: CreateOnlyMode    

----

[IMPORTANT]
====
The Operator updates the upgradeable condition to `false` in the `operatorCondition` resource. You might not be able to upgrade the Operator when in `create-only` mode.
====

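Review bot: the new `[IMPORTANT]` block at the end of this hunk should name the condition and its effect precisely. The resource kind is `OperatorCondition` (not `operatorCondition`), the condition is `Upgradeable`, and OLM does not start an Operator upgrade while `Upgradeable` is `False`, so "You might not be able to upgrade" understates what happens. The note should also tell the reader that resuming reconciliation (setting `CREATE_ONLY_MODE` back to `false`) is what lifts the block, since someone who leaves the mode on and later wonders why the Operator is pinned has no pointer here. The verification output above only shows the `CreateOnlyMode` condition; adding a check of the `OperatorCondition` resource would let the reader confirm the upgrade block as well.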
7 changes: 5 additions & 2 deletions modules/zero-trust-manager-restart-reconciliation.adoc
@@ -7,15 +7,18 @@

= Resuming Operator reconciliation by annotation

[role="_abstract"]
Restart reconciliation of the `SpireServer` by disabling `create-only` mode. This helps to ensure that the `SpireServer` resource works correctly when you restart the controller. You can diable this mode by updating the subscription object.


Suggested change
Restart reconciliation of the `SpireServer` by disabling `create-only` mode. This helps to ensure that the `SpireServer` resource works correctly when you restart the controller. You can diable this mode by updating the subscription object.
Restart reconciliation of the operands by disabling `create-only` mode. This helps to ensure that the operator-managed resource works correctly when the controller gets restarted. You can disable this mode by updating the subscription object.


.Procedure

Follow these steps to restart the reconciliation process:

. Run the `oc annotate` command, adding a hyphen (`-`) at the end of the annotation name. This removes the annotation from the cluster resource.
. To restart reconciling the `SpireServer`, add the environment variable `CREATE_ONLY_MODE`: `false` in the subscription object by running the following command:


Suggested change
. To restart reconciling the `SpireServer`, add the environment variable `CREATE_ONLY_MODE`: `false` in the subscription object by running the following command:
. To restart reconciling the operator-managed resources, add the environment variable `CREATE_ONLY_MODE`: `false` in the subscription object by running the following command:

+
[source,terminal]
----
$ oc annotate SpireServer cluster -n zero-trust-workload-identity-manager ztwim.openshift.io/create-only-
$ oc -n $OPERATOR_NAMESPACE patch subscription openshift-zero-trust-workload-identity-manager --type='merge' -p '{"spec":{"config":{"env":[{"name":"CREATE_ONLY_MODE","value":"false"}]}}}'
----

. Restart the controller by running the following command:


remove the restart for the operator deployment.

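Review bot: the remaining step `. Restart the controller by running the following command:` is redundant once the patch command replaces the annotation: OLM propagates `spec.config.env` from the Subscription into the Operator Deployment, and that Deployment change rolls the pod by itself, so the manual restart (which the comment above also asks to drop) should go together with its command. With it removed the procedure is a single step, so the `Follow these steps to restart the reconciliation process:` lead-in and the numbered `.` marker should become one bullet, mirroring the pause module. The added abstract in this hunk also carries the typo `diable`; the suggestion above fixes it, so make sure it is applied. As in the pause module, `$OPERATOR_NAMESPACE` is used without being defined anywhere in the file.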
@@ -6,7 +6,10 @@ include::_attributes/common-attributes.adoc[]

toc::[]

By enabling the `create-only` mode, you can pause the Operator reconciliation, which allows you to perform manual configurations or debug without the controller overwriting your changes. This is done by annotating the API resources which are managed by the Operator. The following scenarios are examples of when the `create-only` mode might be of use:
[role="_abstract"]
By enabling the `create-only` mode, you can pause the Operator reconciliation, which allows you to perform manual configurations or debug without the controller overwriting your changes. This is done by setting the environment variable in the subscription object.

The following scenarios are examples of when the `create-only` mode might be of use:

**Manual Customization Required**: You need to customize operator-managed resources (ConfigMaps, Deployments, DaemonSets, etc.) with specific configurations that differ from the operator's defaults

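Review bot: `This is done by setting the environment variable in the subscription object.` does not say which variable or which object. Name them, `CREATE_ONLY_MODE` under `spec.config.env` of the Operator's Subscription, so the overview matches the two procedure modules. The sentence it replaces also made the scope clear (the API resources managed by the Operator); carry that over so the reader understands the mode applies to every operand the Operator manages rather than to a single resource.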