From 6c8ec5f0896bdfa5dfd7bb26951ea666cc9f9f70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stanislav=20Ochotnick=C3=BD?=
Date: Fri, 24 Jun 2022 16:40:35 +0200
Subject: [PATCH] Add ttlSecondsAfterFinished into LDAP sync cron job Upstream Kubernetes documentation is here: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ What this change does - it makes sure that failed jobs do not linger but are cleaned up by OpenShift. In LDAP sync case the customer should only care about last sync success or failure. This should help with alert fatigue from KubeJobFailed when there is a glitch with LDAP sync. Similar (unrelated) change in CNO: https://github.com/openshift/cluster-network-operator/pull/1318 This is available since OpenShift 4.8
---
 modules/ldap-auto-syncing.adoc | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/modules/ldap-auto-syncing.adoc b/modules/ldap-auto-syncing.adoc
index 783102869e..1fd35e086b 100644
--- a/modules/ldap-auto-syncing.adoc
+++ b/modules/ldap-auto-syncing.adoc
@@ -175,6 +175,7 @@ spec:
 jobTemplate:
 spec:
 backoffLimit: 0
+ ttlSecondsAfterFinished: 1800 <3>
 template:
 spec:
 containers:
@@ -183,7 +184,7 @@ spec:
 command:
 - "/bin/bash"
 - "-c"
- - "oc adm groups sync --sync-config=/etc/config/sync.yaml --confirm" <3>
+ - "oc adm groups sync --sync-config=/etc/config/sync.yaml --confirm" <4>
 volumeMounts:
 - mountPath: "/etc/config"
 name: "ldap-sync-volume"
@@ -197,10 +198,10 @@ spec:
 name: "ldap-group-syncer"
 - name: "ldap-bind-password"
 secret:
- secretName: "ldap-secret" <4>
+ secretName: "ldap-secret" <5>
 - name: "ldap-ca"
 configMap:
- name: "ca-config-map" <5>
+ name: "ca-config-map" <6>
 restartPolicy: "Never"
 terminationGracePeriodSeconds: 30
 activeDeadlineSeconds: 500
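Review bot: The `ttlSecondsAfterFinished: 1800` added under `jobTemplate.spec` in the first hunk removes every finished Job, failed or successful, 1800 seconds after it ends, and the callout text should say what is lost with it. For an LDAP group sync this goes beyond alert noise: a sync that keeps failing means group membership changes in LDAP are not reaching the cluster, and once the failed Job and its pod are deleted the logs that explain the failure go with them unless they are collected elsewhere. I would keep the field but extend callout <3> with a sentence such as `Finished jobs and their pod logs are deleted after this period; make sure sync failures are still alerted on and that logs are forwarded if you need them for troubleshooting or audit.` It may also be worth naming `failedJobsHistoryLimit` as the cron job's other retention control, since the lines visible in these hunks do not set it (the manifest starts and ends outside the hunks, so it may be set elsewhere).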
@@ -209,9 +210,10 @@ spec:
 ----
 <1> Configure the settings for the cron job. See "Creating cron jobs" for more information on cron job settings.
 <2> The schedule for the job specified in link:https://en.wikipedia.org/wiki/Cron[cron format]. This example cron job runs every 30 minutes. Adjust the frequency as necessary, making sure to take into account how long the sync takes to run.
-<3> The LDAP sync command for the cron job to run. Passes in the sync configuration file that was defined in the config map.
-<4> This secret was created when the LDAP IDP was configured.
-<5> This config map was created when the LDAP IDP was configured.
+<3> How long, in seconds, to keep finished jobs. This should match the period of the job schedule in order to clean old failed jobs and prevent unnecessary alerts. For more information, see link:https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished[TTL-after-finished Controller] in the Kubernetes documentation.
+<4> The LDAP sync command for the cron job to run. Passes in the sync configuration file that was defined in the config map.
+<5> This secret was created when the LDAP IDP was configured.
+<6> This config map was created when the LDAP IDP was configured.
 . Create the cron job:
 +