[minor] Implement Redis-Based Distributed Locking for GitOps Operations#2189
[minor] Implement Redis-Based Distributed Locking for GitOps Operations#2189Hardik-Prajapati-10 wants to merge 38 commits intomasterfrom
Conversation
image/cli/mascli/functions/gitops_suite_app_config - Migrated image/cli/mascli/functions/gitops_mas_config - Migrated image/cli/mascli/functions/gitops_deprovision_app_config - Migrated
Hardik-Prajapati-10
requested review from
amitpandey0217,
mnivedithaa and
rbinns
whitfiea
changed the title
| ### Required Runtime Requirement | ||
|
|
||
| For migrated GitOps flows: | ||
| - `GITOPS_USE_REDIS_LOCKING` must be `true` |
There was a problem hiding this comment.
It seems that GITOPS_USE_REDIS_LOCKING has to be true, so i am not sure what the value is of having an env var anyway?
There was a problem hiding this comment.
The env var acts as a "safety check" - even though Redis is required, the explicit flag prevents accidental misconfiguration and provides clear error messages when Redis setup is incomplete.
Originally, GITOPS_USE_REDIS_LOCKING served two purposes:
Feature switch during development
Redis locking was the preferred mechanism
Git branch locking was a fallback when Redis wasn’t available
Safety / explicit opt‑in
Prevent accidental startup with partial or missing Redis configuration
Force developers/operators to make an intentional choice
There was a problem hiding this comment.
Thinking about this more we could keep the GITOPS_USE_REDIS_LOCKING flag and have it use the branch locking mechanism when this is false. This would allow external customers using gitops to continue with the branch locking and not force a redis instance on them.
There was a problem hiding this comment.
we are going with following approach :
If Redis is available → Uses Redis locking
If Redis is unavailable → Automatically falls back to Git locking
| ### Step 2: Configure IBM Toolchain Environment Variables | ||
|
|
||
| Add these environment variables to your IBM Toolchain pipeline. | ||
|
|
||
| #### In IBM Toolchain → Pipeline → Environment Properties: | ||
|
|
||
| | Variable Name | Type | Value | Description | | ||
| |--------------|------|-------|-------------| | ||
| | `REDIS_USERNAME` | Secure | `ibm_cloud_user` | Redis username from credentials | | ||
| | `REDIS_HOST` | Text | `c-abc123.databases.appdomain.cloud` | Redis hostname | | ||
| | `REDIS_PORT` | Text | `31234` | Redis port | | ||
| | `REDIS_PASSWORD` | Secure | `your-redis-password` | Redis password | | ||
| | `REDIS_TLS_CA_CERT_B64` | Secure | `LS0tLS1CRUdJTi...` | Base64-encoded TLS certificate | | ||
| | `GITOPS_USE_REDIS_LOCKING` | Text | `true` | Required for migrated locking flows | | ||
| | `REDIS_TLS` | Text | `true` | Enable TLS (required for IBM Cloud) | | ||
| | `REDIS_DB` | Text | `0` | Redis database number | | ||
|
|
||
| #### Optional Tuning Parameters | ||
|
|
||
| | Variable Name | Default | Description | | ||
| |--------------|---------|-------------| | ||
| | `GITOPS_LOCK_TTL` | `300` | Lock expires after N seconds | | ||
| | `GITOPS_LOCK_RETRY_MAX` | `100` | Maximum retry attempts | | ||
| | `GITOPS_LOCK_RETRY_DELAY` | `20` | Seconds between retry attempts | |
There was a problem hiding this comment.
Using the IBM toolchain to call the functions is optional. We should update the docs in https://ibm-mas.github.io/gitops/main/ so state these env vars should be set when executing the functions, and also add that to this file.
There was a problem hiding this comment.
doc updated
clarify that Redis env vars must be set whenever migrated GitOps functions are executed, not only in IBM Toolchain note that IBM Toolchain is optional and document pipeline environment properties as one way to provide runtime variables remove the custom CLI image/container setup section because custom CLI images are not supported
| ### Required Runtime Requirement | ||
|
|
||
| For migrated GitOps flows: | ||
| - `GITOPS_USE_REDIS_LOCKING` must be `true` |
There was a problem hiding this comment.
Thinking about this more we could keep the GITOPS_USE_REDIS_LOCKING flag and have it use the branch locking mechanism when this is false. This would allow external customers using gitops to continue with the branch locking and not force a redis instance on them.
If Redis is available → Uses Redis locking If Redis is unavailable → Automatically falls back to Git locking
… updated behavior to error when Redis is unavailable with explicit Redis locking enabled.
whitfiea
changed the title
2 participants
Issue
https://jsw.ibm.com/browse/MASCORE-13109
Description
This PR implements a comprehensive Redis-based distributed locking mechanism to replace the legacy Git branch-based locking system for GitOps operations. The change addresses critical issues with concurrent pipeline executions that previously caused race conditions, merge conflicts, and branch pollution.
Key Changes
1. Redis Locking Infrastructure (
image/cli/mascli/functions/gitops_utils)SET NXoperations2. Container Image Updates
redis-cliinstallation script (image/cli/install/install-redis-cli.sh)3. Migrated GitOps Functions (10 functions)
All functions now use
gitops_lock_and_modifywith Redis locking:gitops_cp4d_servicegitops_suite_app_configgitops_deprovision_app_configgitops_mas_configgitops_suite_workspacegitops_deprovision_suite_workspacegitops_deprovision_cp4d_servicegitops_db2u_databasegitops_rds_db2_databasegitops_deprovision_db2u_database4. Documentation
docs/redis-locking-setup.md)docs/ibm-toolchain-redis-setup.sh)Impact
Reliability Improvements:
Breaking Change:
GITOPS_USE_REDIS_LOCKING=truemust be setTest Results
Manual Testing
Integration Testing
Configuration Testing
ibm-toolchain-redis-setup.sh)Backporting
Related Pull Requests
https://github.ibm.com/maximoappsuite/saas-deploy-py/pull/262
docs/redis-locking-setup.mddocs/ibm-toolchain-redis-setup.shfor IBM Cloud integration