Skip to content

[minor] Implement Redis-Based Distributed Locking for GitOps Operations#2189

Merged
whitfiea merged 38 commits intomasterfrom
mascore-13109-branch-lock
Apr 21, 2026
Merged

[minor] Implement Redis-Based Distributed Locking for GitOps Operations#2189
whitfiea merged 38 commits intomasterfrom
mascore-13109-branch-lock

Conversation

@Hardik-Prajapati-10
Copy link
Copy Markdown
Contributor

@Hardik-Prajapati-10 Hardik-Prajapati-10 commented Apr 16, 2026
edited
Loading

Issue

https://jsw.ibm.com/browse/MASCORE-13109

Description

This PR implements a comprehensive Redis-based distributed locking mechanism to replace the legacy Git branch-based locking system for GitOps operations. The change addresses critical issues with concurrent pipeline executions that previously caused race conditions, merge conflicts, and branch pollution.

Key Changes

1. Redis Locking Infrastructure (image/cli/mascli/functions/gitops_utils)

  • Added Redis connection management with TLS support
  • Implemented atomic lock acquisition using Redis SET NX operations
  • Added lock release with ownership verification using Lua scripts
  • Included automatic lock expiry (TTL) to prevent orphaned locks
  • Added comprehensive retry logic with configurable parameters
  • Default behavior: GITOPS_USE_REDIS_LOCKING=false (Git branch locking) to avoid breaking changes
  • Opt-in Redis: Set GITOPS_USE_REDIS_LOCKING=true to enable Redis locking (fails if Redis unavailable)

2. Container Image Updates

  • Added redis-cli installation script (image/cli/install/install-redis-cli.sh)
  • Updated Dockerfile to include redis-cli in the CLI container image (v19.6.1+)
  • Supports multiple package managers (microdnf, dnf, yum, apt-get, apk)

3. Migrated GitOps Functions (10 functions)

All functions now support gitops_lock_and_modify with Redis locking (opt-in):

  • gitops_cp4d_service
  • gitops_suite_app_config
  • gitops_deprovision_app_config
  • gitops_mas_config
  • gitops_suite_workspace
  • gitops_deprovision_suite_workspace
  • gitops_deprovision_cp4d_service
  • gitops_db2u_database
  • gitops_rds_db2_database
  • gitops_deprovision_db2u_database

4. Documentation

  • Comprehensive setup guide (docs/redis-locking-setup.md)
  • IBM Toolchain configuration script (docs/ibm-toolchain-redis-setup.sh)
  • Migration examples and troubleshooting guide

Impact

Reliability Improvements (when Redis enabled):

  • Eliminates race conditions through atomic Redis operations
  • Prevents merge conflicts in concurrent updates
  • Removes temporary Git branch pollution
  • Automatic lock expiry prevents orphaned locks
  • Explicit control: fails immediately if Redis is unavailable when enabled

Non-Breaking Change:

  • Default: GITOPS_USE_REDIS_LOCKING=false uses existing Git branch locking
  • Opt-in: Set GITOPS_USE_REDIS_LOCKING=true to enable Redis locking
  • Redis is optional - existing deployments continue to work without changes
  • When Redis enabled, it is required (no fallback to Git)
  • Operations fail immediately if Redis is unavailable when explicitly enabled

Test Results

Manual Testing

  • ✅ Redis connection validation with TLS
  • ✅ Lock acquisition and release operations
  • ✅ Concurrent pipeline execution without conflicts
  • ✅ Lock TTL expiry behavior
  • ✅ Retry logic under contention
  • ✅ All 10 migrated GitOps functions tested
  • ✅ Default behavior (Git locking) unchanged
  • ✅ Error handling when Redis enabled but unavailable

Integration Testing

  • ✅ IBM Cloud Redis instance connectivity
  • ✅ IBM Toolchain pipeline execution
  • ✅ Multi-pipeline concurrent operations
  • ✅ Error handling for Redis unavailability
  • ✅ Backward compatibility with existing deployments

Configuration Testing

  • ✅ TLS certificate handling
  • ✅ Authentication (username/password)
  • ✅ Environment variable configuration
  • ✅ Setup script validation (ibm-toolchain-redis-setup.sh)
  • ✅ Default behavior without Redis configuration

Backporting

Related Pull Requests

https://github.ibm.com/maximoappsuite/saas-deploy-py/pull/262

⚠️ Notes for Reviewers

  • Ensure you have understood the guidelines before proceeding with a review.
  • Ensure all sections in the PR template are appropriately completed.
  • Non-breaking change: Default behavior (GITOPS_USE_REDIS_LOCKING=false) maintains existing Git branch locking
  • Opt-in feature: Redis locking requires explicit GITOPS_USE_REDIS_LOCKING=true
  • Explicit control: When Redis enabled, operations fail if Redis unavailable (no silent fallback)
  • Review the migration strategy in docs/redis-locking-setup.md
  • Verify the setup script docs/ibm-toolchain-redis-setup.sh for IBM Cloud integration
  • Check that all 10 migrated functions follow the new locking pattern consistently
  • Validate error handling for Redis unavailability scenarios
  • Review security aspects: TLS configuration, credential handling, and password masking
  • Confirm backward compatibility for existing deployments without Redis

Hardik-Prajapati-10 and others added 28 commits April 6, 2026 16:51
@Hardik-Prajapati-10
MASCORE-13109
81e5c94
@Hardik-Prajapati-10
gitops-cp4d-service
8c0ad0f
@Hardik-Prajapati-10
Migrated 3 functions.
af353a0 
image/cli/mascli/functions/gitops_suite_app_config - Migrated
image/cli/mascli/functions/gitops_mas_config - Migrated
image/cli/mascli/functions/gitops_deprovision_app_config - Migrated
@Hardik-Prajapati-10
merge
7bd494a
@Hardik-Prajapati-10
Fix Redis locking: correct function scoping and add configuration log…
a32da51 
…ging
dummy
2d42cb0
dummy
8659c1a
@Hardik-Prajapati-10
redis-cli
2d32a90
@Hardik-Prajapati-10
redis-cli installed
3e97b81
@Hardik-Prajapati-10
Update install-redis-cli.sh
cf69f69
@Hardik-Prajapati-10
Enable redis module stream for RHEL 9 UBI compatibility
a059222
@Hardik-Prajapati-10
fix error handling to filter timestamp output
b7ffb33
@Hardik-Prajapati-10
Update gitops_utils
842eeeb
@Hardik-Prajapati-10
Update gitops_utils
975058b
@Hardik-Prajapati-10
Update gitops_utils
ef2b7c6
@Hardik-Prajapati-10
build
5c76068
@Hardik-Prajapati-10
New Lock Key Format
22796ff
@Hardik-Prajapati-10
Redis Lock Key
5e7e6b4
@Hardik-Prajapati-10
Without any password warnings or the -a **** flag in the display.
a1930a1
@Hardik-Prajapati-10
build
d22442f
@Hardik-Prajapati-10
Merge branch 'master' into mascore-13109-branch-lock
da35f00
@Hardik-Prajapati-10
Idempotent cleanup
b95f77a
@Hardik-Prajapati-10
Handles "No Changes" Scenario
e1bce1e
@Hardik-Prajapati-10
Redis Authentication and Exit Code Issues
36230ef
@Hardik-Prajapati-10
Update gitops_suite_workspace
2cfd021
@Hardik-Prajapati-10
migrated other functions
26ceff9
@Hardik-Prajapati-10
Removed fallback-to-Git mechanism
7b8f515
@Hardik-Prajapati-10
Redis Setup Documentation
74f7de3
@Hardik-Prajapati-10 Hardik-Prajapati-10 requested a review from a team as a code owner April 16, 2026 09:28
@Hardik-Prajapati-10 Hardik-Prajapati-10 self-assigned this Apr 16, 2026
@whitfiea whitfiea changed the title Implement Redis-Based Distributed Locking for GitOps Operations [major] Implement Redis-Based Distributed Locking for GitOps Operations Apr 17, 2026
whitfiea
whitfiea requested changes Apr 17, 2026
View reviewed changes
Comment thread image/cli/Dockerfile Outdated
Comment thread docs/redis-locking-setup.md Outdated
Comment thread docs/redis-locking-setup.md Outdated
Comment thread docs/redis-locking-setup.md Outdated
@Hardik-Prajapati-10
Merge branch 'master' into mascore-13109-branch-lock
087e74f
@Hardik-Prajapati-10
PR feedback
ffe907b 
clarify that Redis env vars must be set whenever migrated GitOps functions are executed, not only in IBM Toolchain
note that IBM Toolchain is optional and document pipeline environment properties as one way to provide runtime variables
remove the custom CLI image/container setup section because custom CLI images are not supported
@Hardik-Prajapati-10
Update ibm-toolchain-redis-setup.sh
3f295e8
whitfiea
whitfiea requested changes Apr 20, 2026
View reviewed changes
Comment thread docs/redis-locking-setup.md Outdated
whitfiea
whitfiea requested changes Apr 21, 2026
View reviewed changes
Comment thread image/cli/mascli/functions/gitops_utils Outdated
Comment thread image/cli/mascli/functions/gitops_utils Outdated
@Hardik-Prajapati-10
changed GITOPS_USE_REDIS_LOCKING default value from true to false and…
1f67dac 
… updated behavior to error when Redis is unavailable with explicit Redis locking enabled.
@whitfiea whitfiea changed the title [major] Implement Redis-Based Distributed Locking for GitOps Operations [minor] Implement Redis-Based Distributed Locking for GitOps Operations Apr 21, 2026
@whitfiea whitfiea merged commit 835ca7c into master Apr 21, 2026
14 checks passed
@whitfiea whitfiea deleted the mascore-13109-branch-lock branch April 21, 2026 08:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@whitfiea whitfiea whitfiea approved these changes

@rbinns rbinns Awaiting requested review from rbinns

@mnivedithaa mnivedithaa Awaiting requested review from mnivedithaa

@amitpandey0217 amitpandey0217 Awaiting requested review from amitpandey0217

Assignees

@Hardik-Prajapati-10 Hardik-Prajapati-10

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Hardik-Prajapati-10 @whitfiea