feat: add support for checksum annotations

[nritholtz]

Introduces two new boolean values secret.hashSumEnabled and configMap.hashSumEnabled, both true by default, which will auto create/managed checksum annotations on spec.template.metadata.annotations for relevant pod resources. This will automatically mark those pods to be recreated after the changes.

Related Issue or Design Document

#413

Checklist

• I have read the contributing guidelines
  and signed the CLA.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got green light (please contact
  security@ory.sh) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added necessary documentation within the code base (if
  appropriate).

Further comments

I did a deep-dive into this while creating this PR, and I noticed an issue. The secrets in a few charts have auto-generated secret values by default. Since I am using include instead of lookup it means every time the annotations are rendered by the helm template, it would see it as a change/different value for every upgrade (and even a different value across different references in same chart, e.g. kratos and courier). Maybe there is an alternative approach, but I wondering whether this implementation is sufficient.

In addition, I needed to do some changes to helpers where .Values.....secrets are an empty dict to make the reference a safe access for null, since it was causing issues during my development.

[CLAassistant]

All committers have signed the CLA.

[bodymindarts]

Thank you for working on this. Just wanted to flag that I ran into exactly the same issue (config not causing a pod restart) and look forward to this being rolled out.

[Demonsthere]

Hi there, I see that Kratos is failing on the PR. This might be due to the last changes related to kratos 0.9, could you rebase to the current master so the CI can run again :)?

[nritholtz]

OK, rebased to current master.

[Demonsthere]

Hmm, I see the CI failed again with error=map[message:dsn value requested an unknown driver] service_name=Ory Kratos service_version=v0.9.0-alpha.2, looks like the DSN value is somehow being corrupted here? Would need to run it locally and check what is happening with in the context of this changes

[nritholtz]

@Demonsthere I believe I fixed the issue in the tests with my latest changes.

https://github.com/ory/k8s/pull/415/files#diff-feeebee2e39b1cef7f251ce97c0928f8c540e4e6e6ce556a4cf767054280abfeR108 is now using omit and deepCopy instead of unset, since unset was affecting the .Values.config object outside the scope of the helper function. This ultimately caused the .Values.config.dsn to be empty for the secret when being rendered.

[Demonsthere]

Great job, thanks! 🎉