feat: add support for checksum annotations #415
Thank you for working on this. Just wanted to flag that I ran into exactly the same issue (config not causing a pod restart) and look forward to this being rolled out.
Hi there, I see that Kratos is failing on the PR. This might be due to the last changes related to kratos 0.9, could you rebase to the current master so the CI can run again :)?
OK, rebased to current master.
Hmm, I see the CI failed again with
@Demonsthere I believe I fixed the issue in the tests with my latest changes. https://github.com/ory/k8s/pull/415/files#diff-feeebee2e39b1cef7f251ce97c0928f8c540e4e6e6ce556a4cf767054280abfeR108 is now using
Great job, thanks! 🎉
Introduces two new boolean values secret.hashSumEnabled and configMap.hashSumEnabled, both true by default, which will auto create/manage checksum annotations on spec.template.metadata.annotations for relevant pod resources. This will automatically mark those pods to be recreated after the changes.
Related Issue or Design Document
#413
Checklist
and signed the CLA.
introduces a new feature.
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got green light (please contact
security@ory.sh) from the maintainers to push
the changes.
works.
appropriate).
Further comments
I did a deep-dive into this while creating this PR, and I noticed an issue. The secrets in a few charts have auto-generated secret values by default. Since I am using include instead of lookup, it means every time the annotations are rendered by the helm template, it would see it as a change/different value for every upgrade (and even a different value across different references in the same chart, e.g. kratos and courier). Maybe there is an alternative approach, but I am wondering whether this implementation is sufficient.
In addition, I needed to do some changes to helpers where .Values.....secrets are an empty dict to make the reference a safe access for null, since it was causing issues during my development.
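The checksum instability described in the further comments above, reproduced as an added example that is not part of this PR or the Ory charts. It models Helm rendering with Go's text/template; the template, the key name secretValue, the randAlphaNum stand-in for the Sprig function and the Checksum helper are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"text/template"
)

// Constructed Secret template: when no existing value is supplied it falls
// back to a freshly generated one, as a chart with auto-generated secrets does.
const secretTpl = `apiVersion: v1
kind: Secret
stringData:
  secretValue: {{ if .Existing }}{{ .Existing }}{{ else }}{{ randAlphaNum 32 }}{{ end }}
`

// randAlphaNum is a stand-in for the Sprig template function of the same name.
func randAlphaNum(n int) string {
	const chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	for i := range b {
		b[i] = chars[int(b[i])%len(chars)]
	}
	return string(b)
}

// Checksum renders the Secret and hashes the rendered text, which is what an
// include piped into sha256sum yields for the pod template annotation.
func Checksum(existing string) string {
	t := template.Must(template.New("secret").
		Funcs(template.FuncMap{"randAlphaNum": randAlphaNum}).Parse(secretTpl))
	var out bytes.Buffer
	if err := t.Execute(&out, map[string]string{"Existing": existing}); err != nil {
		panic(err)
	}
	sum := sha256.Sum256(out.Bytes())
	return hex.EncodeToString(sum[:])
}

func main() {
	fmt.Println("generated:", Checksum(""), Checksum(""))         // two different hashes
	fmt.Println("pinned:   ", Checksum("kept"), Checksum("kept")) // same hash twice
}
```

Each render of the generated case yields a new annotation value, so every upgrade rolls the pods even when nothing changed; supplying the value already stored (for example one read back from the cluster) keeps the checksum stable.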