refactor!: Split into Deployment and DaemonSet #645
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The splits the deployment of the secret-operator as a whole into two parts: - The controller is deployed via a Deployment which ensures only a single instance of the secret-operator in controller mode is running in a Kubernetes cluster. This can potentially lead to perfomance issues and as such should be monitored going forward. - The CSI server is deployed via a DaemonSet (unchanged) as this server is needed on every node to provision requested secret volumes. This refactor is introduced in preparation for #634, in which only a single instance of the CRD conversion webhook must exist as otherwise TLS certificate verification will fail with multiple available certificates.
Techassi
added
release-note
Release Note==== Platform improvements
===== Stackable secret-operator
The Helm Chart now deploys the secret-operator as two parts.
This separation is needed for CRD versioning and conversion by the operator.
See https://github.com/stackabletech/secret-operator/pull/645[secret-operator#645].
* The controller (which reconciles resources, maintains CRDs and provides the CRD conversion webhook) runs as a Deployment with a single replica.
* The CSI server runs on every Kubernetes cluster node via a DaemonSet (this behaviour is unchanged).
* The Helm values are adjusted in accordance to the changes above.
See the secret-operator https://github.com/stackabletech/secret-operator/blob/25.11.0/CHANGELOG.md[changelog] for a complete overview of these changes. |
Techassi
moved this from Development: In Progress
to Development: Waiting for Review
in Stackable Engineering
sbernauer
previously approved these changes
Oct 20, 2025
There was a problem hiding this comment.
The Rust code change LGTM.
I let you and @NickLarsenNZ decide about the helm structure and values.yaml, as he did related things for listener-operator in the past
Techassi
moved this from Development: Waiting for Review
to Development: In Review
in Stackable Engineering
Techassi
changed the title
Techassi
added
the
release-note/action-required
Techassi
moved this from Development: In Review
to Development: Done
in Stackable Engineering
github-merge-queue bot
pushed a commit
that referenced
this pull request
Oct 21, 2025
* refactor: Split into Deployment and DaemonSet The splits the deployment of the secret-operator as a whole into two parts: - The controller is deployed via a Deployment which ensures only a single instance of the secret-operator in controller mode is running in a Kubernetes cluster. This can potentially lead to perfomance issues and as such should be monitored going forward. - The CSI server is deployed via a DaemonSet (unchanged) as this server is needed on every node to provision requested secret volumes. This refactor is introduced in preparation for #634, in which only a single instance of the CRD conversion webhook must exist as otherwise TLS certificate verification will fail with multiple available certificates. * chore: Add changelog entry * chore: Update comment * refactor: Adjust values.yaml file to be closer to listener-operator * chore: Adjust changelog entry
2 tasks
Techassi
added a commit
that referenced
this pull request
Oct 21, 2025
This was accidentally introduced in #645.
This was referenced Oct 21, 2025
github-merge-queue bot
pushed a commit
that referenced
this pull request
Oct 21, 2025
This was accidentally introduced in #645.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The splits the deployment of the secret-operator as a whole into two parts:
This refactor is introduced in preparation for #634, in which only a single instance of the CRD conversion webhook must exist as otherwise TLS certificate verification will fail with multiple available certificates. The Helm values.yaml structure is similar to the structure introduced in stackabletech/listener-operator#334.
Follow-up research: Look into Leases which seems to be a Kubernetes native way of enforcing that only a single instance of an application is running/does a particular piece of work in a cluster.
This is in line with what listener-operator is already doing
Author
Reviewer
Acceptance