Skip to content
This repository has been archived by the owner on Feb 22, 2022. It is now read-only.

stable/prometheus-cloudwatch-exporter Add secrets checksum to deployment annotations #22448

Closed
mrballcb opened this issue May 19, 2020 · 4 comments
Closed

stable/prometheus-cloudwatch-exporter Add secrets checksum to deployment annotations #22448

mrballcb opened this issue May 19, 2020 · 4 comments
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@mrballcb
Copy link
Contributor

Describe the bug
We deploy cloudwatch exporter daily with dynamically generated, short-lived AWS keys. When we deploy and only the AWS key changes (which is most of the time), it does not trigger a pod restart.

Version of Helm and Kubernetes:
helm 3.2.1
kubernetes 1.14.10

Which chart:
stable/prometheus-cloudwatch-exporter

What happened:
If nothing but the AWS keys changes, kube perceives that nothing has changed about the deployment. The same old pod keeps running with an AWS key that is going to expire soon because no new replicaset was created, meaning no new pod either.

What you expected to happen:
Expected changing the AWS key/secret would cause the pods to restart to use new key values stored in the kube secret.

How to reproduce it (as minimally and precisely as possible):

  1. Helm deploy deploy with aws.aws_access_key_id and aws.aws_secret_access_key set to a valid key/secret.
  2. Helm deploy again with a different valid key/secret.
  3. Observe pod does not restart - pod is still using AWS key/secret from Move templates from kubernetes/deployment-manager to the registry #1.

Anything else we need to know:
Adding the sha256sum of the templates/secrets.yaml as a deployment annotation will result in an annotation that changes every redeploy if you set AWS keys, or an annotation that never changes if you don't set AWS keys (ie you assume node role).

There is a very simple 1 line PR forthcoming
@mrballcb mrballcb mentioned this issue May 19, 2020
Closed
2 tasks
@stale
Copy link

stale bot commented Jun 20, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

@stale stale bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 20, 2020
@mrballcb
Copy link
Contributor Author

I'm going to redo this against the current master.

@stale stale bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 22, 2020
@mrballcb mrballcb mentioned this issue Jun 22, 2020
Merged
4 tasks
@stale
Copy link

stale bot commented Jul 25, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

@stale stale bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 25, 2020
@stale
Copy link

stale bot commented Aug 8, 2020

This issue is being automatically closed due to inactivity.

@stale stale bot closed this as completed Aug 8, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add checksum annotation for secrets rendering mrballcb/charts
1 participant
@mrballcb