
feat(deploy): add secret/config map hash to pod templates #1112


Merged: 1 commit, May 7, 2025

Conversation

@ebaron (Member) commented May 7, 2025

Welcome to Cryostat! 👋

Before contributing, make sure you have:

  • Read the contributing guidelines
  • Linked a relevant issue which this PR resolves
  • Linked any other relevant issues, PRs, or documentation, if any
  • Resolved all conflicts, if any
  • Rebased your branch PR on top of the latest upstream main branch
  • Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
  • Signed all commits: git commit -S -m "YOUR_COMMIT_MESSAGE"

Fixes: #119

Description of the change:

  1. For each operand pod, collect all secrets and config maps used in volumes and environment variables
  2. In alphanumeric order, marshal each secret/config map's key-value pairs as JSON, and concatenate the results
  3. Hash the concatenated JSON. For secrets, use SHA256. For config maps, use FNV-1, which is faster for non-sensitive data.
  4. Add the hashes as annotations to the appropriate pod template.

Other changes:

  • Format/indent the OAuth2 proxy config map for readability
  • Indentation changes for configmap/secret data in test files. Since we're hashing these, indentation matters for the resulting hashes.
  • Modified the test client to move each secret's StringData field to Data upon write. This mirrors what's done by a real API server.

Motivation for the change:

  • Cryostat setups don't stop working when certificates are renewed by cert-manager.

How to manually test:

  1. Build and deploy PR with a default CR
  2. Download cmctl: https://github.com/cert-manager/cmctl/releases/tag/v2.2.0
  3. Manually renew a certificate: /path/to/cmctl renew cryostat-sample
  4. Verify that a new Cryostat pod has been rolled out. The same approach can be used for database/storage/reports pods.
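An added example of steps 1 to 4 above, written for this page rather than taken from the operator's code: the Secret and ConfigMap structs are assumed stand-ins for the Kubernetes API types, the annotation keys are placeholders (the PR does not state the real keys), FNV-1 is taken as the 32-bit variant (fnv.New32; the PR only says FNV-1), and the StringData to Data normalization mirrors the test-client change described under "Other changes". The sample secret and config map data are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"hash"
	"hash/fnv"
	"sort"
)

// Assumed minimal shapes; the operator works with the real corev1 types.
type Secret struct {
	Name       string
	Data       map[string][]byte
	StringData map[string]string
}

type ConfigMap struct {
	Name string
	Data map[string]string
}

// normalizeSecret mirrors what the API server does on write: StringData is
// encoded into Data (StringData wins on a key clash), so the hash matches what
// the cluster actually stores rather than what the client submitted.
func normalizeSecret(s Secret) Secret {
	out := Secret{Name: s.Name, Data: make(map[string][]byte, len(s.Data)+len(s.StringData))}
	for k, v := range s.Data {
		out.Data[k] = v
	}
	for k, v := range s.StringData {
		out.Data[k] = []byte(v)
	}
	return out
}

// hashConcatenated visits objects in sorted name order, marshals each data map
// as JSON (encoding/json sorts map keys, so the bytes are deterministic),
// concatenates the results and returns the hex digest from h.
func hashConcatenated(h hash.Hash, byName map[string]interface{}) (string, error) {
	names := make([]string, 0, len(byName))
	for n := range byName {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		b, err := json.Marshal(byName[n])
		if err != nil {
			return "", err
		}
		h.Write(b)
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// SecretsHash uses SHA-256 because the input is sensitive. Keying by name also
// dedups a secret referenced by both a volume and an environment variable.
func SecretsHash(secrets []Secret) (string, error) {
	byName := map[string]interface{}{}
	for _, s := range secrets {
		byName[s.Name] = normalizeSecret(s).Data
	}
	return hashConcatenated(sha256.New(), byName)
}

// ConfigMapsHash uses 32-bit FNV-1 (assumed width): cheap, and the data is not sensitive.
func ConfigMapsHash(cms []ConfigMap) (string, error) {
	byName := map[string]interface{}{}
	for _, c := range cms {
		byName[c.Name] = c.Data
	}
	return hashConcatenated(fnv.New32(), byName)
}

// PodTemplateAnnotations computes the two annotations to merge into the pod
// template; a changed hash changes the template and triggers a rollout.
// The annotation keys are placeholders, not the operator's real keys.
func PodTemplateAnnotations(secrets []Secret, cms []ConfigMap) (map[string]string, error) {
	sh, err := SecretsHash(secrets)
	if err != nil {
		return nil, err
	}
	ch, err := ConfigMapsHash(cms)
	if err != nil {
		return nil, err
	}
	return map[string]string{"example.invalid/secret-hash": sh, "example.invalid/config-map-hash": ch}, nil
}

func main() {
	// Constructed sample data: a cert-manager renewal keeps the secret name but
	// replaces the certificate, so only the secret hash should change.
	cm := []ConfigMap{{Name: "cryostat-sample-config", Data: map[string]string{"log-level": "info"}}}
	v1 := []Secret{{Name: "cryostat-sample-tls", Data: map[string][]byte{"tls.crt": []byte("cert v1"), "tls.key": []byte("key v1")}}}
	v2 := []Secret{{Name: "cryostat-sample-tls", Data: map[string][]byte{"tls.crt": []byte("cert v2"), "tls.key": []byte("key v1")}}}
	before, _ := PodTemplateAnnotations(v1, cm)
	after, _ := PodTemplateAnnotations(v2, cm)
	fmt.Println("before:", before)
	fmt.Println("after: ", after)
}
```

Run it with `go run` and the config map annotation stays identical while the secret annotation differs, which is exactly the change the Deployment controller needs to see to roll the pod. Note that the hash covers the JSON encoding of the data, so as the PR says, anything that changes the stored bytes (including whitespace in test fixtures) changes the hash.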

@ebaron ebaron requested a review from a team May 7, 2025 19:51
@ebaron ebaron added feat New feature or request backport labels May 7, 2025
@ebaron (Member, Author) commented May 7, 2025

/build_test

@mergify mergify bot added the safe-to-test label May 7, 2025
@ebaron (Member, Author) commented May 7, 2025

We should also probably implement something similar for agent auto-configuration. This will be trickier though as it can only be done at the pod template level and we currently only operate on pods. This would depend on #1088.

github-actions bot commented May 7, 2025

/build_test completed successfully ✅.
View Actions Run.

@andrewazores (Member) left a comment

Seems to work great!

@ebaron ebaron merged commit b6d2524 into cryostatio:main May 7, 2025
9 checks passed
mergify bot pushed a commit that referenced this pull request May 7, 2025
ebaron added a commit that referenced this pull request May 8, 2025
Labels: backport, feat (New feature or request), safe-to-test
Projects: Status: Done
Development:
Successfully merging this pull request may close these issues.

[Story] Detect certificate renewal and redeploy
2 participants