
Commit 46f7198

Remove need for '--recreate-pods`
Using the `checksum/config` annotation, we can automatically cause pods to be recreated when the checksum of their configuration changes. This allows us to remove `--recreate-pods` from our instructions, as the flag is deprecated.
1 parent f2e885a commit 46f7198


5 files changed

+10
-17
lines changed


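--- a/conjur-oss/README.md
+++ b/conjur-oss/README.md
@@ -282,7 +282,6 @@ $ LOG_LEVEL="<info, debug, etc.>
 $ helm upgrade \
 -n "$CONJUR_NAMESPACE" \
 --reuse-values \
---recreate-pods \
 --set logLevel="$LOG_LEVEL" \
 "$HELM_RELEASE" \
 ./conjur-oss
@@ -347,7 +346,6 @@ $ LOG_LEVEL="debug"
 $ helm upgrade \
 -n "$CONJUR_NAMESPACE" \
 --reuse-values \
---recreate-pods \
 --set logLevel="$LOG_LEVEL" \
 "$HELM_RELEASE" \
 ./conjur-oss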

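--- a/conjur-oss/UPGRADING.md
+++ b/conjur-oss/UPGRADING.md
@@ -90,7 +90,6 @@ $ HELM_RELEASE="conjur-oss"
 $ helm upgrade \
 -n "$CONJUR_NAMESPACE" \
 --reuse-values \
---recreate-pods \
 < INSERT YOUR --set CUSTOMIZATION SETTINGS HERE > \
 "$HELM_RELEASE" \
 https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v<VERSION>/conjur-oss-<VERSION>.tgz
@@ -105,7 +104,6 @@ $ HELM_RELEASE="conjur-oss"
 $ helm upgrade \
 -n "$CONJUR_NAMESPACE" \
 --reuse-values \
---recreate-pods \
 < INSERT YOUR --set CUSTOMIZATION SETTINGS HERE > \
 "$HELM_RELEASE" \
 ./conjur-oss
@@ -115,9 +113,6 @@ Some notes:
 
 - The `--reuse-values` is required to preserve any non-default values
 that were used during your previous `helm install`.
-- `--recreate-pods` is required to ensure that pods are using the latest
-configuration from Kubernetes `secrets` and `configMaps` following
-`helm upgrade`.
 - Custom values that can be set via `--set` are described in the
 [Custom Installation](README.md#custom-installation) section of the
 [README.md](README.md) file.
@@ -149,7 +144,6 @@ $ HELM_RELEASE="conjur-oss"
 $ helm upgrade \
 -n "$CONJUR_NAMESPACE" \
 --reuse-values \
---recreate-pods \
 --set image.tag="<new-conjur-version>" \
 "$HELM_RELEASE" \
 ./conjur-oss
@@ -166,7 +160,6 @@ $ HELM_RELEASE="conjur-oss"
 $ helm upgrade \
 -n "$CONJUR_NAMESPACE" \
 --reuse-values \
---recreate-pods \
 --set nginx.image.tag="<nginx-version>" \
 "$HELM_RELEASE" \
 ./conjur-oss
@@ -207,7 +200,6 @@ $ kubectl delete -n "$CONJUR_NAMESPACE" "$CERT_SECRET"
 $ helm upgrade \
 -n "$CONJUR_NAMESPACE" \
 --reuse-values \
---recreate-pods \
 --set database.ssl.cert="<new-ssl-cert>" \
 --set database.ssl.key="<new-ssl-key>" \
 "$HELM_RELEASE" \
@@ -255,7 +247,6 @@ $ kubectl delete -n "$CONJUR_NAMESPACE" "$CERT_SECRET"
 $ helm upgrade \
 -n "$CONJUR_NAMESPACE" \
 --reuse-values \
---recreate-pods \
 --set ssl.caCert="<new-ssl-CA-cert>" \
 --set ssl.caKey="<new-ssl-CA-key>" \
 --set ssl.cert="<new-ssl-cert>" \
@@ -283,7 +274,6 @@ $ HELM_RELEASE="conjur-oss"
 $ helm upgrade \
 -n "$CONJUR_NAMESPACE" \
 --reuse-values \
---recreate-pods \
 --set "database.url=<new-database-url>" \
 "$HELM_RELEASE" \
 ./conjur-oss
@@ -489,7 +479,6 @@ $ kubectl exec -it -n "$namespace" \
 ```sh-session
 $ helm upgrade -n "$namespace" \
 --reuse-values \
---recreate-pods \
 --set replicaCount="1" \
 $helm_chart_name \
 ./conjur-oss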

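--- a/conjur-oss/templates/deployment.yaml
+++ b/conjur-oss/templates/deployment.yaml
@@ -13,7 +13,6 @@ metadata:
 {{ toYaml . | indent 4 }}
 {{- end }}
 {{- with .Values.deployment.annotations }}
-annotations:
 {{ toYaml . | indent 4 }}
 {{- end }}
 spec:
@@ -23,18 +22,23 @@ spec:
 template:
 metadata:
 labels: *AppConjurLabels
+annotations:
+# Automatically roll deployment if dependent secrets have been changed
+checksum/config: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
+checksum/config: {{ include (print $.Template.BasePath "/ssl-cert.yaml") . | sha256sum }}
+checksum/config: {{ include (print $.Template.BasePath "/nginx-configmap.yaml") . | sha256sum }}
 spec:
 serviceAccountName: {{ template "conjur-oss.service-account" . }}
 volumes:
 - name: {{ .Release.Name }}-conjur-ssl-cert-volume
 secret:
 secretName: {{ .Release.Name }}-conjur-ssl-cert
-# Permission == 0400. JSON spec doesnt support octal notation.
+# Permission == 0400. JSON spec doesn't support octal notation.
 defaultMode: 256
 - name: {{ .Release.Name }}-conjur-ssl-ca-cert-volume
 secret:
 secretName: {{ .Release.Name }}-conjur-ssl-ca-cert
-# Permission == 0400. JSON spec doesnt support octal notation.
+# Permission == 0400. JSON spec doesn't support octal notation.
 defaultMode: 256
 - name: {{ .Release.Name }}-conjur-configmap-volume
 configMap: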
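Review bot: The three annotations added to the pod template in the second hunk all use the same key, `checksum/config`, so the rendered `annotations:` map has duplicate keys and is either rejected or collapsed to a single entry (usually the last, the nginx configmap hash). A change that only touches `secrets.yaml` or `ssl-cert.yaml`, such as the certificate rotation steps this commit strips `--recreate-pods` from, would then leave the pod template unchanged and the running pods on the old key material. Give each hash its own key, for example `checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}`, and likewise `checksum/ssl-cert:` and `checksum/nginx-config:` for the other two. Separately, the first hunk drops the `annotations:` line but keeps the `with .Values.deployment.annotations` block, so user-supplied Deployment annotations appear to be emitted without a parent key; the lines above that hunk are not visible, so this needs confirming against the full template.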

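--- a/conjur-oss/templates/postgres.yaml
+++ b/conjur-oss/templates/postgres.yaml
@@ -41,6 +41,8 @@ spec:
 template:
 metadata:
 labels: *AppPostgresLabels
+annotations:
+checksum/config: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
 spec:
 securityContext:
 fsGroup: 999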
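Review bot: The Postgres pod template is hashed against `secrets.yaml` only, while the UPGRADING.md steps that rotate `database.ssl.cert` and `database.ssl.key` no longer pass `--recreate-pods`. If the database certificate secret is rendered by a template other than `secrets.yaml` (not visible in this hunk), the checksum would not change on rotation and Postgres would keep serving the old certificate until it is restarted by hand. Worth confirming which template owns that secret and, if needed, adding its hash under a separate key. A short comment above the annotation, such as `# Roll the pod when the secrets it depends on change`, would also explain why it is there.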

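--- a/helm-upgrade.sh
+++ b/helm-upgrade.sh
@@ -19,7 +19,7 @@ set -eo pipefail
 #
 # Also, force the recreation of pods, since Helm isn't aware that pods need
 # to be started e.g. for when configmaps or secrets are changed.
-HELM_ARGS="$@ --reuse-values --recreate-pods"
+HELM_ARGS="$@ --reuse-values"
 
 if [ ! -z "$CONJUR_NAMESPACE" ]; then
 HELM_ARGS="$HELM_ARGS -n $CONJUR_NAMESPACE"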
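Review bot: The comment directly above the changed line still says the script will "force the recreation of pods", which is no longer true once `--recreate-pods` is dropped from `HELM_ARGS`. An operator reading it after rotating a secret would assume the script guarantees a restart. Suggest rewording it to something like `# Pods are rolled by the checksum annotations in the chart templates when secrets or configmaps change.` The rest of the script lies outside the hunk.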
