Reputation: 45350
Reload Kubernetes deployment to fetch new secret without downtime
In Kubernetes I have a Deployment that uses a secret and injects them as environment variables:
apiVersion: apps/v1
kind: Deployment
...
envFrom:
- secretRef:
name: api-env
I need to update some of the environment variables, so I deleted the secret api-env and created it again with the updated values.
How do I trigger the deployment to update itself with the new env secrets without any downtime?
Upvotes: 6
Views: 3876
Answers (1)
Reputation: 8892
I see a few alternatives, in order of viability:
- For k8s' versions >v1.15:
kubectl rollout restart deployment $deploymentname: this will restart pods incrementally without causing downtime. For older versions: Updating the deployment template will trigger a rollout. From this issue:
kubectl patch deployment mydeployment -p '{"spec":{"template":{"spec":{"containers":[{"name":"mycontainer","env":[{"name":"RESTART_","value":"'$(date +%s)'"}]}]}}}}'Mount secrets on volumes instead of as environment variables, as Mounted Secrets are updated automatically
- One approach is to consider the Secret/Configmap as immutable and when creating a new one changing the deployment to point to it.
- Program your application to watch for changes in the Secrets API.
Upvotes: 9
Related Questions
- Restart Pod when secrets gets updated
- How to auto restart pod/Deployment on update of a secret from Azure Key Vault
- Reload pod when secret changes
- Kubernetes secret programmatically update
- Kubernetes - How to dynamically refresh secrets without restarting pod
- How to Refresh Worker Secrets Without Killing Deployment?
- Change the secret a Kubernetes deployment expects
- Recreate a deployment without service outage
- Updating a Pod with its Secret
- Openshift: Restart pod when a secret changes