Reputation: 597
We are using secrets as environment variables on pods, but every time we update the secrets, we redeploy the pods for the changes to take effect. We are looking for a mechanism where Pods get restarted automatically whenever secrets get updated. Any help on this?
Thanks in advance.
Upvotes: 16
Views: 32394
Reputation: 1639
Add a statefulset annotation that contains a checksum of the secret in question. Each time the secret changes, its checksum changes and thus the statefulset changes too. This triggers its pods to be rerolled.
spec:
  template:
    metadata:
      annotations:
        checksum/secret/scripts: {{ include (print $.Template.BasePath "/scripts.yaml") . | sha256sum }}
This is mentioned in the helm docs at https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments.
Upvotes: 3
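The checksum-annotation idea from the Helm answer above, worked through without Helm, as an added example that is not part of the original thread. The annotation key `checksum/secret`, the function names and the sample objects are assumptions constructed for illustration.

```python
import base64
import hashlib
import json

ANNOTATION = "checksum/secret"  # assumed key, modelled on the Helm tip above


def secret_checksum(secret: dict) -> str:
    """SHA-256 over the Secret payload only, in canonical form.

    metadata (resourceVersion, managedFields, ...) is ignored so that a
    metadata-only update does not trigger a rollout.
    """
    data = dict(secret.get("data") or {})
    # stringData is plain text and overrides data for the same key.
    for key, value in (secret.get("stringData") or {}).items():
        data[key] = base64.b64encode(value.encode()).decode()
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":"))
    # The digest is readable by anyone who can read the workload, so it is
    # only as safe as the secret value is hard to guess.
    return hashlib.sha256(canonical.encode()).hexdigest()


def rollout_patch(secret: dict) -> dict:
    """Patch body that changes the pod template when the payload changes."""
    return {"spec": {"template": {"metadata": {"annotations": {
        ANNOTATION: secret_checksum(secret)}}}}}


def needs_rollout(workload: dict, secret: dict) -> bool:
    """True when the workload's recorded checksum is missing or stale."""
    annotations = (workload.get("spec", {}).get("template", {})
                   .get("metadata", {}).get("annotations") or {})
    return annotations.get(ANNOTATION) != secret_checksum(secret)


if __name__ == "__main__":
    # Constructed sample objects, not taken from a real cluster.
    secret = {"metadata": {"name": "db-creds", "resourceVersion": "41"},
              "data": {"password": "aHVudGVyMg==", "user": "YXBw"}}
    workload = rollout_patch(secret)  # state right after the last rollout
    print("unchanged secret ->", needs_rollout(workload, secret))
    secret["stringData"] = {"password": "rotated-value"}
    print("rotated secret   ->", needs_rollout(workload, secret))
    print(json.dumps(rollout_patch(secret)))
```

The JSON printed on the last line is the body to hand to `kubectl patch deployment <name> -p`; because only the pod template annotation changes, the controller performs a normal rolling update.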
Reputation: 1209
If you mount your secrets to the pod, they will get updated automatically; you don't have to restart your pod, as mentioned here.
Another approach is Stakater Reloader, which can reload your deployments based on configs, secrets, etc.
Upvotes: 9
Reputation: 16688
One way is to use an operator provided by VMware, Carvel kapp-controller (documentation). Using kapp-controller you can reload the secrets/configmap without needing to restart the pods (it effectively runs helm template <package> on a periodic basis and applies the changes if it finds any differences in the helm template). Check out my design for reloading the log level without needing to restart the pod.
Upvotes: -1
Reputation: 129045
There are many ways to handle this.
First, use Deployment instead of "naked" Pods that are not managed. The Deployment will create new Pods for you, when the Pod template is changed.
Second, managing Secrets may be a bit tricky. It would be great if you can use a setup where you can use Kustomize SecretGenerator - then each new Secret will get its unique name. In addition, that unique name is reflected to the Deployment automatically - and your pods will automatically be recreated when a Secret is changed - this matches your original problem. When Secret and Deployment are handled this way, you apply the changes with:
kubectl apply -k <folder>
Upvotes: 7