DopplerHQ / kubernetes-operator

Apache License 2.0

Pod/Deployment doesn't restart although recognized by the operator #6

Open rchenzheng opened 3 years ago

rchenzheng commented 3 years ago

Versions

Server Version: version.Info{Major:"1", Minor:"18+", GitVersion:"v1.18.17-gke.1901", GitCommit:"b5bc948aea9982cd8b1e89df8d50e30ffabdd368", GitTreeState:"clean", BuildDate:"2021-05-27T19:56:12Z", GoVersion:"go1.13.15b4", Compiler:"gc", Platform:"linux/amd64"}

Operator: v0.1.0

Problem

Pod does not restart even though the secret was updated.

Expected result

Pod should restart as soon as the secret is updated; instead, only the secret gets updated.

Logs

2021-07-15T19:28:44.164Z    INFO    controllers.DopplerSecret    [/] Secrets have been modified    {"dopplersecret": "external-secrets/dopplersecret-test", "verifyTLS": true, "host": "https://api.doppler.com", "oldVersion": "W/\"70d6dcadc0177a11c86e856195e8be2c1078975aaa2fb7ab37ae1db4b5aa03ec\"", "newVersion": "W/\"f37c20815bb0f7c177425f50e14e8051588f0c011e5
2021-07-15T19:28:44.170Z    INFO    controllers.DopplerSecret    [/] Successfully updated existing Kubernetes secret
2021-07-15T19:28:44.178Z    INFO    controllers.DopplerSecret    Finished reconciling deployments    {"dopplersecret": "external-secrets/dopplersecret-test", "numDeployments": 1}

Configs

apiVersion: secrets.doppler.com/v1alpha1
kind: DopplerSecret
metadata:
  name: dopplersecret-test # DopplerSecret Name
  namespace: external-secrets
spec:
  tokenSecret: # Kubernetes service token secret (namespace defaults to doppler-operator-system)
    name: doppler-token-secret
    namespace: doppler-operator-system
  managedSecret: # Kubernetes managed secret (will be created if does not exist)
    name: doppler-test-secret
    namespace: external-secrets # Should match the namespace of deployments that will use the secret
---
apiVersion: v1
kind: Pod
metadata:
  name: doppler-busybox
  namespace: external-secrets
  annotations:
    secrets.doppler.com/reload: 'true'
spec:
  containers:
  - name: busybox
    image: busybox:glibc
    command:
      - sleep
      - "3600"
    envFrom:
      - secretRef:
          name: doppler-test-secret

nmanoogian commented 3 years ago

Hi @rchenzheng! 👋

Thanks for sending this in and providing excellent details! The problem here is that the Doppler operator currently monitors deployment resources, not pods. Here's an example deployment that uses reloading: https://github.com/DopplerHQ/kubernetes-operator/blob/main/config/samples/deployment-envfrom.yaml

You should be able to change your pod definition to a deployment definition by moving the current spec into the template field.

Is there any reason why you might want to use a pod instead of a deployment?
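Added example, not taken from the issue or from the operator's own samples: the reporter's busybox Pod rewritten as the Deployment the comment above describes, with the former Pod spec moved under `template`. The names and namespace are the ones from the issue; the `app: doppler-busybox` label, the replica count and the placement of the `secrets.doppler.com/reload` annotation on the Deployment's metadata are my assumptions and should be checked against the linked sample. The reason the distinction matters is that `envFrom` values are read once at container start, so a workload nobody restarts keeps the pre-rotation credentials in memory for as long as it runs, regardless of what the Secret object now holds.

```yaml
# Added example (not the issue's YAML or the operator's sample): the busybox
# Pod from the issue as a Deployment, which the operator does reconcile.
# Assumed: label name, replica count, annotation on the Deployment metadata.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: doppler-busybox
  namespace: external-secrets          # same namespace as the managed secret
  annotations:
    secrets.doppler.com/reload: 'true'  # opt this Deployment in to reloads
spec:
  replicas: 1
  selector:
    matchLabels:
      app: doppler-busybox
  template:                            # the former Pod spec lives under here
    metadata:
      labels:
        app: doppler-busybox
    spec:
      containers:
      - name: busybox
        image: busybox:glibc
        command:
          - sleep
          - "3600"
        envFrom:
          - secretRef:
              name: doppler-test-secret   # managed secret from the DopplerSecret
```

To verify the change took effect, update a value in Doppler and watch `kubectl get pods -n external-secrets -w`: the old pod should terminate and a new one start shortly after the operator logs "Secrets have been modified". If the Secret changes but no new pod appears, the annotation is on the wrong object or the Deployment is in a different namespace from the managed secret.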

rchenzheng commented 3 years ago

> Hi @rchenzheng! 👋
>
> Thanks for sending this in and providing excellent details! The problem here is that the Doppler operator currently monitors deployment resources, not pods. Here's an example deployment that uses reloading: https://github.com/DopplerHQ/kubernetes-operator/blob/main/config/samples/deployment-envfrom.yaml
>
> You should be able to change your pod definition to a deployment definition by moving the current spec into the template field.
>
> Is there any reason why you might want to use a pod instead of a deployment?

This is currently a POC, but I'd like it to support all types of workloads, since my use cases make use of most.

i.e. statefulsets, daemonsets, replicasets, etc...

nmanoogian commented 3 years ago

Ah, understood -- thanks for the feedback! I'll bring up those use cases with the team.

rchenzheng commented 3 years ago

> Ah, understood -- thanks for the feedback! I'll bring up those use cases with the team.

I think it'd be a fairly common use case, is there any timeline for adding support?

nmanoogian commented 3 years ago

We don't have a timeline currently for adding support for other Kubernetes workloads.

In the meantime though, one solution would be to use the Doppler operator to sync secrets from Doppler to Kubernetes and use another reloading solution (such as Reloader) to automatically restart your workloads when those secrets change.
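Added example, not from the issue or either project: the workaround suggested above applied to one of the workload types the reporter asked about. The DopplerSecret from the issue keeps syncing Doppler into `doppler-test-secret`; Stakater Reloader, installed separately, watches that Secret and restarts the StatefulSet when it changes. `reloader.stakater.com/auto` is Reloader's documented opt-in annotation; the StatefulSet itself, its label and `serviceName` are constructed for illustration. No `secrets.doppler.com/reload` annotation is set, because per the thread the operator does not act on StatefulSets.

```yaml
# Added example (not from the issue): Doppler operator for syncing,
# Stakater Reloader for restarting a StatefulSet the operator ignores.
# Assumed: StatefulSet name, label, serviceName, replica count.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: doppler-busybox
  namespace: external-secrets
  annotations:
    # Reloader: roll this workload whenever a Secret or ConfigMap it
    # references changes. Use secret.reloader.stakater.com/reload:
    # "doppler-test-secret" instead to limit it to that one Secret.
    reloader.stakater.com/auto: "true"
spec:
  serviceName: doppler-busybox
  replicas: 1
  selector:
    matchLabels:
      app: doppler-busybox
  template:
    metadata:
      labels:
        app: doppler-busybox
    spec:
      containers:
      - name: busybox
        image: busybox:glibc
        command: ["sleep", "3600"]
        envFrom:
          - secretRef:
              name: doppler-test-secret   # managed secret written by the operator
```

The split is worth keeping in mind when reviewing: the operator's controller is still the only component that holds the Doppler service token, while Reloader only needs read access to Secrets and patch access to workloads in the namespaces it watches, so the two can be granted separate, narrower RBAC rather than one broad role.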

kzap commented 4 months ago

Would like to request this also. Usually you have an annotation on the pod spec that a controller would update and that would trigger a restart.