Status: Closed (diverdane closed this 2 years ago)
Amazing. Looks good except the build is failing.
@diverdane This is cool. I was thinking... what if SP wrote out a little shell script with the restart logic for the liveness probe somewhere in the mounted volume so that the app container liveness probe just needed to source it to be able to automatically restart when needed? So instead of an inline script it was just `source sp_funcs.sh`. That way if they have their own liveness probe script all they have to do is source that script at the top maybe. May not be a good idea, just a thought I had.
@imheresamir, Hmmm... That's an interesting idea. I was thinking about adding something along those lines, but a little less elegant than what you're proposing. I was thinking about having SP create two sentinel files:
`postStart` trick, so it could be written to the same directory as the client tokens get written to (SP's private emptyDir volume)
`livenessProbe`. The existence of the file would trigger a container restart. But adding script(s) would make it easier to use!
A utility script provided by SP could contain the logic for your second point: to check for the existence of the "updated" sentinel. Just trying to think of ways to make it easy for customers to integrate into their existing liveness probe with minimal effort. It could possibly be as simple as a `source sp_utils.sh` one-liner at the top of their script.
Desired Outcome
For the application Helm chart for the Secrets Provider running in Push-to-File mode with secret rotation support, it is desirable that we include:
Implemented Changes
The following changes are made to the `app-secrets-provider-rotation` Helm chart in order to delay the application container from starting until after the Secrets Provider sidecar container has finished creating the secret file(s) in the secrets shared volume:
Also, a liveness probe is added which uses the secret file date to determine if the application should be restarted.
These are being added as a reference for customers who are interested in sequencing the SP sidecar container and their app container startup, and who might need to have their application restarted whenever changes occur in the rendered secret files.
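The two mechanisms described above, a startup gate that waits for the sidecar's rendered secret file and a liveness probe that fails once that file's date changes, can be combined in one small utility script. The block below is an added example written for this page; it is not code from the Secrets Provider project or its Helm chart. The script name `sp_liveness.sh`, the `STAMP_FILE` variable and the `/conjur/secrets/app.yaml` path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the Secrets Provider project. An application
# container can source this file (or invoke it) to:
#   1. wait for the Secrets Provider sidecar to render its secret file before
#      the app starts, and
#   2. act as a livenessProbe that fails, and so triggers a container restart,
#      once that file is rewritten.
# STAMP_FILE and the paths in the usage comments are hypothetical.

# Stamp file whose mtime records the secret file's mtime as last seen here.
STAMP_FILE="${STAMP_FILE:-/tmp/.secrets-seen}"

# wait_for_secrets FILE [TIMEOUT_SECONDS]
# Polls until FILE exists and is non-empty, then records a stamp with the
# same mtime as FILE (touch -r is POSIX). Returns 0 on success, 1 on timeout.
wait_for_secrets() {
  file=$1
  timeout=${2:-60}
  waited=0
  while [ ! -s "$file" ]; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "timed out after ${timeout}s waiting for $file" >&2
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done
  touch -r "$file" "$STAMP_FILE"
  return 0
}

# secrets_changed FILE
# Returns 0 when FILE is newer than the stamp taken at startup.
# If no stamp exists (the entrypoint never called wait_for_secrets), record
# one now from FILE's current mtime and report "unchanged" rather than
# restarting the container forever.
secrets_changed() {
  if [ ! -e "$STAMP_FILE" ]; then
    [ -e "$1" ] && touch -r "$1" "$STAMP_FILE"
    return 1
  fi
  [ "$1" -nt "$STAMP_FILE" ]
}

# liveness_probe FILE
# Exit status 0 = healthy, 1 = unhealthy (kubelet restarts the container).
liveness_probe() {
  if secrets_changed "$1"; then
    echo "$1 changed since startup; reporting unhealthy so the pod restarts" >&2
    return 1
  fi
  return 0
}

# Optional CLI dispatch so the same file works as an exec probe
# (hypothetical paths):
#   sh sp_liveness.sh wait  /conjur/secrets/app.yaml 120   # in the app entrypoint
#   sh sp_liveness.sh probe /conjur/secrets/app.yaml       # as livenessProbe.exec.command
case "${1:-}" in
  wait)  wait_for_secrets "$2" "${3:-60}" ;;
  probe) liveness_probe "$2" ;;
esac
```

Wired into a Pod, the entrypoint runs the `wait` mode before exec'ing the application, and the `livenessProbe` runs the `probe` mode with `exec`. Two caveats a practitioner should weigh: the check keys off the file's mtime, so a rewrite with identical content still restarts the container (compare a checksum instead if that matters), and every rotation costs one restart, so `periodSeconds` and `failureThreshold` decide how long the app keeps serving with stale credentials before it is cycled.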
Connected Issue/Story
Resolves #[relevant GitHub issue(s), e.g. 76]
CyberArk internal issue link: [insert issue ID]()
Definition of Done
At least 1 todo must be completed in the sections below for the PR to be merged.
Changelog
Test coverage
Documentation
README(s) were updated in this PR
Behavior
Security