hashicorp / vault-helm

Helm chart to install Vault and other associated components.
Mozilla Public License 2.0

Add annotation on config change #1001

Closed swenson closed 3 months ago

swenson commented 3 months ago

When updating the Vault config (and the corresponding configmap), we now generate a checksum of the config and set it as an annotation on both the configmap and the Vault StatefulSet pod template.

This allows the deployer to know what pods need to be restarted to pick up a changed config.

We still recommend using the standard upgrade method for Vault on Kubernetes, i.e., using the OnDelete strategy for the Vault StatefulSet, so updating the config and doing a helm upgrade should not trigger the pods to restart, and then deleting pods one at a time, starting with the standby pods.

With kubectl and jq, you can check which pods need to be updated by first getting the value of the current configmap checksum:

kubectl get pods -o json | jq -r ".items[] | select(.metadata.annotations.\"config/checksum\" != $(kubectl get configmap vault-config -o json | jq '.metadata.annotations."config/checksum"') ) | .metadata.name"

Fixes #748.
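Added example (not code from this PR or from the vault-helm chart): the same staleness check as the kubectl/jq one-liner above, run offline over constructed ConfigMap and pod objects shaped like `kubectl get ... -o json` output. The annotation key is the `config/checksum` one named in the description; the hash algorithm (SHA-256) and the sample config text are assumptions.

```python
import hashlib
import json

ANNOTATION = "config/checksum"  # annotation key named in the PR description


def config_checksum(config_text: str) -> str:
    """Checksum of the rendered Vault config stored as the annotation value.

    Assumption: SHA-256 over the config text; the PR does not state the algorithm.
    """
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()


def stale_pods(configmap: dict, pod_list: dict, annotation: str = ANNOTATION) -> list:
    """Return names of pods whose checksum annotation differs from the ConfigMap's.

    Mirrors the kubectl | jq check: a pod that carries no annotation at all
    (e.g. created before the chart added it) also counts as stale, because it
    cannot be shown to be running the current config.
    """
    current = configmap.get("metadata", {}).get("annotations", {}).get(annotation)
    stale = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        seen = meta.get("annotations", {}).get(annotation)
        if seen != current:
            stale.append(meta["name"])
    return stale


# Constructed sample objects (not real cluster output).
NEW_CONFIG = 'ui = true\nlistener "tcp" {\n  address = "[::]:8200"\n}\n'
CONFIGMAP = {"metadata": {"name": "vault-config",
                          "annotations": {ANNOTATION: config_checksum(NEW_CONFIG)}}}
PODS = {"items": [
    {"metadata": {"name": "vault-0",  # already on the new config
                  "annotations": {ANNOTATION: config_checksum(NEW_CONFIG)}}},
    {"metadata": {"name": "vault-1",  # still on an older config
                  "annotations": {ANNOTATION: config_checksum("ui = false\n")}}},
    {"metadata": {"name": "vault-2", "annotations": {}}},  # never annotated
]}

if __name__ == "__main__":
    print(json.dumps(stale_pods(CONFIGMAP, PODS)))  # → ["vault-1", "vault-2"]
```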

benashz commented 3 months ago

We may also want to prefix the annotation with something like vault. or something like that, to avoid a collision with values...annotations

swenson commented 3 months ago

Updated. I also fixed the Test.dockerfile to work again (the way we were using pip to install yq no longer worked).

swenson commented 3 months ago

Thanks!