Closed swenson closed 3 months ago
We may also want to prefix the annotation something like `vault.` or something like that, to avoid a collision values...annotations
Updated. I also fixed the `Test.dockerfile` to work again (the way we were using `pip` to install `yq` no longer worked).
Thanks!
When updating the Vault config (and corresponding configmap), we now generate a checksum of the config and set it as an annotation on both the configmap and the Vault StatefulSet pod template.
This allows the deployer to know what pods need to be restarted to pick up a changed config.
We still recommend using the standard upgrade method for Vault on Kubernetes, i.e., using the `OnDelete` strategy for the Vault StatefulSet, so updating the config and doing a `helm upgrade` should not trigger the pods to restart, and then deleting pods one at a time, starting with the standby pods.

With `kubectl` and `jq`, you can check which pods need to be updated by first getting the value of the current configmap checksum:

Fixes #748.
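The comparison described above, as an added example that is not part of this pull request or the chart: it takes the JSON that `kubectl get configmap -o json` and `kubectl get pods -o json` would return and lists the pods whose checksum annotation differs from the configmap's, standbys first. The annotation key is a placeholder (the real name is not shown on this page), the `vault-active` label is assumed to be set by Vault's Kubernetes service registration, and the sample objects are constructed.

```python
# Assumption: placeholder key; the real annotation name is not shown on this page.
CHECKSUM_ANNOTATION = "example.invalid/vault-config-checksum"
# Assumption: pods carry a label marking the active node (Vault's Kubernetes
# service registration sets "vault-active"); without it all pods sort as standby.
ACTIVE_LABEL = "vault-active"


def _meta(obj, field):
    # kubectl omits empty maps (or emits null), so normalise to a dict.
    return (obj.get("metadata") or {}).get(field) or {}


def stale_pods(configmap, pod_list):
    """Return names of pods whose checksum annotation differs from the
    configmap's, standbys first and the active pod last."""
    want = _meta(configmap, "annotations").get(CHECKSUM_ANNOTATION)
    if not want:
        raise ValueError("configmap carries no checksum annotation")
    stale = [
        pod for pod in pod_list.get("items", [])
        if _meta(pod, "annotations").get(CHECKSUM_ANNOTATION) != want
    ]
    stale.sort(key=lambda p: (_meta(p, "labels").get(ACTIVE_LABEL) == "true",
                              p["metadata"]["name"]))
    return [p["metadata"]["name"] for p in stale]


def _pod(name, active, checksum=None):
    # Constructed sample pod, shaped like an item of `kubectl get pods -o json`.
    meta = {"name": name, "labels": {ACTIVE_LABEL: active}}
    if checksum is not None:
        meta["annotations"] = {CHECKSUM_ANNOTATION: checksum}
    return {"metadata": meta}


# Constructed sample data (checksums are made-up strings, not real digests).
SAMPLE_CONFIGMAP = {"metadata": {"name": "vault-config",
                                 "annotations": {CHECKSUM_ANNOTATION: "new-sum"}}}
SAMPLE_PODS = {"items": [
    _pod("vault-0", "true", "old-sum"),    # active, still on the old config
    _pod("vault-1", "false", "new-sum"),   # standby, already restarted
    _pod("vault-2", "false"),              # standby, predates the annotation
]}

if __name__ == "__main__":
    for name in stale_pods(SAMPLE_CONFIGMAP, SAMPLE_PODS):
        print(name)
```

A pod with no checksum annotation at all is treated as stale, since it was created before the config was last rendered with the annotation in place.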