hashicorp / vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.
https://hashicorp.com

Rollouts trigger a double rollout for Flux managed workloads #921

Open hamishforbes opened 2 months ago

hamishforbes commented 2 months ago

Is your feature request related to a problem? Please describe.

If a workload (e.g. Deployment or StatefulSet) is deployed into a cluster via Flux, then setting the restartedAt annotation will trigger a second rollout at some point in the future when Flux reconciles the configuration.

This is also a problem if you use kubectl (or any other tooling) to trigger a rollout or otherwise modify the deployment template. The solution is to configure the field manager as flux-client-side-apply when setting the annotation.

Describe the solution you'd like

Make the Field Manager configurable when applying the rollout restart annotation.

I'm not sure where this would ideally be configured; I can see at least 3 options:

a) As a config flag/env var on the operator pod itself
b) A field in the CRD, e.g. spec.rolloutRestartTargets[{ kind: 'Deployment', name: 'foobar', fieldManager: 'flux-client-side-apply'}]
c) An annotation on the target workload: vso.secrets.hashicorp.com/fieldManager: 'flux-client-side-apply'

I've tested that this works by just hardcoding the field manager and deploying the custom operator to a dev environment.
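As an added check, not part of this issue and not the operator's or Flux's code: given a workload's JSON fetched with managed fields, report which field manager owns the restart annotation, so you can tell before Flux's next reconcile whether the restart was written under the manager the issue proposes. The annotation key vso.secrets.hashicorp.com/restartedAt is assumed, and the managedFields sample is constructed.

```go
package main

import "encoding/json"

// Assumed annotation VSO writes on the pod template to trigger a restart, as its fieldsV1 path.
var restartedAtPath = []string{"f:spec", "f:template", "f:metadata", "f:annotations",
	"f:vso.secrets.hashicorp.com/restartedAt"}

// Only the parts of a workload object we need; encoding/json matches keys case-insensitively.
type workload struct {
	Metadata struct {
		ManagedFields []struct {
			Manager  string
			FieldsV1 map[string]interface{}
		}
	}
}

// ownsPath reports whether a fieldsV1 tree contains the given key path.
func ownsPath(node interface{}, path []string) bool {
	if len(path) == 0 {
		return true
	}
	m, isMap := node.(map[string]interface{})
	child, found := m[path[0]] // indexing a nil map is safe: found is false
	return isMap && found && ownsPath(child, path[1:])
}

// RestartedAtOwners parses a workload fetched with `kubectl get ... -o json --show-managed-fields`
// and returns the field managers owning the restartedAt annotation. Any owner other than the one
// Flux treats as its own (flux-client-side-apply, per the issue) predicts the second rollout.
func RestartedAtOwners(objJSON []byte) ([]string, error) {
	var w workload
	if err := json.Unmarshal(objJSON, &w); err != nil {
		return nil, err
	}
	var owners []string
	for _, mf := range w.Metadata.ManagedFields {
		if ownsPath(mf.FieldsV1, restartedAtPath) {
			owners = append(owners, mf.Manager)
		}
	}
	return owners, nil
}

// Constructed sample: the annotation was written under the operator's own field manager.
const sample = `{"metadata":{"managedFields":[
 {"manager":"kustomize-controller","fieldsV1":{"f:spec":{"f:replicas":{}}}},
 {"manager":"vault-secrets-operator","fieldsV1":{"f:spec":{"f:template":{"f:metadata":{"f:annotations":{"f:vso.secrets.hashicorp.com/restartedAt":{}}}}}}}]}}`
```

Run it against the real object and compare the returned managers with the one Flux expects; an empty result means no manager currently owns the annotation.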