securesign / secure-sign-operator

Apache License 2.0

[SECURESIGN-437] Configuration update support #177

Closed bouskaJ closed 5 months ago

bouskaJ commented 9 months ago

When a configuration update happens, the underlying secret or configmap will be updated and the running pod should eventually be updated as well (see https://kubernetes.io/docs/concepts/configuration/configmap/#mounted-configmaps-are-updated-automatically). This is a critical feature and we need to cover it with a test.

bouskaJ commented 8 months ago

This one will be harder than I thought. Investigating the deployed applications, I realized that they don't work with the files in place but load them into memory, zip archives, etc. We need to rotate the deployment on every configuration change.

I would follow the advice from https://stackoverflow.com/questions/37317003/restart-pods-when-configmap-updates-in-kubernetes

cooktheryan commented 8 months ago

@bouskaJ, thinking about this: any CM or secret change should be applied through the CR, so could we record the update of the CM or secret and then trigger a rollout of the deployment on that update event?

cooktheryan commented 8 months ago

For testing, I wonder if an acceptable test would be using #78 once it's coded in.

bouskaJ commented 8 months ago

> @bouskaJ, thinking about this: any CM or secret change should be applied through the CR, so could we record the update of the CM or secret and then trigger a rollout of the deployment on that update event?

Hey @cooktheryan, basically yes. The problem is that the TUF component finds existing secrets by labels (implemented in https://github.com/securesign/secure-sign-operator/pull/35). The goal of that PR was component decoupling (https://github.com/securesign/secure-sign-operator/issues/38).

Let's give an example: the Fulcio certificate was changed in the Fulcio CR. Only the Fulcio controller works with the Fulcio CR and knows that the key was changed. We can't propagate the information to the TUF component because of https://github.com/securesign/secure-sign-operator/issues/38. That means that the key autodiscovery feature needs to be executed again on the TUF side under the hood. I am going to solve it by creating a new immutable CM and rotating the CM with every change. I have something WIP at https://github.com/securesign/secure-sign-operator/commit/0372555ca4e93bce856361154b9632aac6919817. I hope it will be done today.
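Two ideas in this thread combine into one mechanism: the StackOverflow advice (stamp the pod template with a hash of the config so any change forces a rollout) and the immutable-ConfigMap rotation bouskaJ describes (a new object per content version, so the old one is never mutated and the volume reference itself changes). The following Go snippet is an added example written for this page; it is not code from the operator or from the linked WIP commit. It uses only the standard library, so `PodTemplate` stands in for the Deployment's `spec.template` fields that matter here, the annotation key `example.securesign.io/config-hash` is an assumption, and the sample certificate strings are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Annotation key used to stamp the pod template. This is an assumption for
// the example, not a key the operator itself uses.
const ConfigHashAnnotation = "example.securesign.io/config-hash"

// HashConfig returns a hex-encoded SHA-256 over the ConfigMap contents.
// Keys are sorted so Go's random map iteration order cannot change the
// digest, and every key and value is length-prefixed so that shifting bytes
// between neighbouring fields cannot produce the same digest.
func HashConfig(data map[string]string, binaryData map[string][]byte) string {
	h := sha256.New()
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Fprintf(h, "d:%d:%s:%d:%s", len(k), k, len(data[k]), data[k])
	}
	bkeys := make([]string, 0, len(binaryData))
	for k := range binaryData {
		bkeys = append(bkeys, k)
	}
	sort.Strings(bkeys)
	for _, k := range bkeys {
		fmt.Fprintf(h, "b:%d:%s:%d:", len(k), k, len(binaryData[k]))
		h.Write(binaryData[k])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// ImmutableConfigMapName derives the name of the immutable ConfigMap that
// carries a given content hash: <base>-<first 10 hex chars>. A new hash
// yields a new name, so the existing object is never edited (an object with
// immutable: true would reject the edit anyway) and the Deployment's volume
// reference changes along with the content.
func ImmutableConfigMapName(base, hash string) string {
	return fmt.Sprintf("%s-%s", base, hash[:10])
}

// PodTemplate models the two fields of a Deployment's pod template this
// technique touches: the annotations and the configMap volume source name.
type PodTemplate struct {
	Annotations   map[string]string
	ConfigMapName string
}

// ApplyConfig points the template at the immutable ConfigMap for the given
// content and stamps the hash annotation. It reports whether the template
// changed; any change to the pod template makes the Deployment controller
// start a new rollout, which is what the thread needs because the
// applications read their files only at startup.
func ApplyConfig(tpl *PodTemplate, base string, data map[string]string, binaryData map[string][]byte) bool {
	hash := HashConfig(data, binaryData)
	name := ImmutableConfigMapName(base, hash)
	if tpl.Annotations == nil {
		tpl.Annotations = map[string]string{}
	}
	changed := tpl.Annotations[ConfigHashAnnotation] != hash || tpl.ConfigMapName != name
	tpl.Annotations[ConfigHashAnnotation] = hash
	tpl.ConfigMapName = name
	return changed
}

func main() {
	// Constructed sample: a TUF config that later receives a rotated Fulcio cert.
	tpl := &PodTemplate{}
	v1 := map[string]string{"fulcio_v1.crt.pem": "-----BEGIN CERTIFICATE-----\nAAA\n-----END CERTIFICATE-----\n"}
	fmt.Println("first reconcile, rollout:", ApplyConfig(tpl, "tuf-secrets", v1, nil), tpl.ConfigMapName)
	fmt.Println("same content, rollout:", ApplyConfig(tpl, "tuf-secrets", v1, nil))
	v2 := map[string]string{"fulcio_v1.crt.pem": "-----BEGIN CERTIFICATE-----\nBBB\n-----END CERTIFICATE-----\n"}
	fmt.Println("rotated cert, rollout:", ApplyConfig(tpl, "tuf-secrets", v2, nil), tpl.ConfigMapName)
}
```

In a real reconciler the controller would create the `<base>-<hash>` ConfigMap with `immutable: true` before updating the Deployment, and garbage-collect older generations once no pod references them. Because the decision is driven purely by content, the TUF controller can re-run its label-based key discovery on every reconcile and still produce no rollout when nothing actually changed, which is what makes the approach compatible with the component decoupling discussed above.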

bouskaJ commented 5 months ago

Migrated to Jira.