stakater / Reloader

A Kubernetes controller to watch changes in ConfigMap and Secrets and do rolling upgrades on Pods with their associated Deployment, StatefulSet, DaemonSet and DeploymentConfig – [✩Star] if you're using it!
https://docs.stakater.com/reloader/
Apache License 2.0
7.61k stars 507 forks

objectAlias in secret prevents any rolling update on the replicaset #413

Open paillave opened 1 year ago

paillave commented 1 year ago

As I want my files to have a proper name according to the container specifications, I want to set an alias on some secrets. But when I do so, stakater/reloader doesn't trigger any rolling update at all anymore on my replicaset.

FYI, I just need to remove the objectAlias line, and stakater will work properly... but the file will be created with a name the contained application doesn't recognize.

Here is what I do:

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kvname
spec:
  provider: azure
  parameters:
    useVMManagedIdentity: "true"
    userAssignedIdentityID: XXXXXXXXXXXXXXX
    keyvaultName: XXXXXXXXXXXXXXXXX
    objects:  |
      array:
        - |
          objectName: ThisIsACertificate
          objectAlias: SslCertificate.pfx
          objectType: cert
    tenantID: XXXXXXXXXXXXXXXX
  secretObjects:
  - data:
    - key: certificat
      objectName: ThisIsACertificate
    secretName: test-secrets
    type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-azure-key-vault
  labels:
    app: test-azure-key-vault
  annotations:
    secret.reloader.stakater.com/reload: "test-secrets"
spec:
  replicas: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: myApp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: myApp
    spec:
      containers:
      - name: XXXXXXXXXXXXXXXXXXX
        image: XXXXXXXXXXXXXXXXXXXXX
        ports:
        - containerPort: 80
        volumeMounts:
        - name: secrets-store01-inline
          mountPath: XXXXXXXXXXXXXXXXXXXXX
          readOnly: true
      volumes:
      - name: secrets-store01-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: azure-kvname
```
sunilthorat09 commented 9 months ago

I'm not sure if it's actually an issue, but it works for us when using the objectAlias instead of the objectName under the data section.

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kvname
spec:
  provider: azure
  parameters:
    useVMManagedIdentity: "true"
    userAssignedIdentityID: XXXXXXXXXXXXXXX
    keyvaultName: XXXXXXXXXXXXXXXXX
    objects:  |
      array:
        - |
          objectName: ThisIsACertificate
          objectAlias: SslCertificate.pfx
          objectType: cert
    tenantID: XXXXXXXXXXXXXXXX
  secretObjects:
  - data:
    - key: certificat
      objectName: SslCertificate.pfx
    secretName: test-secrets
    type: Opaque
```
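The two configurations above differ only in what the `secretObjects` entry points at. The following is an added example, not code from stakater/reloader or from the Secrets Store CSI driver project: a small consistency check over a SecretProviderClass and the Deployment that mounts it. It flags the three ways this coupling silently breaks: a `secretObjects` entry that names something the provider never mounts (so the Secret is never synced and Reloader has nothing to watch), a Deployment that does not mount the class through the CSI driver, and a Reloader annotation naming a Secret the class does not produce. The one assumption, taken from the working config in the thread, is that the mounted file is named after `objectAlias` when one is set and after `objectName` otherwise. The manifests are embedded as already-parsed Python dicts with the thread's placeholder values; a real tool would obtain them with `yaml.safe_load` and parse the `spec.parameters.objects` string a second time.

```python
import copy

RELOAD_ANNOTATION = "secret.reloader.stakater.com/reload"
CSI_DRIVER = "secrets-store.csi.k8s.io"


def mounted_file_names(spc: dict) -> set[str]:
    """File names the provider writes into the CSI volume.

    Assumption (matches the working config in the thread): the file is named
    after objectAlias when one is set, otherwise after objectName.
    """
    objects = spc["spec"]["parameters"]["objects"]["array"]
    return {o.get("objectAlias") or o["objectName"] for o in objects}


def lint(spc: dict, deployment: dict) -> list[str]:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []
    spc_name = spc["metadata"]["name"]
    files = mounted_file_names(spc)
    secret_objects = spc["spec"].get("secretObjects", [])

    # 1. Each synced key must name a file the provider actually mounts; otherwise
    #    the Kubernetes Secret is never created and Reloader has nothing to watch.
    for so in secret_objects:
        for entry in so["data"]:
            ref = entry["objectName"]
            if ref not in files:
                findings.append(
                    f"secret {so['secretName']!r}: key {entry['key']!r} references "
                    f"{ref!r}, but the mounted file names are {sorted(files)}"
                )

    # 2. The Deployment must mount this SecretProviderClass through the CSI driver;
    #    secretObjects are only synced for classes that some pod mounts.
    volumes = deployment["spec"]["template"]["spec"].get("volumes", [])
    mounted_classes = {
        v["csi"]["volumeAttributes"].get("secretProviderClass")
        for v in volumes
        if v.get("csi", {}).get("driver") == CSI_DRIVER
    }
    if spc_name not in mounted_classes:
        findings.append(
            f"deployment does not mount SecretProviderClass {spc_name!r} via {CSI_DRIVER}"
        )

    # 3. Every Secret in the Reloader annotation (a comma-separated list) must be one
    #    this class produces, or Reloader is watching a Secret that never appears.
    annotation = deployment["metadata"].get("annotations", {}).get(RELOAD_ANNOTATION, "")
    wanted = {s.strip() for s in annotation.split(",") if s.strip()}
    produced = {so["secretName"] for so in secret_objects}
    for missing in sorted(wanted - produced):
        findings.append(
            f"Reloader annotation names {missing!r}, which no secretObjects entry produces"
        )
    return findings


# Constructed sample input mirroring the thread (placeholders kept as-is).
BROKEN_SPC = {
    "apiVersion": "secrets-store.csi.x-k8s.io/v1",
    "kind": "SecretProviderClass",
    "metadata": {"name": "azure-kvname"},
    "spec": {
        "provider": "azure",
        "parameters": {
            "keyvaultName": "XXXXXXXXXXXXXXXXX",
            "objects": {"array": [
                {"objectName": "ThisIsACertificate",
                 "objectAlias": "SslCertificate.pfx",
                 "objectType": "cert"},
            ]},
        },
        "secretObjects": [{
            "secretName": "test-secrets",
            "type": "Opaque",
            "data": [{"key": "certificat", "objectName": "ThisIsACertificate"}],
        }],
    },
}

# The fix from the thread: reference the alias, i.e. the file that is really mounted.
FIXED_SPC = copy.deepcopy(BROKEN_SPC)
FIXED_SPC["spec"]["secretObjects"][0]["data"][0]["objectName"] = "SslCertificate.pfx"

DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {
        "name": "test-azure-key-vault",
        "annotations": {RELOAD_ANNOTATION: "test-secrets"},
    },
    "spec": {"template": {"spec": {"volumes": [{
        "name": "secrets-store01-inline",
        "csi": {"driver": CSI_DRIVER, "readOnly": True,
                "volumeAttributes": {"secretProviderClass": "azure-kvname"}},
    }]}}},
}

if __name__ == "__main__":
    for label, spc in (("as posted", BROKEN_SPC), ("alias referenced", FIXED_SPC)):
        print(f"{label}: {lint(spc, DEPLOYMENT) or ['ok']}")
```

Run against the config as posted, the linter reports the single finding that explains the thread: the `certificat` key references `ThisIsACertificate` while the only mounted file is `SslCertificate.pfx`. With the alias referenced it reports nothing. Checks 2 and 3 cover the neighbouring mistakes that produce the same symptom (no rollout at all), which is why a check like this is worth running in CI before concluding Reloader is at fault.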