Open vhurtevent opened 4 months ago
Link to issue with similar request: https://github.com/zalando/postgres-operator/issues/1968
I am testing the use of the annotation zalando-postgres-operator-rolling-update-required.
Adding it to the pod template in the statefulset resource triggers a resync and recreation of pods.
I will then test with a Kyverno policy to add the annotation on secret change.
Please, answer some short questions which should help us to understand your problem / question better?
Hello, we are working on a DBaaS service based on postgres-operator for Postgres instances and HashiCorp Vault for database roles and credentials management. Initially, Postgres system credentials are provided by postgres-operator through the Kubernetes secrets and passed through envvar to postgres pods.
We are using in-house code and Vault Config Operator (VCO) to register the Postgres instance in Vault and create roles (static and dynamic). The postgres admin role is managed by Vault with possible rotation. We are also using Vault Secret Operator (VSO) to sync back credentials from Vault to the initial Kubernetes secret.
But we are missing a way to cleanly trigger a Postgres pods/nodes restart to sync envvar and inside-pods Postgres admin and standby credentials. We tried the rolloutRestartTargets feature of VSO or stakater/Reloader to trigger a statefulset rollout, but the UpdateStrategy is statically defined to onDelete and pods are not restarted.
Is there a way to cleanly roll out the statefulset to restart pods/nodes in case of password rotation from Vault?
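Added example, not part of the original issue and not postgres-operator code: a check for which pods still run the old pod template (and so the old credentials in their environment) after a tool such as Reloader or VSO has modified the StatefulSet template under an OnDelete strategy. It compares each pod's controller-revision-hash label with the StatefulSet's status.updateRevision; the object names, UIDs and revision strings are constructed sample values.

```python
# Added example; the objects in SAMPLE_* are constructed, not from a real cluster.
# Inputs have the shape of `kubectl get statefulset <name> -o json` and the
# "items" list of `kubectl get pods -o json`.

def restarts_automatically(sts):
    """True if a pod-template change makes the controller replace pods itself."""
    # apps/v1 defaults to RollingUpdate when the strategy is unset.
    strategy = sts.get("spec", {}).get("updateStrategy", {}).get("type", "RollingUpdate")
    return strategy == "RollingUpdate"

def stale_pods(sts, pods):
    """Names of pods owned by sts that still run an older template revision."""
    target = sts.get("status", {}).get("updateRevision")
    if not target:
        raise ValueError("StatefulSet status has no updateRevision")
    uid = sts["metadata"]["uid"]
    stale = []
    for pod in pods:
        meta = pod["metadata"]
        if not any(ref.get("uid") == uid for ref in meta.get("ownerReferences", [])):
            continue  # pod belongs to another controller
        if meta.get("labels", {}).get("controller-revision-hash") != target:
            stale.append(meta["name"])
    return sorted(stale)

def _pod(name, revision, owner_uid):
    # Helper that builds a minimal constructed pod object.
    return {"metadata": {"name": name,
                         "labels": {"controller-revision-hash": revision},
                         "ownerReferences": [{"kind": "StatefulSet", "uid": owner_uid}]}}

SAMPLE_STS = {
    "metadata": {"name": "demo-db", "uid": "uid-sts-1"},
    "spec": {"updateStrategy": {"type": "OnDelete"}},
    "status": {"currentRevision": "demo-db-5b8d", "updateRevision": "demo-db-7c9f"},
}
SAMPLE_PODS = [
    _pod("demo-db-0", "demo-db-5b8d", "uid-sts-1"),   # created before the template change
    _pod("demo-db-1", "demo-db-7c9f", "uid-sts-1"),   # already recreated
    _pod("other-0", "other-1111", "uid-sts-2"),       # different StatefulSet
]

if __name__ == "__main__":
    print("automatic rollout:", restarts_automatically(SAMPLE_STS))
    print("pods still on old revision:", stale_pods(SAMPLE_STS, SAMPLE_PODS))
```

A non-empty result after a credential rotation means those pods have not picked up the new template and still need to be recreated.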