From 757469762b249cbb15cf62bacb356f51f6496d22 Mon Sep 17 00:00:00 2001
From: Markus Pesch
Date: Sun, 30 Nov 2025 13:31:44 +0100
Subject: [PATCH] feat(pod): roll deployment for TLS certificates

The patch add the annotation `checksum/secret-` with the sha512 value of the secret. This ensures a rolling update if the TLS secrets has been updated. Such an update can be triggered by the cert-manager.
---
 templates/_pod.tpl | 6 ++++--
 unittests/deployment/certificate.yaml | 3 +++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/templates/_pod.tpl b/templates/_pod.tpl
index aa43490..b38a803 100644
--- a/templates/_pod.tpl
+++ b/templates/_pod.tpl
@@ -4,6 +4,10 @@
 {{- define "athens-proxy.pod.annotations" }}
 {{- include "athens-proxy.annotations" . }}
+{{- if and .Values.certificate.enabled (not .Values.certificate.existingSecret.enabled) }}
+{{- $secretName := include "athens-proxy.certificates.server.name" $ }}
+{{ printf "checksum/secret-%s: %s" $secretName (print (lookup "v1" "Secret" .Release.Namespace $secretName) | sha256sum) }}
+{{- end }}
 {{- if and .Values.config.env.enabled (not .Values.config.env.existingSecret.enabled) }}
 {{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.env.name" $) (include (print $.Template.BasePath "/secretEnv.yaml") . | sha256sum) }}
 {{- end }}
@@ -21,8 +25,6 @@
 {{- end }}
 {{- end }}
-
-
 {{/* labels */}}
 {{- define "athens-proxy.pod.labels" -}}
diff --git a/unittests/deployment/certificate.yaml b/unittests/deployment/certificate.yaml
index c6b15ab..f3fb7e5 100644
--- a/unittests/deployment/certificate.yaml
+++ b/unittests/deployment/certificate.yaml
@@ -46,6 +46,9 @@ tests:
       certificate.new.issuerRef.kind: ClusterIssuer
       certificate.new.issuerRef.name: MyIssuer
     asserts:
+      - exists:
+          path: spec.template.metadata.annotations["checksum/secret-athens-proxy-unittest-tls"]
+          template: templates/deployment.yaml
       - contains:
           path: spec.template.spec.containers[0].env
           content:
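Review bot: The new `checksum/secret-%s` line in `athens-proxy.pod.annotations` hashes the whole object returned by `lookup`, not just its data: `print` of the Secret map includes its metadata (resourceVersion, managedFields and the like, as far as I can tell from Helm's lookup output), so a metadata-only change to the Secret would also change the checksum and roll the Deployment. Hashing only the data keys narrows the trigger to an actual certificate change, e.g. `{{ printf "checksum/secret-%s: %s" $secretName (print (index (lookup "v1" "Secret" .Release.Namespace $secretName) "data") | sha256sum) }}`. Separately, `lookup` returns an empty map without cluster access (`helm template`, `--dry-run`, helm-unittest) and is only evaluated when Helm renders, so a cert-manager renewal between releases does not roll the Deployment on its own, and the commit description says sha512 while the code uses `sha256sum`. A template comment above the new `if` would save the next reader that investigation, such as `{{/* checksum of the server TLS Secret; lookup is empty without cluster access and only re-evaluated on a Helm render, not on cert-manager renewal */}}`. The define continues outside the hunk.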
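Review bot: The added `exists` assertion on `checksum/secret-athens-proxy-unittest-tls` passes regardless of whether the lookup works, because helm-unittest renders without a cluster, `lookup` returns an empty map, and the annotation is emitted with the same constant value every time. Pinning the value with `equal` (the sha256 of the rendered empty map, `<CONSTRUCTED_EXPECTED_SHA256>` once computed) and adding a counterpart test with `certificate.existingSecret.enabled: true` that asserts `notExists` on the same path would at least cover the guard; if the project's helm-unittest version supports `kubernetesProvider.objects`, seeding a fake Secret there would let the test check a data-dependent hash. The enclosing test and its `asserts` list continue outside the hunk.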