feat(pod): support roll deployment for external TLS certificates

fix(pod): pipe secret correctly to func sha256sum
The privious implemented feature pipe the secret not correctly to the sha256sum function. This leads everytime to the same sha256 sum. This patch fixes this bug.
2025-11-30 13:58:34 +01:00 · 2025-11-30 13:49:15 +01:00
2 changed files with 41 additions and 2 deletions
--- a/templates/_pod.tpl
+++ b/templates/_pod.tpl
@@ -4,9 +4,13 @@
 {{- define "athens-proxy.pod.annotations" }}
 {{- include "athens-proxy.annotations" . }}
-{{- if and .Values.certificate.enabled (not .Values.certificate.existingSecret.enabled) }}
+{{- if and .Values.certificate.enabled }}
 {{- $secretName := include "athens-proxy.certificates.server.name" $ }}
-{{ printf "checksum/secret-%s: %s" $secretName (print (lookup "v1" "Secret" .Release.Namespace $secretName) | sha256sum) }}
+{{- if and .Values.certificate.existingSecret.enabled (gt (len .Values.certificate.existingSecret.secretName) 0) }}
 {{- $secretName = .Values.certificate.existingSecret.secretName }}
 {{- end }}
 {{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName }}
 {{ printf "checksum/secret-%s: %s" $secretName ($secret | toYaml | sha256sum) }}
 {{- end }}
 {{- if and .Values.config.env.enabled (not .Values.config.env.existingSecret.enabled) }}
 {{ printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.env.name" $) (include (print $.Template.BasePath "/secretEnv.yaml") . | sha256sum) }}
--- a/unittests/deployment/certificate.yaml
+++ b/unittests/deployment/certificate.yaml
@@ -67,6 +67,41 @@ tests:
          name: tls
          mountPath: /etc/athens-proxy/tls
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.volumes
        content:
          name: tls
          secret:
            secretName: athens-proxy-unittest-tls
      template: templates/deployment.yaml
 - it: Rendering with external TLS config
  set:
    certificate.enabled: true
    certificate.existingSecret.enabled: true
    certificate.existingSecret.secretName: my-own-secret
  asserts:
    - exists:
        path: spec.template.metadata.annotations["checksum/secret-my-own-secret"]
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].env
        content:
          name: ATHENS_TLSCERT_FILE
          value: /etc/athens-proxy/tls/tls.crt
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].env
        content:
          name: ATHENS_TLSKEY_FILE
          value: /etc/athens-proxy/tls/tls.key
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.containers[0].volumeMounts
        content:
          name: tls
          mountPath: /etc/athens-proxy/tls
      template: templates/deployment.yaml
    - contains:
        path: spec.template.spec.volumes
        content:
Author	SHA1	Message	Date
Markus Pesch	f54f1aca01	feat(pod): support roll deployment for external TLS certificates All checks were successful Helm / helm-lint (push) Successful in 4s Details Helm / helm-unittest (push) Successful in 18s Details Release / publish-chart (push) Successful in 19s Details	2025-11-30 13:58:34 +01:00
Markus Pesch	502c78296e	fix(pod): pipe secret correctly to func sha256sum The privious implemented feature pipe the secret not correctly to the sha256sum function. This leads everytime to the same sha256 sum. This patch fixes this bug.	2025-11-30 13:49:15 +01:00