feat: automatically roll deployments

The following patch extends the chart to automatically roll the deployment, when one of the configurations, stored in a config map or secret, has been changed. The implementation add annotations which triggers `helm update` or ArgoCD to roll the deployment. Further information can be found on the official helm website: https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
2025-05-29 12:23:44 +02:00 · 2025-05-29 12:23:44 +02:00 · f8b7a887f6
commit f8b7a887f6
parent 51ee91fed1
3 changed files with 80 additions and 1 deletions
--- a/templates/prometheus-fail2ban-exporter/_pod.tpl
+++ b/templates/prometheus-fail2ban-exporter/_pod.tpl
@ -4,6 +4,21 @@

 {{- define "prometheus-fail2ban-exporter.pod.annotations" -}}
 {{ include "prometheus-fail2ban-exporter.annotations" . }}
+
+# The following annotations are required to trigger a rolling update. Further information can be found in the official
+# documentation of helm:
+#
+#   https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
+#
+
+{{/* web config */}}
+{{- if and .Values.config.webConfig.existingSecret.enabled .Values.config.webConfig.existingSecret.secretName }}
+{{- $secret := default (dict "data" (dict)) (lookup "v1" "Secret" .Release.Namespace .Values.config.webConfig.existingSecret.secretName ) }}
+checksum/secret-web-config: {{ print $secret.spec | sha256sum }}
+{{- else }}
+checksum/secret-web-config: {{ include (print $.Template.BasePath "/prometheus-fail2ban-exporter/secretWebConfig.yaml") . | sha256sum }}
+{{- end }}
+
 {{- end }}

 {{/* labels */}}
--- a/templates/prometheus-fail2ban-exporter/daemonSet.yaml
+++ b/templates/prometheus-fail2ban-exporter/daemonSet.yaml
@ -17,6 +17,8 @@ spec:
      {{- include "prometheus-fail2ban-exporter.pod.selectorLabels" . | nindent 6 }}
  template:
    metadata:
+      annotations:
+        {{- include "prometheus-fail2ban-exporter.pod.annotations" . | nindent 8 }}
      labels:
        {{- include "prometheus-fail2ban-exporter.pod.labels" . | nindent 8 }}
    spec:
--- a/unittests/daemonset/daemonset.yaml
+++ b/unittests/daemonset/daemonset.yaml
@ -7,18 +7,22 @@ release:
  namespace: testing
 templates:
 - templates/prometheus-fail2ban-exporter/daemonSet.yaml
+- templates/prometheus-fail2ban-exporter/secretWebConfig.yaml
 tests:
 - it: Rendering default
  asserts:
  - hasDocuments:
      count: 1
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - containsDocument:
      apiVersion: apps/v1
      kind: DaemonSet
      name: prometheus-fail2ban-exporter-unittest
      namespace: testing
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - notExists:
      path: metadata.annotations
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - equal:
      path: metadata.labels
      value:
@ -27,15 +31,31 @@ tests:
        app.kubernetes.io/name: prometheus-fail2ban-exporter
        app.kubernetes.io/version: 0.1.0
        helm.sh/chart: prometheus-fail2ban-exporter-0.1.0
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+  - exists:
+      path: spec.template.metadata.annotations.checksum/secret-web-config
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+  - equal:
+      path: spec.template.metadata.labels
+      value:
+        app.kubernetes.io/instance: prometheus-fail2ban-exporter-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: prometheus-fail2ban-exporter
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: prometheus-fail2ban-exporter-0.1.0
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - notExists:
      path: spec.template.spec.affinity
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - notExists:
      path: spec.template.spec.containers[0].envFrom
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - equal:
      path: spec.template.spec.containers[0].args
      value:
      # - --web.config.file=/etc/prometheus-fail2ban-exporter/config.d/webConfig.yaml
      - --web.listen-address=:9191
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - equal:
      path: spec.template.spec.containers[0].volumeMounts
      value:
@ -43,6 +63,7 @@ tests:
        name: socket
      - mountPath: /etc/prometheus-fail2ban-exporter/config.d
        name: config-d
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - equal:
      path: spec.template.spec.volumes
      value:
@ -53,42 +74,59 @@ tests:
      - name: config-d
        secret:
          secretName: prometheus-fail2ban-exporter-unittest-web-config
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - equal:
      path: spec.template.spec.containers[0].image
      value: git.cryptic.systems/volker.raschek/prometheus-fail2ban-exporter:0.1.0
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - equal:
      path: spec.template.spec.containers[0].imagePullPolicy
      value: IfNotPresent
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - notExists:
      path: spec.template.spec.containers[0].resources
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - notExists:
      path: spec.template.spec.containers[0].securityContext
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - notExists:
      path: spec.template.spec.dnsConfig
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - notExists:
      path: spec.template.spec.dnsPolicy
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - notExists:
      path: spec.template.spec.hostname
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - equal:
      path: spec.template.spec.hostNetwork
      value: false
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - notExists:
      path: spec.template.spec.imagePullSecrets
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - notExists:
      path: spec.template.spec.nodeSelector
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - notExists:
      path: spec.template.spec.priorityClassName
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - notExists:
      path: spec.template.spec.restartPolicy
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - notExists:
      path: spec.template.spec.subdomain
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - equal:
      path: spec.template.spec.terminationGracePeriodSeconds
      value: 60
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - notExists:
      path: spec.template.spec.tolerations
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - notExists:
      path: spec.template.spec.topologySpreadConstraints
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - equal:
      path: spec.updateStrategy
      value:
@ -96,6 +134,7 @@ tests:
          maxSurge: 1
          maxUnavailable: 0
        type: "RollingUpdate"
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

 - it: Test custom affinity
  set:
@ -122,6 +161,7 @@ tests:
                values:
                - antarctica-east1
                - antarctica-west1
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

 - it: Test additional arguments
  set:
@ -136,6 +176,7 @@ tests:
      - --web.listen-address=:9191
      - --foo=bar
      - --bar=foo
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

 - it: Test custom imageRegistry and imageRepository
  set:
@ -145,6 +186,7 @@ tests:
  - equal:
      path: spec.template.spec.containers[0].image
      value: registry.example.local/path/special/prometheus-fail2ban-exporter:0.1.0
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

 - it: Test custom imagePullPolicy
  set:
@ -153,6 +195,7 @@ tests:
  - equal:
      path: spec.template.spec.containers[0].imagePullPolicy
      value: Always
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

 - it: Test config.webConfig.existingSecret
  set:
@ -166,6 +209,7 @@ tests:
        name: socket
      - mountPath: /etc/prometheus-fail2ban-exporter/config.d
        name: config-d
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - equal:
      path: spec.template.spec.volumes
      value:
@ -176,6 +220,7 @@ tests:
      - name: config-d
        secret:
          secretName: web-config-secret
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

 - it: Test custom resource limits and requests
  set:
@ -195,6 +240,7 @@ tests:
          resourceFieldRef:
            divisor: "1"
            resource: limits.cpu
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - equal:
      path: spec.template.spec.containers[0].resources
      value:
@ -204,6 +250,7 @@ tests:
        requests:
          cpu: 25m
          memory: 100MB
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

 - it: Test custom securityContext
  set:
@ -230,6 +277,7 @@ tests:
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 1000
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

 - it: Test dnsConfig
  set:
@ -244,6 +292,7 @@ tests:
        nameservers:
        - "8.8.8.8"
        - "8.8.4.4"
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

 - it: Test dnsPolicy
  set:
@ -252,6 +301,7 @@ tests:
  - equal:
      path: spec.template.spec.dnsPolicy
      value: ClusterFirst
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

 - it: Test hostNetwork, hostname, subdomain
  set:
@ -262,12 +312,15 @@ tests:
  - equal:
      path: spec.template.spec.hostNetwork
      value: true
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - equal:
      path: spec.template.spec.hostname
      value: pg-exporter
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - equal:
      path: spec.template.spec.subdomain
      value: exporters.internal
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

 - it: Test imagePullSecrets
  set:
@ -280,6 +333,7 @@ tests:
      value:
      - name: my-pull-secret
      - name: my-special-secret
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

 - it: Test nodeSelector
  set:
@ -290,6 +344,7 @@ tests:
      path: spec.template.spec.nodeSelector
      value:
        foo: bar
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

 - it: Test priorityClassName
  set:
@ -298,6 +353,7 @@ tests:
  - equal:
      path: spec.template.spec.priorityClassName
      value: my-priority
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

 - it: Test restartPolicy
  set:
@ -306,6 +362,7 @@ tests:
  - equal:
      path: spec.template.spec.restartPolicy
      value: Always
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

 - it: Test terminationGracePeriodSeconds
  set:
@ -314,6 +371,7 @@ tests:
  - equal:
      path: spec.template.spec.terminationGracePeriodSeconds
      value: 120
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

 - it: Test tolerations
  set:
@ -330,6 +388,7 @@ tests:
        operator: Equal
        value: fail2ban
        effect: NoSchedule
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

 - it: Test topologySpreadConstraints
  set:
@ -348,6 +407,7 @@ tests:
        labelSelector:
          matchLabels:
            app.kubernetes.io/instance: prometheus-fail2ban-exporter
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

 - it: Test additional volumeMounts and volumes
  set:
@ -366,6 +426,7 @@ tests:
        mountPath: /usr/lib/prometheus-fail2ban-exporter/data
      - name: config-d
        mountPath: /etc/prometheus-fail2ban-exporter/config.d
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
  - equal:
      path: spec.template.spec.volumes
      value:
@ -374,4 +435,5 @@ tests:
          path: /usr/lib/prometheus-fail2ban-exporter/data
      - name: config-d
        secret:
-          secretName: prometheus-fail2ban-exporter-unittest-web-config
+          secretName: prometheus-fail2ban-exporter-unittest-web-config
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml