From 3c8fb86231e7435c5eb2b24913e70b9de9d9f196 Mon Sep 17 00:00:00 2001
From: Markus Pesch <markus.pesch@cryptic.systems>
Date: Thu, 29 May 2025 11:22:05 +0200
Subject: [PATCH] fix(deployment): define annotations to automatically roll
 deployments

The following patch extends the chart to automatically roll the deployment, when
one of the configurations, stored in a config map or secret, has been changed.

The implementation adds annotations that cause `helm update` or ArgoCD to
roll the deployment. Further information can be found on the official Helm
website:

  https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
---
 .../prometheus-postgres-exporter/_pod.tpl     |  31 +++
 .../deployment.yaml                           |   2 +
 unittests/deployment/deployment.yaml          | 205 +++++++++++++++++-
 3 files changed, 236 insertions(+), 2 deletions(-)

diff --git a/templates/prometheus-postgres-exporter/_pod.tpl b/templates/prometheus-postgres-exporter/_pod.tpl
index f18b6cc..a8d5da3 100644
--- a/templates/prometheus-postgres-exporter/_pod.tpl
+++ b/templates/prometheus-postgres-exporter/_pod.tpl
@@ -4,6 +4,37 @@
 
 {{- define "prometheus-postgres-exporter.pod.annotations" -}}
 {{ include "prometheus-postgres-exporter.annotations" . }}
+
+# The following annotations are required to trigger a rolling update. Further information can be found in the official
+# documentation of helm:
+#
+#   https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
+#
+
+{{/* database */}}
+{{- if and .Values.config.database.existingSecret.enabled .Values.config.database.existingSecret.secretName }}
+{{- $secret := default (dict "data" (dict)) (lookup "v1" "Secret" .Release.Namespace .Values.config.database.existingSecret.secretName ) }}
+checksum/secret-database: {{ print $secret.spec | sha256sum }}
+{{- else }}
+checksum/secret-database: {{ include (print $.Template.BasePath "/prometheus-postgres-exporter/secretDatabase.yaml") . | sha256sum }}
+{{- end }}
+
+{{/* exporter config */}}
+{{- if and .Values.config.exporterConfig.existingSecret.enabled .Values.config.exporterConfig.existingSecret.secretName }}
+{{- $secret := default (dict "data" (dict)) (lookup "v1" "Secret" .Release.Namespace .Values.config.exporterConfig.existingSecret.secretName ) }}
+checksum/secret-exporter-config: {{ print $secret.spec | sha256sum }}
+{{- else }}
+checksum/secret-exporter-config: {{ include (print $.Template.BasePath "/prometheus-postgres-exporter/secretExporterConfig.yaml") . | sha256sum }}
+{{- end }}
+
+{{/* web config */}}
+{{- if and .Values.config.webConfig.existingSecret.enabled .Values.config.webConfig.existingSecret.secretName }}
+{{- $secret := default (dict "data" (dict)) (lookup "v1" "Secret" .Release.Namespace .Values.config.webConfig.existingSecret.secretName ) }}
+checksum/secret-web-config: {{ print $secret.spec | sha256sum }}
+{{- else }}
+checksum/secret-web-config: {{ include (print $.Template.BasePath "/prometheus-postgres-exporter/secretWebConfig.yaml") . | sha256sum }}
+{{- end }}
+
 {{- end }}
 
 {{/* labels */}}
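Review bot: `$secret.spec` on the three `existingSecret` branches (`checksum/secret-database`, `checksum/secret-exporter-config`, `checksum/secret-web-config`) reads a field that a v1 Secret does not have, so `print $secret.spec` renders the same text whatever the secret holds and the annotation never changes when the referenced secret does. The fallback `dict "data" (dict)` suggests `.data` was intended, e.g. `checksum/secret-database: {{ $secret.data | toJson | sha256sum }}`. `lookup` also returns an empty result under `helm template` and `--dry-run`, so a renderer that does not query the cluster (likely how ArgoCD renders the chart) still gets a constant value on this path; a template comment saying so would help. Because these digests land in pod metadata, which is often readable by more principals than the Secret itself, the chart documentation should note that a low-entropy credential could be recovered from its digest and recommend strong, generated values.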
diff --git a/templates/prometheus-postgres-exporter/deployment.yaml b/templates/prometheus-postgres-exporter/deployment.yaml
index 3287681..215eda9 100644
--- a/templates/prometheus-postgres-exporter/deployment.yaml
+++ b/templates/prometheus-postgres-exporter/deployment.yaml
@@ -18,6 +18,8 @@ spec:
       {{- include "prometheus-postgres-exporter.pod.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      annotations:
+        {{- include "prometheus-postgres-exporter.pod.annotations" . | nindent 8 }}
       labels:
         {{- include "prometheus-postgres-exporter.pod.labels" . | nindent 8 }}
     spec:
diff --git a/unittests/deployment/deployment.yaml b/unittests/deployment/deployment.yaml
index c5ed8b8..486b4ee 100644
--- a/unittests/deployment/deployment.yaml
+++ b/unittests/deployment/deployment.yaml
@@ -7,18 +7,29 @@ release:
   namespace: testing
 templates:
 - templates/prometheus-postgres-exporter/deployment.yaml
+- templates/prometheus-postgres-exporter/secretDatabase.yaml
+- templates/prometheus-postgres-exporter/secretExporterConfig.yaml
+- templates/prometheus-postgres-exporter/secretWebConfig.yaml
 tests:
 - it: Rendering default
+  set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
   asserts:
   - hasDocuments:
       count: 1
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - containsDocument:
       apiVersion: apps/v1
       kind: Deployment
       name: prometheus-postgres-exporter-unittest
       namespace: testing
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - notExists:
-      path: metadata.annotations
+      path: metadata.annotations.checksum/secret-database
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - equal:
       path: metadata.labels
       value:
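Review bot: The `notExists` assertion is narrowed from `metadata.annotations` to the single key `metadata.annotations.checksum/secret-database`, which weakens the check on the Deployment's own metadata. The template hunk in this patch only adds annotations under `spec.template.metadata`, so the original `path: metadata.annotations` would presumably still pass and should be kept if it does. If the Deployment metadata now legitimately carries annotations, assert that `checksum/secret-exporter-config` and `checksum/secret-web-config` are absent there too, so a checksum rendered onto the wrong object is caught.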
@@ -27,27 +38,51 @@ tests:
         app.kubernetes.io/name: prometheus-postgres-exporter
         app.kubernetes.io/version: 0.1.0
         helm.sh/chart: prometheus-postgres-exporter-0.1.0
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - equal:
       path: spec.replicas
       value: 1
+    template: templates/prometheus-postgres-exporter/deployment.yaml
+  - exists:
+      path: spec.template.metadata.annotations.checksum/secret-database
+    template: templates/prometheus-postgres-exporter/deployment.yaml
+  - exists:
+      path: spec.template.metadata.annotations.checksum/secret-exporter-config
+    template: templates/prometheus-postgres-exporter/deployment.yaml
+  - exists:
+      path: spec.template.metadata.annotations.checksum/secret-web-config
+    template: templates/prometheus-postgres-exporter/deployment.yaml
+  - equal:
+      path: spec.template.metadata.labels
+      value:
+        app.kubernetes.io/instance: prometheus-postgres-exporter-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: prometheus-postgres-exporter
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: prometheus-postgres-exporter-0.1.0
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - notExists:
       path: spec.template.spec.affinity
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - contains:
       path: spec.template.spec.containers[0].envFrom
       content:
         secretRef:
           name: prometheus-postgres-exporter-unittest-database-env
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - equal:
       path: spec.template.spec.containers[0].args
       value:
       - --config.file=/etc/prometheus-postgres-exporter/config.d/exporterConfig.yaml
       - --web.config.file=/etc/prometheus-postgres-exporter/config.d/webConfig.yaml
       - --web.listen-address=:9187
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - equal:
       path: spec.template.spec.containers[0].volumeMounts
       value:
       - mountPath: /etc/prometheus-postgres-exporter/config.d
         name: config-d
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - equal:
       path: spec.template.spec.volumes
       value:
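Review bot: The three `exists` assertions on `spec.template.metadata.annotations.checksum/*` only prove that the keys are rendered; they would pass even if the digest were a constant. None of the visible tests asserts a checksum on the `existingSecret` paths (`Test config.database.existingSecret` and the two tests after it), and `lookup` has no cluster to query in a unit test, so that branch of the helper appears to be untested. Consider pinning the format with `matchRegex` and `pattern: ^[a-f0-9]{64}$`, and adding a case with a different `config.database.secret.databasePassword` that asserts `notEqual` against the digest pinned from the default case.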
@@ -59,42 +94,59 @@ tests:
               name: prometheus-postgres-exporter-unittest-exporter-config
           - secret:
               name: prometheus-postgres-exporter-unittest-web-config
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - equal:
       path: spec.template.spec.containers[0].image
       value: quay.io/prometheuscommunity/postgres-exporter:v0.1.0
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - equal:
       path: spec.template.spec.containers[0].imagePullPolicy
       value: IfNotPresent
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].resources
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - notExists:
       path: spec.template.spec.containers[0].securityContext
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - notExists:
       path: spec.template.spec.dnsConfig
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - notExists:
       path: spec.template.spec.dnsPolicy
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - notExists:
       path: spec.template.spec.hostname
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - equal:
       path: spec.template.spec.hostNetwork
       value: false
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - notExists:
       path: spec.template.spec.imagePullSecrets
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - notExists:
       path: spec.template.spec.nodeSelector
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - notExists:
       path: spec.template.spec.priorityClassName
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - notExists:
       path: spec.template.spec.restartPolicy
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - notExists:
       path: spec.template.spec.subdomain
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - equal:
       path: spec.template.spec.terminationGracePeriodSeconds
       value: 60
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - notExists:
       path: spec.template.spec.tolerations
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - notExists:
       path: spec.template.spec.topologySpreadConstraints
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - equal:
       path: spec.strategy
       value:
@@ -102,17 +154,31 @@ tests:
         rollingUpdate:
           maxSurge: 1
           maxUnavailable: 1
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test custom replicas
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     deployment.replicas: 3
   asserts:
   - equal:
       path: spec.replicas
       value: 3
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test custom affinity
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     deployment.affinity:
       nodeAffinity:
         requiredDuringSchedulingIgnoredDuringExecution:
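Review bot: The same three `config.database.secret.*` values and the `# Ensure that the secrets and config maps are well configured.` comment are pasted into the `set:` block of this test and almost every later one, and `template:` is repeated on every single assertion. If the helm-unittest version in use supports it, declaring the values once in a suite-level `set:` and giving each test one `template: templates/prometheus-postgres-exporter/deployment.yaml` would keep the fixture in one place and shrink the file considerably. The same applies to the hunks that follow for the remaining tests.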
@@ -136,9 +202,16 @@ tests:
                 values:
                 - antarctica-east1
                 - antarctica-west1
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test additional arguments
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     deployment.postgresExporter.args:
     - "--foo=bar"
     - "--bar=foo"
@@ -151,26 +224,42 @@ tests:
       - --web.listen-address=:9187
       - --foo=bar
       - --bar=foo
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test custom imageRegistry and imageRepository
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     deployment.postgresExporter.image.registry: registry.example.local
     deployment.postgresExporter.image.repository: path/special/prometheus-postgres-exporter
   asserts:
   - equal:
       path: spec.template.spec.containers[0].image
       value: registry.example.local/path/special/prometheus-postgres-exporter:v0.1.0
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test custom imagePullPolicy
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     deployment.postgresExporter.image.pullPolicy: Always
   asserts:
   - equal:
       path: spec.template.spec.containers[0].imagePullPolicy
       value: Always
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test config.database.existingSecret
   set:
+    # Normal test values
     config.database.existingSecret.enabled: true
     config.database.existingSecret.secretName: custom-database-secret
   asserts:
@@ -179,9 +268,16 @@ tests:
       content:
         secretRef:
           name: custom-database-secret
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test config.exporterConfig.existingSecret
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     config.exporterConfig.existingSecret.enabled: true
     config.exporterConfig.existingSecret.secretName: exporter-config-secret
   asserts:
@@ -190,6 +286,7 @@ tests:
       value:
       - mountPath: /etc/prometheus-postgres-exporter/config.d
         name: config-d
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - equal:
       path: spec.template.spec.volumes
       value:
@@ -201,9 +298,16 @@ tests:
               name: exporter-config-secret
           - secret:
               name: prometheus-postgres-exporter-unittest-web-config
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test config.webConfig.existingSecret
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     config.webConfig.existingSecret.enabled: true
     config.webConfig.existingSecret.secretName: web-config-secret
   asserts:
@@ -212,6 +316,7 @@ tests:
       value:
       - mountPath: /etc/prometheus-postgres-exporter/config.d
         name: config-d
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - equal:
       path: spec.template.spec.volumes
       value:
@@ -223,9 +328,16 @@ tests:
               name: prometheus-postgres-exporter-unittest-exporter-config
           - secret:
               name: web-config-secret
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test custom resource limits and requests
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     deployment.postgresExporter.resources:
       limits:
         cpu: 100m
@@ -242,6 +354,7 @@ tests:
           resourceFieldRef:
             divisor: "1"
             resource: limits.cpu
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - equal:
       path: spec.template.spec.containers[0].resources
       value:
@@ -251,9 +364,16 @@ tests:
         requests:
           cpu: 25m
           memory: 100MB
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test custom securityContext
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     deployment.postgresExporter.securityContext:
       capabilities:
         add:
@@ -277,9 +397,16 @@ tests:
         readOnlyRootFilesystem: true
         runAsNonRoot: true
         runAsUser: 1000
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test dnsConfig
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     deployment.dnsConfig:
       nameservers:
       - "8.8.8.8"
@@ -291,17 +418,31 @@ tests:
         nameservers:
         - "8.8.8.8"
         - "8.8.4.4"
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test dnsPolicy
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     deployment.dnsPolicy: ClusterFirst
   asserts:
   - equal:
       path: spec.template.spec.dnsPolicy
       value: ClusterFirst
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test hostNetwork, hostname, subdomain
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     deployment.hostNetwork: true
     deployment.hostname: pg-exporter
     deployment.subdomain: exporters.internal
@@ -309,15 +450,24 @@ tests:
   - equal:
       path: spec.template.spec.hostNetwork
       value: true
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - equal:
       path: spec.template.spec.hostname
       value: pg-exporter
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - equal:
       path: spec.template.spec.subdomain
       value: exporters.internal
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test imagePullSecrets
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     deployment.imagePullSecrets:
     - name: my-pull-secret
     - name: my-special-secret
@@ -327,9 +477,16 @@ tests:
       value:
       - name: my-pull-secret
       - name: my-special-secret
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test nodeSelector
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     deployment.nodeSelector:
       foo: bar
   asserts:
@@ -337,33 +494,61 @@ tests:
       path: spec.template.spec.nodeSelector
       value:
         foo: bar
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test priorityClassName
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     deployment.priorityClassName: my-priority
   asserts:
   - equal:
       path: spec.template.spec.priorityClassName
       value: my-priority
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test restartPolicy
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     deployment.restartPolicy: Always
   asserts:
   - equal:
       path: spec.template.spec.restartPolicy
       value: Always
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test terminationGracePeriodSeconds
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     deployment.terminationGracePeriodSeconds: 120
   asserts:
   - equal:
       path: spec.template.spec.terminationGracePeriodSeconds
       value: 120
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test tolerations
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     deployment.tolerations:
     - key: database/type
       operator: Equal
@@ -377,9 +562,16 @@ tests:
         operator: Equal
         value: postgres
         effect: NoSchedule
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test topologySpreadConstraints
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     deployment.topologySpreadConstraints:
     - topologyKey: kubernetes.io/hostname
       whenUnsatisfiable: DoNotSchedule
@@ -395,9 +587,16 @@ tests:
         labelSelector:
           matchLabels:
             app.kubernetes.io/instance: prometheus-postgres-exporter
+    template: templates/prometheus-postgres-exporter/deployment.yaml
 
 - it: Test additional volumeMounts and volumes
   set:
+    # Ensure that the secrets and config maps are well configured.
+    config.database.secret.databaseUsername: "postgres"
+    config.database.secret.databasePassword: "postgres"
+    config.database.secret.databaseConnectionUrl: "localhost:5432/postgres?sslmode=disable"
+
+    # Normal test values
     deployment.postgresExporter.volumeMounts:
     - name: data
       mountPath: /usr/lib/prometheus-postgres-exporter/data
@@ -413,6 +612,7 @@ tests:
         mountPath: /usr/lib/prometheus-postgres-exporter/data
       - name: config-d
         mountPath: /etc/prometheus-postgres-exporter/config.d
+    template: templates/prometheus-postgres-exporter/deployment.yaml
   - equal:
       path: spec.template.spec.volumes
       value:
@@ -426,4 +626,5 @@ tests:
           - secret:
               name: prometheus-postgres-exporter-unittest-exporter-config
           - secret:
-              name: prometheus-postgres-exporter-unittest-web-config
\ No newline at end of file
+              name: prometheus-postgres-exporter-unittest-web-config
+    template: templates/prometheus-postgres-exporter/deployment.yaml
\ No newline at end of file