Add annotation on config change
When updating the Vault config (and corresponding
configmap), we now generate a checksum of the config
and set it as an annotation on both the configmap
and the Vault StatefulSet pod template.

This allows the deployer to know what pods need to
be restarted to pick up a changed config.

We still recommend using the standard upgrade
[method for Vault on Kubernetes](https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-raft-deployment-guide#upgrading-vault-on-kubernetes),
i.e., using the `OnDelete` strategy
for the Vault StatefulSet, so updating the config
and doing a `helm upgrade` should not trigger the
pods to restart, and then deleting pods one
at a time, starting with the standby pods.

With `kubectl` and `jq`, you can check which
pods need to be updated by first getting the value
of the current configmap checksum:

```shell
kubectl get pods -o json | jq -r ".items[] | select(.metadata.annotations.\"config/checksum\" != $(kubectl get configmap vault-config -o json | jq '.metadata.annotations."config/checksum"') ) | .metadata.name"
```

Fixes #748.
Christopher Swenson committed Mar 7, 2024
1 parent 7a127f8 commit 16dd8e3
Showing 2 changed files with 31 additions and 21 deletions.
30 changes: 28 additions & 2 deletions templates/_helpers.tpl
Expand Up @@ -457,9 +457,10 @@ Sets the injector deployment update strategy
{{/*
Sets extra pod annotations
*/}}
{{- define "vault.annotations" -}}
{{- if .Values.server.annotations }}
{{- define "vault.annotations" }}
annotations:
config/checksum: {{ include "vault.config" . | sha256sum }}
{{- if .Values.server.annotations }}
{{- $tp := typeOf .Values.server.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.annotations . | nindent 8 }}
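Review bot: In `vault.annotations`, the `annotations:` key and the `config/checksum` entry are now emitted unconditionally, ahead of the `.Values.server.annotations` block, so a user who already sets a `config/checksum` key in `server.annotations` ends up with a duplicate key in the pod template. Because `vault.config` renders nothing outside `ha` and `standalone` mode, every other mode also gets the SHA-256 of an empty string as its annotation. Consider guarding the checksum line with the same mode test that `vault.config` uses and documenting `config/checksum` as a reserved key in the values documentation. Since the annotation changes the pod template, it is also worth stating next to it that any update strategy other than `OnDelete` will roll the pods on a config change.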
Expand Down Expand Up @@ -1075,3 +1076,28 @@ Supported inputs are Values.ui
{{- end -}}
{{- end }}
{{- end -}}

{{/*
config file from values
*/}}
{{- define "vault.config" -}}
{{- if or (eq .mode "ha") (eq .mode "standalone") }}
{{- $type := typeOf (index .Values.server .mode).config }}
{{- if eq $type "string" }}
disable_mlock = true
{{- if eq .mode "standalone" }}
{{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }}
{{ tpl .Values.server.ha.config . | nindent 4 | trim }}
{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
{{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }}
{{ end }}
{{- else }}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }}
{{- else }}
{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
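Review bot: `vault.config` reads `.mode`, but nothing in the helper sets it or documents that the caller must, and the helper is now also reached through `vault.annotations`. If `.mode` is unset on that path, both `eq` tests fail silently and the checksum hashes empty output, so the pod annotation would never match the ConfigMap's. Extend the `config file from values` comment to state that precondition. The body also keeps the `nindent 4` and `indent 4` calls written for the ConfigMap `data` block, so the hashed text includes layout whitespace; that is harmless while both annotations hash the same output, but a comment saying so would stop someone from "fixing" the indentation in only one place.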
22 changes: 3 additions & 19 deletions templates/server-config-configmap.yaml
Expand Up @@ -18,27 +18,11 @@ metadata:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
config/checksum: {{ include "vault.config" . | sha256sum }}
data:
extraconfig-from-values.hcl: |-
{{- if or (eq .mode "ha") (eq .mode "standalone") }}
{{- $type := typeOf (index .Values.server .mode).config }}
{{- if eq $type "string" }}
disable_mlock = true
{{- if eq .mode "standalone" }}
{{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }}
{{ tpl .Values.server.ha.config . | nindent 4 | trim }}
{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
{{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }}
{{ end }}
{{- else }}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }}
{{- else }}
{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{ template "vault.config" . }}
{{- end }}
{{- end }}
{{- end }}
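Review bot: The ConfigMap body is rendered with `{{ template "vault.config" . }}` while the annotation a few lines above uses `include "vault.config" .`; using `include` in both places keeps the stored text and the hashed text visibly tied to the same call form and allows piping if the indentation ever moves out of the helper. The commit touches only the two template files, so nothing tests that the ConfigMap annotation and the StatefulSet pod template annotation come out equal. A unit test that renders both and compares the two `config/checksum` values would protect the restart check described in the commit message.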