9

We are using secrets as environment variables on pods, but every time we update the secrets, we have to redeploy the pods for the changes to take effect. We are looking for a mechanism where Pods get restarted automatically whenever secrets get updated. Any help on this?

Thanks in advance.

OsTeNg24
ramesh reddy

3 Answers

4

There are many ways to handle this.

First, use a Deployment instead of "naked" Pods that are not managed. The Deployment will create new Pods for you when the Pod template is changed.

Second, managing Secrets may be a bit tricky. It would be great if you can use a setup where you can use Kustomize SecretGenerator - then each new Secret will get its unique name. In addition, that unique name is reflected in the Deployment automatically - and your pods will automatically be recreated when a Secret is changed - this matches your original problem. When the Secret and Deployment are handled this way, you apply the changes with:

kubectl apply -k <folder>
Jonas
  • 1
    I use Deployments to create pods and use secrets as env variables at the Pod level, but I am not using Kustomize Generator. How can I make sure pods get restarted when secrets are changed? – ramesh reddy Oct 27 '20 at 13:39
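A sketch of the Kustomize SecretGenerator setup described in the answer above, added here as an example and not taken from the original post. The names `app-credentials`, `demo-app`, `credentials.env` and the image are assumptions; the two files are shown in one block, separated by `---`.

```yaml
# kustomization.yaml (constructed example; all names are assumptions)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
secretGenerator:
  - name: app-credentials
    # KEY=value lines, one per variable. Keep this file out of version
    # control; anyone who can read it can read the secret values.
    envs:
      - credentials.env
---
# deployment.yaml (constructed example)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      labels:
        app: demo-app
    spec:
      containers:
        - name: app
          image: registry.example.com/demo-app:1.0
          envFrom:
            # Refer to the generator's base name. Kustomize rewrites this
            # reference to the generated name, which carries a suffix
            # derived from the Secret's contents.
            - secretRef:
                name: app-credentials
```

Changing `credentials.env` and re-running `kubectl apply -k <folder>` produces a Secret with a new name suffix, so the Pod template changes and the Deployment rolls out new Pods. Secrets generated by earlier applies stay in the cluster until they are deleted, so clean them up once the rollout has finished.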
4

If you mount your secrets into the pod, they will get updated automatically; you don't have to restart your pod, as mentioned here

Another approach is Stakater Reloader, which can reload your deployments based on configs, secrets, etc.

Mohsin Amjad
  • 1
    I am not mounting secrets, I am using them as env vars. Is it possible to get the pod restarted when secrets get updated? – ramesh reddy Oct 28 '20 at 08:50
  • 1
    I've already mentioned that you either have to mount them or use an external service. If you are not mounting secrets, then you can use "Stakater Reloader"; please look at its docs, as it is clearly mentioned there how to do a rolling update on secret change – Mohsin Amjad Oct 28 '20 at 11:37
  • I am not allowed to use an external service – ramesh reddy Oct 28 '20 at 13:26
0

There are multiple ways of doing this:

  • Simply restart the pod

    • this can be done manually, or,
    • you could use an operator provided by VMware carvel kapp controller (documentation). Using kapp controller you can reload the secrets/configmap without needing to restart the pods (it effectively runs helm template <package> on a periodic basis and applies the changes if it finds any differences in the helm template). Check out my design for reloading the log level without needing to restart the pod.
  • Using service bindings https://servicebinding.io/

Vishrant