martincekada opened a new pull request, #66468:
URL: https://github.com/apache/airflow/pull/66468
## Root cause
The api-server deployment template
(`chart/templates/api-server/api-server-deployment.yaml`) has `checksum/...`
annotations for several config sources — `airflow-config`, `extra-configmaps`,
`extra-secrets`, `metadata-secret`, `pgbouncer-config-secret`, and (since
#60111) `jwt-secret` — but is missing one for the api-server ConfigMap rendered
from `apiServer.apiServerConfig`.
When users change `apiServer.apiServerConfig`:
- The `airflow-api-server-config` ConfigMap is updated.
- The api-server deployment's pod template hash is **not** bumped, so no
rolling restart happens.
- The api-server pods keep running with the previous `webserver_config.py`.
The mount uses `subPath`, so kubelet does not auto-refresh the file inside
running pods either.
The user-visible symptom is that custom auth/security changes silently fail
to take effect after `helm upgrade` until someone manually runs
`kubectl rollout restart deploy/<release>-api-server`.
## Solution
Add a `checksum/api-server-config` annotation to
`chart/templates/api-server/api-server-deployment.yaml`, guarded by the same
condition that controls whether
`chart/templates/configmaps/api-server-configmap.yaml` actually renders:
```yaml
{{- if and .Values.apiServer.apiServerConfig (not .Values.apiServer.apiServerConfigConfigMapName) }}
checksum/api-server-config: {{ include (print $.Template.BasePath "/configmaps/api-server-configmap.yaml") . | sha256sum }}
{{- end }}
```
This mirrors the pattern used in #60111 for `checksum/jwt-secret`. Same
shape of bug, same shape of fix, +3/0 in one template.
## Changes
- Added `checksum/api-server-config` annotation to the api-server deployment
template.
- Conditional matches the api-server ConfigMap render condition: only when
`apiServer.apiServerConfig` is set and `apiServer.apiServerConfigConfigMapName`
is not (i.e., when the chart manages the ConfigMap).
closes: #66467
---
##### Was generative AI tooling used to co-author this PR?
- [X] Yes (please specify the tool below)
<!-- Generated-by: Claude Code (Anthropic) following
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
-->
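An added example, not part of the pull request or the Airflow chart: a check for the symptom described above, flagging pods that mount the ConfigMap via `subPath` and started before its last write. It works on objects shaped like `kubectl get -o json` output; the sample objects, pod names, volume name and mount path are constructed, and only the ConfigMap name and `webserver_config.py` come from the post.

```python
from datetime import datetime

def parse_ts(value):
    # Kubernetes serialises timestamps as RFC 3339 UTC, e.g. 2024-05-01T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def configmap_last_write(cm):
    """Newest managedFields time on the ConfigMap, falling back to its creation time."""
    meta = cm["metadata"]
    times = [f["time"] for f in meta.get("managedFields", []) if "time" in f]
    times.append(meta["creationTimestamp"])
    return max(parse_ts(t) for t in times)

def subpath_volumes(pod, cm_name):
    """Pod volumes backed by cm_name that some container mounts with subPath."""
    backed = {v["name"] for v in pod["spec"].get("volumes", [])
              if v.get("configMap", {}).get("name") == cm_name}
    return {m["name"] for c in pod["spec"]["containers"]
            for m in c.get("volumeMounts", [])
            if m["name"] in backed and m.get("subPath")}

def stale_pods(cm, pods):
    """Pods started before the last ConfigMap write that will never see it (subPath)."""
    written = configmap_last_write(cm)
    return sorted(p["metadata"]["name"] for p in pods
                  if subpath_volumes(p, cm["metadata"]["name"])
                  and parse_ts(p["status"]["startTime"]) < written)

def make_pod(name, start, sub_path="webserver_config.py"):
    # Constructed pod object; volume name and mountPath are assumptions.
    mount = {"name": "api-server-config",
             "mountPath": "/opt/airflow/webserver_config.py"}
    if sub_path:
        mount["subPath"] = sub_path
    return {"metadata": {"name": name}, "status": {"startTime": start},
            "spec": {"volumes": [{"name": "api-server-config",
                                  "configMap": {"name": "airflow-api-server-config"}}],
                     "containers": [{"name": "api-server", "volumeMounts": [mount]}]}}

# Constructed sample: ConfigMap rewritten by an upgrade one day after creation.
CM = {"metadata": {"name": "airflow-api-server-config",
                   "creationTimestamp": "2024-05-01T09:00:00Z",
                   "managedFields": [{"manager": "helm", "time": "2024-05-02T12:00:00Z"}]}}
PODS = [make_pod("api-server-old", "2024-05-01T09:05:00Z"),
        make_pod("api-server-new", "2024-05-02T12:01:00Z"),
        make_pod("api-server-nosubpath", "2024-05-01T09:05:00Z", sub_path=None)]

if __name__ == "__main__":
    print(stale_pods(CM, PODS))
```

`managedFields` times also move on label or annotation edits, so a flagged pod means "check this", not proof that the file content differs.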