jscheffl commented on code in PR #68265:
URL: https://github.com/apache/airflow/pull/68265#discussion_r3383584987
##########
chart/templates/api-server/api-server-deployment.yaml:
##########
@@ -86,6 +86,7 @@ spec:
annotations:
checksum/metadata-secret: {{ include (print $.Template.BasePath
"/secrets/metadata-connection-secret.yaml") . | sha256sum }}
checksum/pgbouncer-config-secret: {{ include (print
$.Template.BasePath "/secrets/pgbouncer-config-secret.yaml") . | sha256sum }}
+ checksum/fernet-key: {{ include (print $.Template.BasePath
"/secrets/fernetkey-secret.yaml") . | sha256sum }}
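Review bot: the added `checksum/fernet-key` line calls `include` on `/secrets/fernetkey-secret.yaml` with no surrounding condition. In any configuration where that template renders no output, the annotation becomes the `sha256sum` of empty output: a constant that never triggers a rollout, yet reads as if the key were being tracked. Put the line under the same condition that controls whether the secret template renders, so the annotation exists only when the chart produces the secret. As a style point, the two neighbouring keys end in `-secret` (`checksum/metadata-secret`, `checksum/pgbouncer-config-secret`), so `checksum/fernet-key-secret` would keep the naming consistent.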
Review Comment:
The template `fernetkey-secret.yaml` is only produced if
`fernetKeySecretName` is not given. So in my view the checksum also should only
be produced if `fernetKeySecretName` is not provided.
To make it even better, if `fernetKeySecretName` is given then a hash of the
secret content might be an option for a checksum, but not sure if this is
template-able, but I am sure some dependency can be defined in K8s? Whereas if
provided as K8s secret the rotation will be more complex and most probably
requires a re-deployment with downtime? Not sure how this could be automated.