From 06db65bbca89539ea09dda3a843f46f0e6e14e8e Mon Sep 17 00:00:00 2001 From: ewan-chalmers Date: Fri, 27 Sep 2024 12:09:48 +0100 Subject: [PATCH 01/17] auto-restart --- docs/book/src/SUMMARY.md | 1 + .../src/topics/auto-restart-on-rotation.md | 120 ++++++++++++++++++ 2 files changed, 121 insertions(+) create mode 100644 docs/book/src/topics/auto-restart-on-rotation.md diff --git a/docs/book/src/SUMMARY.md b/docs/book/src/SUMMARY.md index 68073797e..7cd36b2d3 100644 --- a/docs/book/src/SUMMARY.md +++ b/docs/book/src/SUMMARY.md @@ -13,6 +13,7 @@ - [Sync as Kubernetes Secret](./topics/sync-as-kubernetes-secret.md) - [Set as ENV var](./topics/set-as-env-var.md) - [Best Practices](./topics/best-practices.md) + - [Auto Restart on Rotation](./topics/auto-restart-on-rotation.md) - [Providers](./providers.md) - [Troubleshooting](./troubleshooting.md) - [Load tests](./load-tests.md) diff --git a/docs/book/src/topics/auto-restart-on-rotation.md b/docs/book/src/topics/auto-restart-on-rotation.md new file mode 100644 index 000000000..cd56db21c --- /dev/null +++ b/docs/book/src/topics/auto-restart-on-rotation.md 
@@ -0,0 +1,120 @@ +# Auto restart of pods when secret is rotated + +_This is a suggested implementation which can be used alongside the Secrets Store CSI Driver._ + +When [auto rotation of secrets](./secret-auto-rotation.md) is enabled, workloads which depend upon secrets will need to either +- watch for updates to secrets and reload these in their runtime, or +- be restarted to pick up the latest secrets when they change + +A solution such as [Reloader](https://github.com/stakater/Reloader) could be used to watch for updates to Kubernetes Secrets or ConfigMaps and restart pods when a change is detected. However, if secret values are mounted as volumes in the pods, that solution is not suitable. + +Using custom resources created by the Secrets Store CSI Driver, a Kubernetes Controller can be used to detect when secrets are updated by the driver and to restart affected pods. + +## SecretProviderClassPodStatus custom resource + +The relevant custom resource is [`SecretProviderClassPodStatus`](https://secrets-store-csi-driver.sigs.k8s.io/concepts#secretproviderclasspodstatus). + +Each `SecretProviderClassPodStatus` CR has a one-to-one relationship with a pod which references secrets using the Secrets Store CSI Driver. The CR identifies the pod name, namespace and other attributes. The driver manages the lifecyle of `SecretProviderClassPodStatus` which is linked to the lifecycle of the affected pod. + +```mermaid +stateDiagram-v2 + state "SecretProviderClassPodStatus\nGeneration: 1" as g1 + state "SecretProviderClassPodStatus\nGeneration: n" as gn + + [*] --> g1: pod create with secret from csi + g1 --> gn: secret updated in pod + gn --> [*]: pod restart +``` + +When the driver sets a secret value for a new pod, a `SecretProviderClassPodStatus` CR is created with the `Generation` attribute set to `1`. + +Whenever the driver updates the secret value, the value of the `Generation` attribute is incremented. 
+ +If a pod is restarted, the CR is deleted and a new CR created with `Generation: 1`. + +`SecretProviderClassPodStatus` CRs persist across lifetimes of the secrets-store-csi-driver. + +## Outline of Controller function + +1. Reconcile + + The controller reconciles instances of the `SecretProviderClassPodStatus` CR and deletes (to restart) the associated pod if required. + + If a `SecretProviderClassPodStatus` has `Generation: 1`, it is linked to a newly created pod. The pod should not be restarted. + + If a `SecretProviderClassPodStatus` has `Generation` > 1, it is linked to a pod in which the secrets-store-csi-driver has updated a secret. The pod should be restarted (if it has opted-in for automatic restarting). + +1. Rolling restart + + On reconciling a pod which should be updated, check `metadata.ownerReferences` and walk up to a Deployment (or similar) if present. + + If a `Deployment` is found: + + - Do not restart pod + - Update the Deployment to trigger a rolling restart + - If the number of replicas > 1, update the Deployment once only + + To restart a deployment, the controller sets a timestamped annotation in the deployment + + ``` + template: + metadata: + annotations: + my.controller/restartedAt: "2024-09-05T14:06:29Z" + ``` + + Else: delete pod. + +1. Opt-in to automatic pod restarting + + Automatic restarting of pods when secrets are updated could be an opt-in behaviour. Unless the pod declares its opt-in, it should not be restarted by the controller. + + The opt-in could be indicated via an optional annotation set on the pod: + ``` + kind: pod + metadata: + annotations: + my.controller/restartOnChange: true + ``` + +## Implementation notes + +The [operator-sdk](https://github.com/operator-framework/operator-sdk) can be used to scaffold an implementation project. + +1. 
Scaffolding the project + + ``` + operator-sdk init --repo= + operator-sdk create api --version v1alpha1 --kind SecretProviderClassPodStatus --resource=false --controller=true + ``` + +1. Custom resources + + The controller does not manage custom resources of its own. It simply watches a custom resource provided by the Secrets Store CSI Driver. + +1. Permissions required + + The controller requires RBAC permissions to operate on various k8s resources. + + To watch `SecretProviderClassPodStatus` + ``` + // +kubebuilder:rbac:groups=secrets-store.csi.x-k8s.io,resources=secretproviderclasspodstatuses,verbs=get;list;watch + ``` + + To lookup and if necessary delete `Pod` + ``` + // +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;delete + ``` + + To lookup possible owner of `Pod` + ``` + // +kubebuilder:rbac:groups="apps",resources=daemonsets,verbs=get;list;watch + // +kubebuilder:rbac:groups="apps",resources=replicasets,verbs=get;list;watch + // +kubebuilder:rbac:groups="apps",resources=statefulsets,verbs=get;list;watch + // +kubebuilder:rbac:groups="apps",resources=deployments,verbs=get;list;watch + ``` + + To lookup and if necessary trigger update of `Deployment` + ``` + // +kubebuilder:rbac:groups="apps",resources=deployments,verbs=get;list;watch;update + ``` From ea9235786b39fe64988b564210557d0b2083793f Mon Sep 17 00:00:00 2001 From: ewan-chalmers Date: Fri, 27 Sep 2024 12:09:48 +0100 Subject: [PATCH 02/17] auto-restart --- docs/book/src/SUMMARY.md | 1 + .../src/topics/auto-restart-on-rotation.md | 120 ++++++++++++++++++ 2 files changed, 121 insertions(+) create mode 100644 docs/book/src/topics/auto-restart-on-rotation.md diff --git a/docs/book/src/SUMMARY.md b/docs/book/src/SUMMARY.md index 68073797e..7cd36b2d3 100644 --- a/docs/book/src/SUMMARY.md +++ b/docs/book/src/SUMMARY.md 
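Review bot: the opt-in example in PATCH 01, `my.controller/restartOnChange: true`, is an unquoted YAML boolean, but `metadata.annotations` values are strings, so the API server rejects that manifest; quote it as `my.controller/restartOnChange: "true"` and write `kind: Pod` (kinds are case-sensitive). Three smaller points in the same file. The "Rolling restart" step says to update the Deployment once only when replicas > 1 but gives no mechanism: with N replicas the controller receives N `Generation` > 1 reconciles and, as written, would trigger N rollouts, so state the check (for example, skip the update when the Deployment's `my.controller/restartedAt` annotation is already later than the pod's `creationTimestamp`). In "Permissions required", the `deployments` marker with `get;list;watch` is subsumed by the later one with `get;list;watch;update`, so drop the first; and since kubebuilder markers generate a ClusterRole, say that `delete` on pods and `update` on deployments should be bound per namespace rather than cluster-wide. Finally, `operator-sdk init --repo=` has an empty value; show it as a placeholder such as `--repo=<module-path>`.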
@@ -13,6 +13,7 @@ - [Sync as Kubernetes Secret](./topics/sync-as-kubernetes-secret.md) - [Set as ENV var](./topics/set-as-env-var.md) - [Best Practices](./topics/best-practices.md) + - [Auto Restart on Rotation](./topics/auto-restart-on-rotation.md) - [Providers](./providers.md) - [Troubleshooting](./troubleshooting.md) - [Load tests](./load-tests.md) diff --git a/docs/book/src/topics/auto-restart-on-rotation.md b/docs/book/src/topics/auto-restart-on-rotation.md new file mode 100644 index 000000000..cd56db21c --- /dev/null +++ b/docs/book/src/topics/auto-restart-on-rotation.md 
@@ -0,0 +1,120 @@ +# Auto restart of pods when secret is rotated + +_This is a suggested implementation which can be used alongside the Secrets Store CSI Driver._ + +When [auto rotation of secrets](./secret-auto-rotation.md) is enabled, workloads which depend upon secrets will need to either +- watch for updates to secrets and reload these in their runtime, or +- be restarted to pick up the latest secrets when they change + +A solution such as [Reloader](https://github.com/stakater/Reloader) could be used to watch for updates to Kubernetes Secrets or ConfigMaps and restart pods when a change is detected. However, if secret values are mounted as volumes in the pods, that solution is not suitable. + +Using custom resources created by the Secrets Store CSI Driver, a Kubernetes Controller can be used to detect when secrets are updated by the driver and to restart affected pods. + +## SecretProviderClassPodStatus custom resource + +The relevant custom resource is [`SecretProviderClassPodStatus`](https://secrets-store-csi-driver.sigs.k8s.io/concepts#secretproviderclasspodstatus). + +Each `SecretProviderClassPodStatus` CR has a one-to-one relationship with a pod which references secrets using the Secrets Store CSI Driver. The CR identifies the pod name, namespace and other attributes. The driver manages the lifecyle of `SecretProviderClassPodStatus` which is linked to the lifecycle of the affected pod. + +```mermaid +stateDiagram-v2 + state "SecretProviderClassPodStatus\nGeneration: 1" as g1 + state "SecretProviderClassPodStatus\nGeneration: n" as gn + + [*] --> g1: pod create with secret from csi + g1 --> gn: secret updated in pod + gn --> [*]: pod restart +``` + +When the driver sets a secret value for a new pod, a `SecretProviderClassPodStatus` CR is created with the `Generation` attribute set to `1`. + +Whenever the driver updates the secret value, the value of the `Generation` attribute is incremented. 
+ +If a pod is restarted, the CR is deleted and a new CR created with `Generation: 1`. + +`SecretProviderClassPodStatus` CRs persist across lifetimes of the secrets-store-csi-driver. + +## Outline of Controller function + +1. Reconcile + + The controller reconciles instances of the `SecretProviderClassPodStatus` CR and deletes (to restart) the associated pod if required. + + If a `SecretProviderClassPodStatus` has `Generation: 1`, it is linked to a newly created pod. The pod should not be restarted. + + If a `SecretProviderClassPodStatus` has `Generation` > 1, it is linked to a pod in which the secrets-store-csi-driver has updated a secret. The pod should be restarted (if it has opted-in for automatic restarting). + +1. Rolling restart + + On reconciling a pod which should be updated, check `metadata.ownerReferences` and walk up to a Deployment (or similar) if present. + + If a `Deployment` is found: + + - Do not restart pod + - Update the Deployment to trigger a rolling restart + - If the number of replicas > 1, update the Deployment once only + + To restart a deployment, the controller sets a timestamped annotation in the deployment + + ``` + template: + metadata: + annotations: + my.controller/restartedAt: "2024-09-05T14:06:29Z" + ``` + + Else: delete pod. + +1. Opt-in to automatic pod restarting + + Automatic restarting of pods when secrets are updated could be an opt-in behaviour. Unless the pod declares its opt-in, it should not be restarted by the controller. + + The opt-in could be indicated via an optional annotation set on the pod: + ``` + kind: pod + metadata: + annotations: + my.controller/restartOnChange: true + ``` + +## Implementation notes + +The [operator-sdk](https://github.com/operator-framework/operator-sdk) can be used to scaffold an implementation project. + +1. 
Scaffolding the project + + ``` + operator-sdk init --repo= + operator-sdk create api --version v1alpha1 --kind SecretProviderClassPodStatus --resource=false --controller=true + ``` + +1. Custom resources + + The controller does not manage custom resources of its own. It simply watches a custom resource provided by the Secrets Store CSI Driver. + +1. Permissions required + + The controller requires RBAC permissions to operate on various k8s resources. + + To watch `SecretProviderClassPodStatus` + ``` + // +kubebuilder:rbac:groups=secrets-store.csi.x-k8s.io,resources=secretproviderclasspodstatuses,verbs=get;list;watch + ``` + + To lookup and if necessary delete `Pod` + ``` + // +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;delete + ``` + + To lookup possible owner of `Pod` + ``` + // +kubebuilder:rbac:groups="apps",resources=daemonsets,verbs=get;list;watch + // +kubebuilder:rbac:groups="apps",resources=replicasets,verbs=get;list;watch + // +kubebuilder:rbac:groups="apps",resources=statefulsets,verbs=get;list;watch + // +kubebuilder:rbac:groups="apps",resources=deployments,verbs=get;list;watch + ``` + + To lookup and if necessary trigger update of `Deployment` + ``` + // +kubebuilder:rbac:groups="apps",resources=deployments,verbs=get;list;watch;update + ``` From c2ad53a9fdd83c46e0415c892d2181d41c40e8a2 Mon Sep 17 00:00:00 2001 From: ewan-chalmers Date: Thu, 10 Oct 2024 17:06:33 +0100 Subject: [PATCH 03/17] mermaid --- docs/book/book.toml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/book/book.toml b/docs/book/book.toml index 9415d1bc0..5730d8cb1 100644 --- a/docs/book/book.toml +++ b/docs/book/book.toml @@ -8,6 +8,10 @@ title = "Secrets Store CSI Driver" [output.html] curly-quotes = true git-repository-url = "https://sigs.k8s.io/secrets-store-csi-driver" +additional-js = ["mermaid.min.js", "mermaid-init.js"] [preprocessor.toc] command = "bin/mdbook-toc" + +[preprocessor.mermaid] +command = "mdbook-mermaid" \ No newline at end of file 
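Review bot: PATCH 02 is a byte-for-byte repeat of PATCH 01 (same subject, same author date, same new-file index `000000000..cd56db21c`), so it cannot apply on top of PATCH 01; drop it from the series. In PATCH 03, `command = "mdbook-mermaid"` relies on the binary being on PATH while the neighbouring `[preprocessor.toc]` uses `bin/mdbook-toc` (PATCH 06 later corrects this), and the file is left with `\ No newline at end of file`; squash the path fix into this commit and add the trailing newline.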
From 9d930b1e025daf35429d97e9e14254fc90b5fffa Mon Sep 17 00:00:00 2001 From: ewan-chalmers Date: Thu, 10 Oct 2024 17:11:45 +0100 Subject: [PATCH 04/17] mermaid --- docs/book/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/book/Makefile b/docs/book/Makefile index 828764467..6430d6879 100644 --- a/docs/book/Makefile +++ b/docs/book/Makefile @@ -23,6 +23,7 @@ $(MDBOOK): MDBOOK_TOC := $(TOOLS_BIN_DIR)/mdbook-toc $(MDBOOK_TOC): $(CRATE_INSTALL) --git badboy/mdbook-toc --tag 0.7.0 --to $(TOOLS_BIN_DIR) --force + $(CRATE_INSTALL) --git badboy/mdbook-mermaid --tag v0.14.0 --to $(TOOLS_BIN_DIR) --force DEPS := $(MDBOOK) $(MDBOOK_TOC) From d830b7fce6899f7648dfcc6644c7e23f2b29e110 Mon Sep 17 00:00:00 2001 From: ewan-chalmers Date: Thu, 10 Oct 2024 17:14:37 +0100 Subject: [PATCH 05/17] mermaid --- docs/book/Makefile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/book/Makefile b/docs/book/Makefile index 6430d6879..758bb3ac9 100644 --- a/docs/book/Makefile +++ b/docs/book/Makefile @@ -23,6 +23,9 @@ $(MDBOOK): MDBOOK_TOC := $(TOOLS_BIN_DIR)/mdbook-toc $(MDBOOK_TOC): $(CRATE_INSTALL) --git badboy/mdbook-toc --tag 0.7.0 --to $(TOOLS_BIN_DIR) --force + +MDBOOK_MERMAID := $(TOOLS_BIN_DIR)/mdbook-mermaid +$(MDBOOK_MERMAID): $(CRATE_INSTALL) --git badboy/mdbook-mermaid --tag v0.14.0 --to $(TOOLS_BIN_DIR) --force DEPS := $(MDBOOK) $(MDBOOK_TOC) From ed41ab2eeae9ae64c21f7ac829d3e7097c9786a0 Mon Sep 17 00:00:00 2001 From: ewan-chalmers Date: Thu, 10 Oct 2024 17:21:11 +0100 Subject: [PATCH 06/17] mermaid --- docs/book/book.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/book/book.toml b/docs/book/book.toml index 5730d8cb1..748aa11e7 100644 --- a/docs/book/book.toml +++ b/docs/book/book.toml @@ -14,4 +14,4 @@ additional-js = ["mermaid.min.js", "mermaid-init.js"] command = "bin/mdbook-toc" [preprocessor.mermaid] -command = "mdbook-mermaid" \ No newline at end of file +command = "bin/mdbook-mermaid" \ No newline at end of file 
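Review bot: PATCHes 04 through 06 are fixups of each other rather than independent changes (04 puts the mermaid install inside the `$(MDBOOK_TOC)` recipe, 05 moves it to its own `$(MDBOOK_MERMAID)` target that `DEPS` does not reference until PATCH 07, 06 corrects the `book.toml` command path from PATCH 03), and every commit message is just "mermaid". Squash 03 through 11 into a single "Add mdbook-mermaid preprocessor" commit with a message that explains the change, so the series stays bisectable and reviewable.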
From 62be1fb580d2e223bcb0e140087d1ea0bc6b6350 Mon Sep 17 00:00:00 2001 From: ewan-chalmers Date: Thu, 10 Oct 2024 17:23:28 +0100 Subject: [PATCH 07/17] mermaid --- docs/book/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/book/Makefile b/docs/book/Makefile index 758bb3ac9..c886dc1fb 100644 --- a/docs/book/Makefile +++ b/docs/book/Makefile @@ -28,7 +28,7 @@ MDBOOK_MERMAID := $(TOOLS_BIN_DIR)/mdbook-mermaid $(MDBOOK_MERMAID): $(CRATE_INSTALL) --git badboy/mdbook-mermaid --tag v0.14.0 --to $(TOOLS_BIN_DIR) --force -DEPS := $(MDBOOK) $(MDBOOK_TOC) +DEPS := $(MDBOOK) $(MDBOOK_TOC) $(MDBOOK_MERMAID) .PHONY: build build: $(DEPS) From 251459e42c2a1f5c4f7a868c855134e9ab55232f Mon Sep 17 00:00:00 2001 From: ewan-chalmers Date: Thu, 10 Oct 2024 17:27:09 +0100 Subject: [PATCH 08/17] mermaid --- docs/book/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/book/Makefile b/docs/book/Makefile index c886dc1fb..c211e22b0 100644 --- a/docs/book/Makefile +++ b/docs/book/Makefile @@ -26,7 +26,7 @@ $(MDBOOK_TOC): MDBOOK_MERMAID := $(TOOLS_BIN_DIR)/mdbook-mermaid $(MDBOOK_MERMAID): - $(CRATE_INSTALL) --git badboy/mdbook-mermaid --tag v0.14.0 --to $(TOOLS_BIN_DIR) --force + $(CRATE_INSTALL) --git badboy/mdbook-mermaid --tag v0.11.2 --to $(TOOLS_BIN_DIR) --force DEPS := $(MDBOOK) $(MDBOOK_TOC) $(MDBOOK_MERMAID) From bd0c93f12830bdc778b0ba1d385e7c86706c6f17 Mon Sep 17 00:00:00 2001 From: ewan-chalmers Date: Thu, 10 Oct 2024 17:28:54 +0100 Subject: [PATCH 09/17] mermaid --- docs/book/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/book/Makefile b/docs/book/Makefile index c211e22b0..68d863430 100644 --- a/docs/book/Makefile +++ b/docs/book/Makefile 
@@ -26,7 +26,7 @@ $(MDBOOK_TOC): MDBOOK_MERMAID := $(TOOLS_BIN_DIR)/mdbook-mermaid $(MDBOOK_MERMAID): - $(CRATE_INSTALL) --git badboy/mdbook-mermaid --tag v0.11.2 --to $(TOOLS_BIN_DIR) --force + $(CRATE_INSTALL) --git badboy/mdbook-mermaid --tag v0.8.3 --to $(TOOLS_BIN_DIR) --force DEPS := $(MDBOOK) $(MDBOOK_TOC) $(MDBOOK_MERMAID) From 35070d9276cfb91a9f43d7228c7f63791b20184f Mon Sep 17 00:00:00 2001 From: ewan-chalmers Date: Thu, 10 Oct 2024 17:33:35 +0100 Subject: [PATCH 10/17] mermaid --- docs/book/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/book/Makefile b/docs/book/Makefile index 68d863430..a23018360 100644 --- a/docs/book/Makefile +++ b/docs/book/Makefile @@ -27,6 +27,7 @@ $(MDBOOK_TOC): MDBOOK_MERMAID := $(TOOLS_BIN_DIR)/mdbook-mermaid $(MDBOOK_MERMAID): $(CRATE_INSTALL) --git badboy/mdbook-mermaid --tag v0.8.3 --to $(TOOLS_BIN_DIR) --force + $(MDBOOK_MERMAID) install DEPS := $(MDBOOK) $(MDBOOK_TOC) $(MDBOOK_MERMAID) From ba3aa84f7f8bb4805490f3f5abc3d74a56e0aaee Mon Sep 17 00:00:00 2001 From: ewan-chalmers Date: Thu, 10 Oct 2024 17:33:35 +0100 Subject: [PATCH 11/17] mermaid Signed-off-by: ewan-chalmers --- docs/book/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/book/Makefile b/docs/book/Makefile index 68d863430..a23018360 100644 --- a/docs/book/Makefile +++ b/docs/book/Makefile @@ -27,6 +27,7 @@ $(MDBOOK_TOC): MDBOOK_MERMAID := $(TOOLS_BIN_DIR)/mdbook-mermaid $(MDBOOK_MERMAID): $(CRATE_INSTALL) --git badboy/mdbook-mermaid --tag v0.8.3 --to $(TOOLS_BIN_DIR) --force + $(MDBOOK_MERMAID) install DEPS := $(MDBOOK) $(MDBOOK_TOC) $(MDBOOK_MERMAID) From dd84820a1db4f720db9252b40d3b29a479140307 Mon Sep 17 00:00:00 2001 From: ewan-chalmers Date: Thu, 24 Oct 2024 11:14:54 +0100 Subject: [PATCH 12/17] caveat --- docs/book/src/topics/auto-restart-on-rotation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
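Review bot: PATCHes 08 and 09 walk the pinned tag from v0.14.0 through v0.11.2 down to v0.8.3 without saying why; record the reason for the older tag in the commit message, otherwise the next person to touch the Makefile will bump it back. PATCH 10's `$(MDBOOK_MERMAID) install` writes `mermaid.min.js` and `mermaid-init.js` into the working directory (docs/book), which `book.toml` references via `additional-js`; neither file appears in the diff, so state whether they are generated at build time (then add them to `.gitignore`) or meant to be committed. PATCH 11 is PATCH 10 re-issued with a `Signed-off-by` trailer and the same author date and index `68d863430..a23018360`; keep only the signed one.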
diff --git a/docs/book/src/topics/auto-restart-on-rotation.md b/docs/book/src/topics/auto-restart-on-rotation.md index cd56db21c..e84e8694d 100644 --- a/docs/book/src/topics/auto-restart-on-rotation.md +++ b/docs/book/src/topics/auto-restart-on-rotation.md @@ -1,6 +1,6 @@ # Auto restart of pods when secret is rotated -_This is a suggested implementation which can be used alongside the Secrets Store CSI Driver._ +> NOTE: This is a suggested implementation which can be used alongside the Secrets Store CSI Driver. The solution is neither supported nor tested by the Secrets Store CSI Driver project. When [auto rotation of secrets](./secret-auto-rotation.md) is enabled, workloads which depend upon secrets will need to either - watch for updates to secrets and reload these in their runtime, or From ab3b512b092eefd965f5ca5bd9d30d10bffaabfe Mon Sep 17 00:00:00 2001 From: Ewan Chalmers Date: Fri, 3 Jan 2025 10:45:01 +0000 Subject: [PATCH 13/17] Apply suggestions from code review Co-authored-by: Anish Ramasekar --- docs/book/src/topics/auto-restart-on-rotation.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/book/src/topics/auto-restart-on-rotation.md b/docs/book/src/topics/auto-restart-on-rotation.md index e84e8694d..0fd406561 100644 --- a/docs/book/src/topics/auto-restart-on-rotation.md +++ b/docs/book/src/topics/auto-restart-on-rotation.md 
@@ -1,20 +1,20 @@ # Auto restart of pods when secret is rotated -> NOTE: This is a suggested implementation which can be used alongside the Secrets Store CSI Driver. The solution is neither supported nor tested by the Secrets Store CSI Driver project. +> NOTE: This is a suggested implementation that can be used alongside the Secrets Store CSI Driver. This solution is neither supported nor tested by the Secrets Store CSI Driver project. -When [auto rotation of secrets](./secret-auto-rotation.md) is enabled, workloads which depend upon secrets will need to either -- watch for updates to secrets and reload these in their runtime, or +When [auto rotation of secrets](./secret-auto-rotation.md) is enabled, workloads that depend on secrets will need to either: +- watch for updates to the secrets and reload these in their runtime, or - be restarted to pick up the latest secrets when they change -A solution such as [Reloader](https://github.com/stakater/Reloader) could be used to watch for updates to Kubernetes Secrets or ConfigMaps and restart pods when a change is detected. However, if secret values are mounted as volumes in the pods, that solution is not suitable. +A solution like [Reloader](https://github.com/stakater/Reloader) can watch updates to Kubernetes Secrets or ConfigMaps and restart pods when a change is detected. However, if secret values are mounted as volumes in the pods, that solution is not suitable. -Using custom resources created by the Secrets Store CSI Driver, a Kubernetes Controller can be used to detect when secrets are updated by the driver and to restart affected pods. +Using custom resources created by the Secrets Store CSI Driver, a Kubernetes controller can detect when secrets are updated by the driver and restart the associated pods. ## SecretProviderClassPodStatus custom resource The relevant custom resource is [`SecretProviderClassPodStatus`](https://secrets-store-csi-driver.sigs.k8s.io/concepts#secretproviderclasspodstatus). 
-Each `SecretProviderClassPodStatus` CR has a one-to-one relationship with a pod which references secrets using the Secrets Store CSI Driver. The CR identifies the pod name, namespace and other attributes. The driver manages the lifecyle of `SecretProviderClassPodStatus` which is linked to the lifecycle of the affected pod. +Each `SecretProviderClassPodStatus` custom resource (CR) has a one-to-one relationship with a pod that references secrets using the Secrets Store CSI Driver. The CR includes the pod name, namespace and other attributes. The driver manages the lifecycle of `SecretProviderClassPodStatus` which is tied to the lifecycle of the associated pod. ```mermaid stateDiagram-v2 From f92bf6250092cfecf7c32d8f353894cef8b395ae Mon Sep 17 00:00:00 2001 From: Ewan Chalmers Date: Fri, 3 Jan 2025 10:59:14 +0000 Subject: [PATCH 14/17] review comment --- docs/book/src/topics/auto-restart-on-rotation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/book/src/topics/auto-restart-on-rotation.md b/docs/book/src/topics/auto-restart-on-rotation.md index 0fd406561..756a489e4 100644 --- a/docs/book/src/topics/auto-restart-on-rotation.md +++ b/docs/book/src/topics/auto-restart-on-rotation.md @@ -12,7 +12,7 @@ Using custom resources created by the Secrets Store CSI Driver, a Kubernetes con ## SecretProviderClassPodStatus custom resource -The relevant custom resource is [`SecretProviderClassPodStatus`](https://secrets-store-csi-driver.sigs.k8s.io/concepts#secretproviderclasspodstatus). +The relevant custom resource is [`SecretProviderClassPodStatus`](./concepts#secretproviderclasspodstatus). Each `SecretProviderClassPodStatus` custom resource (CR) has a one-to-one relationship with a pod that references secrets using the Secrets Store CSI Driver. The CR includes the pod name, namespace and other attributes. The driver manages the lifecycle of `SecretProviderClassPodStatus` which is tied to the lifecycle of the associated pod. 
From f85a10a95512a05a94eb06ce276741c6bb9050fa Mon Sep 17 00:00:00 2001 From: Ewan Chalmers Date: Fri, 3 Jan 2025 11:04:21 +0000 Subject: [PATCH 15/17] review comment --- docs/book/src/topics/auto-restart-on-rotation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/book/src/topics/auto-restart-on-rotation.md b/docs/book/src/topics/auto-restart-on-rotation.md index 756a489e4..4446734c8 100644 --- a/docs/book/src/topics/auto-restart-on-rotation.md +++ b/docs/book/src/topics/auto-restart-on-rotation.md @@ -12,7 +12,7 @@ Using custom resources created by the Secrets Store CSI Driver, a Kubernetes con ## SecretProviderClassPodStatus custom resource -The relevant custom resource is [`SecretProviderClassPodStatus`](./concepts#secretproviderclasspodstatus). +The relevant custom resource is [`SecretProviderClassPodStatus`](../concepts#secretproviderclasspodstatus). Each `SecretProviderClassPodStatus` custom resource (CR) has a one-to-one relationship with a pod that references secrets using the Secrets Store CSI Driver. The CR includes the pod name, namespace and other attributes. The driver manages the lifecycle of `SecretProviderClassPodStatus` which is tied to the lifecycle of the associated pod. From b25eeb70995c9f0cb5e3680b73417eaac80d7dc2 Mon Sep 17 00:00:00 2001 From: Ewan Chalmers Date: Fri, 3 Jan 2025 14:35:08 +0000 Subject: [PATCH 16/17] review comments SPC relationship --- docs/book/src/topics/auto-restart-on-rotation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/book/src/topics/auto-restart-on-rotation.md b/docs/book/src/topics/auto-restart-on-rotation.md index 4446734c8..67a07e39b 100644 --- a/docs/book/src/topics/auto-restart-on-rotation.md +++ b/docs/book/src/topics/auto-restart-on-rotation.md 
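Review bot: the link target introduced in PATCH 14 (`./concepts#secretproviderclasspodstatus`) is wrong and PATCH 15 corrects it to `../concepts#...`; squash the two. Both still omit the `.md` extension that every other in-book link uses (`./secret-auto-rotation.md` in this file and the `SUMMARY.md` entries), so mdBook will not rewrite the target to `.html` and the anchor resolves only on hosts that serve extensionless paths; use `../concepts.md#secretproviderclasspodstatus`, and the same for the `[SecretProviderClass](../concepts#secretproviderclass)` link added in PATCH 16.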
@@ -14,7 +14,7 @@ Using custom resources created by the Secrets Store CSI Driver, a Kubernetes con The relevant custom resource is [`SecretProviderClassPodStatus`](../concepts#secretproviderclasspodstatus). -Each `SecretProviderClassPodStatus` custom resource (CR) has a one-to-one relationship with a pod that references secrets using the Secrets Store CSI Driver. The CR includes the pod name, namespace and other attributes. The driver manages the lifecycle of `SecretProviderClassPodStatus` which is tied to the lifecycle of the associated pod. +Each `SecretProviderClassPodStatus` custom resource (CR) has a one-to-one relationship with a pod that references secrets using a Secrets Store CSI Driver [SecretProviderClass](../concepts#secretproviderclass). The CR includes the pod name, namespace and other attributes. The driver manages the lifecycle of `SecretProviderClassPodStatus` which is tied to the lifecycle of the associated pod. ```mermaid stateDiagram-v2 From 57cf852d1ea7ebd62e34d79a2b78c4255d11169a Mon Sep 17 00:00:00 2001 From: Ewan Chalmers Date: Fri, 3 Jan 2025 14:50:48 +0000 Subject: [PATCH 17/17] review comments: caveat --- docs/book/src/topics/auto-restart-on-rotation.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/book/src/topics/auto-restart-on-rotation.md b/docs/book/src/topics/auto-restart-on-rotation.md index 67a07e39b..c20f2d5da 100644 --- a/docs/book/src/topics/auto-restart-on-rotation.md +++ b/docs/book/src/topics/auto-restart-on-rotation.md 
@@ -10,6 +10,8 @@ A solution like [Reloader](https://github.com/stakater/Reloader) can watch updat Using custom resources created by the Secrets Store CSI Driver, a Kubernetes controller can detect when secrets are updated by the driver and restart the associated pods. +> NOTE: The suggested implementation will result in an increase in secret store reads and secret writes (k8s mounts) by the Secrets Store CSI Driver. Each time the driver updates a mounted secret and the controller subsequently restarts the associated pod, the driver will then read and mount the secret _again_ for the newly created pod. This undesirable consequence ahould be weighed against the convenience of enabling workloads to be reloaded with updated secrets, without code changes. + ## SecretProviderClassPodStatus custom resource The relevant custom resource is [`SecretProviderClassPodStatus`](../concepts#secretproviderclasspodstatus).
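Review bot: typo in the added note, "ahould" should be "should". The note would also help operators more if it quantified the cost it describes: since each restarted pod causes one extra provider read and mount, a Deployment with N opted-in replicas costs N additional reads per rotation that changes a value, which is the number to weigh against the secret store's rate limits.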