openmetadata - secret checksum annotation for pod restarts

charts/openmetadata/templates/config/authentication-secret.yaml

@@ -0,0 +1,99 @@
+{{- if .Values.openmetadata.config.authentication.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "OpenMetadata.fullname" . }}-authentication-secret
+type: Opaque
+data:
+  AUTHENTICATION_PUBLIC_KEYS: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .Values.openmetadata.config.authentication.publicKeys) }}
+  AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .Values.openmetadata.config.authentication.jwtPrincipalClaims) }}
+  {{- if .Values.openmetadata.config.authentication.jwtPrincipalClaimsMapping  }}
+  AUTHENTICATION_JWT_PRINCIPAL_CLAIMS_MAPPING: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .Values.openmetadata.config.authentication.jwtPrincipalClaimsMapping) }}
+  {{- end }}
+{{- with .Values.openmetadata.config.authentication }}
+  AUTHENTICATION_PROVIDER: {{ .provider | quote | b64enc }}
+  AUTHENTICATION_RESPONSE_TYPE: {{ .responseType | quote | b64enc }}
+  AUTHENTICATION_AUTHORITY: {{ .authority | quote | b64enc }}
+  AUTHENTICATION_CLIENT_ID: {{ .clientId | quote | b64enc }}
+  AUTHENTICATION_CLIENT_TYPE: {{ .clientType | quote | b64enc }}
+  AUTHENTICATION_CALLBACK_URL: {{ .callbackUrl | quote | b64enc }}
+  AUTHENTICATION_ENABLE_SELF_SIGNUP: {{ .enableSelfSignup | quote | b64enc }}
+{{- if and (eq .clientType "confidential") (.oidcConfiguration.enabled) }}
+  OIDC_TYPE: {{ .oidcConfiguration.oidcType | quote | b64enc }}
+  OIDC_SCOPE: {{ .oidcConfiguration.scope | quote | b64enc }}
+  OIDC_DISCOVERY_URI: {{ .oidcConfiguration.discoveryUri | quote | b64enc }}
+  OIDC_USE_NONCE: {{  .oidcConfiguration.useNonce | quote | b64enc }}
+  OIDC_PREFERRED_JWS: {{ .oidcConfiguration.preferredJwsAlgorithm | quote | b64enc }}
+  OIDC_RESPONSE_TYPE: {{ .oidcConfiguration.responseType | quote | b64enc }}
+  OIDC_PROMPT_TYPE: {{ .oidcConfiguration.promptType | quote | b64enc }}
+  OIDC_DISABLE_PKCE: {{ .oidcConfiguration.disablePkce | quote | b64enc }}
+  OIDC_CALLBACK: {{ .oidcConfiguration.callbackUrl | quote | b64enc }}
+  OIDC_SERVER_URL: {{ .oidcConfiguration.serverUrl | quote | b64enc }}
+  OIDC_CLIENT_AUTH_METHOD: {{ .oidcConfiguration.clientAuthenticationMethod | quote | b64enc }}
+  OIDC_TENANT: {{ .oidcConfiguration.tenant | quote | b64enc }}
+  OIDC_MAX_CLOCK_SKEW: {{ .oidcConfiguration.maxClockSkew | quote | b64enc }}
+  OIDC_OM_REFRESH_TOKEN_VALIDITY: {{ .oidcConfiguration.tokenValidity | quote | b64enc }}
+  OIDC_CUSTOM_PARAMS: {{ .oidcConfiguration.customParams | b64enc }}
+  OIDC_MAX_AGE: {{ .oidcConfiguration.maxAge | quote | b64enc }}
+  OIDC_SESSION_EXPIRY: {{ .oidcConfiguration.sessionExpiry | quote | b64enc }}
+{{ end }}
+{{- if eq .provider "ldap" }}
+  AUTHENTICATION_LDAP_HOST: {{ .ldapConfiguration.host | b64enc }}
+  AUTHENTICATION_LDAP_PORT: {{ .ldapConfiguration.port | quote | b64enc }}
+  AUTHENTICATION_LOOKUP_ADMIN_DN: {{ .ldapConfiguration.dnAdminPrincipal | quote | b64enc }}
+  AUTHENTICATION_USER_LOOKUP_BASEDN: {{ .ldapConfiguration.userBaseDN | quote | b64enc }}
+  AUTHENTICATION_GROUP_LOOKUP_BASEDN: {{ .ldapConfiguration.groupBaseDN | quote | b64enc }}
+  AUTHENTICATION_USER_ROLE_ADMIN_NAME: {{ .ldapConfiguration.roleAdminName | quote | b64enc }}
+  AUTHENTICATION_USER_ALL_ATTR: {{ .ldapConfiguration.allAttributeName | quote | b64enc }}
+  AUTHENTICATION_USER_NAME_ATTR: {{ .ldapConfiguration.usernameAttributeName | quote | b64enc }}
+  AUTHENTICATION_USER_GROUP_ATTR: {{ .ldapConfiguration.groupAttributeName | quote | b64enc }}
+  AUTHENTICATION_USER_GROUP_ATTR_VALUE: {{ .ldapConfiguration.groupAttributeValue | quote | b64enc }}
+  AUTHENTICATION_USER_GROUP_MEMBER_ATTR: {{ .ldapConfiguration.groupMemberAttributeName | quote | b64enc }}
+  AUTH_ROLES_MAPPING: {{ .ldapConfiguration.authRolesMapping | quote | b64enc }}
+  AUTH_REASSIGN_ROLES: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .ldapConfiguration.authReassignRoles) }}
+  AUTHENTICATION_USER_MAIL_ATTR: {{ .ldapConfiguration.mailAttributeName | quote | b64enc }}
+  AUTHENTICATION_LDAP_POOL_SIZE: {{ .ldapConfiguration.maxPoolSize | quote | b64enc }}
+  AUTHENTICATION_LDAP_SSL_ENABLED: {{ .ldapConfiguration.sslEnabled | quote | b64enc }}
+  AUTHENTICATION_LDAP_TRUSTSTORE_TYPE: {{ .ldapConfiguration.truststoreConfigType | quote | b64enc }}
+  {{- if eq .ldapConfiguration.truststoreConfigType "CustomTrustStore" }}
+  AUTHENTICATION_LDAP_TRUSTSTORE_PATH: {{ .ldapConfiguration.trustStoreConfig.customTrustManagerConfig.trustStoreFilePath | quote | b64enc }}
+  AUTHENTICATION_LDAP_SSL_KEY_FORMAT: {{ .ldapConfiguration.trustStoreConfig.customTrustManagerConfig.trustStoreFileFormat | quote | b64enc }}
+  AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST: {{ .ldapConfiguration.trustStoreConfig.customTrustManagerConfig.verifyHostname | quote | b64enc }}
+  AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES: {{ .ldapConfiguration.trustStoreConfig.customTrustManagerConfig.examineValidityDates | quote | b64enc }}
+  {{ end }}
+  {{- if eq .ldapConfiguration.truststoreConfigType "HostName" }}
+  AUTHENTICATION_LDAP_ALLOW_WILDCARDS: {{ .ldapConfiguration.trustStoreConfig.hostNameConfig.allowWildCards | quote | b64enc }}
+  AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES: {{ .ldapConfiguration.trustStoreConfig.hostNameConfig.acceptableHostNames | b64enc}}
+  {{ end }}
+  {{- if eq .ldapConfiguration.truststoreConfigType "JVMDefault" }}
+  AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST: {{ .ldapConfiguration.trustStoreConfig.jvmDefaultConfig.verifyHostname | quote | b64enc }}
+  {{ end }}
+  {{- if eq .ldapConfiguration.truststoreConfigType "TrustAll" }}
+  AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES: {{ .ldapConfiguration.trustStoreConfig.trustAllConfig.examineValidityDates | quote | b64enc }}
+  {{ end }}
+{{ end }}
+{{- if eq .provider "saml" }}
+  SAML_DEBUG_MODE: {{ .saml.debugMode | quote | b64enc }}
+  SAML_IDP_ENTITY_ID: {{ .saml.idp.entityId | quote | b64enc }}
+  SAML_IDP_SSO_LOGIN_URL: {{ .saml.idp.ssoLoginUrl | quote | b64enc }}
+  SAML_AUTHORITY_URL: {{ .saml.idp.authorityUrl | quote | b64enc }}
+  SAML_IDP_NAME_ID: {{ .saml.idp.nameId | quote | b64enc }}
+  SAML_SP_ENTITY_ID: {{ .saml.sp.entityId | quote | b64enc }}
+  SAML_SP_ACS: {{ .saml.sp.acs | quote | b64enc }}
+  SAML_SP_CALLBACK: {{ .saml.sp.callback | quote | b64enc }}
+  SAML_STRICT_MODE: {{ .saml.security.strictMode | quote | b64enc }}
+  SAML_VALIDATE_XML: {{ .saml.security.validateXml | quote | b64enc }}
+  SAML_SP_TOKEN_VALIDITY: {{ .saml.security.tokenValidity | quote | b64enc }}
+  SAML_SEND_ENCRYPTED_NAME_ID: {{ .saml.security.sendEncryptedNameId | quote | b64enc }}
+  SAML_SEND_SIGNED_AUTH_REQUEST: {{ .saml.security.sendSignedAuthRequest | quote | b64enc }}
+  SAML_SIGNED_SP_METADATA: {{ .saml.security.signSpMetadata | quote | b64enc }}
+  SAML_WANT_MESSAGE_SIGNED: {{ .saml.security.wantMessagesSigned | quote | b64enc }}
+  SAML_WANT_ASSERTION_SIGNED: {{ .saml.security.wantAssertionsSigned | quote | b64enc }}
+  SAML_WANT_ASSERTION_ENCRYPTED: {{ .saml.security.wantAssertionEncrypted | quote | b64enc }}
+  # Key Store should only be considered if wantAssertionEncrypted will be true
+  {{- if .saml.security.wantAssertionEncrypted }}
+  SAML_KEYSTORE_FILE_PATH: {{ .saml.security.keyStoreFilePath | quote | b64enc }}
+  {{ end }}
+{{ end }}
+{{ end }}
+{{ end }}

charts/openmetadata/templates/config/authorizer-secret.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.openmetadata.config.authorizer.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "OpenMetadata.fullname" . }}-authorizer-secret
+type: Opaque
+data:
+{{- with .Values.openmetadata.config.authorizer }}
+  AUTHORIZER_CLASS_NAME: {{ .className | quote | b64enc }}
+  AUTHORIZER_REQUEST_FILTER: {{ .containerRequestFilter | quote | b64enc }}
+  AUTHORIZER_PRINCIPAL_DOMAIN: {{ .principalDomain | quote | b64enc }}
+  AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN: {{ .enforcePrincipalDomain | quote | b64enc }}
+  AUTHORIZER_ENABLE_SECURE_SOCKET: {{ .enableSecureSocketConnection | quote | b64enc }}
+  AUTHORIZER_ADMIN_PRINCIPALS: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .initialAdmins ) }}
+  AUTHORIZER_ALLOWED_DOMAINS: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .allowedDomains) }}
+  AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .allowedEmailRegistrationDomains) }}
+  AUTHORIZER_USE_ROLES_FROM_PROVIDER: {{ .useRolesFromProvider | quote | b64enc }}
+{{ end }}
+{{ end }}

charts/openmetadata/templates/config/config-secret.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "OpenMetadata.fullname" . }}-config-secret
+type: Opaque
+data:
+{{- with .Values.openmetadata.config }}
+  LOG_LEVEL: {{ .logLevel | b64enc }}
+  OPENMETADATA_CLUSTER_NAME: {{ .clusterName | b64enc }}
+{{ end }}

charts/openmetadata/templates/config/db-secret.yaml

@@ -0,0 +1,24 @@
+{{- if .Values.openmetadata.config.database.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "OpenMetadata.fullname" . }}-db-secret
+type: Opaque
+data:
+{{- with .Values.openmetadata.config.database }}
+  DB_HOST: {{ .host | b64enc }}
+  DB_PORT: {{ .port | toString | b64enc }}
+  DB_DRIVER_CLASS: {{ .driverClass | b64enc }}
+  DB_SCHEME: {{ .dbScheme | b64enc }}
+  OM_DATABASE: {{ .databaseName | b64enc }}
+  DB_PARAMS: {{ .dbParams | b64enc | quote }}
+  DB_USER: {{ .auth.username | b64enc }}
+  DB_CONNECTION_POOL_MAX_SIZE: {{ .maxSize | quote | b64enc }}
+  DB_CONNECTION_POOL_MIN_SIZE: {{ .minSize | quote | b64enc }}
+  DB_CONNECTION_POOL_INITIAL_SIZE: {{ .initialSize | quote | b64enc }}
+  DB_CONNECTION_CHECK_CONNECTION_WHILE_IDLE: {{ .checkConnectionWhileIdle | quote | b64enc }}
+  DB_CONNECTION_CHECK_CONNECTION_ON_BORROW: {{ .checkConnectionOnBorrow | quote | b64enc }}
+  DB_CONNECTION_EVICTION_INTERVAL: {{ .evictionInterval | quote | b64enc }}
+  DB_CONNECTION_MIN_IDLE_TIME: {{ .minIdleTime | quote | b64enc }}
+{{ end }}
+{{ end }}

charts/openmetadata/templates/config/eventmonitor-secret.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.openmetadata.config.eventMonitor.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "OpenMetadata.fullname" . }}-eventmonitor-secret
+type: Opaque
+data:
+{{- with .Values.openmetadata.config.eventMonitor }}
+  EVENT_MONITOR: {{ .type | b64enc }}
+  EVENT_MONITOR_BATCH_SIZE: {{ .batchSize | quote | b64enc }}
+{{ end }}
+  EVENT_MONITOR_PATH_PATTERN: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .Values.openmetadata.config.eventMonitor.pathPattern) }}
+  EVENT_MONITOR_LATENCY: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .Values.openmetadata.config.eventMonitor.latency) }}
+{{ end }}

charts/openmetadata/templates/config/fernetkey-secret.yaml

@@ -0,0 +1,12 @@
+{{- if not .Values.openmetadata.config.fernetkey.secretRef }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "OpenMetadata.fullname" . }}-fernetkey-secret
+type: Opaque
+data:
+{{- with .Values.openmetadata.config.fernetkey }}
+  FERNET_KEY: {{ .value | b64enc | quote }}
+{{ end }}
+{{ end }}
+

charts/openmetadata/templates/config/jwt-secret.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.openmetadata.config.jwtTokenConfiguration.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "OpenMetadata.fullname" . }}-jwt-secret
+type: Opaque
+data:
+{{- with .Values.openmetadata.config.jwtTokenConfiguration }}
+  RSA_PUBLIC_KEY_FILE_PATH: {{ .rsapublicKeyFilePath | quote | b64enc }}
+  RSA_PRIVATE_KEY_FILE_PATH: {{ .rsaprivateKeyFilePath | quote | b64enc }}
+  JWT_ISSUER: {{ .jwtissuer | quote | b64enc }}
+  JWT_KEY_ID: {{ .keyId | quote | b64enc }}
+{{ end }}
+{{ end }}

charts/openmetadata/templates/config/omd-secret.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "OpenMetadata.fullname" . }}-omd-secret
+type: Opaque
+data:
+{{- with .Values.openmetadata.config.openmetadata }}
+  SERVER_HOST: {{ .host | b64enc }}
+  SERVER_PORT: {{ .port | quote | b64enc }}
+  SERVER_ADMIN_PORT: {{ .adminPort | quote | b64enc }}
+  SERVER_MAX_THREADS: {{ .maxThreads | quote | b64enc }}
+  SERVER_MIN_THREADS: {{ .minThreads | quote | b64enc }}
+  SERVER_IDLE_THREAD_TIMEOUT: {{ .idleThreadTimeout | quote | b64enc }}
+{{- end }}
+{{- $aiProxyState := dict "enabled" false }}
+{{- with .Values.collate }}
+  {{- with .aiProxy }}
+    {{- $_ := set $aiProxyState "enabled" (default false .enabled) }}
+  {{- end }}
+{{- end }}
+{{- if $aiProxyState.enabled }}
+  AI_PLATFORM_ENABLED: dHJ1ZQo=
+  AI_CHAT_PREVIEW: ZmFsc2U=
+{{- else }}
+  AI_PLATFORM_ENABLED: ZmFsc2U=
+  AI_CHAT_PREVIEW: dHJ1ZQo=
+{{ end }}

charts/openmetadata/templates/config/pipeline-secret.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "OpenMetadata.fullname" . }}-pipeline-secret
+type: Opaque
+data:
+{{- if .Values.openmetadata.config.pipelineServiceClientConfig.enabled }}
+{{- with .Values.openmetadata.config.pipelineServiceClientConfig }}
+{{- if eq (include "OpenMetadata.utils.checkEmptyString" .hostIp) "true" }}
+  PIPELINE_SERVICE_CLIENT_HOST_IP: {{ .hostIp | quote | b64enc }}
+{{- end }}
+  PIPELINE_SERVICE_CLIENT_ENABLED: {{ .enabled | quote | b64enc }}
+  PIPELINE_SERVICE_CLIENT_CLASS_NAME: {{ .className | quote | b64enc }}
+  PIPELINE_SERVICE_IP_INFO_ENABLED: {{ .ingestionIpInfoEnabled | quote | b64enc }}
+  PIPELINE_SERVICE_CLIENT_ENDPOINT: {{ .apiEndpoint | b64enc }}
+  PIPELINE_SERVICE_CLIENT_VERIFY_SSL: {{ .verifySsl | quote | b64enc }}
+  PIPELINE_SERVICE_CLIENT_HEALTH_CHECK_INTERVAL: {{ .healthCheckInterval | quote | b64enc }}
+  PIPELINE_SERVICE_CLIENT_SSL_CERT_PATH: {{ .sslCertificatePath | quote | b64enc }}
+  SERVER_HOST_API_URL: {{ .metadataApiEndpoint | b64enc }}
+  {{- if .auth.enabled }}
+  AIRFLOW_USERNAME: {{ .auth.username | b64enc }}
+  AIRFLOW_TRUST_STORE_PATH: {{ .auth.trustStorePath | quote | b64enc }}
+  {{- end }}
+{{ end }}
+{{- else }}
+  PIPELINE_SERVICE_CLIENT_ENABLED: {{ .Values.openmetadata.config.pipelineServiceClientConfig.enabled | quote | b64enc }}
+{{- end }}

charts/openmetadata/templates/config/rdf-secret.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.openmetadata.config.rdf.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "OpenMetadata.fullname" . }}-rdf-secret
+type: Opaque
+data:
+{{- with .Values.openmetadata.config.rdf }}
+  RDF_ENABLED: {{ .enabled | quote | b64enc }}
+  RDF_BASE_URI: {{ .baseUri | quote | b64enc }}
+  RDF_STORAGE_TYPE: {{ .storageType | quote | b64enc }}
+  RDF_REMOTE_ENDPOINT: {{ .remoteEndpoint | b64enc }}
+  RDF_REMOTE_USERNAME: {{ .username | quote | b64enc }}
+  RDF_DATASET: {{ .dataset | quote | b64enc }}
+{{ end }}
+{{- end}}

charts/openmetadata/templates/config/search-secret.yaml

@@ -0,0 +1,24 @@
+{{- if .Values.openmetadata.config.elasticsearch.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "OpenMetadata.fullname" . }}-search-secret
+type: Opaque
+data:
+{{- with .Values.openmetadata.config.elasticsearch }}
+  ELASTICSEARCH_HOST: {{ .host | quote | b64enc }}
+  SEARCH_TYPE: {{ .searchType | quote | b64enc }}
+  ELASTICSEARCH_PORT: {{ .port | quote | b64enc }}
+  ELASTICSEARCH_SCHEME: {{ .scheme | quote | b64enc }}
+  ELASTICSEARCH_INDEX_MAPPING_LANG: {{ .searchIndexMappingLanguage | quote| b64enc }}
+  ELASTICSEARCH_KEEP_ALIVE_TIMEOUT_SECS: {{ .keepAliveTimeoutSecs | quote | b64enc }}
+  ELASTICSEARCH_CLUSTER_ALIAS: {{ .clusterAlias | quote | b64enc }}
+  ELASTICSEARCH_PAYLOAD_BYTES_SIZE: {{ .payLoadSize | int | toString | b64enc }}
+  {{- if .trustStore.enabled }}
+  ELASTICSEARCH_TRUST_STORE_PATH: {{ .trustStore.path | b64enc }}
+  {{ end }}
+  {{- if .auth.enabled }}
+  ELASTICSEARCH_USER: {{ .auth.username | quote | b64enc }}
+  {{ end }}
+{{ end }}
+{{ end }}

charts/openmetadata/templates/config/secretsmanager-secret.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.openmetadata.config.secretsManager.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "OpenMetadata.fullname" . }}-secretsmanager-secret
+type: Opaque
+data:
+{{- with .Values.openmetadata.config.secretsManager }}
+  SECRET_MANAGER: {{ .provider | quote | b64enc }}
+  SECRET_MANAGER_PREFIX: {{ .prefix | quote | b64enc }}
+  SECRET_MANAGER_TAGS: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .tags) }}
+  {{- if .additionalParameters.enabled }}
+  OM_SM_REGION: {{ .additionalParameters.region | quote | b64enc }}
+  {{ end }}
+{{ end }}
+{{ end }}

charts/openmetadata/templates/config/web-secret.yaml

@@ -0,0 +1,31 @@
+{{- if .Values.openmetadata.config.web.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "OpenMetadata.fullname" . }}-web-secret
+type: Opaque
+data:
+{{- with .Values.openmetadata.config.web }}
+  WEB_CONF_URI_PATH: {{ .uriPath | quote | b64enc }}
+  WEB_CONF_HSTS_ENABLED: {{ .hsts.enabled | quote | b64enc }}
+  WEB_CONF_HSTS_MAX_AGE: {{ .hsts.maxAge | quote | b64enc }}
+  WEB_CONF_HSTS_INCLUDE_SUBDOMAINS: {{ .hsts.includeSubDomains | quote | b64enc }}
+  WEB_CONF_HSTS_PRELOAD: {{ .hsts.preload | quote | b64enc }}
+  WEB_CONF_FRAME_OPTION_ENABLED: {{ .frameOptions.enabled | quote | b64enc }}
+  WEB_CONF_FRAME_OPTION: {{ .frameOptions.option | quote | b64enc }}
+  WEB_CONF_FRAME_ORIGIN: {{ .frameOptions.origin | quote | b64enc }}
+  WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED: {{ .contentTypeOptions.enabled | quote | b64enc }}
+  WEB_CONF_XSS_PROTECTION_ENABLED: {{ .xssProtection.enabled | quote | b64enc }}
+  WEB_CONF_XSS_PROTECTION_ON: {{ .xssProtection.onXss | quote | b64enc }}
+  WEB_CONF_XSS_PROTECTION_BLOCK: {{ .xssProtection.block | quote | b64enc }}
+  WEB_CONF_XSS_CSP_ENABLED: {{ .csp.enabled | quote | b64enc }}
+  WEB_CONF_XSS_CSP_POLICY: {{ .csp.policy | quote | b64enc }}
+  WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY: {{ .csp.reportOnlyPolicy | quote | b64enc }}
+  WEB_CONF_REFERRER_POLICY_ENABLED: {{ .referrerPolicy.enabled | quote | b64enc }}
+  WEB_CONF_REFERRER_POLICY_OPTION: {{ .referrerPolicy.option | quote | b64enc }}
+  WEB_CONF_PERMISSION_POLICY_ENABLED: {{ .permissionPolicy.enabled | quote | b64enc }}
+  WEB_CONF_PERMISSION_POLICY_OPTION: {{ .permissionPolicy.option | quote | b64enc }}
+  WEB_CONF_CACHE_CONTROL: {{ .cacheControl | quote | b64enc }}
+  WEB_CONF_PRAGMA: {{ .pragma | quote | b64enc }}
+{{ end }}
+{{ end }}

charts/openmetadata/templates/cron-deploy-pipelines.yaml

@@ -19,8 +19,20 @@ spec:
     spec:
       template:
         metadata:
-          {{- with .Values.podAnnotations }}
           annotations:
+            checksum/fernetkey-secret: {{ include (print $.Template.BasePath "/config/fernetkey-secret.yaml") . | sha256sum }}
+            checksum/db-secret: {{ include (print $.Template.BasePath "/config/db-secret.yaml") . | sha256sum }}
+            checksum/search-secret: {{ include (print $.Template.BasePath "/config/search-secret.yaml") . | sha256sum }}
+            checksum/pipeline-secret: {{ include (print $.Template.BasePath "/config/pipeline-secret.yaml") . | sha256sum }}
+            checksum/authorizer-secret: {{ include (print $.Template.BasePath "/config/authorizer-secret.yaml") . | sha256sum }}
+            checksum/omd-secret: {{ include (print $.Template.BasePath "/config/omd-secret.yaml") . | sha256sum }}
+            checksum/secretsmanager-secret: {{ include (print $.Template.BasePath "/config/secretsmanager-secret.yaml") . | sha256sum }}
+            checksum/jwt-secret: {{ include (print $.Template.BasePath "/config/jwt-secret.yaml") . | sha256sum }}
+            checksum/web-secret: {{ include (print $.Template.BasePath "/config/web-secret.yaml") . | sha256sum }}
+            checksum/authentication-secret: {{ include (print $.Template.BasePath "/config/authentication-secret.yaml") . | sha256sum }}
+            checksum/eventmonitor-secret: {{ include (print $.Template.BasePath "/config/eventmonitor-secret.yaml") . | sha256sum }}
+            checksum/config-secret: {{ include (print $.Template.BasePath "/config/config-secret.yaml") . | sha256sum }}
+          {{- with .Values.podAnnotations }}
             {{- toYaml . | nindent 12 }}
           {{- end }}
           labels: