Merge pull request #38 from phasehq/feat--use-daemons-for-operator-sync

feat: use daemons for operator sync

Author: nimish-ks

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.11-alpine
+FROM python:3.12.1-alpine3.19
 
 # Set the working directory in the container
 WORKDIR /app

cr-template.yaml

@@ -8,6 +8,7 @@ spec:
   phaseAppEnv: "production" # OPTIONAL The Phase application environment to fetch secrets from
   phaseAppEnvPath: "/" # OPTIONAL Path within the Phase application environment to fetch secrets from
   phaseHost: "https://console.phase.dev" # OPTIONAL - URL of a Phase Console instance
+  pollingInterval: 5 # OPTIONAL - Interval in seconds to poll for secret updates. Default is 60 seconds.
   authentication:
     serviceToken:
       serviceTokenSecretReference:

crd-template.yaml

@@ -126,6 +126,7 @@ spec:
                   description: Interval at which to poll for secret updates.
                   type: integer
                   default: 60
+                  minimum: 5
               required:
                 - phaseApp
                 - managedSecretReferences
@@ -157,7 +158,6 @@ spec:
                       observedGeneration:
                         description: Generation that the condition was set based upon.
                         type: integer
-                        format: int64
                         minimum: 0
                       reason:
                         description: Programmatic identifier for the reason of the condition's last transition.

helm-repo/index.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 entries:
   phase:
   - apiVersion: v2
-    created: "2025-09-27T18:45:20.618693+05:30"
+    created: "2026-01-12T19:28:48.14049+05:30"
     description: A Helm chart for deploying the Phase Secrets Manager
     digest: cdd437fc2cce88e078da782dd69b18eb2ddc22fe380df1ca72c767f550cecd6d
     home: https://github.com/phasehq/kubernetes-secrets-operator
@@ -18,50 +18,34 @@ entries:
     - https://github.com/phasehq/console
     type: application
     urls:
-    - https://helm.phase.dev/phase-0.4.2.tgz
+    - phase-0.4.2.tgz
     version: 0.4.2
+  phase-kubernetes-operator:
   - apiVersion: v2
-    created: "2025-09-27T18:45:20.618273+05:30"
-    description: A Helm chart for deploying the Phase Secrets Manager
-    digest: 45321c29e26c00c8c052cc5cfeeca7b383caa0958fa97415ed81e3d2817c011b
-    home: https://github.com/phasehq/kubernetes-secrets-operator
-    icon: https://phase.dev/apple-touch-icon.png
-    keywords:
-    - phase
-    - deployment
-    maintainers:
-    - email: nimish@phase.dev
-      name: Nimish
-    name: phase
-    sources:
-    - https://github.com/phasehq/console
-    type: application
-    urls:
-    - https://helm.phase.dev/phase-0.4.1.tgz
-    version: 0.4.1
-  - apiVersion: v2
-    created: "2025-09-24T20:12:36.640449+05:30"
-    description: A Helm chart for deploying the Phase Secrets Manager
-    digest: e7c0c633fe75fef2c20c4499e740cf6c940e0437c0b30101e09930f58d54a8a9
+    appVersion: 1.4.0
+    created: "2026-01-12T19:28:48.140947+05:30"
+    description: A Helm chart for deploying the Phase Kubernetes Operator
+    digest: c63fff0a875204cdb096952570f1e045fced435c7e13d03be06209bf40032e66
     home: https://github.com/phasehq/kubernetes-secrets-operator
     icon: https://phase.dev/apple-touch-icon.png
     keywords:
     - phase
-    - deployment
+    - kubernetes
+    - operator
+    - secrets
     maintainers:
-    - email: nimish@phase.dev
-      name: Nimish
-    name: phase
+    - email: info@phase.dev
+      name: Phase Security Inc.
+    name: phase-kubernetes-operator
     sources:
-    - https://github.com/phasehq/console
+    - https://github.com/phasehq/kubernetes-secrets-operator
     type: application
     urls:
-    - phase-0.4.0.tgz
-    version: 0.4.0
-  phase-kubernetes-operator:
+    - phase-kubernetes-operator-1.4.0.tgz
+    version: 1.4.0
   - apiVersion: v2
     appVersion: 1.3.0
-    created: "2025-09-27T18:45:20.619088+05:30"
+    created: "2026-01-12T19:28:48.140716+05:30"
     description: A Helm chart for deploying the Phase Kubernetes Operator
     digest: ac562ccaea71b4ae9bdefeeef9b3660f092b998d673ca96f7f557d05aff93895
     home: https://github.com/phasehq/kubernetes-secrets-operator
@@ -79,6 +63,6 @@ entries:
     - https://github.com/phasehq/kubernetes-secrets-operator
     type: application
     urls:
-    - https://helm.phase.dev/phase-kubernetes-operator-1.3.0.tgz
+    - phase-kubernetes-operator-1.3.0.tgz
     version: 1.3.0
-generated: "2025-09-27T18:45:20.617165+05:30"
+generated: "2026-01-12T19:28:48.139841+05:30"

helm-repo/phase-kubernetes-operator-1.4.0.tgz

@@ -5,10 +5,10 @@ description: A Helm chart for deploying the Phase Kubernetes Operator
 type: application
 
 # Version of the chart
-version: 1.3.0
+version: 1.4.0
 
 # Version of the application (operator) that is being deployed
-appVersion: "1.3.0"
+appVersion: "1.4.0"
 
 # Keywords, maintainers, and source URLs can also be added here
 keywords:

phase-kubernetes-operator/Chart.yaml

@@ -126,6 +126,7 @@ spec:
                   description: Interval at which to poll for secret updates.
                   type: integer
                   default: 60
+                  minimum: 5
               required:
                 - phaseApp
                 - managedSecretReferences
@@ -157,7 +158,6 @@ spec:
                       observedGeneration:
                         description: Generation that the condition was set based upon.
                         type: integer
-                        format: int64
                         minimum: 0
                       reason:
                         description: Programmatic identifier for the reason of the condition's last transition.

phase-kubernetes-operator/crds/crd-template.yaml

@@ -1,4 +1,3 @@
-import sys
 import logging
 from utils.phase_io import Phase
 from utils.secret_referencing import resolve_all_secrets
@@ -32,14 +31,14 @@ def phase_secrets_fetch(phase_service_token=None, phase_service_host=None, env_n
 
             except ValueError as e:
                 logger.error(f"Failed to fetch secrets: {e}")
-                sys.exit(1)
+                raise
 
         # Create a dictionary with keys and resolved values outside the loop
         all_secrets_dict = {secret["key"]: secret["value"] for secret in resolved_secrets}
 
     except Exception as e:
         logger.error(f"Failed to fetch secrets: {e}")
-        sys.exit(1)
+        raise
 
     # Return secrets as a dictionary, ensure this is outside the try-except block
     return all_secrets_dict

src/cmd/secrets/fetch.py

@@ -12,8 +12,23 @@
 from utils.misc import phase_get_context
 from dateutil import parser
 
-@kopf.timer('secrets.phase.dev', 'v1alpha1', 'phasesecrets', interval=60)
-def phase_secret_sync(spec, name, namespace, logger, uid, **kwargs):
+@kopf.daemon('secrets.phase.dev', 'v1alpha1', 'phasesecrets')
+def phase_secret_sync(spec, name, namespace, logger, uid, stopped, **kwargs):
+    while not stopped:
+        polling_interval = max(spec.get('pollingInterval', 60), 5)
+        
+        try:
+            _phase_sync_secrets(spec, name, namespace, logger, uid, **kwargs)
+        except Exception as e:
+            logger.error(
+                f"Unexpected error in daemon while syncing PhaseSecret {name} in namespace {namespace}: {e}"
+            )
+        
+        # Wait for the next poll
+        if stopped.wait(polling_interval):
+            break
+
+def _phase_sync_secrets(spec, name, namespace, logger, uid, **kwargs):
     try:
         api_instance = CoreV1Api()
         managed_secret_references = spec.get('managedSecretReferences', [])

src/main.py

@@ -1,6 +1,6 @@
 import os
 import re
-__version__ = "1.3.0"
+__version__ = "1.4.0"
 __ph_version__ = "v1"
 
 description = "Securely manage application secrets and environment variables with Phase."