Automatically reload secret #68

Merged
jessebot merged 8 commits into main from automatically-reload-secret
Aug 16, 2025

@jessebot jessebot commented Aug 16, 2025

We have rearranged things a bit to suit a more updateable approach. We've added the kiwigrid/k8s-sidecar docker image as a sidecar to update the Secret every 10 seconds by default.

Adds a new method to the docker container main.py called reload_secret_vars to reload the secret every time someone requests parameters. You can now also configure what file the docker container checks for changes with the SECRET_VARS_FILE env var.

New Helm Parameters

secretVars:
  # -- name of an existing secret to use for the secret keys to provide to
  # applicationSets via the plugin generator
  existingSecret: "my-secret"
  # key in existingSecret to use as the file name for the
  # appset-env-generator-plugin container to load
  secretKey: secret_vars.yaml

# configReloader sidecar that automatically loads in changes to your Secret
configReloader:
  image:
    # -- registry and repo for the configreloader image
    repository: quay.io/kiwigrid/k8s-sidecar
    # -- tag to point at for k8s-sidecar
    tag: 1.30.3
    # -- image pullPolicy for the main container
    pullPolicy: IfNotPresent

  # -- the label to check for on the Secret (secretVars.existingSecret)
  label: "argocd-appset-secret-plugin"
  # -- the label value to check for on the Secret (secretVars.existingSecret)
  labelValue: "1"
  # -- interval to wait before retrying a check for changes (in seconds)
  interval: 10
  # -- full path on container to put secret file
  folder: "/var/run/secret-plugin"

Updated example Secret

apiVersion: v1
kind: Secret
metadata:
  # configurable with secretVars.existingSecret helm parameter
  name: argocd-secret-vars
  # this needs to be wherever argocd is running
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
    # can be configured to use a different label and value by setting
    # configReloader.label and configReloader.labelValue helm parameters
    # (label values must be strings, so the value is quoted)
    argocd-appset-secret-plugin: "1"
type: Opaque
stringData:
  # configurable with secretVars.secretKey helm parameter
  secret_vars.yaml: |
    app_name: "beepboop"

@jessebot jessebot requested a review from cloudymax August 16, 2025 15:17
@jessebot jessebot self-assigned this Aug 16, 2025
@jessebot jessebot added the enhancement New feature or request label Aug 16, 2025
@jessebot jessebot merged commit 7c40325 into main Aug 16, 2025
2 of 3 checks passed
@jessebot jessebot deleted the automatically-reload-secret branch August 16, 2025 15:37
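A sketch of the reload-on-request behaviour described in the PR, as an added example and not the project's own main.py: it re-reads the file named by SECRET_VARS_FILE only when it has changed and keeps the last good values if the sidecar's file is missing or malformed. The `SecretVars` class, `parse_flat_vars` (a stand-in for a real YAML parser) and the default path are assumptions; only `reload_secret_vars` and `SECRET_VARS_FILE` are names from the PR.

```python
import os

# Assumed default: configReloader.folder joined with secretVars.secretKey.
DEFAULT_FILE = "/var/run/secret-plugin/secret_vars.yaml"


def parse_flat_vars(text):
    """Stand-in parser for a flat `key: "value"` mapping (not full YAML)."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError("unparseable line")  # never echo it: may hold a secret
        result[key.strip()] = value.strip().strip("\"'")
    return result


class SecretVars:
    """Hypothetical holder that re-checks the mounted file on each request."""
    def __init__(self, path=None):
        self.path = path or os.environ.get("SECRET_VARS_FILE", DEFAULT_FILE)
        self.values = {}
        self._stamp = None  # (mtime_ns, size) of the last successful load

    def reload_secret_vars(self):
        try:
            st = os.stat(self.path)
            stamp = (st.st_mtime_ns, st.st_size)
            if stamp != self._stamp:
                with open(self.path, encoding="utf-8") as fh:
                    parsed = parse_flat_vars(fh.read())
                self.values, self._stamp = parsed, stamp
        except (OSError, ValueError):
            # Missing or half-written file: keep the last good values rather
            # than handing ApplicationSets an empty mapping.
            pass
        return self.values


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed sample file
        path = os.path.join(d, "secret_vars.yaml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write('app_name: "beepboop"\n')
        print(sorted(SecretVars(path).reload_secret_vars()))  # keys only
```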