Clarify and enhance secret rotation in Seismic DMS
- Add more secrets that are cached on SDMS startup -> require app restart if updated
- Do not mount the secrets that aren't used. All pods will be restarted anyway.
What secrets are cached on SDMS startup
Here's the full list in SDMS API: https://community.opengroup.org/osdu/platform/domain-data-mgmt-services/seismic/seismic-dms-suite/seismic-store-service/-/blob/master/app/sdms/src/cloud/providers/azure/keyvault.ts?ref_type=heads#L46
Why the pods will restart even if no secrets are mounted
From the Stakater docs:
secret.reloader.stakater.com/reload or configmap.reloader.stakater.com/reload annotation will reload the pod upon changes in specified configmap or secret, irrespective of the usage of configmap or secret.
Also, after manually changing the secret in the Key Vault, we can see seismic-file-metadata restarts, even though there are no secrets mounted on this service:
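
Added example (not part of this merge request or the SDMS code base): a small audit that compares the Secrets named in the Reloader annotation quoted above with the Secrets a Deployment's pod template actually consumes, so the restart effect of a rotation is visible before the Key Vault value changes. The manifest is constructed; the Secret name `example-kv-secrets` and the image are placeholders.

```python
# Added example: compare the Secrets that Reloader watches for a workload
# with the Secrets its pod template actually consumes.
RELOAD_ANNOTATION = "secret.reloader.stakater.com/reload"  # from the Reloader docs

def reload_secrets(deployment):
    """Secret names listed (comma-separated) in the Reloader annotation."""
    annotations = deployment.get("metadata", {}).get("annotations") or {}
    raw = annotations.get(RELOAD_ANNOTATION, "")
    return {name.strip() for name in raw.split(",") if name.strip()}

def consumed_secrets(deployment):
    """Secret names mounted as volumes or read through env / envFrom.
    Projected volumes are not inspected in this example."""
    pod = deployment.get("spec", {}).get("template", {}).get("spec", {})
    used = {v["secret"]["secretName"] for v in pod.get("volumes", []) if "secret" in v}
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        for env in c.get("env", []):
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if ref:
                used.add(ref["name"])
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                used.add(src["secretRef"]["name"])
    return used

def rotation_impact(deployment):
    """Classify Secrets by what rotating them does to this workload."""
    watched, used = reload_secrets(deployment), consumed_secrets(deployment)
    return {
        "restart_without_use": sorted(watched - used),  # restarts, consumes nothing
        "restart_and_use": sorted(watched & used),
        "use_without_restart": sorted(used - watched),  # no automatic restart on rotation
    }

# Constructed manifest: the service name is from the page, the Secret name
# and image are placeholders. No volumes and no env references to Secrets.
SAMPLE = {
    "kind": "Deployment",
    "metadata": {
        "name": "seismic-file-metadata",
        "annotations": {RELOAD_ANNOTATION: "example-kv-secrets"},
    },
    "spec": {"template": {"spec": {
        "containers": [{"name": "app", "image": "example/image:tag"}],
    }}},
}

if __name__ == "__main__":
    print(rotation_impact(SAMPLE))
```

Secrets reported under `use_without_restart` are the ones where a rotation needs a manual restart for values the application caches at startup.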