shared-secrets should detect secret existing prior to performing creation work

Summary

In order to further optimize the behaviors of the shared-secrets chart, we should detect if the secret we're about to create already exists before performing the generation work. This is especially true for SSH host keys & registry JWT signing keys.

We should perform 2 checks, possibly as a single step:

  • Does the Secret object exist? Currently checked only after the generation work has been done.
  • Does the Secret contain the key we're supposed to be creating? Not checked at all; if the Secret already exists, the key is ignored entirely (except for railsSecret, see #1683).

Observations:

  • Checking for the key within the secret will suffice to find if the secret exists
  • Updating an existing secret should be performed with kubectl patch (see #1683)
  • If the Secret does not exist, then we can't patch it.
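One way the two checks and the create-vs-patch split could be wired into a shell job, written here as an added example and not the chart's own script. It assumes `kubectl` is on the PATH with rights on the target Secret, that the Secret name and key name are passed in, and that the generator is any command printing the key material to stdout (so multi-line SSH host keys work); the jsonpath query assumes a key name without dots (a dotted key such as `foo.key` would need `\.` escaping).

```shell
#!/bin/sh
# Added example (not from the shared-secrets chart): run generation work only
# when the Secret, or the key inside it, is actually missing.
set -eu

# Prints one of: create (Secret absent), patch (Secret present, key absent),
# skip (key already present). kubectl exits non-zero when the Secret does not
# exist; an existing Secret without the key yields empty jsonpath output.
secret_key_state() {
  name=$1; key=$2
  if ! existing=$(kubectl get secret "$name" -o jsonpath="{.data.$key}" 2>/dev/null); then
    echo create
  elif [ -z "$existing" ]; then
    echo patch
  else
    echo skip
  fi
}

# Usage: ensure_secret_key SECRET_NAME KEY_NAME generator-command [args...]
# The generator runs only in the create/patch cases, never in the skip case.
# Patching an absent Secret fails, so the "create" state uses kubectl create.
ensure_secret_key() {
  name=$1; key=$2; shift 2
  state=$(secret_key_state "$name" "$key")
  case $state in
    skip)
      echo "secret/$name already has key '$key'; skipping generation" >&2
      ;;
    create|patch)
      tmp=$(mktemp)
      "$@" > "$tmp"                       # generation work happens here only
      if [ "$state" = create ]; then
        kubectl create secret generic "$name" --from-file="$key=$tmp"
      else
        # Secret.data holds base64 values; strip newlines for a one-line JSON patch.
        encoded=$(base64 < "$tmp" | tr -d '\n')
        kubectl patch secret "$name" -p "{\"data\":{\"$key\":\"$encoded\"}}"
      fi
      rm -f "$tmp"
      ;;
  esac
}

# Example invocation (hypothetical names): only generates if the key is missing.
# ensure_secret_key gitlab-shell-host-keys ssh_host_rsa_key \
#   sh -c 'ssh-keygen -q -t rsa -N "" -f ./rsa_key >/dev/null && cat ./rsa_key'
```

Because the key check doubles as the existence check (a missing Secret makes `kubectl get` fail), a single `secret_key_state` call covers both questions, and the patch path is never taken against a Secret that does not exist.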

Current behavior

Work is performed, needed or not.

Expected behavior

  • Work is performed only if it is actually needed.
  • Work is non-destructive.

Versions

  • Chart: v2.4.6 / master