K
Q

Reload Kubernetes deployment to fetch new secret without downtime

8/14/2019

In Kubernetes I have a Deployment that uses a secret and injects them as environment variables:

apiVersion: apps/v1
kind: Deployment
...
envFrom:
  - secretRef:
    name: api-env

I need to update some of the environment variables, so I deleted the secret api-env and created it again with the updated values.

How do I trigger the deployment to update itself with the new env secrets without any downtime?

-- Justin
deployment
kubernetes

Similar Questions

Match Istio Virtual Services routes for different paths on same port
Istio Virtual Service: only allow certain api's to be accessed by a list of Ip addresses
Kubernetes Cluster Resource Recovery
How to issue letsencrypt certificate for k8s (AKS) using terraform resources?
Dynamically configure alertmanager routes with kubernetes labels?
Dapr Sub/Pub & Kubernetes : How to scale a pod where each subscriber-pod receives a message

1 Answer

8/14/2019

I see a few alternatives, in order of viability:

  1. For k8s' versions >v1.15: kubectl rollout restart deployment $deploymentname: this will restart pods incrementally without causing downtime.

  2. For older versions: Updating the deployment template will trigger a rollout. From this issue: kubectl patch deployment mydeployment -p '{"spec":{"template":{"spec":{"containers":[{"name":"mycontainer","env":[{"name":"RESTART_","value":"'$(date +%s)'"}]}]}}}}'

  3. Mount secrets on volumes instead of as environment variables, as Mounted Secrets are updated automatically

  4. One approach is to consider the Secret/Configmap as immutable and when creating a new one changing the deployment to point to it.

  5. Program your application to watch for changes in the Secrets API.
-- victortv
Source: StackOverflow