Reload Kubernetes deployment to fetch new secret without downtime

8/14/2019

In Kubernetes I have a Deployment that uses a secret and injects its values as environment variables:

apiVersion: apps/v1
kind: Deployment
...
envFrom:
  - secretRef:
      name: api-env

I need to update some of the environment variables, so I deleted the secret api-env and created it again with the updated values.

How do I trigger the deployment to update itself with the new env secrets without any downtime?

-- Justin
deployment
kubernetes

1 Answer

8/14/2019

I see a few alternatives, in order of viability:

  1. For k8s' versions >v1.15: kubectl rollout restart deployment $deploymentname: this will restart pods incrementally without causing downtime.

  2. For older versions: updating the deployment template will trigger a rollout. From this issue: kubectl patch deployment mydeployment -p '{"spec":{"template":{"spec":{"containers":[{"name":"mycontainer","env":[{"name":"RESTART_","value":"'$(date +%s)'"}]}]}}}}'

  3. Mount secrets on volumes instead of as environment variables, as mounted Secrets are updated automatically.

  4. One approach is to consider the Secret/ConfigMap as immutable and, when creating a new one, change the deployment to point to it.

  5. Program your application to watch for changes in the Secrets API.
-- victortv
Source: StackOverflow
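The following is an added example, not code from the question or the answer above. It shows options 2 and 4 of the answer in a repeatable form: instead of a timestamp, the pod template gets an annotation carrying a hash of the Secret's content, so re-running the script against an unchanged Secret yields an identical patch and no needless rollout, while any change to a value triggers a rolling update under the Deployment's normal maxSurge/maxUnavailable limits. It also derives a content-addressed, immutable copy of the Secret for the "treat the Secret as immutable and repoint the Deployment" approach. The Secret name api-env comes from the question; the container name api, the annotation key checksum/api-env and the sample Secret data are assumptions constructed for the example. The JSON it prints is meant to be fed to kubectl patch deployment <name> -p "$(python3 rollout_patch.py)".

```python
"""Generate Deployment patches that roll pods when a Secret's content changes.

Added example (not from the original question or answer). The Secret name
api-env is taken from the question; the container name "api", the annotation
key "checksum/api-env" and SAMPLE_SECRET below are constructed assumptions.
"""
import base64
import hashlib
import json


def secret_digest(secret):
    """SHA-256 over the Secret's decoded data, key-sorted so that key order
    in the manifest does not change the result."""
    data = secret.get("data") or {}
    h = hashlib.sha256()
    for key in sorted(data):
        h.update(key.encode())
        h.update(b"\0")
        h.update(base64.b64decode(data[key]))
        h.update(b"\0")
    return h.hexdigest()


def rollout_patch(secret, annotation="checksum/api-env"):
    """Strategic-merge patch for `kubectl patch deployment ... -p`.

    A changed pod-template annotation is a template change, so the Deployment
    controller performs a rolling update; an unchanged Secret produces the same
    annotation value and therefore no new ReplicaSet."""
    return {"spec": {"template": {"metadata": {
        "annotations": {annotation: secret_digest(secret)}}}}}


def versioned_secret(secret, hash_len=8):
    """Copy of the Secret under a content-addressed name (option 4).

    Create this object, then repoint the Deployment at it with
    secret_ref_patch(); old pods keep reading the old Secret until they are
    replaced, so there is no window with missing variables."""
    new = json.loads(json.dumps(secret))  # deep copy via JSON round-trip
    new["metadata"]["name"] = f'{secret["metadata"]["name"]}-{secret_digest(secret)[:hash_len]}'
    new["metadata"].pop("resourceVersion", None)
    new["metadata"].pop("uid", None)
    new["immutable"] = True  # Secret.immutable: the API server rejects later edits
    return new


def secret_ref_patch(container_name, secret_name):
    """Patch that swaps one container's envFrom to the versioned Secret.

    Containers merge by name under strategic merge patch, but envFrom has no
    merge key, so the list given here replaces the container's whole envFrom."""
    return {"spec": {"template": {"spec": {"containers": [
        {"name": container_name,
         "envFrom": [{"secretRef": {"name": secret_name}}]}]}}}}


# Constructed sample, shaped like `kubectl get secret api-env -o json` output.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {"name": "api-env", "namespace": "default"},
    "data": {
        "API_KEY": base64.b64encode(b"old-key").decode(),
        "DB_URL": base64.b64encode(b"postgres://db:5432/app").decode(),
    },
}

if __name__ == "__main__":
    # Option 2 (hash-based): print the patch for kubectl to apply.
    print(json.dumps(rollout_patch(SAMPLE_SECRET)))
```

Because the annotation is derived from the decoded values, a secret rotation that keeps the same keys still changes the digest, and a re-applied identical Secret does not. The versioned-Secret path additionally lets a rollback (kubectl rollout undo) land on a ReplicaSet whose template still references the previous Secret, which the delete-and-recreate approach in the question cannot offer.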