I'm developing a Kubernetes controller using Go, and I'm facing an issue with how it handles tokens stored in environment variables. The main problem is that it doesn't notice updates to the Secrets, which means it keeps using outdated values. I've heard about Reloader but I'd prefer that my controller manages reloads on its own without depending on external tools. Here are a few solutions I've considered:
1. Mount the Secret as files and use inotify to trigger a reload when those files change.
2. Mount the Secret as files but avoid caching their values in memory, reading directly from the files whenever needed.
3. Use a Secret reference (secretRef) and have the controller monitor the Secret through the Kubernetes API, although this option requires the controller to have read permissions on Secrets.
What do you think is the best approach for this? And by the way, is there a better place to ask questions like this?
6 Answers
In my opinion, Option 2 seems like the best way to handle this situation.
It really depends on your scale! How often do those tokens change, and how frequently are they accessed? Instead of polling the Kubernetes API each time, maybe you could fetch the token on failure and implement a retry mechanism? Keeping it simple might steer you toward inotify, but that does involve some file system overhead. Caching in memory might be a good compromise until you need a refresh!
Option 2 could work well. If you're worried about the performance of repeatedly reading the file, consider caching the file in memory for short periods to minimize overhead.
I'm all for Option 3 since it feels more native to how controllers are supposed to operate.
You can definitely give read permissions to specific Secrets instead of all of them. Watching the Secret object and reloading on changes sounds like a solid approach to me! It's practically the same as mounting, but you get to manage it natively within your controller.
Going with Option 3 might be the best call for real-time updates. Remember that it can take a moment for Secrets to show up in files that are mounted, but pulling them from the API feels more integrated for a controller.
