shared-secrets should detect secret existing prior to performing creation work
Summary
In order to further optimize the behaviors of the shared-secrets chart, we should detect if the secret we're about to create already exists before performing the generation work. This is especially true for SSH host keys & registry JWT signing keys.
We should perform 2 checks, possibly as a single step:
- Does the Secret object exist? Currently performed after generation work
- Does the Secret contain the key we're supposed to be creating? Not performed. If secret already exists, ignored entirely. (Except for railsSecret #1683)
Observations:
- Checking for the key within the secret will suffice to find if the secret exists
- Updating an existing secret should be performed with kubectl patch (see #1683)
- If the Secret does not exist, then we can't patch it.
Current behavior
Work is performed, needed or not.
Expected behavior
- Work is performed only if it is actually needed.
- Work is non-destructive.
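
A sketch of the two checks combined into one step, with generation deferred until the result is known. This is an added example, not the chart's own script. The function names and the generator-command argument are hypothetical; it assumes kubectl is on the PATH and a kubectl version that supports --patch-file.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names, not the chart's own script).

# Prints present | missing-key | missing-secret; non-zero on API errors.
secret_key_state() {
  local ns="$1" secret="$2" key="$3" found value escaped
  # --ignore-not-found gives empty output and exit 0 when the Secret is
  # absent, so RBAC or network errors are not mistaken for "does not exist".
  found=$(kubectl get secret "$secret" -n "$ns" --ignore-not-found -o name) || return 1
  if [ -z "$found" ]; then echo missing-secret; return 0; fi
  # Dots in key names (e.g. ssh_host_rsa_key.pub) must be escaped for jsonpath.
  escaped=$(printf '%s' "$key" | sed 's/\./\\./g')
  value=$(kubectl get secret "$secret" -n "$ns" -o "jsonpath={.data.$escaped}") || return 1
  if [ -n "$value" ]; then echo present; else echo missing-key; fi
}

# ensure_secret_key NS SECRET KEY GENERATOR [ARGS...]
# GENERATOR writes key material to stdout and runs only when it is needed.
ensure_secret_key() {
  local ns="$1" secret="$2" key="$3" state tmp rc=0
  shift 3
  state=$(secret_key_state "$ns" "$secret" "$key") || return 1
  if [ "$state" = present ]; then return 0; fi  # no generation, no write
  tmp=$(mktemp -d) || return 1
  if "$@" > "$tmp/material"; then
    if [ "$state" = missing-secret ]; then
      kubectl create secret generic "$secret" -n "$ns" \
        --from-file="$key=$tmp/material" || rc=1
    else
      # A merge patch adds this key and leaves the Secret's other keys alone.
      printf '{"data":{"%s":"%s"}}' "$key" \
        "$(base64 < "$tmp/material" | tr -d '\n')" > "$tmp/patch.json"
      kubectl patch secret "$secret" -n "$ns" --type merge \
        --patch-file "$tmp/patch.json" || rc=1
    fi
  else
    rc=1
  fi
  rm -rf "$tmp"   # key material never outlives the call on disk
  return "$rc"
}
```

An API error stops the run before anything is generated or written, so a transient failure cannot lead to an existing key being replaced.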
Versions
- Chart: v2.4.6/master