Merge "fix(keystone): ensure fernet and credential keys are not deleted"

2025-09-04 16:25:19 +00:00
parent f17a395da5 a396e01985
commit 64dfa3fe45
3 changed files with 11 additions and 0 deletions
--- a/keystone/templates/secret-credential-keys.yaml
+++ b/keystone/templates/secret-credential-keys.yaml
@@ -22,6 +22,7 @@ metadata:
 {{- if .Values.helm3_hook }}
  annotations:
    "helm.sh/hook": pre-install
+    "helm.sh/resource-policy": keep
 {{- end }}
 type: Opaque
 data:
--- a/keystone/templates/secret-fernet-keys.yaml
+++ b/keystone/templates/secret-fernet-keys.yaml
@@ -23,6 +23,7 @@ metadata:
 {{- if .Values.helm3_hook }}
  annotations:
    "helm.sh/hook": pre-install
+    "helm.sh/resource-policy": keep
 {{- end }}
 type: Opaque
 data:
--- a/releasenotes/notes/keystone-56908951efdcc19e.yaml
+++ b/releasenotes/notes/keystone-56908951efdcc19e.yaml
@@ -0,0 +1,9 @@
+---
+keystone:
+  - |
+    Annotate credential and fernet keys secrets with the Helm keep policy.
+    While helm does not clean up hook resources today, their documentation
+    says that it is coming and users should annotate resources they do not
+    expect to be deleted appropriately. Some GitOps tools like ArgoCD
+    implement the cleanup today as part of their Helm support.
+...