fix(keystone): ensure fernet and credential keys are not deleted

Ensure that we do not delete credentials and fernet keys when deploying an upgrade of the chart. Change-Id: I89f5e2fa5f3e1a436ea747a0ab1472159f637e90 Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
2025-09-02 16:49:02 -05:00
parent 937ad1c58a
commit a396e01985
3 changed files with 11 additions and 0 deletions
--- a/keystone/templates/secret-credential-keys.yaml
+++ b/keystone/templates/secret-credential-keys.yaml
@@ -22,6 +22,7 @@ metadata:
 {{- if .Values.helm3_hook }}
  annotations:
    "helm.sh/hook": pre-install
+    "helm.sh/resource-policy": keep
 {{- end }}
 type: Opaque
 data:
--- a/keystone/templates/secret-fernet-keys.yaml
+++ b/keystone/templates/secret-fernet-keys.yaml
@@ -23,6 +23,7 @@ metadata:
 {{- if .Values.helm3_hook }}
  annotations:
    "helm.sh/hook": pre-install
+    "helm.sh/resource-policy": keep
 {{- end }}
 type: Opaque
 data:
--- a/releasenotes/notes/keystone-56908951efdcc19e.yaml
+++ b/releasenotes/notes/keystone-56908951efdcc19e.yaml
@@ -0,0 +1,9 @@
+---
+keystone:
+  - |
+    Annotate credential and fernet keys secrets with the Helm keep policy.
+    While helm does not clean up hook resources today, their documentation
+    says that it is coming and users should annotate resources they do not
+    expect to be deleted appropriately. Some GitOps tools like ArgoCD
+    implement the cleanup today as part of their Helm support.
+...