From a396e019853e41c42588c82400839c69e368f79c Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Tue, 2 Sep 2025 16:49:02 -0500 Subject: [PATCH] fix(keystone): ensure fernet and credential keys are not deleted Ensure that we do not delete credentials and fernet keys when deploying an upgrade of the chart. Change-Id: I89f5e2fa5f3e1a436ea747a0ab1472159f637e90 Signed-off-by: Doug Goldstein --- keystone/templates/secret-credential-keys.yaml | 1 + keystone/templates/secret-fernet-keys.yaml | 1 + releasenotes/notes/keystone-56908951efdcc19e.yaml | 9 +++++++++ 3 files changed, 11 insertions(+) create mode 100644 releasenotes/notes/keystone-56908951efdcc19e.yaml diff --git a/keystone/templates/secret-credential-keys.yaml b/keystone/templates/secret-credential-keys.yaml index 8a2c5eb5b3..302f31dad3 100644 --- a/keystone/templates/secret-credential-keys.yaml +++ b/keystone/templates/secret-credential-keys.yaml @@ -22,6 +22,7 @@ metadata: {{- if .Values.helm3_hook }} annotations: "helm.sh/hook": pre-install + "helm.sh/resource-policy": keep {{- end }} type: Opaque data: diff --git a/keystone/templates/secret-fernet-keys.yaml b/keystone/templates/secret-fernet-keys.yaml index 8af0973098..603964ae1b 100644 --- a/keystone/templates/secret-fernet-keys.yaml +++ b/keystone/templates/secret-fernet-keys.yaml @@ -23,6 +23,7 @@ metadata: {{- if .Values.helm3_hook }} annotations: "helm.sh/hook": pre-install + "helm.sh/resource-policy": keep {{- end }} type: Opaque data: diff --git a/releasenotes/notes/keystone-56908951efdcc19e.yaml b/releasenotes/notes/keystone-56908951efdcc19e.yaml new file mode 100644 index 0000000000..a20b77fa71 --- /dev/null +++ b/releasenotes/notes/keystone-56908951efdcc19e.yaml @@ -0,0 +1,9 @@ +--- +keystone: + - | + Annotate credential and fernet keys secrets with the Helm keep policy. + While helm does not clean up hook resources today, their documentation + says that it is coming and users should annotate resources they do not + expect to be deleted appropriately. Some GitOps tools like ArgoCD + implement the cleanup today as part of their Helm support. +...