Add checksums to all helmreleases

Micah Nagel requested to merge checksums-for-hrs into master

General MR

Summary

Adds a checksum/bigbang-values annotation to each helmrelease which contains the sha256sum of the values secret. There are 2 unique cases:

  • packages helmreleases: Cannot use the full file as the checksum because it contains secrets for all packages, so instead we make a checksum based on the JSON for the <pkg>.values
  • wrapper helmreleases: Not sure of the best way to handle this one - without significant templating added it will likely trigger changes in the annotation more often than necessary. The usage of the full file is not possible for a similar reason to ^ but in this case the secret construction is far more complicated and pulls from values across Big Bang. The simple approach taken in this MR simply adds a checksum based on the package specific wrapper values (i.e. networkPolicies, monitoring, istio, etc), but does not capture any of the BB state which might affect some wrapper pieces. These could be added if desired, but it will begin to duplicate the template for the full secret which is quite long and would be brittle if anything changed.

Also includes two other changes:

  • Adds the wrapper.enabled key under the sample package for reference
  • Omits additional values from the wrapper secret for consistency (not used by wrapper, not necessary to pass down)

Closes #1443 (closed)
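
The per-package checksum described in the summary, modeled in Python as an added example (not code from this MR or from Big Bang). The package names and values are constructed, and the function names are hypothetical; it shows why a digest over the whole values file would change the annotation on every HelmRelease, while a digest over the JSON of `<pkg>.values` changes only the affected one.

```python
import copy
import hashlib
import json

# Constructed sample values; package names and keys are illustrative only.
VALUES = {
    "podinfo": {"values": {"replicaCount": 1, "ui": {"color": "#34577c"}}},
    "grafana": {"values": {"adminPassword": "constructed-secret"}},
}


def canonical_sha256(obj):
    """sha256 hex digest of a deterministic JSON encoding (sorted keys)."""
    encoded = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(encoded.encode("utf-8")).hexdigest()


def package_checksums(values):
    """Value for a checksum/bigbang-values annotation, per package."""
    return {
        pkg: canonical_sha256(cfg.get("values", {}))
        for pkg, cfg in values.items()
    }


def changed_packages(before, after):
    """Packages whose annotation differs between two sets of values."""
    old, new = package_checksums(before), package_checksums(after)
    return sorted(pkg for pkg in new if old.get(pkg) != new[pkg])


def demo():
    # Rotate one package's secret value and compare both strategies.
    rotated = copy.deepcopy(VALUES)
    rotated["grafana"]["values"]["adminPassword"] = "constructed-secret-2"
    return {
        "whole_file_changed": canonical_sha256(VALUES) != canonical_sha256(rotated),
        "per_package_changed": changed_packages(VALUES, rotated),
    }


if __name__ == "__main__":
    print(demo())
```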
