Merge pull request #19763 from jakesmith/HPCC-33834-backgroud-vault-update

ghalliday · web-flow · commit 2ebac5ace7b3 · 2025-04-23T11:45:00.000+01:00
HPCC-33834 Allow vaults to be updated without k8s restarts

Reviewed-by: Gavin Halliday &lt;ghalliday@hpccsystems.com&gt;
Merged-by: Gavin Halliday &lt;ghalliday@hpccsystems.com&gt;
diff --git a/helm/hpcc/templates/_helpers.tpl b/helm/hpcc/templates/_helpers.tpl
@@ -2623,7 +2623,7 @@ globalExcludeList below is a hard-coded list of global keys to exclude.
 
 */}}
 {{- define "hpcc.getConfigSHA" }}
-{{- $globalExcludeList := list "~.*::replicas" -}}
+{{- $globalExcludeList := list "~.*::replicas" "~.*::vaults" -}}
 {{- $globalExcludeSectionRegexList := list ".*-job.yaml$" -}}
 {{- $componentExcludeList := ternary (splitList "," (.excludeKeys | default "")) list (hasKey . "excludeKeys") -}}
 {{- $combinedExcludeKeyList := concat $globalExcludeList $componentExcludeList -}}
diff --git a/system/jlib/jsecrets.cpp b/system/jlib/jsecrets.cpp
@@ -1079,12 +1079,24 @@ class CVaultManager : public CInterfaceOf<IVaultManager>
     }
 };
 
-IVaultManager *ensureVaultManager()
+static CConfigUpdateHook vaultManagerUpdateHook;
+static void vaultManagerConfigUpdate(const IPropertyTree *oldComponentConfiguration, const IPropertyTree *oldGlobalConfiguration)
+{
+    Owned<IVaultManager> newVaultManager = new CVaultManager();
+    {
+        CriticalBlock block(secretCS);
+        vaultManager.swap(newVaultManager);
+    }
+}
+IVaultManager *getVaultManager()
 {
     CriticalBlock block(secretCS);
     if (!vaultManager)
+    {
         vaultManager.setown(new CVaultManager());
-    return vaultManager;
+        vaultManagerUpdateHook.installOnce(vaultManagerConfigUpdate, false);
+    }
+    return LINK(vaultManager);
 }
 
 //---------------------------------------------------------------------------------------------------------------------
@@ -1162,7 +1174,7 @@ static IPropertyTree *resolveVaultSecret(const char *category, const char * name
 {
     CVaultKind kind;
     StringBuffer json;
-    IVaultManager *vaultmgr = ensureVaultManager();
+    Owned<IVaultManager> vaultmgr = getVaultManager();
     if (isEmptyString(vaultId))
     {
         if (!vaultmgr->requestSecretByCategory(category, kind, json, name, version))
