fix: add image.repository validation and secret checksum annotation (red-hat-data-services#31, red-hat-data-services#51)

tarun-etikala · claude · tarun-etikala · commit 8277620445ff · 2026-04-16T11:53:45.000-04:00
- Fail fast with a clear error when image.repository is empty instead
  of rendering an invalid ":latest" image reference
- Add checksum/secret annotation to pod template so pods auto-restart
  when secret values change (e.g. API_KEY rotation via make deploy)

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/charts/agent/templates/deployment.yaml b/charts/agent/templates/deployment.yaml
@@ -11,14 +11,16 @@ spec:
       {{- include "agent.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      annotations:
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
       labels:
         {{- include "agent.selectorLabels" . | nindent 8 }}
     spec:
       securityContext:
         runAsNonRoot: true
       containers:
         - name: {{ include "agent.name" . }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          image: "{{ required "image.repository is required — set CONTAINER_IMAGE in .env" .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           securityContext:
             allowPrivilegeEscalation: false
