villebro opened a new pull request, #51:
URL: https://github.com/apache/superset-kubernetes-operator/pull/51
## Summary
Adds a new "rotate" lifecycle task that runs `superset re-encrypt-secrets`
between migrate and init, enabling automated secret key rotation. The task
re-encrypts all stored secrets from the old key to the new key.
- New top-level fields `previousSecretKey` (dev) / `previousSecretKeyFrom`
(prod) on the parent CRD, with CEL validation for environment mode and mutual
exclusivity
- `PREVIOUS_SECRET_KEY` rendered in `superset_config.py` and injected as an
env var for all Python components (fallback decryption during transition)
- Presence-based enablement via `spec.lifecycle.rotate: {}` (like clone)
- Checksum-based trigger: re-runs when `secretKeyFrom` /
`previousSecretKeyFrom` references change, or when the `trigger` field is bumped
(for in-place Secret content updates)
- Default `requiresDrain: true` — after re-encryption, stored secrets use
the new key and running components with the old key would fail to decrypt
- Pipeline sequence: clone → migrate → **rotate** → init, with full checksum
cascade
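An illustrative model of the checksum-based trigger and cascade described in the pull request above, added here as an example; it is not the operator's code. The type and function names, the hash construction, the way the upstream checksum is chained, and the sample Secret names are all assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SecretRef is a hypothetical Secret name/key reference (shape assumed).
type SecretRef struct{ Name, Key string }

// RotateInputs models the inputs the PR says drive the rotate trigger.
type RotateInputs struct {
	SecretKeyFrom, PreviousSecretKeyFrom SecretRef
	Trigger                              string
}

// checksum hashes length-prefixed parts so ("ab","c") and ("a","bc") differ.
func checksum(parts ...string) string {
	h := sha256.New()
	for _, p := range parts {
		fmt.Fprintf(h, "%d:%s;", len(p), p)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// RotateChecksum chains upstream and hashes refs + trigger, never Secret data (assumed).
func RotateChecksum(upstream string, in RotateInputs) string {
	return checksum(upstream, in.SecretKeyFrom.Name, in.SecretKeyFrom.Key,
		in.PreviousSecretKeyFrom.Name, in.PreviousSecretKeyFrom.Key, in.Trigger)
}

// InitChecksum chains rotate's checksum so a rotate re-run cascades to init.
func InitChecksum(rotateSum string) string { return checksum("init", rotateSum) }

// NeedsRun reports whether a task must re-run given its recorded checksum.
func NeedsRun(recorded, current string) bool { return recorded != current }

func main() {
	in := RotateInputs{ // constructed sample references
		SecretKeyFrom:         SecretRef{Name: "superset-key-v2", Key: "key"},
		PreviousSecretKeyFrom: SecretRef{Name: "superset-key-v1", Key: "key"},
		Trigger:               "1",
	}
	recorded := RotateChecksum("migrate-sum", in)
	fmt.Println("in-place Secret edit, same refs:", NeedsRun(recorded, RotateChecksum("migrate-sum", in)))
	in.Trigger = "2" // bumping trigger changes the checksum and forces a re-run
	fmt.Println("trigger bump:", NeedsRun(recorded, RotateChecksum("migrate-sum", in)))
}
```

Because only the references are hashed in this model, replacing the key material inside an existing Secret leaves the checksum unchanged, which is the case the `trigger` field exists to cover.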