fix: pin docker-registry haSharedSecret to avoid sandbox manifest churn #7108

Merged: pingsutw merged 2 commits into v2 from fix/sandbox-deterministic-ha-secret on Mar 28, 2026

pingsutw (Member) commented Mar 28, 2026

Tracking issue

N/A

Why are the changes needed?

Every time make sandbox-build is run, docker/sandbox-bundled/manifests/complete.yaml and dev.yaml show as modified in git — even when no deployment configuration has changed. This creates unnecessary noise in git status and risks accidental commits of non-functional changes.

What changes were proposed in this pull request?

The docker-registry Helm subchart generates a random haSharedSecret via randAlphaNum 16 when secrets.haSharedSecret is not set. This also changes the checksum/secret annotation on every run.

The fix pins secrets.haSharedSecret to a static value (flytesandboxsecret) in charts/flyte-sandbox/values.yaml. This is safe since the sandbox is a local development environment, not a production deployment.

Changed files:

  • charts/flyte-sandbox/values.yaml — added static secrets.haSharedSecret
  • docker/sandbox-bundled/manifests/complete.yaml — regenerated with pinned secret
  • docker/sandbox-bundled/manifests/dev.yaml — regenerated with pinned secret

How was this patch tested?

Ran make -C docker/sandbox-bundled manifests twice consecutively and confirmed the generated manifests are identical between runs (no diff).

Labels

  • fixed: For any bug fixed.

Check all the applicable boxes

  • I updated the documentation accordingly.

  • All new and existing tests passed.

  • All commits are signed-off.

  • main

    • Flyte 2 WIP #6583
      • fix: pin docker-registry haSharedSecret to avoid sandbox manifest churn 👈

The docker-registry Helm subchart generates a random haSharedSecret on
every helm template run when the value is not set. This causes
complete.yaml and dev.yaml to always show as modified after running
`make sandbox-build`, even with no actual deployment changes.

Pin the secret to a static value in flyte-sandbox values.yaml since this
is a local development sandbox environment.

Signed-off-by: Kevin Su <pingsutw@apache.org>
Signed-off-by: Kevin Su <pingsutw@apache.org>
@github-actions github-actions bot mentioned this pull request Mar 28, 2026
3 tasks
@pingsutw pingsutw self-assigned this Mar 28, 2026
@pingsutw pingsutw added this to the V2 GA milestone Mar 28, 2026
@pingsutw pingsutw merged commit 47272c4 into v2 Mar 28, 2026
17 checks passed
@pingsutw pingsutw deleted the fix/sandbox-deterministic-ha-secret branch March 28, 2026 09:13
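
An added example, not part of this pull request or the Flyte repository: a shell check that renders twice and lists the YAML keys whose values differ between runs, which is the churn described above. `fake_render` is a constructed stand-in for `helm template` (an assumption); it draws a fresh 16-character secret when called without an argument and uses the given value when pinned.

```shell
#!/bin/sh
# Added example: report which manifest keys change between two renders.

# Constructed stand-in for `helm template` (assumption, not the real chart).
# Emits a Secret plus the annotation derived from it. With no argument it
# mimics the unset-value case by generating a new secret on every call.
fake_render() {
  local secret
  secret=${1:-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')}
  printf 'kind: Secret\ndata:\n  haSharedSecret: %s\n' \
    "$(printf %s "$secret" | base64)"
  printf 'kind: Deployment\nannotations:\n  checksum/secret: %s\n' \
    "$(printf %s "$secret" | sha256sum | cut -d' ' -f1)"
}

# churn_keys CMD [ARGS...]
# Runs the render command twice and prints, one per line, the YAML keys whose
# values differ between the two outputs. Prints nothing when the render is
# deterministic. Returns 2 if the render command itself fails.
churn_keys() {
  local a b
  a=$(mktemp)
  b=$(mktemp)
  "$@" >"$a" && "$@" >"$b" || { rm -f "$a" "$b"; return 2; }
  # Keep only lines from the first render ("< ...") and cut at the first colon.
  diff "$a" "$b" | sed -n 's/^< *\([^:]*\):.*/\1/p' | sort -u
  rm -f "$a" "$b"
}

# Unpinned render: the secret and the checksum derived from it both churn.
#   churn_keys fake_render
# Pinned render: no output, so the generated manifests stay stable.
#   churn_keys fake_render flytesandboxsecret
# Against a real chart (placeholders, fill in your own):
#   churn_keys helm template <release> <chart-dir>
```

Any key this check prints is a value regenerated on each render; a secret-derived annotation such as checksum/secret changes whenever the secret does.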