machine-controller pods should restart on rotation of credentials

[dharapvj]

Description of the feature you would like to add / User story

Currently, for few cloud providers, like Openstack and Azure, the credentials for service account expire after certain number of days. It is not possible to get un-expiring passwords for service accounts for some of these cloud providers. So we must rotate the credentials by running kubeone apply --force-upgrade

But currently, post rotation, machine-controller pods (controller as well as webhook) do not get restarted and they continue to use old credentials.

So.. we can do one of the below options:

1. Make changes in kubeone logic to restart machine-controller in such cases.
2. Add annotations for stakater reloader for on machine-controller and webhook pods so we can add stakater reloader as kubeone addon and it will take care of restarting machine-controller pods when the secrets get updated with new credentials.

[stroebitzer]

I had a very similar issue with Grafana and KKP version 2.20.4

I had a misconfiguration in the url in the values.yaml file in the Grafana section.

Fixing the url in the values.yaml did not cause the Grafana Pod to get restarted. The change was rolled out via Helm.

[dharapvj]

Added issue on kubermatic for grafana as well. I will provide fix for grafana via checksum annotation already

[kron4eg]

Easiest way to handle this is like we do in KKP, all dependent resources are hashed and their hashes are used as annotations in the pod spec. Once hash is changed pod spec will be altered and that will cause automatic rollout of deployment.

[ahmedwaleedmalik]

reloader would be the simplest solution for this tbh. Because unlike KKP for KubeOne there is no active reconciliation going on so maybe it'd be helpful as an addon in general as well.

[kron4eg]

we redeploy machine-controller every time, regardless if Deployment has changed or not, it's like kinda reconciliation 🤷