jwt persistance and checksum

kw1knode · kw1knode · commit 7dabdcc12800 · 2025-11-19T17:06:41.000-08:00
diff --git a/charts/firehose-ethereum/Chart.yaml b/charts/firehose-ethereum/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: firehose-ethereum
 description: A Helm chart for Kubernetes
 type: application
-version: 1.3.0
+version: 1.4.0
 appVersion: geth-v1.16.5-fh3.0
 keywords:
   - firehose
diff --git a/charts/firehose-ethereum/templates/full-firehose/beacon/statefulSet.yaml b/charts/firehose-ethereum/templates/full-firehose/beacon/statefulSet.yaml
@@ -26,10 +26,11 @@ spec:
             storage: {{ $.Values.fullMode.storage.lighthouse.size | quote }}
   template:
     metadata:
-      {{- with $values.components.lighthouse.podAnnotations }}
       annotations:
+        checksum/jwt-secret: {{ include (print $.Template.BasePath "/full-firehose/reader/jwt-secret.yaml") . | sha256sum }}
+        {{- with $values.components.lighthouse.podAnnotations }}
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
       labels:
         {{- include "firehose-ethereum.selectorLabels" . | nindent 8 }}
         {{- $componentLabel | nindent 8 }}
diff --git a/charts/firehose-ethereum/templates/full-firehose/op-node/deployment.yaml b/charts/firehose-ethereum/templates/full-firehose/op-node/deployment.yaml
@@ -17,10 +17,11 @@ spec:
   replicas: {{ $values.components.opNode.replicas }}
   template:
     metadata:
-      {{- with $values.components.opNode.podAnnotations }}
       annotations:
+        checksum/jwt-secret: {{ include (print $.Template.BasePath "/full-firehose/reader/jwt-secret.yaml") . | sha256sum }}
+        {{- with $values.components.opNode.podAnnotations }}
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
       labels:
         {{- include "firehose-ethereum.selectorLabels" . | nindent 8 }}
         {{- $componentLabel | nindent 8 }}
diff --git a/charts/firehose-ethereum/templates/full-firehose/reader/jwt-secret.yaml b/charts/firehose-ethereum/templates/full-firehose/reader/jwt-secret.yaml
@@ -2,7 +2,14 @@
 {{- if and (eq .Values.mode "full") $values.components.reader.enabled }}
 {{- $componentName := "reader" }}
 {{- $componentLabel := include "firehose-ethereum.componentLabelFor" $componentName }}
-{{- $jwt := printf "%s%s" (uuidv4 | replace "-" "") (uuidv4 | replace "-" "") }}
+{{- $secretName := printf "%s-firehose-jwt" .Release.Name }}
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace $secretName }}
+{{- $jwt := "" }}
+{{- if $existingSecret }}
+  {{- $jwt = index $existingSecret.data "jwt.hex" | b64dec }}
+{{- else }}
+  {{- $jwt = printf "%s%s" (uuidv4 | replace "-" "") (uuidv4 | replace "-" "") }}
+{{- end }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/firehose-ethereum/templates/full-firehose/reader/statefulSet.yaml b/charts/firehose-ethereum/templates/full-firehose/reader/statefulSet.yaml
@@ -26,10 +26,11 @@ spec:
   replicas: {{ $values.components.reader.replicas }}
   template:
     metadata:
-      {{- with $values.components.reader.podAnnotations }}
       annotations:
+        checksum/jwt-secret: {{ include (print $.Template.BasePath "/full-firehose/reader/jwt-secret.yaml") . | sha256sum }}
+        {{- with $values.components.reader.podAnnotations }}
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
       labels:
         {{- include "firehose-ethereum.selectorLabels" . | nindent 8 }}
         {{- $componentLabel | nindent 8 }}
