fix: StatefulSet checksums

[monrax]

Summary

Replaces runtime lookup-based checksum generation with template-based checksums for ConfigMaps and Secrets, ensuring consistent checksums during helm template and avoiding issues with cluster lookups (i.e. random checksums causing unnecessary pod restarts on every helm upgrade, even when config/secrets haven't changed).

Details

• New helper functions in _helpers.tpl:
  • graylog.configChecksum: computes sha256sum of the Graylog ConfigMap template
  • graylog.datanode.configChecksum: computes sha256sum of the Datanode ConfigMap template
  • graylog.secretsChecksum: computes sha256sum of the Secrets template with caching
• Refactored graylog.yaml and datanode.yaml StatefulSets:
  • Removed lookup function calls and randAlphaNum fallback logic
  • Now uses the new helper functions for checksum/config and checksum/secret annotations

The secrets checksum helper caches its result in the template context ($.__secretsChecksum) to prevent regeneration on each call, ensuring both StatefulSets get the same checksum value.

Linked issues

N/A

PR Checklist

Please check the items that apply to your change.

• Tests added/updated
• Documentation updated
• This PR includes a new feature
• This PR includes a bugfix
• This PR includes a refactor

Testing Checklist

Static Validation

• Linter check passes: helm lint ./charts/graylog
• Helm renders local template sucessfully: helm template graylog ./charts/graylog --validate

Installation

• Fresh installation completes successfully: helm install graylog ./charts/graylog
• All pods reach Running state: kubectl rollout status statefulset/graylog
• Helm tests pass: helm test graylog

Functional (if applicable)

• Web UI accessible and login works
• DataNodes visible in System > Cluster Configuration
• Inputs can be created and receive data

Upgrade (if applicable)

• Upgrade from previous release succeeds
• Scaling up/down works correctly
• Configuration changes apply correctly

Specific to this PR

For all the following, watch pods using kubectl get pods -w:

• Verify that all pods are restarted when the root credentials change:

helm upgrade graylog ./charts/graylog --reuse-values --set graylog.config.rootPassword=admin

• Verify that only graylog-n pods are restarted when graylog-specific configurations options are set: `

helm upgrade graylog ./charts/graylog --reuse-values --set graylog.config.timezone="Europe/Madrid"

• Verify that only graylog-datanode-n pods are restarted when datanode-specific options are set: `

helm upgrade graylog ./charts/graylog --reuse-values --set datanode.config.opensearchHeap="3g"

• Verify that no pods are restarted when options not related to either the Graylog or DN workloads change:

helm upgrade graylog ./charts/graylog --reuse-values --set graylog.service.type=LoadBalancer

• Verify that all pods are restarted when the MongoDB URL changes:

helm upgrade graylog ./charts/graylog --reuse-values --set mongodb.replicas=1 --set mongodb.arbiters=0

Notes for reviewers

• Verify all applicable tests above pass
• Validate that the linked issues are no longer reproducible, if applicable
• Sync up with the author before merging
• The commit history should be preserved - use rebase-merge or standard merge options when applicable