feat(operator): add support for new secrets watcher support#305
Merged
aviator-app[bot] merged 2 commits intomainfrom Apr 9, 2026
Merged
feat(operator): add support for new secrets watcher support#305aviator-app[bot] merged 2 commits intomainfrom
aviator-app[bot] merged 2 commits intomainfrom
Conversation
Contributor
Current Aviator status
This PR was merged using Aviator.
See the real-time status of this PR on the
Aviator webapp.
Use the Aviator Chrome Extension
to see the status of your PR within GitHub.
|
Merged
xjerod
force-pushed
the
jerod/union-operator-secret-watcher
branch
from
bd35620 to
d890f1b
Compare
xjerod
force-pushed
the
jerod/union-operator-secret-watcher
branch
from
d890f1b to
5827e6e
Compare
laurabarton
approved these changes
Apr 9, 2026
Merged
aviator-app Bot
pushed a commit
that referenced
this pull request
Apr 9, 2026
## Summary
Bump chart version to **2026.4.2** and image tag (appVersion) to **2026.4.5**.
---
## Helm Chart Changes (since 2026.4.1)
### feat(operator): add support for new secrets watcher (#305)
Adds a new secretsWatcher feature to the union-operator that triggers rolling restarts of deployments when secrets change.
- **values.yaml**: new `config.operator.secretsWatcher` block (`enabled: false`, `dryRun: true`)
- **configmap.yaml**: renders the secretsWatcher config into the operator ConfigMap when set
- **serviceaccount.yaml**: conditionally adds RBAC (`get`/`list`/`watch`/`update`/`patch` on replicasets/deployments) when enabled
**Configuration** — add to your dataplane values override:
```yaml
config:
operator:
secretsWatcher:
enabled: true
dryRun: false
```
No changes required for existing deployments. The secrets watcher is disabled by default.
Zone pod labels for all Union-owned workloads (#305)
Adds a platform.union.ai/zone pod label to all Union-owned deployments and daemonsets for improved observability and targeting.
- Controlplane workloads (authz, cacheservice, console) get zone: `controlplane`
- Dataplane workloads (clusterresourcesync, flyteconnector, imagebuilder, nodeexecutor, nodeobserver, propeller, propeller-webhook) get zone: `dataplane`
---
Image Changes (2026.4.3 → 2026.4.5)
feat(operator): add secrets watcher module (cloud #15061)
Adds a SecretsWatcher to the union-operator that detects Kubernetes secret content changes (via SHA-256 hashing) and triggers rolling restarts of affected
deployments.
- Feature-flagged via `secretsWatcher.enabled` (default: `false`), ships with `dryRun: true`
- Prometheus metrics: `deployments_updated`, `secrets_processed`, `errors`
---
Related PRs
- Cloud: #15061
- Helm charts: [#305](#305)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds a platform.union.ai/zone pod label to all Union-owned deployments/daemonsets. Controlplane services get zone: "controlplane" and dataplane services get zone: "dataplane". Affected workloads across both charts:
Adds a new secretsWatcher feature to the union-operator that triggers rolling restarts of deployments when secrets change. Key changes: