[codex] Fix Kubernetes config watch reloads#633
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9a605b5fcf
| if watchEventInDirs(ev, watchedDirs) && ev.Op&(fsnotify.Write|fsnotify.Create|fsnotify.Rename|fsnotify.Remove|fsnotify.Chmod) != 0 { | ||
| timerC = debouncer.trigger() |
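Review bot: the Op mask in this condition lists all five fsnotify operations (Write, Create, Rename, Remove, Chmod), so `ev.Op&(...) != 0` excludes nothing and the only effective filter is `watchEventInDirs`. Either drop the mask or make the filter name-based, checking `ev.Name` against the configured file paths and the `..data` entry the summary describes, so that writes to unrelated siblings in the same directory no longer reach `debouncer.trigger()` and keep resetting the timer.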
Restrict reload triggers to configured file paths
The new filter treats any event in a watched directory as relevant, so changing unrelated sibling files now triggers config reloads even when config.yaml/allowlist.yaml/denylist.yaml are untouched. This is a behavioral regression from file-level watching and can cause noisy reload loops in directories like /etc or /tmp; with frequent unrelated writes, the debounce timer can keep resetting and delay real config reloads.
| for dir := range watchedDirs { | ||
| if err := w.Add(dir); err != nil { | ||
| logger.Error("watch add failed", "dir", dir, "error", err) |
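Review bot: the `w.Add(dir)` failure is only logged here and the loop appears to carry on, so with `-watch` now enabled by default a directory that cannot be watched leaves its config files silently unwatched after startup. Consider returning the error (or refusing to start the watcher when no directory could be added), and include the configured file names for that directory in the log message so the operator can see which files are affected.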
Keep watching symlinked config files themselves
Switching from w.Add(file) to w.Add(dir) drops reload notifications when a configured file path is a symlink whose target lives outside the symlink’s parent directory. In that setup, writes update the target inode but do not emit directory-entry events in the symlink directory, so -watch no longer reloads unless the symlink entry itself changes.
Summary
`..data` symlink swaps trigger hot reloads. `/conf` instead of using `subPath`, pass `/conf/*.yaml` explicitly, and enable `-watch` by default.
Root Cause
Kubernetes updates projected ConfigMap and Secret volumes by swapping symlinks in the parent directory. A watch on the resolved file can miss that update. The chart also used `subPath` mounts, and Kubernetes does not update subPath-mounted ConfigMap files after pod startup.
Validation
- `go test ./...` passed.
- `go test ./app -run 'TestWatchFiles|TestWatchEventInDirs|TestWatchDebouncer|TestMainWatchReload' -coverprofile=/tmp/authtranslator-watch.cover -count=1` passed.
- `go tool cover -func=/tmp/authtranslator-watch.cover` reports `watchFiles`, `watchEventInDirs`, and `newWatchDebouncer` at 100.0%.
- `git diff --check` passed.
- `helm template authtranslator charts/authtranslator` could not be run because `helm` is not installed in this environment.
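To make the root cause concrete, here is an added example (not code from this PR or from the authtranslator project) that rebuilds the kubelet's atomic-writer layout in a local temporary directory and shows why a watch on the resolved file misses an update, together with a minimal name filter of the kind the first review comment asks for. It assumes the directory check (`watchEventInDirs`) has already run, and the timestamped directory names and file contents are constructed.

```go
package main

import (
	"os"
	"path/filepath"
)

// reloadRelevant reports whether an event already known to be in a watched
// directory should trigger a reload: only a configured file itself, or the
// Kubernetes "..data" symlink that the atomic writer swaps, counts; siblings do not.
func reloadRelevant(ev string, configured map[string]bool) bool {
	return configured[ev] || filepath.Base(ev) == "..data"
}

// simulateConfigMapSwap lays out a constructed ConfigMap-style volume in dir,
// performs the atomic-writer swap, and returns the resolved target of
// config.yaml before and after; the two differ although config.yaml is untouched.
func simulateConfigMapSwap(dir string) (before, after string, err error) {
	link := filepath.Join(dir, "config.yaml")
	try := func(e error) { // remember the first error; later steps are harmless
		if err == nil {
			err = e
		}
	}
	mk := func(stamp, body string) error { // timestamped data dir holding the file
		if e := os.Mkdir(filepath.Join(dir, stamp), 0o755); e != nil {
			return e
		}
		return os.WriteFile(filepath.Join(dir, stamp, "config.yaml"), []byte(body), 0o644)
	}
	try(mk("..2024_01_01", "a: 1\n"))
	try(os.Symlink("..2024_01_01", filepath.Join(dir, "..data")))
	try(os.Symlink("..data/config.yaml", link)) // what the kubelet leaves at /conf
	before, e := filepath.EvalSymlinks(link)
	try(e)
	// Update: new timestamped dir, ..data_tmp -> it, then rename over ..data.
	try(mk("..2024_01_02", "a: 2\n"))
	try(os.Symlink("..2024_01_02", filepath.Join(dir, "..data_tmp")))
	try(os.Rename(filepath.Join(dir, "..data_tmp"), filepath.Join(dir, "..data")))
	after, e = filepath.EvalSymlinks(link)
	try(e)
	return
}
```

The only directory-level events the swap produces are for `..data_tmp` and `..data`, which is why a directory watch plus a name filter sees the update while a watch on the old resolved path never does.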