Fixes Conjur pod restarts with auto account creation enabled

This change eliminates continual, never-ending Conjur pod crashes that occur if a Conjur cluster is Helm installed with the automatic Conjur account creation feature enabled (e.g. with `--set account.create=true`), and then the Conjur pod gets restarted for any reason before a Helm upgrade has been performed. Addresses Issue #119
cyberark · Dec 23, 2020 · 3efb7e7 · 3efb7e7
1 parent f7dec72
commit 3efb7e7
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - The Conjur OSS helm chart has Community support for deploying Conjur OSS to OpenShift 4.x
   [cyberark/conjur-oss-helm-chart#60](https://github.com/cyberark/conjur-oss-helm-chart/issues/60)
 
+### Fixed
+- Eliminates indefinite Conjur pod crashes that would occur if a Conjur
+  cluster is Helm installed with the automatic Conjur account creation feature
+  enabled (e.g. with `--set account.create=true`), and then the Conjur pod
+  gets restarted for any reason before a Helm upgrade has been performed.
+  [cyberark/conjur-oss-helm-chart#119](https://github.com/cyberark/conjur-oss-helm-chart/issues/119)
+
 ## [v2.0.2] - 2020-12-02
 
 ### Changed

diff --git a/conjur-oss/templates/deployment.yaml b/conjur-oss/templates/deployment.yaml
@@ -109,14 +109,15 @@ spec:
         {{- end }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
 {{- if .Values.account.create }}
-{{- if .Release.IsUpgrade }}
-        # For Helm upgrade, we want to make server startup idempotent, i.e.
-        # tolerant of the chart setting 'account.create=true' being reused.
+        # Try to start up the server with account creation. If that fails,
+        # see if the configured account has already been created, and if so,
+        # restart the server without account creation.
         command: ["bash"]
-        args: ["-c", "conjurctl server --account={{ .Values.account.name }} || conjurctl server"]
-{{ else }}
-        args: ["server", "--account={{ .Values.account.name }}"]
-{{- end }}
+        args: ["-c",
+               "conjurctl server --account={{ .Values.account.name }} \
+                | grep -v 'API key for admin:' \
+                || (conjurctl role retrieve-key {{ .Values.account.name }}:user:admin > /dev/null \
+                    && conjurctl server)"]
 {{ else }}
         args: ["server"]
 {{- end }}