From 3efb7e7e659ef3061fc6e67485ca4e0b0d45fb43 Mon Sep 17 00:00:00 2001 From: diverdane Date: Wed, 23 Dec 2020 15:02:53 -0500 Subject: [PATCH] Fixes Conjur pod restarts with auto account creation enabled This change eliminates continual, never-ending Conjur pod crashes that occur if a Conjur cluster is Helm installed with the automatic Conjur account creation feature enabled (e.g. with `--set account.create=true`), and then the Conjur pod gets restarted for any reason before a Helm upgrade has been performed. Addresses Issue #119
---
 CHANGELOG.md | 7 +++++++
 conjur-oss/templates/deployment.yaml | 15 ++++++++-------
 2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d45658a..6eef8ad 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - The Conjur OSS helm chart has Community support for deploying Conjur OSS to OpenShift 4.x [cyberark/conjur-oss-helm-chart#60](https://github.com/cyberark/conjur-oss-helm-chart/issues/60)
+### Fixed
+- Eliminates indefinite Conjur pod crashes that would occur if a Conjur
+ cluster is Helm installed with the automatic Conjur account creation feature
+ enabled (e.g. with `--set account.create=true`), and then the Conjur pod
+ gets restarted for any reason before a Helm upgrade has been performed.
+ [cyberark/conjur-oss-helm-chart#119](https://github.com/cyberark/conjur-oss-helm-chart/issues/119)
+
 ## [v2.0.2] - 2020-12-02
 ### Changed
diff --git a/conjur-oss/templates/deployment.yaml b/conjur-oss/templates/deployment.yaml
index 462e23e..7ef06af 100644
--- a/conjur-oss/templates/deployment.yaml
+++ b/conjur-oss/templates/deployment.yaml
@@ -109,14 +109,15 @@ spec:
 {{- end }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 {{- if .Values.account.create }}
-{{- if .Release.IsUpgrade }}
- # For Helm upgrade, we want to make server startup idempotent, i.e.
- # tolerant of the chart setting 'account.create=true' being reused.
+ # Try to start up the server with account creation. If that fails,
+ # see if the configured account has already been created, and if so,
+ # restart the server without account creation.
 command: ["bash"]
- args: ["-c", "conjurctl server --account={{ .Values.account.name }} || conjurctl server"]
-{{ else }}
- args: ["server", "--account={{ .Values.account.name }}"]
-{{- end }}
+ args: ["-c",
+ "conjurctl server --account={{ .Values.account.name }} \
+ | grep -v 'API key for admin:' \
+ || (conjurctl role retrieve-key {{ .Values.account.name }}:user:admin > /dev/null \
+ && conjurctl server)"]
 {{ else }}
 args: ["server"]
 {{- end }}
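Review bot: In the new `args` pipeline the `||` fallback is driven by the exit status of `grep -v`, not of `conjurctl server --account=…`, because bash reports the last command of a pipeline unless `pipefail` is set. If the first start-up fails after writing any non-matching line to stdout, grep exits 0 and the `retrieve-key` / `conjurctl server` branch is skipped, so the container would exit instead of recovering; this is inferred from shell semantics, since conjurctl's output on failure is not visible here. Starting the script with `set -o pipefail;` ties the fallback to the server's own status. The `grep -v 'API key for admin:'` filter is what keeps the admin credential out of the pod log, so the comment block above `command:` should say so, e.g. `# Drop the admin API key line from stdout so it never reaches pod logs (stderr is not filtered)`, and the filter should be re-checked whenever the server's message wording changes. The container spec that encloses these lines starts and ends outside the hunk.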