fix: dynamic apple secret#3727

Open
rebelchris wants to merge 1 commit intomainfrom
fix-dynamic-secret

Conversation

@rebelchris
Contributor

Since the Apple secret can't be valid for over 6 months, we'd rather do it dynamically on build and long-live them.

Contemplated doing it at the Pulumi level, but not sure there was any benefit to it?

@pulumi

pulumi bot commented Mar 20, 2026

🍹 The Update (preview) for dailydotdev/api/prod (at 668b7ab) was successful.

✨ Neo Explanation

This deployment adds Apple Sign-In support by introducing a new Apple auth Kubernetes Secret and rotating the shared app secret to include Apple OAuth credentials, which cascades a rolling update across all 7 services and 36 CronJobs alongside a new application version. The replacement of the shared app secret carries a small risk of pod startup failures during the transition window.

Root Cause Analysis

This deployment introduces Apple Sign-In support to the API. The changes include adding Apple OAuth credentials as a new Kubernetes Secret, updating the main app secret with Apple-specific configuration keys (APPLE_KEY_ID, APPLE_SIGNING_KEY_PATH, APPLE_TEAM_ID), and mounting the Apple auth credentials into all running services. This is paired with a new application version being rolled out across all workloads.

Dependency Chain

Two root changes cascade across the entire cluster:

  1. New Apple Auth Secret (apple-auth-secret created) → All 7 deployments and 36 CronJobs are updated to mount this new secret as a volume at /opt/app/apple, alongside the existing GeoIP data volume (which is retained but shifted to its own volume entry).

  2. Main K8s Secret replacement (vpc-native-k8s-secret) → The shared app secret is being replaced to swap out APPLE_CLIENT_SECRET for the newer Apple auth fields (APPLE_KEY_ID, APPLE_TEAM_ID, APPLE_SIGNING_KEY_PATH). Because Kubernetes secrets with changed data require replacement, this triggers a create-then-delete cycle.

  3. New app image version → Database migration jobs (both Postgres and ClickHouse) for the new version are created, and the old version's migration jobs are deleted. All deployments and CronJobs are updated to run the new container image.

Risk analysis

The replacement of vpc-native-k8s-secret is the primary risk. This is the shared secret consumed by all services — during the brief window between the old secret being deleted and the new one being active, pods that restart or scale up may fail to start due to a missing secret reference. Kubernetes will create the replacement before deleting the old one (+- replace order), which mitigates but does not fully eliminate this risk.

Resource Changes

    Name                                                       Type                           Operation
~   vpc-native-generate-search-invites-cron                    kubernetes:batch/v1:CronJob    update
~   vpc-native-hourly-notification-cron                        kubernetes:batch/v1:CronJob    update
~   vpc-native-update-source-public-threshold-cron             kubernetes:batch/v1:CronJob    update
~   vpc-native-user-posts-analytics-refresh-cron               kubernetes:batch/v1:CronJob    update
~   vpc-native-clean-zombie-images-cron                        kubernetes:batch/v1:CronJob    update
~   vpc-native-clean-zombie-users-cron                         kubernetes:batch/v1:CronJob    update
~   vpc-native-personalized-digest-deployment                  kubernetes:apps/v1:Deployment  update
~   vpc-native-update-views-cron                               kubernetes:batch/v1:CronJob    update
~   vpc-native-ws-deployment                                   kubernetes:apps/v1:Deployment  update
~   vpc-native-validate-active-users-cron                      kubernetes:batch/v1:CronJob    update
~   vpc-native-update-tag-recommendations-cron                 kubernetes:batch/v1:CronJob    update
~   vpc-native-update-source-tag-view-cron                     kubernetes:batch/v1:CronJob    update
~   vpc-native-user-profile-analytics-clickhouse-cron          kubernetes:batch/v1:CronJob    update
+   vpc-native-apple-auth-secret                               kubernetes:core/v1:Secret      create
+   vpc-native-api-clickhouse-migration-8a1f056e               kubernetes:batch/v1:Job        create
~   vpc-native-update-tags-str-cron                            kubernetes:batch/v1:CronJob    update
~   vpc-native-clean-zombie-opportunities-cron                 kubernetes:batch/v1:CronJob    update
~   vpc-native-expire-super-agent-trial-cron                   kubernetes:batch/v1:CronJob    update
~   vpc-native-update-current-streak-cron                      kubernetes:batch/v1:CronJob    update
~   vpc-native-user-profile-analytics-history-clickhouse-cron  kubernetes:batch/v1:CronJob    update
~   vpc-native-channel-digests-cron                            kubernetes:batch/v1:CronJob    update
~   vpc-native-clean-zombie-user-companies-cron                kubernetes:batch/v1:CronJob    update
~   vpc-native-sync-subscription-with-cio-cron                 kubernetes:batch/v1:CronJob    update
~   vpc-native-update-achievement-rarity-cron                  kubernetes:batch/v1:CronJob    update
~   vpc-native-calculate-top-readers-cron                      kubernetes:batch/v1:CronJob    update
~   vpc-native-clean-stale-user-transactions-cron              kubernetes:batch/v1:CronJob    update
~   vpc-native-generic-referral-reminder-cron                  kubernetes:batch/v1:CronJob    update
~   vpc-native-personalized-digest-cron                        kubernetes:batch/v1:CronJob    update
~   vpc-native-private-deployment                              kubernetes:apps/v1:Deployment  update
~   vpc-native-user-profile-updated-sync-cron                  kubernetes:batch/v1:CronJob    update
~   vpc-native-worker-job-deployment                           kubernetes:apps/v1:Deployment  update
-   vpc-native-api-db-migration-a8abc537                       kubernetes:batch/v1:Job        delete
~   vpc-native-clean-expired-better-auth-sessions-cron         kubernetes:batch/v1:CronJob    update
~   vpc-native-check-analytics-report-cron                     kubernetes:batch/v1:CronJob    update
~   vpc-native-clean-gifted-plus-cron                          kubernetes:batch/v1:CronJob    update
~   vpc-native-deployment                                      kubernetes:apps/v1:Deployment  update
~   vpc-native-rotate-weekly-quests-cron                       kubernetes:batch/v1:CronJob    update
~   vpc-native-daily-digest-cron                               kubernetes:batch/v1:CronJob    update
~   vpc-native-update-highlighted-views-cron                   kubernetes:batch/v1:CronJob    update
~   vpc-native-squad-posts-analytics-refresh-cron              kubernetes:batch/v1:CronJob    update
~   vpc-native-bg-deployment                                   kubernetes:apps/v1:Deployment  update
... and 10 other changes
