
Add optional policy hot-reload sidecar#29

Merged
kervel merged 2 commits into main from feature/policy-hot-reload on Mar 23, 2026

Conversation

@kervel
Contributor

@kervel kervel commented Mar 5, 2026

Summary

  • Adds an optional kiwigrid/k8s-sidecar as a native sidecar (restartable init container) to the headscale server deployment
  • When policy.hotReload.enabled is true, ACL policy ConfigMap changes are synced into the pod without requiring a restart
  • Disabled by default — users with Stakater Reloader or similar tools can continue using their existing setup

Inspired by the policy hot-reload concept in #7.

Changes

  • values.yaml / values.schema.json — new policy.hotReload section with configurable image
  • deployment.yaml — conditional sidecar init container, policy volume switches from ConfigMap to emptyDir when hot-reload is on, policy checksum annotation skipped (sidecar handles updates)
  • policy-configmap.yaml — conditional headscale-policy: "true" label for sidecar discovery
  • serviceaccount.yaml — conditional Role/RoleBinding granting ConfigMap list/get/watch
  • configmap.yaml — policy path adjusts to /etc/headscale/policy/policy.json when hot-reload is on

Configuration

policy:
  enabled: true
  hotReload:
    enabled: true
    image:
      repository: kiwigrid/k8s-sidecar
      tag: "1.30.3"
      pullPolicy: IfNotPresent

Test plan

  • helm lint passes with default values
  • helm lint passes with policy.hotReload.enabled=true
  • Template renders sidecar, RBAC, and label only when hot-reload is enabled
  • Template renders standard ConfigMap mount when hot-reload is disabled
  • Works with both policy.enabled=true and client.advertiseRoutes paths
  • Kind smoke test (--with-hot-reload): sidecar running, RBAC created, label applied, policy file synced by sidecar

🤖 Generated with Claude Code
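The wiring described in the Changes list above, as an added illustration that is not part of this PR or of the chart's own templates. Resource names, the namespace and the headscale image tag are placeholders; the sidecar environment variables (LABEL, LABEL_VALUE, FOLDER, RESOURCE, NAMESPACE, METHOD) are the documented kiwigrid/k8s-sidecar settings, but how this chart actually sets them is not shown on the page and is assumed here. The policy document inside the ConfigMap is a constructed sample.

```yaml
# Added example, not the chart's templates. Placeholders: namespace "headscale",
# resource names, headscale image tag.
apiVersion: v1
kind: ConfigMap
metadata:
  name: headscale-policy
  namespace: headscale
  labels:
    headscale-policy: "true"        # the label the sidecar selects on
data:
  policy.json: |                    # constructed sample policy
    {
      "groups": { "group:admins": ["alice"] },
      "acls": [
        { "action": "accept", "src": ["group:admins"], "dst": ["tag:server:22"] }
      ]
    }
---
# Least-privilege RBAC: namespace-scoped, ConfigMaps only, read-only verbs.
# Secrets are deliberately not listed, so a compromised sidecar cannot read them.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: headscale-policy-reader
  namespace: headscale
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: headscale-policy-reader
  namespace: headscale
subjects:
  - kind: ServiceAccount
    name: headscale
    namespace: headscale
roleRef:
  kind: Role
  name: headscale-policy-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: headscale
  namespace: headscale
spec:
  selector:
    matchLabels: { app: headscale }
  template:
    metadata:
      labels: { app: headscale }
    spec:
      serviceAccountName: headscale
      initContainers:
        - name: policy-sync
          image: kiwigrid/k8s-sidecar:1.30.3
          restartPolicy: Always       # turns this init container into a native sidecar
          env:
            - { name: LABEL, value: headscale-policy }
            - { name: LABEL_VALUE, value: "true" }
            - { name: FOLDER, value: /etc/headscale/policy }
            - { name: RESOURCE, value: configmap }
            - { name: METHOD, value: WATCH }
            - name: NAMESPACE          # confine the watch to the pod's own namespace
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: policy
              mountPath: /etc/headscale/policy
      containers:
        - name: headscale
          image: headscale/headscale:PLACEHOLDER_TAG
          volumeMounts:
            - name: policy
              mountPath: /etc/headscale/policy
              readOnly: true           # only the sidecar writes here
      volumes:
        - name: policy
          emptyDir: {}                 # replaces the direct ConfigMap mount when hot-reload is on
```

Two checks worth making when adopting this layout. The `restartPolicy: Always` field on an init container is only honoured on clusters with the SidecarContainers feature (enabled by default from Kubernetes 1.28); on older clusters the sidecar would run to completion and block the main container. Also, the main container starts as soon as the sidecar has started, not after it has synced, so a deployment should either tolerate a briefly absent policy file or give the sidecar a startup probe that checks for the file. On the RBAC side, confirm with `kubectl auth can-i get secrets --as=system:serviceaccount:<ns>:<sa>` that the bound service account cannot read Secrets, since the sidecar image supports syncing Secrets too and the Role above is what keeps that door shut.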

Frank Dekervel and others added 2 commits March 5, 2026 11:34
When policy.hotReload.enabled is true, a kiwigrid/k8s-sidecar runs as a
native sidecar (restartable init container) that watches for ConfigMap
changes labeled headscale-policy=true, syncing policy updates into the
pod without requiring a restart. Disabled by default so users with
Stakater Reloader or similar can continue using their existing setup.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Verifies: sidecar presence, RBAC resources, ConfigMap label,
directory-based policy path, emptyDir volume, and file sync.
Also fixes existing policy path check to handle both modes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@kervel kervel merged commit c79d5f1 into main Mar 23, 2026
1 check passed