Name and Version
bitnami/redis 20.6.3
What architecture are you using?
amd64
What steps will reproduce the bug?
- Start with an empty deployment environment and the following values:
architecture: standalone
auth:
enabled: true
master:
resources:
requests:
memory: "100Mi"
cpu: "100m"
limits:
memory: "100Mi"
persistence:
enabled: true
tls:
enabled: true
autoGenerated: true
- Run the following command to deploy Redis:
helm template --dry-run=server my-redis bitnami/redis --values values.yaml | kubectl apply -f -
Redis is successfully deployed.
- Run the following command to check for diffs:
helm template --dry-run=server my-redis bitnami/redis --values values.yaml | kubectl diff -f -
Observed Diff:
- checksum/secret: dd4b1164e04884db75f070df18ce8f45027481216c93a89a3f0209f41acedea2
+ checksum/secret: ce23a18a82b6efbd5aa7104b1e0c7d8359ddce635b61678ee723a01b60371652
- Apply the changes:
helm template --dry-run=server my-redis bitnami/redis --values values.yaml | kubectl apply -f -
- Run the diff again:
No Diff: The checksum remains stable after this step.
Are you using any custom parameters or values?
Yes, it was mentioned above: custom values and --dry-run=server to guarantee access for secrets.
What is the expected behavior?
The checksum/secret annotation should not change between runs unless there is an actual change in the secret values. This would prevent unnecessary rolling updates and stabilize Redis deployments, particularly for short-lived environments.
What do you see instead?
When using Redis with Bitnami Helm charts and deploying via an idempotent templating approach (e.g., ArgoCD), the checksum/secret annotation in Redis StatefulSet gets updated on subsequent runs of helm template. This causes the StatefulSet to trigger rolling updates unnecessarily, as the secret checksum changes after the first run.
This behavior impacts temporary or short-lived environments (e.g., feature branches), where the secrets do not stabilize before the environment is destroyed.
Additional information
This behavior appears to be linked to ArgoCD’s idempotent reconciliation strategy, where it regenerates templates on each sync.
Long-running deployment are not affected, as the checksum stabilizes over time.
Related issues in Bitnami Charts:
#29406
#24870
This issue is particularly disruptive in CI/CD pipelines for feature branch environments where consistency is critical for testing.
Name and Version
bitnami/redis 20.6.3
What architecture are you using?
amd64
What steps will reproduce the bug?
helm template --dry-run=server my-redis bitnami/redis --values values.yaml | kubectl apply -f -Redis is successfully deployed.
helm template --dry-run=server my-redis bitnami/redis --values values.yaml | kubectl diff -f -Observed Diff:
helm template --dry-run=server my-redis bitnami/redis --values values.yaml | kubectl apply -f -No Diff: The checksum remains stable after this step.
Are you using any custom parameters or values?
Yes, it was mentioned above: custom values and
--dry-run=serverto guarantee access for secrets.What is the expected behavior?
The
checksum/secretannotation should not change between runs unless there is an actual change in the secret values. This would prevent unnecessary rolling updates and stabilize Redis deployments, particularly for short-lived environments.What do you see instead?
When using Redis with Bitnami Helm charts and deploying via an idempotent templating approach (e.g., ArgoCD), the checksum/secret annotation in Redis StatefulSet gets updated on subsequent runs of helm template. This causes the StatefulSet to trigger rolling updates unnecessarily, as the secret checksum changes after the first run.
This behavior impacts temporary or short-lived environments (e.g., feature branches), where the secrets do not stabilize before the environment is destroyed.
Additional information
This behavior appears to be linked to ArgoCD’s idempotent reconciliation strategy, where it regenerates templates on each sync.
Long-running deployment are not affected, as the checksum stabilizes over time.
Related issues in Bitnami Charts:
#29406
#24870
This issue is particularly disruptive in CI/CD pipelines for feature branch environments where consistency is critical for testing.