
fix: dynamic apple secret #3727

Open

rebelchris wants to merge 4 commits into main from fix-dynamic-secret

Conversation

@rebelchris
Contributor

Since the Apple secret can't be over 6 months, we'd rather do it dynamically on build and long-live them.

Contemplated doing it at the Pulumi level, but not sure it had any benefit?

@pulumi

pulumi bot commented Mar 20, 2026

🍹 The Update (preview) for dailydotdev/api/prod (at bec6125) was successful.

✨ Neo Explanation

This deployment rolls out a new application version with Apple Sign-In support added: a new Apple auth secret is provisioned and mounted into all services, the shared app secret is being replaced with updated Apple credential keys, and both DB and ClickHouse migration jobs are being cycled for the new version.

Root Cause Analysis

Two changes triggered this deployment: a new code version being rolled out across the entire platform, and the addition of Apple Sign-In authentication support. The new code version updates all services simultaneously, while the Apple auth feature introduces a new Kubernetes Secret (apple-auth-secret) and replaces the existing shared secret with updated Apple credentials (APPLE_KEY_ID, APPLE_SIGNING_KEY_PATH, APPLE_TEAM_ID replacing APPLE_CLIENT_SECRET).

Dependency Chain

  1. New code version → all 7 deployments and 38 cron jobs get their container images bumped to the new version
  2. Apple auth secret creation (vpc-native-apple-auth-secret) → every deployment and cron job gets a new volume mount at /opt/app/apple (backed by the new secret) added alongside the existing GeoIP volume mount at /usr/share/geoip
  3. Shared k8s secret replacement (vpc-native-k8s-secret) → the main application secret is being replaced (not just updated) due to the data key changes for Apple credentials; this cascades to all workloads that reference it
  4. Migration jobs → old DB and ClickHouse migration jobs (from the previous version) are deleted and new ones are created for the incoming version

Risk analysis

The vpc-native-k8s-secret replacement is the primary risk point — Kubernetes Secrets that are replaced (delete + recreate) may cause a brief window where the secret is unavailable, which could impact any pods that reference it at restart time. The migration jobs (DB and ClickHouse) will run against production databases as part of this deployment.

Resource Changes

    Name                                                       Type                           Operation
-   vpc-native-api-clickhouse-migration-beb03344               kubernetes:batch/v1:Job        delete
+   vpc-native-apple-auth-secret                               kubernetes:core/v1:Secret      create
+   vpc-native-api-db-migration-867ffa8e                       kubernetes:batch/v1:Job        create
~   vpc-native-check-analytics-report-cron                     kubernetes:batch/v1:CronJob    update
+-  vpc-native-k8s-secret                                      kubernetes:core/v1:Secret      create-replacement
~   vpc-native-update-highlighted-views-cron                   kubernetes:batch/v1:CronJob    update
~   vpc-native-validate-active-users-cron                      kubernetes:batch/v1:CronJob    update
~   vpc-native-update-current-streak-cron                      kubernetes:batch/v1:CronJob    update
~   vpc-native-personalized-digest-cron                        kubernetes:batch/v1:CronJob    update
~   vpc-native-clean-zombie-users-cron                         kubernetes:batch/v1:CronJob    update
~   vpc-native-update-source-tag-view-cron                     kubernetes:batch/v1:CronJob    update
~   vpc-native-user-profile-analytics-clickhouse-cron          kubernetes:batch/v1:CronJob    update
~   vpc-native-worker-job-deployment                           kubernetes:apps/v1:Deployment  update
~   vpc-native-rotate-daily-quests-cron                        kubernetes:batch/v1:CronJob    update
~   vpc-native-clean-channel-highlights-cron                   kubernetes:batch/v1:CronJob    update
~   vpc-native-bg-deployment                                   kubernetes:apps/v1:Deployment  update
~   vpc-native-private-deployment                              kubernetes:apps/v1:Deployment  update
~   vpc-native-clean-expired-better-auth-sessions-cron         kubernetes:batch/v1:CronJob    update
~   vpc-native-ws-deployment                                   kubernetes:apps/v1:Deployment  update
~   vpc-native-hourly-notification-cron                        kubernetes:batch/v1:CronJob    update
~   vpc-native-post-analytics-history-day-clickhouse-cron      kubernetes:batch/v1:CronJob    update
~   vpc-native-daily-digest-cron                               kubernetes:batch/v1:CronJob    update
~   vpc-native-update-trending-cron                            kubernetes:batch/v1:CronJob    update
~   vpc-native-clean-zombie-user-companies-cron                kubernetes:batch/v1:CronJob    update
~   vpc-native-calculate-top-readers-cron                      kubernetes:batch/v1:CronJob    update
~   vpc-native-clean-zombie-opportunities-cron                 kubernetes:batch/v1:CronJob    update
~   vpc-native-squad-posts-analytics-refresh-cron              kubernetes:batch/v1:CronJob    update
~   vpc-native-channel-highlights-cron                         kubernetes:batch/v1:CronJob    update
~   vpc-native-update-tags-str-cron                            kubernetes:batch/v1:CronJob    update
~   vpc-native-update-tag-recommendations-cron                 kubernetes:batch/v1:CronJob    update
~   vpc-native-clean-stale-user-transactions-cron              kubernetes:batch/v1:CronJob    update
~   vpc-native-temporal-deployment                             kubernetes:apps/v1:Deployment  update
~   vpc-native-update-views-cron                               kubernetes:batch/v1:CronJob    update
~   vpc-native-personalized-digest-deployment                  kubernetes:apps/v1:Deployment  update
~   vpc-native-channel-digests-cron                            kubernetes:batch/v1:CronJob    update
~   vpc-native-expire-super-agent-trial-cron                   kubernetes:batch/v1:CronJob    update
~   vpc-native-clean-gifted-plus-cron                          kubernetes:batch/v1:CronJob    update
~   vpc-native-sync-subscription-with-cio-cron                 kubernetes:batch/v1:CronJob    update
~   vpc-native-user-profile-analytics-history-clickhouse-cron  kubernetes:batch/v1:CronJob    update
~   vpc-native-generate-search-invites-cron                    kubernetes:batch/v1:CronJob    update
~   vpc-native-update-source-public-threshold-cron             kubernetes:batch/v1:CronJob    update
... and 12 other changes
