Updating config (configmap) should update an annotation, causing the pods to restart

[TJM]

Is your feature request related to a problem? Please describe.

Our vault cluster(s) are entirely configured through terraform CI/CD. When I recently added plugin_directory to the config, it did not appear to take effect, even though I could exec in and see that it was in the config file. However, the running vault server was not aware of the change.

Describe the solution you'd like
Generally, when configuration is driven through a configmap, an annotation with a value of the sha256sum of the configmap is added to the statefulset/deployment so that it will know that a change has been made and restart. That seems like a reasonable solution, but I am open to other choices?

Describe alternatives you've considered
manually restarting the vault cluster (kubectl rollout restart sts/vault) and retrying the pipeline

Additional context

• https://stackoverflow.com/questions/37317003/restart-pods-when-configmap-updates-in-kubernetes
• https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments

Additionally, while I was looking at this, I noticed that PID 1 was a shell instead of "dumb-init" like it is supposed to be..

/ $ ps
PID   USER     TIME  COMMAND
    1 vault     0:00 /bin/sh -ec cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; [ -n "${POD_IP}" ] && sed -Ei
   11 vault     0:00 {docker-entrypoi} /usr/bin/dumb-init /bin/sh /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl
   12 vault     0:17 vault server -config=/tmp/storageconfig.hcl

... that seems bad? It seems like maybe that should be adding the script between docker entrypoint and vault server?