Since deploying the Datadog helm chart, I get the following

pulumi preview

diff even if nothing has changed. This ultimately causes my datadog pods to get recreated, which is not desirable. I am deploying to AKS K8s (1.21.2) using Pulumi 3.12.0

pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:preprod::aks::pulumi:pulumi:Stack::aks-preprod]
            [provider=urn:pulumi:preprod::aks::pulumi:providers:kubernetes::k8s-provider::046e67e2-9780-4010-9c77-9999999ebefd]
          ~ spec: {
              ~ template: {
                  ~ metadata: {
                      ~ annotations: {
                          ~ checksum/clusteragent_token: "32a656c3c7aeb06e5c36xxx" => "8027d4026d2e72484f1xxx"
                        }
                    }
                }
            }
        +-kubernetes:core/v1:Secret: (replace)
            [id=default/datadog-chart-cluster-agent]
            [urn=urn:pulumi:preprod::aks::kubernetes:<http://helm.sh/v3:Chart$kubernetes:core/v1:Secret::default/datadog-chart-cluster-agent|helm.sh/v3:Chart$kubernetes:core/v1:Secret::default/datadog-chart-cluster-agent>]
            [provider=urn:pulumi:preprod::aks::pulumi:providers:kubernetes::k8s-provider::046e67e2-9780-4010-9c77-9999999ebefd]
          ~ data: {
            }
        ~ kubernetes:apps/v1:DaemonSet: (update)
            [id=default/datadog-chart]
            [urn=urn:pulumi:preprod::aks::kubernetes:<http://helm.sh/v3:Chart$kubernetes:apps/v1:DaemonSet::default/datadog-chart|helm.sh/v3:Chart$kubernetes:apps/v1:DaemonSet::default/datadog-chart>]
            [provider=urn:pulumi:preprod::aks::pulumi:providers:kubernetes::k8s-provider::046e67e2-9780-4010-9c77-9999999ebefd]
          ~ spec: {
              ~ template: {
                  ~ metadata: {
                      ~ annotations: {
                          ~ checksum/clusteragent_token: "bcc328b0b69baa07a7fae32a6baxxx" => "5200e78e7733904901f9511a094e8xxx"
                        }
                    }
                }
Resources:
    ~ 2 to update
    +-1 to replace
    3 changes. 103 unchanged

And the pruned logs from the

pulumi up

look like this:

-- kubernetes:core/v1:Secret default/datadog-chart-cluster-agent deleting original 
 ~  kubernetes:apps/v1:Deployment default/datadog-chart-cluster-agent updating [diff: ~spec]
 ~  kubernetes:apps/v1:DaemonSet default/datadog-chart updating [diff: ~spec]
 -- kubernetes:core/v1:Secret default/datadog-chart-cluster-agent deleting original 
 -- kubernetes:core/v1:Secret default/datadog-chart-cluster-agent deleted original
 ~  kubernetes:apps/v1:Deployment default/datadog-chart-cluster-agent updating [diff: ~spec]; [1/2] Waiting for app ReplicaSet be marked available
 ~  kubernetes:apps/v1:Deployment default/datadog-chart-cluster-agent updating [diff: ~spec]; Deployment initialization complete
 ~  kubernetes:apps/v1:Deployment default/datadog-chart-cluster-agent updated [diff: ~spec]; Deployment initialization complete 
 ~  kubernetes:apps/v1:DaemonSet default/datadog-chart updated [diff: ~spec] 
 +- kubernetes:core/v1:Secret default/datadog-chart-cluster-agent replacing [diff: ~data];
 +- kubernetes:core/v1:Secret default/datadog-chart-cluster-agent replaced [diff: ~data]; 
 ++ kubernetes:core/v1:Secret default/datadog-chart-cluster-agent creating replacement [diff: ~data]; 
 ++ kubernetes:core/v1:Secret default/datadog-chart-cluster-agent creating replacement [diff: ~data]; 
 ++ kubernetes:core/v1:Secret default/datadog-chart-cluster-agent created replacement [diff: ~data];

Can someone help point me in the right direction?

My guess is there is something in the chart that is getting changed on every deployment, likely due to some hook

I suspect the

Secret

has a fixed name in the helm chart? The issue with

ConfigMap

mentioned up above likely applies to

Secret

as well: When you use a fixed name for a

Secret

, Pulumi deletes and replaces it in order to force a recreation of pods that mount the secret in. If you can have Pulumi name the

Secret

for you, it will create a new secret, update the pods to depend on it, and perform a standard rollout.

Thanks for your responses. @bored-table-20691 I dont see any evidence of their being hooks or a way to disable them. Nothing specified in the readme or configuration. Is there somewhere else I could look to find this? @brave-ambulance-98491 I'm not specifying a

Secret

or

ConfigMap

for Datadog, but these are created when deploying the chart:

Can you share a link to the chart a

FYI, how I'm deploying the chart:

var datadogChart = new Chart("datadog-chart",
    new ChartArgs
    {
        Chart = "datadog",
        Version = args.DatadogChartVersion,
        Namespace = "default",
        Values = new Dictionary<string, object>
        {
            ["datadog"] = new Dictionary<string, object>
            {
                ["apiKey"] = args.DatadogApiKey,
                ["site"] = "<http://datadoghq.eu|datadoghq.eu>",
                ["logs"] = new Dictionary<string, object>
                {
                    ["enabled"] = true,
                    ["containerCollectAll"] = true
                },
                ["kubelet"] = new Dictionary<string, object>
                {
                    ["tlsVerify"] = false
                }
            },
        },
        FetchOptions = new ChartFetchArgs
        {
            Repo = "<https://helm.datadoghq.com>"
        }
    },
    new ComponentResourceOptions
    {
        Provider = provider,
    });

# clusterAgent.token -- Cluster Agent token is a preshared key between node agents and cluster agent (autogenerated if empty, needs to be at least 32 characters a-zA-z) token: ""

Ok great, thanks. Let me try this. What do you mean by using a random Pulumi provider?

Yep exactly.

No problem - appreciate the help! I will report back

Glad it worked out