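--- a/psi/unitgen.py
+++ b/psi/unitgen.py
@@ -160,9 +160,15 @@ def generate_provider_refresh_service(provider: str) -> str:
 
 This wrapper is a plain oneshot with no ``RemainAfterExit``, so its
 ``ActiveEnterTimestamp`` updates every run. The timer uses
-``OnUnitActiveSec`` against the wrapper and re-arms correctly. Each run
-calls ``systemctl restart`` on the setup unit, which DOES re-run the
-ExecStart even when it was ``active (exited)``.
+``OnUnitActiveSec`` against the wrapper and re-arms correctly. Each run:
+
+1. ``systemctl restart psi-{provider}-setup.service`` — re-runs setup,
+which re-registers secrets with fresh hex IDs and writes the updated
+cache file to disk.
+2. ``systemctl try-restart psi-secrets.service`` — restarts serve so it
+reloads the fresh cache from disk. Without this, serve's in-memory
+cache keeps the old hex IDs after each refresh and every subsequent
+lookup misses the cache until the next operator-triggered restart.
 """
 return (
 "[Unit]\n"
@@ -172,6 +178,7 @@ def generate_provider_refresh_service(provider: str) -> str:
 "[Service]\n"
 "Type=oneshot\n"
 f"ExecStart=/usr/bin/systemctl restart psi-{provider}-setup.service\n"
+"ExecStart=/usr/bin/systemctl try-restart psi-secrets.service\n"
 )
 
 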
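Review bot: The docstring's step 2 should state what happens when step 1 fails: with `Type=oneshot` and two plain `ExecStart=` lines, systemd runs them in order and stops at the first non-zero exit, so a failed setup restart leaves psi-secrets.service untouched and still serving the last cache it loaded, which is the safe outcome but is only implied here. I would add `If the setup restart fails, the serve restart is skipped and serve keeps the last cache it loaded.` after item 2. It is also worth one sentence noting that every successful refresh briefly interrupts psi-secrets.service while it restarts; if that unit ever gains an `ExecReload=`, `systemctl try-reload-or-restart psi-secrets.service` would refresh the cache without the outage. The docstring starts before the first hunk and the `[Unit]` lines between the two hunks are outside the view, so the ordering directives could not be checked.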
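--- a/tests/test_unitgen.py
+++ b/tests/test_unitgen.py
@@ -478,6 +478,14 @@ def test_orders_after_setup_unit(self) -> None:
 content = generate_provider_refresh_service("infisical")
 assert "After=psi-infisical-setup.service" in content
 
+def test_restarts_psi_secrets_so_serve_reloads_the_fresh_cache(self) -> None:
+"""After setup writes a fresh cache with new hex IDs, psi-secrets must
+restart to reload it — otherwise serve keeps the old IDs in memory and
+every subsequent lookup misses the cache.
+"""
+content = generate_provider_refresh_service("infisical")
+assert "ExecStart=/usr/bin/systemctl try-restart psi-secrets.service" in content
+
 
 class TestProviderRefreshTimer:
 def test_targets_the_refresh_wrapper_not_the_setup_unit(self) -> None: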
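Review bot: The new test only checks that the try-restart line appears somewhere in the unit, not that it comes after the setup restart, which is the property the docstring relies on (serve must reload a cache that setup has already rewritten); a swapped order would still pass. I would pin the relative position: `setup = "ExecStart=/usr/bin/systemctl restart psi-infisical-setup.service"`, `serve = "ExecStart=/usr/bin/systemctl try-restart psi-secrets.service"`, `assert content.index(setup) < content.index(serve)`. The enclosing test class starts outside the hunk.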