feat: add automatic re-issuance of failed custom hostname certificates#259
Merged
Conversation
Recreate PR #124 on current main after the branch diverged onto an unrelated history. Adds a fast-track recovery path for custom-hostname Certificates stuck in a failed state, bypassing cert-manager's exponential backoff. Key changes: - add CertificateReissuanceConfig to GatewayConfig (retryInterval default 5m, maxRetries default 3) - detect failed Certificates in ensureListenerCertificates; delete past the retry interval to trigger Kubernetes GC of the chain (CertificateRequest, Order, Challenge, solver resources) and recreate fresh on the next reconcile - track re-issuance count as annotations on the downstream Gateway so it survives Certificate deletion; clear on recovery to bound ACME retries - coexists with the listener cert health-gating added for #212
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Recreates #124 on current
main. The original branch (feat/reissuancecerts) diverged onto an unrelated history (no common ancestor withmain), so a normal rebase was impossible — this reapplies the net diff on a fresh branch.What it does
Fast-track recovery for custom-hostname
Certificates stuck in a failed state, bypassing cert-manager's exponential backoff:CertificateReissuanceConfigadded to gateway config —retryInterval(default 5m),maxRetries(default 3).Certificates inensureListenerCertificates; past the retry interval, delete to trigger Kubernetes GC of the whole chain (CertificateRequest,Order,Challenge, solverHTTPRoute/HTTPRouteFilter) and recreate fresh next reconcile.Gateway(survivesCertificatedeletion); cleared on recovery to bound ACME retries.Since #124 was written
maingrew a listener cert health-gating layer (evaluateListenerCertHealth/listenerCertHealth, from #212). This PR coexists with it — both cert-failure paths are present and independently tested.Design question for reviewers: #212 = don't serve / isolate a bad cert; this = actively re-issue it. They don't conflict mechanically. Left standalone so the diff maps 1:1 to #124 — flag if you'd prefer it folded into the
listenerCertHealthflow.Verification
go build ./...,gofmt,go vet— cleanTestReissueFailedCertificate— 10/10 subtests passTestListenerCertificateHealthGating(Expired/abandoned customer certs can freeze an entire edge — health-gate cert propagation + isolate per-cert failures #212) — still green alongsidezz_generated.{deepcopy,defaults}.goregenerated viamake generateRelated