/
start.go
191 lines (163 loc) · 6.75 KB
/
start.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package app
import (
"context"
"fmt"
"io"
"time"
"github.com/go-logr/logr"
"github.com/spf13/cobra"
"github.com/spf13/pflag"
"golang.org/x/sync/errgroup"
_ "k8s.io/client-go/plugin/pkg/client/auth"
ctrl "sigs.k8s.io/controller-runtime"
"github.com/jetstack/cert-manager/pkg/api"
"github.com/jetstack/cert-manager/pkg/controller/cainjector"
logf "github.com/jetstack/cert-manager/pkg/logs"
"github.com/jetstack/cert-manager/pkg/util"
)
type InjectorControllerOptions struct {
Namespace string
LeaderElect bool
LeaderElectionNamespace string
LeaseDuration time.Duration
RenewDeadline time.Duration
RetryPeriod time.Duration
StdOut io.Writer
StdErr io.Writer
// logger to be used by this controller
log logr.Logger
}
func (o *InjectorControllerOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&o.Namespace, "namespace", "", ""+
"If set, this limits the scope of cainjector to a single namespace. "+
"If set, cainjector will not update resources with certificates outside of the "+
"configured namespace.")
fs.BoolVar(&o.LeaderElect, "leader-elect", true, ""+
"If true, cainjector will perform leader election between instances to ensure no more "+
"than one instance of cainjector operates at a time")
fs.StringVar(&o.LeaderElectionNamespace, "leader-election-namespace", "", ""+
"Namespace used to perform leader election (defaults to controller's namespace). "+
"Only used if leader election is enabled")
fs.DurationVar(&o.LeaseDuration, "leader-election-lease-duration", 15*time.Second, ""+
"The duration that non-leader candidates will wait after observing a leadership "+
"renewal until attempting to acquire leadership of a led but unrenewed leader "+
"slot. This is effectively the maximum duration that a leader can be stopped "+
"before it is replaced by another candidate. This is only applicable if leader "+
"election is enabled.")
fs.DurationVar(&o.RenewDeadline, "leader-election-renew-deadline", 10*time.Second, ""+
"The interval between attempts by the acting master to renew a leadership slot "+
"before it stops leading. This must be less than or equal to the lease duration. "+
"This is only applicable if leader election is enabled.")
fs.DurationVar(&o.RetryPeriod, "leader-election-retry-period", 2*time.Second, ""+
"The duration the clients should wait between attempting acquisition and renewal "+
"of a leadership. This is only applicable if leader election is enabled.")
}
func NewInjectorControllerOptions(out, errOut io.Writer) *InjectorControllerOptions {
o := &InjectorControllerOptions{
StdOut: out,
StdErr: errOut,
}
return o
}
// NewCommandStartInjectorController is a CLI handler for starting cert-manager
func NewCommandStartInjectorController(ctx context.Context, out, errOut io.Writer) *cobra.Command {
o := NewInjectorControllerOptions(out, errOut)
cmd := &cobra.Command{
Use: "ca-injector",
Short: fmt.Sprintf("CA Injection Controller for Kubernetes (%s) (%s)", util.AppVersion, util.AppGitCommit),
Long: `
cert-manager CA injector is a Kubernetes addon to automate the injection of CA data into
webhooks and APIServices from cert-manager certificates.
It will ensure that annotated webhooks and API services always have the correct
CA data from the referenced certificates, which can then be used to serve API
servers and webhook servers.`,
// TODO: Refactor this function from this package
RunE: func(cmd *cobra.Command, args []string) error {
o.log = logf.Log.WithName("ca-injector")
logf.V(logf.InfoLevel).InfoS("starting", "version", util.AppVersion, "revision", util.AppGitCommit)
return o.RunInjectorController(ctx)
},
}
flags := cmd.Flags()
o.AddFlags(flags)
return cmd
}
func (o InjectorControllerOptions) RunInjectorController(ctx context.Context) error {
mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
Scheme: api.Scheme,
Namespace: o.Namespace,
LeaderElection: o.LeaderElect,
LeaderElectionNamespace: o.LeaderElectionNamespace,
LeaderElectionID: "cert-manager-cainjector-leader-election",
LeaderElectionReleaseOnCancel: true,
LeaseDuration: &o.LeaseDuration,
RenewDeadline: &o.RenewDeadline,
RetryPeriod: &o.RetryPeriod,
MetricsBindAddress: "0",
})
if err != nil {
return fmt.Errorf("error creating manager: %v", err)
}
g, gctx := errgroup.WithContext(ctx)
g.Go(func() (err error) {
defer func() {
o.log.Error(err, "manager goroutine exited")
}()
if err = mgr.Start(gctx); err != nil {
return fmt.Errorf("error running manager: %v", err)
}
return nil
})
select {
case <-gctx.Done(): // Exit early if we are shutting down or if the manager has exited with an error
// Wait for error group to complete and return
return g.Wait()
case <-mgr.Elected(): // Don't launch the controllers unless we have been elected leader
// Continue with setting up controller
}
// Retry the start up of the certificate based controller in case the
// cert-manager CRDs have not been installed yet or in case the CRD API is
// not working. E.g. The conversion webhook has not yet had its CA bundle
// injected by the secret based controller, which is launched in its own
// goroutine.
// When shutting down, return the last error if there is one.
// Never retry if the controller exits cleanly.
g.Go(func() (err error) {
for {
err = cainjector.RegisterCertificateBased(gctx, mgr)
if err == nil {
return
}
o.log.Error(err, "Error registering certificate based controllers. Retrying after 5 seconds.")
select {
case <-time.After(time.Second * 5):
case <-gctx.Done():
return
}
}
})
// Secrets based controller is started in its own goroutine so that it can
// perform injection of the CA bundle into any webhooks required by the
// cert-manager CRD API.
// We do not retry this controller because it only interacts with core APIs
// which should always be in a working state.
g.Go(func() (err error) {
if err = cainjector.RegisterSecretBased(gctx, mgr); err != nil {
return fmt.Errorf("error registering secret controller: %v", err)
}
return
})
return g.Wait()
}