upgrade cert-controller and set restartOnSecretRefresh

kubernetes-retired · Feb 4, 2021 · 1e3c09d · 1e3c09d
1 parent 9327e36
commit 1e3c09d
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 38 deletions.
diff --git a/incubator/hnc/cmd/manager/main.go b/incubator/hnc/cmd/manager/main.go
@@ -50,16 +50,17 @@ var (
 )
 
 var (
-	metricsAddr          string
-	maxReconciles        int
-	enableLeaderElection bool
-	leaderElectionId     string
-	novalidation         bool
-	debugLogs            bool
-	testLog              bool
-	internalCert         bool
-	qps                  int
-	webhookServerPort    int
+	metricsAddr            string
+	maxReconciles          int
+	enableLeaderElection   bool
+	leaderElectionId       string
+	novalidation           bool
+	debugLogs              bool
+	testLog                bool
+	internalCert           bool
+	qps                    int
+	webhookServerPort      int
+	restartOnSecretRefresh bool
 )
 
 func init() {
@@ -90,6 +91,7 @@ func main() {
 	flag.IntVar(&webhookServerPort, "webhook-server-port", 443, "The port that the webhook server serves at.")
 	uaArg := arrayArg{val: &config.UnpropagatedAnnotations}
 	flag.Var(&uaArg, "unpropagated-annotation", "An annotation that, if present, will be stripped out of any propagated copies of an object. May be specified multiple times, with each instance specifying one annotation. See the user guide for more information.")
+	flag.BoolVar(&restartOnSecretRefresh, "cert-restart-on-secret-refresh", false, "Kills the process when secrets are refreshed so that the pod can be restarted (secrets take up to 60s to be updated by running pods)")
 	flag.Parse()
 
 	// Enable OpenCensus exporters to export metrics
@@ -159,7 +161,7 @@ func main() {
 
 	// Make sure certs are generated and valid if webhooks are enabled and internal certs are used.
 	setupLog.Info("Starting certificate generation")
-	certsCreated, err := validators.CreateCertsIfNeeded(mgr, novalidation, internalCert)
+	certsCreated, err := validators.CreateCertsIfNeeded(mgr, novalidation, internalCert, restartOnSecretRefresh)
 	if err != nil {
 		setupLog.Error(err, "unable to set up cert rotation")
 		os.Exit(1)

diff --git a/incubator/hnc/go.mod b/incubator/hnc/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/onsi/ginkgo v1.14.1
 	github.com/onsi/gomega v1.10.2
-	github.com/open-policy-agent/cert-controller v0.0.0-20210129015139-6ff9721a1c47
+	github.com/open-policy-agent/cert-controller v0.0.0-20210202184811-4842e4760ab0
 	github.com/spf13/cobra v1.0.0
 	go.opencensus.io v0.22.3
 	go.uber.org/zap v1.15.0

diff --git a/incubator/hnc/go.sum b/incubator/hnc/go.sum
@@ -386,6 +386,8 @@ github.com/onsi/gomega v1.10.2 h1:aY/nuoWlKJud2J6U0E3NWsjlg+0GtwXxgEqthRdzlcs=
 github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/open-policy-agent/cert-controller v0.0.0-20210129015139-6ff9721a1c47 h1:BgnF2xjLk/885j3lG+tPTvaP4cJiF3pBByODPw/0910=
 github.com/open-policy-agent/cert-controller v0.0.0-20210129015139-6ff9721a1c47/go.mod h1:vZFB1b92JmUOIDEWHGO/lCnrKqrCQA5jCZkwPlF2nmc=
+github.com/open-policy-agent/cert-controller v0.0.0-20210202184811-4842e4760ab0 h1:sHzYAUWw+tDcbhXo10NTYh1s7nPdJU94R7Y3KLoUOIo=
+github.com/open-policy-agent/cert-controller v0.0.0-20210202184811-4842e4760ab0/go.mod h1:vZFB1b92JmUOIDEWHGO/lCnrKqrCQA5jCZkwPlF2nmc=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=

diff --git a/incubator/hnc/internal/validators/setup.go b/incubator/hnc/internal/validators/setup.go
@@ -25,7 +25,7 @@ const (
 var dnsName = fmt.Sprintf("%s.%s.svc", serviceName, secretNamespace)
 
 // CreateCertsIfNeeded creates all certs for webhooks. This function is called from main.go.
-func CreateCertsIfNeeded(mgr ctrl.Manager, novalidation, internalCert bool) (chan struct{}, error) {
+func CreateCertsIfNeeded(mgr ctrl.Manager, novalidation, internalCert, restartOnSecretRefresh bool) (chan struct{}, error) {
 	setupFinished := make(chan struct{})
 	if novalidation || !internalCert {
 		close(setupFinished)
@@ -46,6 +46,7 @@ func CreateCertsIfNeeded(mgr ctrl.Manager, novalidation, internalCert bool) (cha
 			Type: cert.Validating,
 			Name: vwhName,
 		}},
+		RestartOnSecretRefresh: restartOnSecretRefresh,
 	})
 }
 

diff --git a/incubator/hnc/vendor/github.com/open-policy-agent/cert-controller/pkg/rotator/rotator.go b/incubator/hnc/vendor/github.com/open-policy-agent/cert-controller/pkg/rotator/rotator.go
diff --git a/incubator/hnc/vendor/modules.txt b/incubator/hnc/vendor/modules.txt
@@ -214,7 +214,7 @@ github.com/onsi/gomega/matchers/support/goraph/edge
 github.com/onsi/gomega/matchers/support/goraph/node
 github.com/onsi/gomega/matchers/support/goraph/util
 github.com/onsi/gomega/types
-# github.com/open-policy-agent/cert-controller v0.0.0-20210129015139-6ff9721a1c47
+# github.com/open-policy-agent/cert-controller v0.0.0-20210202184811-4842e4760ab0
 ## explicit
 github.com/open-policy-agent/cert-controller/pkg/rotator
 # github.com/peterbourgon/diskv v2.0.1+incompatible