Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Delay when the certs are mounted and available for use #35

Open
aramase opened this issue Jul 19, 2021 · 8 comments
Open

Delay when the certs are mounted and available for use #35

aramase opened this issue Jul 19, 2021 · 8 comments

Comments

@aramase
Copy link

aramase commented Jul 19, 2021
edited

I'm using the cert-controller in one of the projects to bootstrap a mutating webhook. I've configured the rotator using the example provided in the doc. Interestingly in most of the CI runs and local testing, I'm seeing a delay when the certs are available in the mount. Seeing it take upto 1m30s in few instances before the certs are ready in the mount path. The delay could be because the Kubernetes secret update is delayed and the mount republish is missed at the first attempt.

Is this a known behavior? Is that why there is RestartOnSecretRefresh property in struct?

	github.com/open-policy-agent/cert-controller v0.2.0
	k8s.io/kubernetes v1.21.2
	sigs.k8s.io/controller-runtime v0.9.2

Usage:

	// Make sure certs are generated and valid if cert rotation is enabled.
	setupFinished := make(chan struct{})
	if !disableCertRotation {
		entryLog.Info("setting up cert rotation")
		if err := rotator.AddRotator(mgr, &rotator.CertRotator{
			SecretKey: types.NamespacedName{
				Namespace: util.GetNamespace(),
				Name:      secretName,
			},
			CertDir:        webhookCertDir,
			CAName:         caName,
			CAOrganization: caOrganization,
			DNSName:        dnsName,
			IsReady:        setupFinished,
			Webhooks:       webhooks,
		}); err != nil {
			entryLog.Error(err, "unable to set up cert rotation")
			os.Exit(1)
		}
	} else {
		close(setupFinished)
	}
@aramase
Copy link
Author

aramase commented Jul 19, 2021

cc @maxsmythe @adrianludwin

@adrianludwin
Copy link
Contributor

adrianludwin commented Jul 19, 2021 via email

@aramase
Copy link
Author

aramase commented Jul 19, 2021
edited

@adrianludwin thanks for the response. I haven't been able to repro this in gatekeeper. The behavior is mostly deterministic and the certs are available within few seconds after startup. I wonder why there is a difference in behavior for other projects that take up dep.

@adrianludwin
Copy link
Contributor

adrianludwin commented Jul 19, 2021 via email

@maxsmythe
Copy link
Contributor

G8r doesn't currently use the restart strategy.

One potential thing that helps g8r: there are multiple pods invoking cert rotator, so it's possible that the secret is only missing for the first pod, while other pods only start after the first pod has written out a cert.

@adrianludwin
Copy link
Contributor

adrianludwin commented Jul 19, 2021 via email

@aramase
Copy link
Author

aramase commented Jul 19, 2021

One potential thing that helps g8r: there are multiple pods invoking cert rotator, so it's possible that the secret is only missing for the first pod, while other pods only start after the first pod has written out a cert.

Thanks Max! I wondered the same and tried with replicas: 1 but haven't been able to repro this issue with gatekeeper.

@maxsmythe
Copy link
Contributor

Weird, not sure why then. The observation that the secret is updated and therefore the mounted file should be updated is handled by K8s itself, so not sure there is anything we can do to influence that. If you want to see how G8r uses cert manager, it lives here:

https://github.com/open-policy-agent/gatekeeper/blob/master/main.go

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@maxsmythe @aramase @adrianludwin