
🐛 Adds ability to configure cert lookahead interval for webhook pod. (#1304)

Fixes #1249

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Gustavo Fernandes de Carvalho 3 years ago
parent
commit
ccea3d532f

+ 1 - 0
cmd/root.go

@@ -62,6 +62,7 @@ var (
 	secretName, secretNamespace           string
 	crdRequeueInterval                    time.Duration
 	certCheckInterval                     time.Duration
+	certLookaheadInterval                 time.Duration
 	enableAWSSession                      bool
 )
 

+ 2 - 1
cmd/webhook.go

@@ -83,7 +83,7 @@ var webhookCmd = &cobra.Command{
 					cancel()
 				case <-ticker.C:
 					setupLog.Info("validating certs")
-					err = crds.CheckCerts(c, dnsName, time.Now().Add(crds.LookaheadInterval+time.Minute))
+					err = crds.CheckCerts(c, dnsName, time.Now().Add(certLookaheadInterval))
 					if err != nil {
 						cancel()
 					}
@@ -176,4 +176,5 @@ func init() {
 	webhookCmd.Flags().StringVar(&certDir, "cert-dir", "/tmp/k8s-webhook-server/serving-certs", "path to check for certs")
 	webhookCmd.Flags().StringVar(&loglevel, "loglevel", "info", "loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal")
 	webhookCmd.Flags().DurationVar(&certCheckInterval, "check-interval", 5*time.Minute, "certificate check interval")
+	webhookCmd.Flags().DurationVar(&certLookaheadInterval, "lookahead-interval", crds.LookaheadInterval, "certificate check interval")
 }
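Review bot: The help string for the new `--lookahead-interval` flag on the last added line is a copy of the `--check-interval` one ("certificate check interval"), so the two flags are indistinguishable in `--help`; something like `"how far ahead of expiry the serving certificate must still be valid; should be longer than --check-interval"` would say what it does. The new line in the ticker branch also drops the extra `time.Minute` the removed line added on top of `crds.LookaheadInterval`, so the default behaviour now has no safety margin beyond the package constant, and nothing validates the operator-supplied value: a lookahead shorter than `certCheckInterval` (or zero/negative) lets a certificate pass one check and expire before the next tick fires. I would reject `certLookaheadInterval <= certCheckInterval` before the ticker loop is started (the surrounding `Run` function begins outside this hunk) rather than discovering it when the webhook is already serving an expired cert.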

+ 9 - 2
deploy/charts/external-secrets/README.md

@@ -4,7 +4,7 @@
 
 [//]: # (README.md generated by gotmpl. DO NOT EDIT.)
 
-![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.5.6](https://img.shields.io/badge/Version-0.5.6-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.5.7](https://img.shields.io/badge/Version-0.5.7-informational?style=flat-square)
 
 External secret management for Kubernetes
 
@@ -40,6 +40,8 @@ The command removes all the Kubernetes components associated with the chart and
 | certController.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
 | certController.extraArgs | object | `{}` |  |
 | certController.extraEnv | list | `[]` |  |
+| certController.extraVolumeMounts | list | `[]` |  |
+| certController.extraVolumes | list | `[]` |  |
 | certController.fullnameOverride | string | `""` |  |
 | certController.image.pullPolicy | string | `"IfNotPresent"` |  |
 | certController.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` |  |
@@ -75,6 +77,8 @@ The command removes all the Kubernetes components associated with the chart and
 | deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
 | extraArgs | object | `{}` |  |
 | extraEnv | list | `[]` |  |
+| extraVolumeMounts | list | `[]` |  |
+| extraVolumes | list | `[]` |  |
 | fullnameOverride | string | `""` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.repository | string | `"ghcr.io/external-secrets/external-secrets"` |  |
@@ -108,12 +112,14 @@ The command removes all the Kubernetes components associated with the chart and
 | serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
 | tolerations | list | `[]` |  |
 | webhook.affinity | object | `{}` |  |
-| webhook.certCheckInterval | string | `"5m"` |  |
+| webhook.certCheckInterval | string | `"5m"` | Specifices the time to check if the cert is valid |
 | webhook.certDir | string | `"/tmp/certs"` |  |
 | webhook.create | bool | `true` | Specifies whether a webhook deployment be created. |
 | webhook.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
 | webhook.extraArgs | object | `{}` |  |
 | webhook.extraEnv | list | `[]` |  |
+| webhook.extraVolumeMounts | list | `[]` |  |
+| webhook.extraVolumes | list | `[]` |  |
 | webhook.failurePolicy | string | `"Fail"` | specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore |
 | webhook.fullnameOverride | string | `""` |  |
 | webhook.hostNetwork | bool | `false` | Specifies if webhook pod should use hostNetwork or not. |
@@ -121,6 +127,7 @@ The command removes all the Kubernetes components associated with the chart and
 | webhook.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` |  |
 | webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
 | webhook.imagePullSecrets | list | `[]` |  |
+| webhook.lookaheadInterval | string | `"1h"` | Specifices the lookaheadInterval for certificate validity |
 | webhook.nameOverride | string | `""` |  |
 | webhook.nodeSelector | object | `{}` |  |
 | webhook.podAnnotations | object | `{}` | Annotations to add to Pod |

+ 3 - 0
deploy/charts/external-secrets/templates/webhook-deployment.yaml

@@ -51,6 +51,9 @@ spec:
           - --dns-name={{ include "external-secrets.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
           - --cert-dir={{ .Values.webhook.certDir }}
           - --check-interval={{ .Values.webhook.certCheckInterval }}
+          {{- if .Values.webhook.lookaheadInterval }}
+          - --lookahead-interval={{ .Values.webhook.lookaheadInterval }}
+          {{- end }}
           {{- range $key, $value := .Values.webhook.extraArgs }}
             {{- if $value }}
           - --{{ $key }}={{ $value }}

+ 3 - 0
deploy/charts/external-secrets/values.yaml

@@ -135,7 +135,10 @@ podDisruptionBudget:
 webhook:
   # -- Specifies whether a webhook deployment be created.
   create: true
+  # -- Specifices the time to check if the cert is valid
   certCheckInterval: "5m"
+  # -- Specifices the lookaheadInterval for certificate validity
+  lookaheadInterval: ""
   replicaCount: 1
   certDir: /tmp/certs
   # -- specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
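Review bot: The default added here is `""`, which the deployment template in this commit turns into "no `--lookahead-interval` flag at all", yet the README generated from this file documents `webhook.lookaheadInterval` as `"1h"`; one of the two appears stale and a reader of the chart cannot tell which value actually applies. If the intent is to rely on the binary's built-in default, the comment should say so, e.g. `# -- Specifies how far ahead of expiry the webhook cert must remain valid; empty falls back to the webhook binary default and must be longer than certCheckInterval`, and the README should be regenerated to show `""`. Both comment lines also misspell "Specifies" as "Specifices", which propagates into the generated README.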