mirror of
https://github.com/external-secrets/external-secrets.git
synced 2024-12-14 11:57:59 +00:00
🐛 Adds ability to configure cert lookahead interval for webhook pod. (#1304)
Fixes #1249 Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
This commit is contained in:
parent
f7c0fc9151
commit
ccea3d532f
5 changed files with 18 additions and 3 deletions
|
@ -62,6 +62,7 @@ var (
|
|||
secretName, secretNamespace string
|
||||
crdRequeueInterval time.Duration
|
||||
certCheckInterval time.Duration
|
||||
certLookaheadInterval time.Duration
|
||||
enableAWSSession bool
|
||||
)
|
||||
|
||||
|
|
|
@ -83,7 +83,7 @@ var webhookCmd = &cobra.Command{
|
|||
cancel()
|
||||
case <-ticker.C:
|
||||
setupLog.Info("validating certs")
|
||||
err = crds.CheckCerts(c, dnsName, time.Now().Add(crds.LookaheadInterval+time.Minute))
|
||||
err = crds.CheckCerts(c, dnsName, time.Now().Add(certLookaheadInterval))
|
||||
if err != nil {
|
||||
cancel()
|
||||
}
|
||||
|
@ -176,4 +176,5 @@ func init() {
|
|||
webhookCmd.Flags().StringVar(&certDir, "cert-dir", "/tmp/k8s-webhook-server/serving-certs", "path to check for certs")
|
||||
webhookCmd.Flags().StringVar(&loglevel, "loglevel", "info", "loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal")
|
||||
webhookCmd.Flags().DurationVar(&certCheckInterval, "check-interval", 5*time.Minute, "certificate check interval")
|
||||
webhookCmd.Flags().DurationVar(&certLookaheadInterval, "lookahead-interval", crds.LookaheadInterval, "certificate check interval")
|
||||
}
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
|
||||
|
||||
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.5.6](https://img.shields.io/badge/Version-0.5.6-informational?style=flat-square)
|
||||
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.5.7](https://img.shields.io/badge/Version-0.5.7-informational?style=flat-square)
|
||||
|
||||
External secret management for Kubernetes
|
||||
|
||||
|
@ -40,6 +40,8 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| certController.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
|
||||
| certController.extraArgs | object | `{}` | |
|
||||
| certController.extraEnv | list | `[]` | |
|
||||
| certController.extraVolumeMounts | list | `[]` | |
|
||||
| certController.extraVolumes | list | `[]` | |
|
||||
| certController.fullnameOverride | string | `""` | |
|
||||
| certController.image.pullPolicy | string | `"IfNotPresent"` | |
|
||||
| certController.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
|
||||
|
@ -75,6 +77,8 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
|
||||
| extraArgs | object | `{}` | |
|
||||
| extraEnv | list | `[]` | |
|
||||
| extraVolumeMounts | list | `[]` | |
|
||||
| extraVolumes | list | `[]` | |
|
||||
| fullnameOverride | string | `""` | |
|
||||
| image.pullPolicy | string | `"IfNotPresent"` | |
|
||||
| image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
|
||||
|
@ -108,12 +112,14 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
|
||||
| tolerations | list | `[]` | |
|
||||
| webhook.affinity | object | `{}` | |
|
||||
| webhook.certCheckInterval | string | `"5m"` | |
|
||||
| webhook.certCheckInterval | string | `"5m"` | Specifices the time to check if the cert is valid |
|
||||
| webhook.certDir | string | `"/tmp/certs"` | |
|
||||
| webhook.create | bool | `true` | Specifies whether a webhook deployment be created. |
|
||||
| webhook.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
|
||||
| webhook.extraArgs | object | `{}` | |
|
||||
| webhook.extraEnv | list | `[]` | |
|
||||
| webhook.extraVolumeMounts | list | `[]` | |
|
||||
| webhook.extraVolumes | list | `[]` | |
|
||||
| webhook.failurePolicy | string | `"Fail"` | specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore |
|
||||
| webhook.fullnameOverride | string | `""` | |
|
||||
| webhook.hostNetwork | bool | `false` | Specifies if webhook pod should use hostNetwork or not. |
|
||||
|
@ -121,6 +127,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| webhook.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
|
||||
| webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
|
||||
| webhook.imagePullSecrets | list | `[]` | |
|
||||
| webhook.lookaheadInterval | string | `"1h"` | Specifices the lookaheadInterval for certificate validity |
|
||||
| webhook.nameOverride | string | `""` | |
|
||||
| webhook.nodeSelector | object | `{}` | |
|
||||
| webhook.podAnnotations | object | `{}` | Annotations to add to Pod |
|
||||
|
|
|
@ -51,6 +51,9 @@ spec:
|
|||
- --dns-name={{ include "external-secrets.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
|
||||
- --cert-dir={{ .Values.webhook.certDir }}
|
||||
- --check-interval={{ .Values.webhook.certCheckInterval }}
|
||||
{{- if .Values.webhook.lookaheadInterval }}
|
||||
- --lookahead-interval={{ .Values.webhook.lookaheadInterval }}
|
||||
{{- end }}
|
||||
{{- range $key, $value := .Values.webhook.extraArgs }}
|
||||
{{- if $value }}
|
||||
- --{{ $key }}={{ $value }}
|
||||
|
|
|
@ -135,7 +135,10 @@ podDisruptionBudget:
|
|||
webhook:
|
||||
# -- Specifies whether a webhook deployment be created.
|
||||
create: true
|
||||
# -- Specifices the time to check if the cert is valid
|
||||
certCheckInterval: "5m"
|
||||
# -- Specifices the lookaheadInterval for certificate validity
|
||||
lookaheadInterval: ""
|
||||
replicaCount: 1
|
||||
certDir: /tmp/certs
|
||||
# -- specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
|
||||
|
|
Loading…
Reference in a new issue