readiness probes are being executed independently from the
leader election status. The current implementation depends on
leader election (client cache etc.) to run properly.
This commit fixes that by short-circuiting the readiness probes
when the mgr is not the leader.
This bug surfaces when `leader-election=true` and cert-controller `replicas>=2`.
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Add an exit message when the certificate check triggers a fatal exit
(via cancel()). When cancel() is called, this cancels the main
context, which causes the webhook to shut down.
A return is also added to ensure the message "valid" comes out right
after "invalid" like so:
"certs are not valid at..."
"certs are valid"
Signed-off-by: Eric Stokes <fernferret@gmail.com>
* chore: update dependencies
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* chore: get rid of argo dependency to be independent of their k8s
versioning
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---------
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
* Added support for standard K8s labels in metrics
Signed-off-by: KA <110458464+kallymsft@users.noreply.github.com>
* Added feature-flag for label metrics
Signed-off-by: KA <110458464+kallymsft@users.noreply.github.com>
---------
Signed-off-by: KA <110458464+kallymsft@users.noreply.github.com>
The objective of this commit is to allow logs to be more readable.
The default log ts encoding in the logger employed (zap) is unix time.
This leads to logs that are not very human-readable. This change introduces the
possibility to customize the ts with a set of preconfigured encodings:
one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano'.
The default value does not change.
Signed-off-by: RiccardoColella <colella.git@outlook.com>
Signed-off-by: RiccardoColella <colella.git@outlook.com>
* added new crd-names flag to reconcile only installed CRDs in cert controller
Signed-off-by: Steven Bressey <sbressey@bressey.me>
* add guide to disable cluster features
Signed-off-by: Steven Bressey <sbressey@bressey.me>
* fix fmt
Signed-off-by: Steven Bressey <sbressey@bressey.me>
Co-authored-by: Steven Bressey <sbressey@bressey.me>
The new functionality is controlled using the newly-introduced
--experimental-enable-vault-token-cache and
--experimental-vault-token-cache-size command-line flags.
Signed-off-by: NicEggert <nicholas.eggert@target.com>
During our internal security scan, the webhook for external-secrets was
flagged because it supports a protocol vulnerable to Sweet32
(https://sweet32.info/). To prevent the webhook from being
flagged, we need to restrict the TLS ciphers on controller runtime.
To do this I needed to update the dependency to 0.12.3 and some other
conflicting dependencies.
Signed-off-by: Joao Pedro Silva <jp.silva15@gmail.com>
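
Added example, not code from this commit or from the external-secrets project: a standard-library sketch of the cipher restriction the Sweet32 commit message above describes, which audits an offered suite list for 3DES and pins an allow-list without it. The names `sweet32Affected`, `audit` and `restrictCiphers` are hypothetical, and how such a function is wired into the webhook server is not shown on this page and is left out.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// sweet32Affected reports whether a suite uses 3DES, the 64-bit block
// cipher that makes a TLS endpoint show up in Sweet32 scans.
func sweet32Affected(id uint16) bool {
	return strings.Contains(tls.CipherSuiteName(id), "3DES")
}

// audit returns the names of Sweet32-affected suites in an offered list.
func audit(offered []uint16) []string {
	var bad []string
	for _, id := range offered {
		if sweet32Affected(id) {
			bad = append(bad, tls.CipherSuiteName(id))
		}
	}
	return bad
}

// restrictCiphers (hypothetical name) pins an explicit allow-list so the
// result does not depend on the Go version's defaults, which included
// 3DES in older releases.
func restrictCiphers(cfg *tls.Config) {
	cfg.MinVersion = tls.VersionTLS12
	cfg.CipherSuites = nil
	for _, cs := range tls.CipherSuites() {
		if !sweet32Affected(cs.ID) {
			cfg.CipherSuites = append(cfg.CipherSuites, cs.ID)
		}
	}
}

func main() {
	// Constructed sample: a suite list as a scanner might report it.
	offered := []uint16{
		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	}
	fmt.Println("flagged before:", audit(offered))
	cfg := &tls.Config{}
	restrictCiphers(cfg)
	fmt.Println("flagged after: ", audit(cfg.CipherSuites))
}
```

TLS 1.3 suites are not configurable through `CipherSuites` in Go and do not include 3DES, so the allow-list only affects TLS 1.2 handshakes.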
* hostNetwork for webhook pod
* FailurePolicy for validatingwebhook definition
* Changed webhook port to a configurable value
* Defined default value as 9443
Fixes #944
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>