Made restartOnSecretRefresh option part of certrorator

Instead of relying on people to use the flag parsing mechanism from go. They can pass the option to the CertRotator struct to restart of secret refresh. Signed-off-by: Stijn De Haes <stijndehaes@gmail.com>
open-policy-agent · Jan 21, 2021 · 7b1933d · 7b1933d
1 parent 69850e5
commit 7b1933d
Showing 1 changed file with 16 additions and 22 deletions.
diff --git a/pkg/rotator/rotator.go b/pkg/rotator/rotator.go
@@ -10,7 +10,6 @@ import (
 	"crypto/x509/pkix"
 	"encoding/base64"
 	"encoding/pem"
-	"flag"
 	"fmt"
 	"math/big"
 	"os"
@@ -61,19 +60,13 @@ const (
 
 var _ manager.Runnable = &CertRotator{}
 
-var restartOnSecretRefresh = false
-
 //WebhookInfo is used by the rotator to receive info about resources to be updated with certificates
 type WebhookInfo struct {
 	//Name is the name of the webhook for a validating or mutating webhook, or the CRD name in case of a CRD conversion webhook
 	Name string
 	Type WebhookType
 }
 
-func init() {
-	flag.BoolVar(&restartOnSecretRefresh, "cert-restart-on-secret-refresh", false, "Kills the process when secrets are refreshed so that the pod can be restarted (secrets take up to 60s to be updated by running pods)")
-}
-
 func (w WebhookInfo) gvk() schema.GroupVersionKind {
 	t2g := map[WebhookType]schema.GroupVersionKind{
 		Validating:    schema.GroupVersionKind{Group: "admissionregistration.k8s.io", Version: "v1beta1", Kind: "ValidatingWebhookConfiguration"},
@@ -151,19 +144,20 @@ type SyncingReader interface {
 
 // CertRotator contains cert artifacts and a channel to close when the certs are ready.
 type CertRotator struct {
-	reader          SyncingReader
-	writer          client.Writer
-	SecretKey       types.NamespacedName
-	CertDir         string
-	CAName          string
-	CAOrganization  string
-	DNSName         string
-	IsReady         chan struct{}
-	Webhooks        []WebhookInfo
-	certsMounted    chan struct{}
-	certsNotMounted chan struct{}
-	wasCAInjected   *atomic.Bool
-	caNotInjected   chan struct{}
+	reader                 SyncingReader
+	writer                 client.Writer
+	SecretKey              types.NamespacedName
+	CertDir                string
+	CAName                 string
+	CAOrganization         string
+	DNSName                string
+	IsReady                chan struct{}
+	Webhooks               []WebhookInfo
+	RestartOnSecretRefresh bool
+	certsMounted           chan struct{}
+	certsNotMounted        chan struct{}
+	wasCAInjected          *atomic.Bool
+	caNotInjected          chan struct{}
 }
 
 // Start starts the CertRotator runnable to rotate certs and ensure the certs are ready.
@@ -224,7 +218,7 @@ func (cr *CertRotator) refreshCertIfNeeded() error {
 				return false, nil
 			}
 			crLog.Info("server certs refreshed")
-			if restartOnSecretRefresh {
+			if cr.RestartOnSecretRefresh {
 				crLog.Info("Secrets have been updated; exiting so pod can be restarted (omit --cert-restart-on-secret-refresh to wait instead of restarting")
 				os.Exit(0)
 			}
@@ -238,7 +232,7 @@ func (cr *CertRotator) refreshCertIfNeeded() error {
 				return false, nil
 			}
 			crLog.Info("server certs refreshed")
-			if restartOnSecretRefresh {
+			if cr.RestartOnSecretRefresh {
 				crLog.Info("Secrets have been updated; exiting so pod can be restarted (omit --cert-restart-on-secret-refresh to wait instead of restarting")
 				os.Exit(0)
 			}