From 7b1933d9b48683cd6074a5a7c5237488cbc860d1 Mon Sep 17 00:00:00 2001
From: Stijn De Haes
Date: Thu, 21 Jan 2021 09:12:30 +0100
Subject: [PATCH] Made restartOnSecretRefresh option part of certrorator

Instead of relying on people to use the flag parsing mechanism from go. They can pass the option to the CertRotator struct to restart of secret refresh.

Signed-off-by: Stijn De Haes
---
 pkg/rotator/rotator.go | 38 ++++++++++++++++----------------------
 1 file changed, 16 insertions(+), 22 deletions(-)

diff --git a/pkg/rotator/rotator.go b/pkg/rotator/rotator.go
index cf6b0ab..d20092f 100644
--- a/pkg/rotator/rotator.go
+++ b/pkg/rotator/rotator.go
@@ -10,7 +10,6 @@ import (
 "crypto/x509/pkix"
 "encoding/base64"
 "encoding/pem"
- "flag"
 "fmt"
 "math/big"
 "os"
@@ -61,8 +60,6 @@ const (
 
 var _ manager.Runnable = &CertRotator{}
 
-var restartOnSecretRefresh = false
-
 //WebhookInfo is used by the rotator to receive info about resources to be updated with certificates
 type WebhookInfo struct {
 //Name is the name of the webhook for a validating or mutating webhook, or the CRD name in case of a CRD conversion webhook
@@ -70,10 +67,6 @@ type WebhookInfo struct {
 Type WebhookType
 }
 
-func init() {
-    flag.BoolVar(&restartOnSecretRefresh, "cert-restart-on-secret-refresh", false, "Kills the process when secrets are refreshed so that the pod can be restarted (secrets take up to 60s to be updated by running pods)")
-}
-
 func (w WebhookInfo) gvk() schema.GroupVersionKind {
 t2g := map[WebhookType]schema.GroupVersionKind{
 Validating: schema.GroupVersionKind{Group: "admissionregistration.k8s.io", Version: "v1beta1", Kind: "ValidatingWebhookConfiguration"},
@@ -151,19 +144,20 @@ type SyncingReader interface {
 
 // CertRotator contains cert artifacts and a channel to close when the certs are ready.
 type CertRotator struct {
- reader SyncingReader
- writer client.Writer
- SecretKey types.NamespacedName
- CertDir string
- CAName string
- CAOrganization string
- DNSName string
- IsReady chan struct{}
- Webhooks []WebhookInfo
- certsMounted chan struct{}
- certsNotMounted chan struct{}
- wasCAInjected *atomic.Bool
- caNotInjected chan struct{}
+ reader SyncingReader
+ writer client.Writer
+ SecretKey types.NamespacedName
+ CertDir string
+ CAName string
+ CAOrganization string
+ DNSName string
+ IsReady chan struct{}
+ Webhooks []WebhookInfo
+ RestartOnSecretRefresh bool
+ certsMounted chan struct{}
+ certsNotMounted chan struct{}
+ wasCAInjected *atomic.Bool
+ caNotInjected chan struct{}
 }
 
 // Start starts the CertRotator runnable to rotate certs and ensure the certs are ready.
@@ -224,7 +218,7 @@ func (cr *CertRotator) refreshCertIfNeeded() error {
 return false, nil
 }
 crLog.Info("server certs refreshed")
- if restartOnSecretRefresh {
+ if cr.RestartOnSecretRefresh {
 crLog.Info("Secrets have been updated; exiting so pod can be restarted (omit --cert-restart-on-secret-refresh to wait instead of restarting")
 os.Exit(0)
 }
@@ -238,7 +232,7 @@ func (cr *CertRotator) refreshCertIfNeeded() error {
 return false, nil
 }
 crLog.Info("server certs refreshed")
- if restartOnSecretRefresh {
+ if cr.RestartOnSecretRefresh {
 crLog.Info("Secrets have been updated; exiting so pod can be restarted (omit --cert-restart-on-secret-refresh to wait instead of restarting")
 os.Exit(0)
 }
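Review bot: The new exported field `RestartOnSecretRefresh bool` in the `CertRotator` struct carries no doc comment, even though it replaces a documented CLI flag and its effect is a process exit from inside the library. Suggested comment above the field: `// RestartOnSecretRefresh makes the rotator call os.Exit(0) once the serving certificate has been refreshed, so the pod is restarted and re-reads the mounted Secret (the removed flag's help text notes running pods can take up to 60s to see the update). Leave false to keep running and wait for the refresh instead.` Because the `--cert-restart-on-secret-refresh` registration in init() is removed in the hunk at @@ -70,10, deployments that still pass that flag will presumably fail at flag parsing, which the commit message should call out as a breaking change for callers.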
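Review bot: The log message on the line after `if cr.RestartOnSecretRefresh {` still tells operators to "omit --cert-restart-on-secret-refresh", but this same patch removes that flag (hunk @@ -70,10), so the advice now points at an option that no longer exists; the identical stale text appears again in the hunk at @@ -238,7. Suggest `crLog.Info("Secrets have been updated; exiting so pod can be restarted (set CertRotator.RestartOnSecretRefresh to false to wait instead of restarting)")`, which also closes the unbalanced parenthesis in the current message. Since the same four-line exit block now appears twice in refreshCertIfNeeded, moving it into one small helper such as `cr.exitIfRestartRequested()` would keep the message in a single place. refreshCertIfNeeded starts and ends outside these hunks.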