Configure max retries (#1633)

**Description of the change**

Allow to configure max retries

**Applicable issues**

- fixes #1599

---------

Signed-off-by: Alvaro Neira Ayuso <alvaro.neira@broadcom.com>
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Co-authored-by: Alfredo Garcia <alfredo-ag.garcia@broadcom.com>
alvneiayu and agarcia-oss authored Nov 7, 2024
1 parent 2c6d400 commit e822b41
Showing 7 changed files with 92 additions and 74 deletions.
5 changes: 5 additions & 0 deletions README.md
@@ -60,6 +60,7 @@ original Secret from the SealedSecret.
- [How to use kubeseal if the controller is not running within the `kube-system` namespace?](#how-to-use-kubeseal-if-the-controller-is-not-running-within-the-kube-system-namespace)
- [How to verify the images?](#how-to-verify-the-images)
- [How to use one controller for a subset of namespaces](#How-to-use-one-controller-for-a-subset-of-namespaces)
- [Can I configure the controller unseal retries](#can-i-configure-the-controller-unseal-retries)

- [Community](#community)
- [Related projects](#related-projects)
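Review bot: The new TOC entry's link text drops the trailing question mark that the neighbouring FAQ entries and the new heading itself carry ("Can I configure the Controller unseal retries?"). For consistency with "How to verify the images?" above it, write `- [Can I configure the controller unseal retries?](#can-i-configure-the-controller-unseal-retries)`; the lowercase anchor is fine as written, since GitHub slugs lowercase the heading and strip the question mark.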
@@ -826,6 +827,10 @@ cosign verify --key .github/workflows/cosign.pub docker.io/bitnami/sealed-secret

If you want to use one controller for more than one namespace, but not all namespaces, you can provide additional namespaces using the command line flag `--additional-namespaces=<namespace1>,<namespace2>,<...>`. Make sure you provide appropriate roles and rolebindings in the target namespaces, so the controller can manage the secrets in there.

### Can I configure the Controller unseal retries?

The answer is yes, you can configure the number of retries in your controller using the flag `--max-unseal-retries`. This flag allows you to configure the number of maximum retries to unseal your Sealed Secrets.

## Community

- [#sealed-secrets on Kubernetes Slack](https://kubernetes.slack.com/messages/sealed-secrets)
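Review bot: The new FAQ answer never states the default or what the counter bounds. The flag definition in cmd/controller/main.go in this same commit defaults it to 5, so the paragraph should say so (e.g. `The default is 5.`), and it should say whether the limit applies per SealedSecret or to the controller as a whole, otherwise a reader cannot tell what raising the value buys them. "Controller" is also capitalised in the heading but not in the body or the TOC entry; pick one.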
2 changes: 2 additions & 0 deletions cmd/controller/main.go
@@ -58,6 +58,8 @@ func bindControllerFlags(f *controller.Flags, fs *flag.FlagSet) {

fs.DurationVar(&f.KeyRenewPeriod, "rotate-period", defaultKeyRenewPeriod, "")
_ = fs.MarkDeprecated("rotate-period", "please use key-renew-period instead")

fs.IntVar(&f.MaxRetries, "max-unseal-retries", 5, "Max unseal retries.")
}

func bindFlags(f *controller.Flags, fs *flag.FlagSet, gofs *goflag.FlagSet) {
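Review bot: The help text `"Max unseal retries."` is too terse for a user-facing flag, and nothing here bounds the value: `fs.IntVar` accepts a negative number, which NewController then copies into the controller's retry limit unchanged. Suggest a description along the lines of `"Maximum number of times a SealedSecret is retried after a failed unseal before the controller gives up (default 5)."` and a lower-bound check in Main (reject values below 0, or below 1 if 0 is not meant to be a valid setting).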
141 changes: 71 additions & 70 deletions helm/sealed-secrets/README.md

Large diffs are not rendered by default.

4 changes: 4 additions & 0 deletions helm/sealed-secrets/templates/deployment.yaml
@@ -145,6 +145,10 @@ spec:
- --listen-metrics-addr
- {{ printf ":%s" (.Values.containerPorts.metrics | toString) }}
{{- end }}
{{- if .Values.maxRetries }}
- --max-unseal-retries
- {{ .Values.maxRetries | quote }}
{{- end }}
{{- end }}
image: {{ printf "%s/%s:%s" .Values.image.registry .Values.image.repository .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
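Review bot: `{{- if .Values.maxRetries }}` is falsy for both the empty default from values.yaml and the integer 0, so a user who sets `maxRetries: 0` to mean "do not retry" gets the flag silently omitted and the controller falls back to its built-in default of 5. If 0 is meant to be a valid setting, test for presence rather than truthiness, e.g. `{{- if ne (toString .Values.maxRetries) "" }}`, which treats `0` as set and `""` as unset; if 0 is not supported, say so in the values.yaml comment. Quoting the value with `| quote` is correct, since container args must be strings.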
3 changes: 3 additions & 0 deletions helm/sealed-secrets/values.yaml
@@ -112,6 +112,9 @@ logLevel: ""
## @param logFormat Specifies log format (text,json)
##
logFormat: ""
## @param maxRetries Number of maximum retries
##
maxRetries: ""
## @param command Override default container command
##
command: []
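Review bot: The `@param maxRetries` comment says only "Number of maximum retries", with no type and no effective default. Because the chart leaves the value empty and the controller then applies its own default of 5 (from the flag definition in cmd/controller/main.go), the comment should say so, e.g. `## @param maxRetries Maximum unseal retries per SealedSecret (integer); empty means the controller default (5)`. If the helm README is generated from these annotations, the terse wording lands there as well.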
8 changes: 5 additions & 3 deletions pkg/controller/controller.go
@@ -38,8 +38,6 @@ import (
)

const (
maxRetries = 5

// SuccessUnsealed is used as part of the Event 'reason' when
// a SealedSecret is unsealed successfully.
SuccessUnsealed = "Unsealed"
@@ -60,6 +58,8 @@ const (
var (
// ErrCast happens when a K8s any type cannot be casted to the expected type.
ErrCast = errors.New("cast error")

maxRetries = 5
)

// Controller implements the main sealed-secrets-controller loop.
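Review bot: `maxRetries = 5` in the `var` block is now an initializer that NewController always overwrites, so this `5` and the `5` in the flag default in cmd/controller/main.go are two copies of the same default that can drift apart. Keep a single `const defaultMaxRetries = 5` and derive both the flag default and this initializer from it. The new variable also lacks a doc comment, unlike `ErrCast` beside it.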
@@ -77,7 +77,7 @@ type Controller struct {
}

// NewController returns the main sealed-secrets controller loop.
func NewController(clientset kubernetes.Interface, ssclientset ssclientset.Interface, ssinformer ssinformer.SharedInformerFactory, sinformer informers.SharedInformerFactory, keyRegistry *KeyRegistry) (*Controller, error) {
func NewController(clientset kubernetes.Interface, ssclientset ssclientset.Interface, ssinformer ssinformer.SharedInformerFactory, sinformer informers.SharedInformerFactory, keyRegistry *KeyRegistry, maxRetriesConfig int) (*Controller, error) {
queue := workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter())

utilruntime.Must(ssscheme.AddToScheme(scheme.Scheme))
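Review bot: Adding a positional `maxRetriesConfig int` parameter to the exported `NewController` breaks every external caller of the previous signature; if that is acceptable, the commit message should say so. The parameter is also accepted unchecked, so a zero or negative value from the flag becomes the retry limit. Either document the accepted range here and treat values below 0 as an error, or pass the value through a small options struct so the next knob does not change the signature again.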
@@ -102,6 +102,8 @@ func NewController(clientset kubernetes.Interface, ssclientset ssclientset.Inter
}
}

maxRetries = maxRetriesConfig

return &Controller{
ssInformer: ssInformer,
sInformer: sInformer,
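Review bot: `maxRetries = maxRetriesConfig` stores a per-controller setting in a package-level variable as a side effect of the constructor. A second NewController call in the same process (tests, or a future multi-controller setup) silently changes the limit for the first, and any goroutine already reading the variable races with the write. Store it on the struct instead, with a `maxRetries int` field and `maxRetries: maxRetriesConfig,` in the `&Controller{...}` literal below, and read `c.maxRetries` wherever the package variable is consulted today.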
3 changes: 2 additions & 1 deletion pkg/controller/main.go
@@ -55,6 +55,7 @@ type Flags struct {
LogFormat string
PrivateKeyAnnotations string
PrivateKeyLabels string
MaxRetries int
}

func initKeyPrefix(keyPrefix string) (string, error) {
@@ -267,7 +268,7 @@ func Main(f *Flags, version string) error {
func prepareController(clientset kubernetes.Interface, namespace string, tweakopts func(*metav1.ListOptions), f *Flags, ssclientset versioned.Interface, keyRegistry *KeyRegistry) (*Controller, error) {
sinformer := initSecretInformerFactory(clientset, namespace, tweakopts, f.SkipRecreate)
ssinformer := ssinformers.NewFilteredSharedInformerFactory(ssclientset, 0, namespace, tweakopts)
controller, err := NewController(clientset, ssclientset, ssinformer, sinformer, keyRegistry)
controller, err := NewController(clientset, ssclientset, ssinformer, sinformer, keyRegistry, f.MaxRetries)
return controller, err
}
