Configure max retries (#1633)
<!--
Before you open the request please review the following guidelines and
tips to help it be more easily integrated:

 - Describe the scope of your change - i.e. what the change does.
 - Describe any known limitations with your change.
 - Please run any tests or examples that can exercise your modified code.

Thank you for contributing! We will try to test and integrate the change
as soon as we can, but be aware we have many GitHub repositories to
manage and can't immediately respond to every request. There is no need
to bump or check in on a pull request (it will clutter the discussion of
the request).

Also don't be worried if the request is closed or not integrated
sometimes the priorities of Bitnami might not match the priorities of
the pull request. Don't fret, the open source community thrives on forks
and GitHub makes it easy to keep your changes in a forked repo.
 -->

**Description of the change**

Allow configuring max retries

**Applicable issues**

<!-- Enter any applicable Issues here (You can reference an issue using
#) -->
- fixes #1599

---------

Signed-off-by: Alvaro Neira Ayuso <[email protected]>
Signed-off-by: Alvaro Neira Ayuso <[email protected]>
Co-authored-by: Alfredo Garcia <[email protected]>
alvneiayu and agarcia-oss authored Nov 7, 2024

1 parent 2c6d400 commit e822b41
Showing 7 changed files with 92 additions and 74 deletions.
5 changes: 5 additions & 0 deletions README.md
@@ -60,6 +60,7 @@ original Secret from the SealedSecret.
- [How to use kubeseal if the controller is not running within the `kube-system` namespace?](#how-to-use-kubeseal-if-the-controller-is-not-running-within-the-kube-system-namespace)
- [How to verify the images?](#how-to-verify-the-images)
- [How to use one controller for a subset of namespaces](#How-to-use-one-controller-for-a-subset-of-namespaces)
- [Can I configure the controller unseal retries](#can-i-configure-the-controller-unseal-retries)

- [Community](#community)
- [Related projects](#related-projects)
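Review bot: the new TOC entry `- [Can I configure the controller unseal retries](#can-i-configure-the-controller-unseal-retries)` drops the trailing question mark that the neighbouring entries (e.g. `- [How to verify the images?](#how-to-verify-the-images)`) and the heading it points to both carry; add the `?` so the entry text matches the heading. The anchor itself resolves either way because GitHub lowercases heading slugs, so this is a consistency fix only.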
@@ -826,6 +827,10 @@ cosign verify --key .github/workflows/cosign.pub docker.io/bitnami/sealed-secret

If you want to use one controller for more than one namespace, but not all namespaces, you can provide additional namespaces using the command line flag `--additional-namespaces=<namespace1>,<namespace2>,<...>`. Make sure you provide appropriate roles and rolebindings in the target namespaces, so the controller can manage the secrets in there.

### Can I configure the Controller unseal retries?

The answer is yes, you can configure the number of retries in your controller using the flag `--max-unseal-retries`. This flag allows you to configure the number of maximum retries to unseal your Sealed Secrets.

## Community

- [#sealed-secrets on Kubernetes Slack](https://kubernetes.slack.com/messages/sealed-secrets)
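Review bot: the new section names `--max-unseal-retries` but gives the reader neither the default nor the chart knob. State that the flag defaults to 5 (the value registered in `cmd/controller/main.go` in this same change) and that Helm users set it through `maxRetries` in `values.yaml`, and say what happens when the retry budget for a SealedSecret is exhausted, since operators deciding on a value need to know whether a failing object is retried forever or dropped. Also lowercase "Controller" in the heading to match the TOC entry and the rest of the README's headings.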
2 changes: 2 additions & 0 deletions cmd/controller/main.go
@@ -58,6 +58,8 @@ func bindControllerFlags(f *controller.Flags, fs *flag.FlagSet) {

fs.DurationVar(&f.KeyRenewPeriod, "rotate-period", defaultKeyRenewPeriod, "")
_ = fs.MarkDeprecated("rotate-period", "please use key-renew-period instead")

fs.IntVar(&f.MaxRetries, "max-unseal-retries", 5, "Max unseal retries.")
}

func bindFlags(f *controller.Flags, fs *flag.FlagSet, gofs *goflag.FlagSet) {
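Review bot: `fs.IntVar(&f.MaxRetries, "max-unseal-retries", 5, "Max unseal retries.")` accepts any integer, including negative values, and nothing in this change rejects them before the number reaches `NewController`; validate `f.MaxRetries >= 0` (or `>= 1` if zero is not a meaningful setting) at flag-parse time and fail startup with a clear error rather than letting a bad value silently alter requeue behaviour. The help string should also spell out what is counted, e.g. "Maximum number of unseal retries per SealedSecret." so `--help` output is self-explanatory.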
141 changes: 71 additions & 70 deletions helm/sealed-secrets/README.md

Large diffs are not rendered by default.

4 changes: 4 additions & 0 deletions helm/sealed-secrets/templates/deployment.yaml
@@ -145,6 +145,10 @@ spec:
- --listen-metrics-addr
- {{ printf ":%s" (.Values.containerPorts.metrics | toString) }}
{{- end }}
{{- if .Values.maxRetries }}
- --max-unseal-retries
- {{ .Values.maxRetries | quote }}
{{- end }}
{{- end }}
image: {{ printf "%s/%s:%s" .Values.image.registry .Values.image.repository .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
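Review bot: `{{- if .Values.maxRetries }}` is a truthiness check, so a chart user who sets `maxRetries: 0` renders no flag at all and the controller silently falls back to the binary default of 5. If 0 is a valid setting, guard on the key being set rather than on its truthiness, e.g. `{{- if ne (toString .Values.maxRetries) "" }}` given the `""` default in `values.yaml`. Note also that `{{ .Values.maxRetries | quote }}` passes any user string straight through as a container arg, so a non-numeric value only surfaces as a flag-parse error at controller start; that is acceptable but worth a line in the chart docs.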
3 changes: 3 additions & 0 deletions helm/sealed-secrets/values.yaml
@@ -112,6 +112,9 @@ logLevel: ""
## @param logFormat Specifies log format (text,json)
##
logFormat: ""
## @param maxRetries Number of maximum retries
##
maxRetries: ""
## @param command Override default container command
##
command: []
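Review bot: the `## @param maxRetries Number of maximum retries` comment does not say what is retried, what type is expected, or what the effective default is, and this comment is what the generated chart README will show. Suggest `## @param maxRetries Maximum number of unseal retries per SealedSecret (empty uses the controller default of 5)` so the value is clearly tied to `--max-unseal-retries`. Declaring it as `""` while the flag is an int works because it is only rendered into a container arg, but a numeric default would let the template guard in `deployment.yaml` be a plain comparison.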
8 changes: 5 additions & 3 deletions pkg/controller/controller.go
@@ -38,8 +38,6 @@ import (
)

const (
maxRetries = 5

// SuccessUnsealed is used as part of the Event 'reason' when
// a SealedSecret is unsealed successfully.
SuccessUnsealed = "Unsealed"
@@ -60,6 +58,8 @@ const (
var (
// ErrCast happens when a K8s any type cannot be casted to the expected type.
ErrCast = errors.New("cast error")

maxRetries = 5
)

// Controller implements the main sealed-secrets-controller loop.
@@ -77,7 +77,7 @@ type Controller struct {
}

// NewController returns the main sealed-secrets controller loop.
func NewController(clientset kubernetes.Interface, ssclientset ssclientset.Interface, ssinformer ssinformer.SharedInformerFactory, sinformer informers.SharedInformerFactory, keyRegistry *KeyRegistry) (*Controller, error) {
func NewController(clientset kubernetes.Interface, ssclientset ssclientset.Interface, ssinformer ssinformer.SharedInformerFactory, sinformer informers.SharedInformerFactory, keyRegistry *KeyRegistry, maxRetriesConfig int) (*Controller, error) {
queue := workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter())

utilruntime.Must(ssscheme.AddToScheme(scheme.Scheme))
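Review bot: the new `maxRetriesConfig int` parameter on `NewController` is stored without any validation, so a caller passing a negative value gets a controller whose requeue limit is never reached. Either return an error from `NewController` for values below 0 (the function already returns `(*Controller, error)`) or document on the function's doc comment what range is accepted and what 0 means, so that callers other than `prepareController` are protected as well.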
@@ -102,6 +102,8 @@ func NewController(clientset kubernetes.Interface, ssclientset ssclientset.Inter
}
}

maxRetries = maxRetriesConfig

return &Controller{
ssInformer: ssInformer,
sInformer: sInformer,
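Review bot: turning `maxRetries` from a `const` into a package-level `var` that is assigned in `NewController` (`maxRetries = maxRetriesConfig`) introduces mutable global state: every `Controller` built in the same process shares and overwrites it, so tests that construct several controllers with different limits, or any future multi-controller use, will see the last write win, and a read from a running worker racing with a later `NewController` call is an unsynchronised access. Prefer a `maxRetries int` field on `Controller`, populated here from `maxRetriesConfig` and read through the receiver wherever the requeue decision is made, which also keeps the package free of the `var` block addition above.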
3 changes: 2 additions & 1 deletion pkg/controller/main.go
@@ -55,6 +55,7 @@ type Flags struct {
LogFormat string
PrivateKeyAnnotations string
PrivateKeyLabels string
MaxRetries int
}

func initKeyPrefix(keyPrefix string) (string, error) {
@@ -267,7 +268,7 @@ func Main(f *Flags, version string) error {
func prepareController(clientset kubernetes.Interface, namespace string, tweakopts func(*metav1.ListOptions), f *Flags, ssclientset versioned.Interface, keyRegistry *KeyRegistry) (*Controller, error) {
sinformer := initSecretInformerFactory(clientset, namespace, tweakopts, f.SkipRecreate)
ssinformer := ssinformers.NewFilteredSharedInformerFactory(ssclientset, 0, namespace, tweakopts)
controller, err := NewController(clientset, ssclientset, ssinformer, sinformer, keyRegistry)
controller, err := NewController(clientset, ssclientset, ssinformer, sinformer, keyRegistry, f.MaxRetries)
return controller, err
}
