github/client-go
1
0
Fork 0
mirror of https://github.com/kubernetes/client-go.git synced 2025-09-19 01:12:53 +00:00
Code Issues Projects Releases Wiki Activity

Switch WaitForCertificate to informers to avoid broken watches

Browse Source 
Kubernetes-commit: a7588723f7e9b88c2e8b9d601a2391e0f6b19a17
This commit is contained in:
Tomas Nozicka
2019-01-17 18:32:36 +01:00
committed by Kubernetes Publisher
parent 5846423975
commit 0dbe75c417
3 changed files with 26 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
util/certificate/certificate_manager.go
View File

@@ -40,9 +40,9 @@ import (
"k8s.io/client-go/util/certificate/csr"
)
// certificateWaitBackoff controls the amount and timing of retries when the
// watch for certificate approval is interrupted.
var certificateWaitBackoff = wait.Backoff{Duration: 30 * time.Second, Steps: 4, Factor: 1.5, Jitter: 0.1}
// certificateWaitTimeout controls the amount of time we wait for certificate
// approval in one iteration.
var certificateWaitTimeout = 15 * time.Minute
// Manager maintains and updates the certificates in use by this certificate
// manager. In the background it communicates with the API server to get new
@@ -388,29 +388,10 @@ func (m *manager) rotateCerts() (bool, error) {
// Once we've successfully submitted a CSR for this template, record that we did so
m.setLastRequest(template)
// Wait for the certificate to be signed. Instead of one long watch, we retry with slightly longer
// intervals each time in order to tolerate failures from the server AND to preserve the liveliness
// of the cert manager loop. This creates slightly more traffic against the API server in return
// for bounding the amount of time we wait when a certificate expires.
var crtPEM []byte
watchDuration := time.Minute
if err := wait.ExponentialBackoff(certificateWaitBackoff, func() (bool, error) {
data, err := csr.WaitForCertificate(client, req, watchDuration)
switch {
case err == nil:
crtPEM = data
return true, nil
case err == wait.ErrWaitTimeout:
watchDuration += time.Minute
if watchDuration > 5*time.Minute {
watchDuration = 5 * time.Minute
}
return false, nil
default:
utilruntime.HandleError(fmt.Errorf("Unable to check certificate signing status: %v", err))
return false, m.updateServerError(err)
}
}); err != nil {
// Wait for the certificate to be signed. This interface and internal timout
// is a remainder after the old design using raw watch wrapped with backoff.
crtPEM, err := csr.WaitForCertificate(client, req, certificateWaitTimeout)
if err != nil {
utilruntime.HandleError(fmt.Errorf("Certificate request was not signed: %v", err))
return false, nil
}