From 933494ab8d78dcf6ffa820e9795761af8937f558 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt 
Date: Thu, 8 Dec 2022 08:57:45 -0500
Subject: [PATCH] Check for initial kubelet certificates more frequently

---
 pkg/kubelet/certificate/transport.go | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/pkg/kubelet/certificate/transport.go b/pkg/kubelet/certificate/transport.go
index ddb007555aa..7591a4884f0 100644
--- a/pkg/kubelet/certificate/transport.go
+++ b/pkg/kubelet/certificate/transport.go
@@ -22,6 +22,8 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"sync"
+	"sync/atomic"
 	"time"
 
 	"k8s.io/klog/v2"
@@ -97,7 +99,16 @@ func addCertRotation(stopCh <-chan struct{}, period time.Duration, clientConfig
 	lastCertAvailable := time.Now()
 	lastCert := clientCertificateManager.Current()
 
-	go wait.Until(func() {
+
+	var hasCert atomic.Bool
+	hasCert.Store(lastCert != nil)
+
+	checkLock := &sync.Mutex{}
+	checkNewCertificateAndRotate := func() {
+		// don't run concurrently
+		checkLock.Lock()
+		defer checkLock.Unlock()
+
 		curr := clientCertificateManager.Current()
 
 		if exitAfter > 0 {
@@ -131,6 +142,7 @@ func addCertRotation(stopCh <-chan struct{}, period time.Duration, clientConfig
 			return
 		}
 		lastCert = curr
+		hasCert.Store(lastCert != nil)
 
 		klog.InfoS("Certificate rotation detected, shutting down client connections to start using new credentials")
 		// The cert has been rotated. Close all existing connections to force the client
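Review bot: The mutex in the second hunk is declared as a pointer, `checkLock := &sync.Mutex{}`, although the closure captures the variable by reference anyway; the idiomatic form is `var checkLock sync.Mutex` with the same `checkLock.Lock()` / `defer checkLock.Unlock()` calls. The comment `// don't run concurrently` states the what but not the why; since the function now mutates the captured `lastCert` and `lastCertAvailable` from both the periodic wait.Until loop and the initial-certificate poller added later in this patch, a comment such as `// serialize the periodic and initial-certificate callers: both mutate lastCert/lastCertAvailable` would tell the next reader what the lock protects. The enclosing addCertRotation function begins before this hunk and continues past it, so the remaining branches of the closure are not visible here.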
@@ -138,7 +150,18 @@ func addCertRotation(stopCh <-chan struct{}, period time.Duration, clientConfig
 		//
 		// See: https://github.com/kubernetes-incubator/bootkube/pull/663#issuecomment-318506493
 		d.CloseAll()
-	}, period, stopCh)
+	}
+
+	// start long-term check
+	go wait.Until(checkNewCertificateAndRotate, period, stopCh)
+
+	if !hasCert.Load() {
+		// start a faster check until we get the initial certificate
+		go wait.PollUntil(time.Second, func() (bool, error) {
+			checkNewCertificateAndRotate()
+			return hasCert.Load(), nil
+		}, stopCh)
+	}
 
 	clientConfig.Transport = utilnet.SetTransportDefaults(&http.Transport{
 		Proxy: http.ProxyFromEnvironment,
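Review bot: The fast-poll interval is the bare literal `time.Second` in the `wait.PollUntil` call, while the slow interval arrives as the `period` parameter, so the relationship between the two cadences is only recoverable from the comment. A named constant next to the function, `const initialCertPollInterval = time.Second // fast poll until the first client certificate is available`, passed as `wait.PollUntil(initialCertPollInterval, ...)`, documents the intent and gives tests and future tuning one place to change it. The poller's exit condition is `hasCert.Load()`, which only the mutex-guarded check sets, so the goroutine presumably runs until either the first certificate is observed or stopCh closes; a one-line comment saying so would make the goroutine's lifetime explicit. The enclosing addCertRotation function continues past the end of this hunk.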