chore: Convert to healthcheck block instead of healthCheckIntervalSeconds

irby · irby · commit 52443ce249f0 · 2025-10-27T12:16:14.000-04:00
Signed-off-by: Matthew H. Irby &lt;matt.irby@outlook.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,6 @@
 # v2.3.3
 ## Features
-- Add a `healthCheckIntervalSeconds` specification to Issuer / ClusterIssuer resources, allowing flexibility in the health check interval.
+- Add a `healthcheck` specification to Issuer / ClusterIssuer resources, allowing flexibility in the health check interval.
 
 # v2.3.1
 ## Fixes
diff --git a/api/v1alpha1/issuer_types.go b/api/v1alpha1/issuer_types.go
@@ -46,9 +46,10 @@ type IssuerSpec struct {
 	// +kubebuilder:default:=KeyfactorAPI
 	APIPath string `json:"apiPath,omitempty"`
 
-	// The number of seconds between successful health checks. 60 seconds (1 minute) by default. Setting to 0 will disable the health check.
-	// +kubebuilder:default:=60
-	HealthCheckIntervalSeconds *int `json:"healthCheckIntervalSeconds,omitempty"`
+	// The healthcheck configuration for the issuer. This configures the frequency at which the issuer will perform
+	// a health check to determine issuer's connectivity to Command instance.
+	// +kubebuilder:validation:Optional
+	HealthCheck *HealthCheckConfig `json:"healthcheck,omitempty"`
 
 	// EnrollmentPatternId is the ID of the enrollment pattern to use. Supported in Keyfactor Command 25.1 and later.
 	// If both enrollment pattern and certificate template are specified, enrollment pattern will take precedence.
@@ -283,6 +284,15 @@ const (
 	ConditionUnknown ConditionStatus = "Unknown"
 )
 
+type HealthCheckConfig struct {
+	// Determines whether to the health check when the issuer is healthy. Default: true
+	Enabled bool `json:"enabled"`
+
+	// The interval at which to health check the issuer when healthy. Defaults to 1 minute. Must not be less than "30s".
+	// +kubebuilder:validation:Optional
+	Interval *metav1.Duration `json:"interval"`
+}
+
 func init() {
 	SchemeBuilder.Register(&Issuer{}, &IssuerList{})
 }
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/command-issuer.keyfactor.com_clusterissuers.yaml b/config/crd/bases/command-issuer.keyfactor.com_clusterissuers.yaml
@@ -102,12 +102,22 @@ spec:
                   Enrollment will fail if the specified template is not compatible with the enrollment pattern.
                   Refer to the Keyfactor Command documentation for more information.
                 type: string
-              healthCheckIntervalSeconds:
-                default: 60
-                description: The number of seconds between successful health checks.
-                  60 seconds (1 minute) by default. Setting to 0 will disable the
-                  health check.
-                type: integer
+              healthcheck:
+                description: |-
+                  The healthcheck configuration for the issuer. This configures the frequency at which the issuer will perform
+                  a health check to determine issuer's connectivity to Command instance.
+                properties:
+                  enabled:
+                    description: 'Determines whether to the health check when the
+                      issuer is healthy. Default: true'
+                    type: boolean
+                  interval:
+                    description: The interval at which to health check the issuer
+                      when healthy. Defaults to 1 minute. Must not be less than "30s".
+                    type: string
+                required:
+                - enabled
+                type: object
               hostname:
                 description: Hostname is the hostname of a Keyfactor Command instance.
                 type: string
diff --git a/config/crd/bases/command-issuer.keyfactor.com_issuers.yaml b/config/crd/bases/command-issuer.keyfactor.com_issuers.yaml
@@ -102,12 +102,22 @@ spec:
                   Enrollment will fail if the specified template is not compatible with the enrollment pattern.
                   Refer to the Keyfactor Command documentation for more information.
                 type: string
-              healthCheckIntervalSeconds:
-                default: 60
-                description: The number of seconds between successful health checks.
-                  60 seconds (1 minute) by default. Setting to 0 will disable the
-                  health check.
-                type: integer
+              healthcheck:
+                description: |-
+                  The healthcheck configuration for the issuer. This configures the frequency at which the issuer will perform
+                  a health check to determine issuer's connectivity to Command instance.
+                properties:
+                  enabled:
+                    description: 'Determines whether to the health check when the
+                      issuer is healthy. Default: true'
+                    type: boolean
+                  interval:
+                    description: The interval at which to health check the issuer
+                      when healthy. Defaults to 1 minute. Must not be less than "30s".
+                    type: string
+                required:
+                - enabled
+                type: object
               hostname:
                 description: Hostname is the hostname of a Keyfactor Command instance.
                 type: string
diff --git a/deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml b/deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml
@@ -79,12 +79,22 @@ spec:
                   Enrollment will fail if the specified template is not compatible with the enrollment pattern.
                   Refer to the Keyfactor Command documentation for more information.
                 type: string
-              healthCheckIntervalSeconds:
-                default: 60
-                description: The number of seconds between successful health checks.
-                  60 seconds (1 minute) by default. Setting to 0 will disable the
-                  health check.
-                type: integer
+              healthcheck:
+                description: |-
+                  The healthcheck configuration for the issuer. This configures the frequency at which the issuer will perform
+                  a health check to determine issuer's connectivity to Command instance.
+                properties:
+                  enabled:
+                    description: 'Determines whether to the health check when the
+                      issuer is healthy. Default: true'
+                    type: boolean
+                  interval:
+                    description: The interval at which to health check the issuer
+                      when healthy. Defaults to 1 minute.
+                    type: string
+                required:
+                - enabled
+                type: object
               ownerRoleId:
                 description: |-
                   OwnerRoleId is the ID of the security role assigned as the certificate owner.
diff --git a/deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml b/deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml
@@ -79,12 +79,22 @@ spec:
                   Enrollment will fail if the specified template is not compatible with the enrollment pattern.
                   Refer to the Keyfactor Command documentation for more information.
                 type: string
-              healthCheckIntervalSeconds:
-                default: 60
-                description: The number of seconds between successful health checks.
-                  60 seconds (1 minute) by default. Setting to 0 will disable the
-                  health check.
-                type: integer
+              healthcheck:
+                description: |-
+                  The healthcheck configuration for the issuer. This configures the frequency at which the issuer will perform
+                  a health check to determine issuer's connectivity to Command instance.
+                properties:
+                  enabled:
+                    description: 'Determines whether to the health check when the
+                      issuer is healthy. Default: true'
+                    type: boolean
+                  interval:
+                    description: The interval at which to health check the issuer
+                      when healthy. Defaults to 1 minute.
+                    type: string
+                required:
+                - enabled
+                type: object
               ownerRoleId:
                 description: |-
                   OwnerRoleId is the ID of the security role assigned as the certificate owner.
diff --git a/docsource/content.md b/docsource/content.md
@@ -219,7 +219,9 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
     | ownerRoleName     | The name of the security role assigned as the certificate owner. The security role must be assigned to the identity context of the issuer. If `ownerRoleId` and `ownerRoleName` are both specified, `ownerRoleId` will take precedence. This field is **required** if the enrollment pattern, certificate template, or system-wide setting requires it. |
     | scopes     | (Optional) Required if using ambient credentials with Azure AKS. If using ambient credentials, these scopes will be put on the access token generated by the ambient credentials' token provider, if applicable.   |
      | audience     | (Optional) If using ambient credentials, this audience will be put on the access token generated by the ambient credentials' token provider, if applicable. Google's ambient credential token provider generates an OIDC ID Token. If this value is not provided, it will default to `command`.  |
-     | healthCheckIntervalSeconds | (Optional) Defines the health check interval, in seconds, for a healthy issuer. If ommitted, defaults to 60 seconds. If set to 0, it will disable the health check. If there is a failure when running the health check, it will retry in 10 seconds with an exponential backoff strategy. Value must not be negative. |
+     | healthcheck | (Optional) Defines the health check configuration for the issuer. If ommitted, health checks will be enabled and default to 60 seconds. If left disabled, the issuer will not perform a health check when the issuer is healthy and may cause CertificateRequest resources to silently fail. |
+     | healthcheck.enabled | (Required if health check block provided) Boolean to enable / disable health checks. By default, health checks are enabled. |
+     | healthcheck.interval | (Optional) Defines the interval between health checks. Example values: `30s`, `1m`, `5.5m`. To prevent overloading the Command instance, this interval must not be less than `30s`. Default value: `60s`. |
 
     > If a different combination of hostname/certificate authority/certificate template is required, a new Issuer or ClusterIssuer resource must be created. Each resource instantiation represents a single configuration.
 
@@ -251,7 +253,9 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
           # ownerRoleName: "$OWNER_ROLE_NAME" # Uncomment if required
           # scopes: "openid email https://example.com/.default" # Uncomment if required
           # audience: "https://your-command-url.com" # Uncomment if desired
-          # healthCheckIntervalSeconds: 60 # Uncomment if desired. Setting to 0 disables health check.
+          # healthcheck: # Optional health check configuration
+          #   enabled: true
+          #   interval: 30s
         EOF
 
         kubectl -n default apply -f issuer.yaml
@@ -282,7 +286,9 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
           # ownerRoleName: "$OWNER_ROLE_NAME" # Uncomment if required
           # scopes: "openid email https://example.com/.default" # Uncomment if required
           # audience: "https://your-command-url.com" # Uncomment if desired
-          # healthCheckIntervalSeconds: 60 # Uncomment if desired. Setting to 0 disables health check.
+          # healthcheck: # Optional health check configuration
+          #   enabled: true
+          #   interval: 30s
         EOF
 
         kubectl apply -f clusterissuer.yaml
diff --git a/e2e/run_tests.sh b/e2e/run_tests.sh
@@ -43,7 +43,7 @@ IMAGE_TAG="local" # Uncomment if you want to build the image locally
 FULL_IMAGE_NAME="${IMAGE_REPO}/${IMAGE_NAME}:${IMAGE_TAG}"
 
 HELM_CHART_NAME="command-cert-manager-issuer"
-#H ELM_CHART_VERSION="2.1.0" # Uncomment if you want to use a specific version from the Helm repository
+# HELM_CHART_VERSION="2.1.0" # Uncomment if you want to use a specific version from the Helm repository
 HELM_CHART_VERSION="local" # Uncomment if you want to use the local Helm chart
 
 IS_LOCAL_DEPLOYMENT=$([ "$IMAGE_TAG" = "local" ] && echo "true" || echo "false")
@@ -205,7 +205,7 @@ install_cert_manager_issuer() {
 
         CHART_PATH="command-issuer/command-cert-manager-issuer"
         echo "Using Helm chart from repository for version ${HELM_CHART_VERSION}: $CHART_PATH..."
-        VERSION_PARAM="--version ${HELM_CHART_VERSION}"
+        VERSION_PARAM="--version ${HELM_CHART_VERSION} --devel"
     fi
 
     # Only set the image repository parameter if we are deploying locally
diff --git a/internal/controller/issuer_controller.go b/internal/controller/issuer_controller.go
@@ -158,24 +158,31 @@ func (r *IssuerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 func getHealthCheckInterval(log logr.Logger, issuer commandissuer.IssuerLike) (time.Duration, error) {
 	spec := issuer.GetSpec()
 
-	if spec.HealthCheckIntervalSeconds == nil {
-		log.Info(fmt.Sprintf("health check spec value is nil, using default: %d", int(defaultHealthCheckInterval/time.Second)))
+	defaultInterval := int(defaultHealthCheckInterval / time.Second)
+
+	if spec.HealthCheck == nil {
+		log.Info(fmt.Sprintf("health check spec value is nil, using default: %d", defaultInterval))
 		return defaultHealthCheckInterval, nil
 	}
 
-	interval := *spec.HealthCheckIntervalSeconds
+	if !spec.HealthCheck.Enabled {
+		log.Info("health check has been disabled")
+		return 0, nil
+	}
 
-	// Health check interval should not be negative
-	if interval < 0 {
-		return 0, fmt.Errorf("interval %d is invalid, must be greater than or equal to 0", interval)
+	if spec.HealthCheck.Interval == nil {
+		log.Info(fmt.Sprintf("health check spec value is nil, using default: %d", defaultInterval))
+		return defaultHealthCheckInterval, nil
 	}
 
-	// Issuer may be configured to ignore future health checks
-	if interval == 0 {
-		log.Info("health check interval is configured to be 0. this will disable future health checks for issuer.")
+	healthCheckInterval := *spec.HealthCheck.Interval
+
+	// To prevent from overloading the server, health check interval should not be less than 30 seconds
+	if healthCheckInterval.Duration < time.Duration(30)*time.Second {
+		return 0, fmt.Errorf("interval %s is invalid, must be greater than or equal to '30s'", healthCheckInterval)
 	}
 
-	return time.Duration(interval) * time.Second, nil
+	return healthCheckInterval.Duration, nil
 }
 
 func commandConfigFromIssuer(ctx context.Context, c client.Client, issuer commandissuer.IssuerLike, secretNamespace string) (*command.Config, error) {
diff --git a/internal/controller/issuer_controller_test.go b/internal/controller/issuer_controller_test.go
