
Commit 52443ce

committed
chore: Convert to healthcheck block instead of healthCheckIntervalSeconds
Signed-off-by: Matthew H. Irby <[email protected]>
1 parent 2f9f9b9 commit 52443ce


11 files changed

+354
-55
lines changed


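--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,6 @@
 # v2.3.3
 ## Features
-- Add a `healthCheckIntervalSeconds` specification to Issuer / ClusterIssuer resources, allowing flexibility in the health check interval.
+- Add a `healthcheck` specification to Issuer / ClusterIssuer resources, allowing flexibility in the health check interval.
 
 # v2.3.1
 ## Fixes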

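--- a/api/v1alpha1/issuer_types.go
+++ b/api/v1alpha1/issuer_types.go
@@ -46,9 +46,10 @@ type IssuerSpec struct {
 // +kubebuilder:default:=KeyfactorAPI
 APIPath string `json:"apiPath,omitempty"`
 
-// The number of seconds between successful health checks. 60 seconds (1 minute) by default. Setting to 0 will disable the health check.
-// +kubebuilder:default:=60
-HealthCheckIntervalSeconds *int `json:"healthCheckIntervalSeconds,omitempty"`
+// The healthcheck configuration for the issuer. This configures the frequency at which the issuer will perform
+// a health check to determine issuer's connectivity to Command instance.
+// +kubebuilder:validation:Optional
+HealthCheck *HealthCheckConfig `json:"healthcheck,omitempty"`
 
 // EnrollmentPatternId is the ID of the enrollment pattern to use. Supported in Keyfactor Command 25.1 and later.
 // If both enrollment pattern and certificate template are specified, enrollment pattern will take precedence.
@@ -283,6 +284,15 @@ const (
 ConditionUnknown ConditionStatus = "Unknown"
 )
 
+type HealthCheckConfig struct {
+// Determines whether to the health check when the issuer is healthy. Default: true
+Enabled bool `json:"enabled"`
+
+// The interval at which to health check the issuer when healthy. Defaults to 1 minute. Must not be less than "30s".
+// +kubebuilder:validation:Optional
+Interval *metav1.Duration `json:"interval"`
+}
+
 func init() {
 SchemeBuilder.Register(&Issuer{}, &IssuerList{})
 }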
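Review bot: The comment on `Enabled` says "Default: true", but nothing in the new `HealthCheckConfig` type sets that default: the field is a plain `bool` with no `+kubebuilder:default` marker, so its zero value is false, and the generated CRDs in this commit list `enabled` as required. A Go client that builds the struct with only `Interval` set therefore gets health checks switched off, and the issuer could keep its last Ready status while connectivity to Command is broken. Either drop the default from the comment (and fix its wording, `// Determines whether to run the health check when the issuer is healthy.`) or make the default real with `// +kubebuilder:default:=true` on an `Enabled *bool` field tagged `json:"enabled,omitempty"`. `Interval` is marked optional but is tagged `json:"interval"` without `omitempty`, so a nil interval serializes as `null`; `json:"interval,omitempty"` would match the marker.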

api/v1alpha1/zz_generated.deepcopy.go

Lines changed: 25 additions & 4 deletions

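--- a/config/crd/bases/command-issuer.keyfactor.com_clusterissuers.yaml
+++ b/config/crd/bases/command-issuer.keyfactor.com_clusterissuers.yaml
@@ -102,12 +102,22 @@ spec:
 Enrollment will fail if the specified template is not compatible with the enrollment pattern.
 Refer to the Keyfactor Command documentation for more information.
 type: string
-healthCheckIntervalSeconds:
-default: 60
-description: The number of seconds between successful health checks.
-60 seconds (1 minute) by default. Setting to 0 will disable the
-health check.
-type: integer
+healthcheck:
+description: |-
+The healthcheck configuration for the issuer. This configures the frequency at which the issuer will perform
+a health check to determine issuer's connectivity to Command instance.
+properties:
+enabled:
+description: 'Determines whether to the health check when the
+issuer is healthy. Default: true'
+type: boolean
+interval:
+description: The interval at which to health check the issuer
+when healthy. Defaults to 1 minute. Must not be less than "30s".
+type: string
+required:
+- enabled
+type: object
 hostname:
 description: Hostname is the hostname of a Keyfactor Command instance.
 type: string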

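--- a/config/crd/bases/command-issuer.keyfactor.com_issuers.yaml
+++ b/config/crd/bases/command-issuer.keyfactor.com_issuers.yaml
@@ -102,12 +102,22 @@ spec:
 Enrollment will fail if the specified template is not compatible with the enrollment pattern.
 Refer to the Keyfactor Command documentation for more information.
 type: string
-healthCheckIntervalSeconds:
-default: 60
-description: The number of seconds between successful health checks.
-60 seconds (1 minute) by default. Setting to 0 will disable the
-health check.
-type: integer
+healthcheck:
+description: |-
+The healthcheck configuration for the issuer. This configures the frequency at which the issuer will perform
+a health check to determine issuer's connectivity to Command instance.
+properties:
+enabled:
+description: 'Determines whether to the health check when the
+issuer is healthy. Default: true'
+type: boolean
+interval:
+description: The interval at which to health check the issuer
+when healthy. Defaults to 1 minute. Must not be less than "30s".
+type: string
+required:
+- enabled
+type: object
 hostname:
 description: Hostname is the hostname of a Keyfactor Command instance.
 type: string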

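--- a/deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml
+++ b/deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml
@@ -79,12 +79,22 @@ spec:
 Enrollment will fail if the specified template is not compatible with the enrollment pattern.
 Refer to the Keyfactor Command documentation for more information.
 type: string
-healthCheckIntervalSeconds:
-default: 60
-description: The number of seconds between successful health checks.
-60 seconds (1 minute) by default. Setting to 0 will disable the
-health check.
-type: integer
+healthcheck:
+description: |-
+The healthcheck configuration for the issuer. This configures the frequency at which the issuer will perform
+a health check to determine issuer's connectivity to Command instance.
+properties:
+enabled:
+description: 'Determines whether to the health check when the
+issuer is healthy. Default: true'
+type: boolean
+interval:
+description: The interval at which to health check the issuer
+when healthy. Defaults to 1 minute.
+type: string
+required:
+- enabled
+type: object
 ownerRoleId:
 description: |-
 OwnerRoleId is the ID of the security role assigned as the certificate owner.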
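Review bot: The `interval` description in this chart copy of the CRD stops at "Defaults to 1 minute.", while the copies under config/crd/bases in the same commit also say `Must not be less than "30s"`, so the Helm-installed CRDs appear to be out of sync with the generated ones; templates/crds/issuers.yaml has the same drift. Someone reading `kubectl explain` on a chart-installed cluster will not see the minimum and will only learn of it from a reconcile error. Re-syncing the chart CRDs from the generated bases after the last comment change would restore the sentence.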

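--- a/deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml
+++ b/deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml
@@ -79,12 +79,22 @@ spec:
 Enrollment will fail if the specified template is not compatible with the enrollment pattern.
 Refer to the Keyfactor Command documentation for more information.
 type: string
-healthCheckIntervalSeconds:
-default: 60
-description: The number of seconds between successful health checks.
-60 seconds (1 minute) by default. Setting to 0 will disable the
-health check.
-type: integer
+healthcheck:
+description: |-
+The healthcheck configuration for the issuer. This configures the frequency at which the issuer will perform
+a health check to determine issuer's connectivity to Command instance.
+properties:
+enabled:
+description: 'Determines whether to the health check when the
+issuer is healthy. Default: true'
+type: boolean
+interval:
+description: The interval at which to health check the issuer
+when healthy. Defaults to 1 minute.
+type: string
+required:
+- enabled
+type: object
 ownerRoleId:
 description: |-
 OwnerRoleId is the ID of the security role assigned as the certificate owner.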

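--- a/docsource/content.md
+++ b/docsource/content.md
@@ -219,7 +219,9 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
 | ownerRoleName | The name of the security role assigned as the certificate owner. The security role must be assigned to the identity context of the issuer. If `ownerRoleId` and `ownerRoleName` are both specified, `ownerRoleId` will take precedence. This field is **required** if the enrollment pattern, certificate template, or system-wide setting requires it. |
 | scopes | (Optional) Required if using ambient credentials with Azure AKS. If using ambient credentials, these scopes will be put on the access token generated by the ambient credentials' token provider, if applicable. |
 | audience | (Optional) If using ambient credentials, this audience will be put on the access token generated by the ambient credentials' token provider, if applicable. Google's ambient credential token provider generates an OIDC ID Token. If this value is not provided, it will default to `command`. |
-| healthCheckIntervalSeconds | (Optional) Defines the health check interval, in seconds, for a healthy issuer. If ommitted, defaults to 60 seconds. If set to 0, it will disable the health check. If there is a failure when running the health check, it will retry in 10 seconds with an exponential backoff strategy. Value must not be negative. |
+| healthcheck | (Optional) Defines the health check configuration for the issuer. If ommitted, health checks will be enabled and default to 60 seconds. If left disabled, the issuer will not perform a health check when the issuer is healthy and may cause CertificateRequest resources to silently fail. |
+| healthcheck.enabled | (Required if health check block provided) Boolean to enable / disable health checks. By default, health checks are enabled. |
+| healthcheck.interval | (Optional) Defines the interval between health checks. Example values: `30s`, `1m`, `5.5m`. To prevent overloading the Command instance, this interval must not be less than `30s`. Default value: `60s`. |
 
 > If a different combination of hostname/certificate authority/certificate template is required, a new Issuer or ClusterIssuer resource must be created. Each resource instantiation represents a single configuration.
 
@@ -251,7 +253,9 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
 # ownerRoleName: "$OWNER_ROLE_NAME" # Uncomment if required
 # scopes: "openid email https://example.com/.default" # Uncomment if required
 # audience: "https://your-command-url.com" # Uncomment if desired
-# healthCheckIntervalSeconds: 60 # Uncomment if desired. Setting to 0 disables health check.
+# healthcheck: # Optional health check configuration
+# enabled: true
+# interval: 30s
 EOF
 
 kubectl -n default apply -f issuer.yaml
@@ -282,7 +286,9 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
 # ownerRoleName: "$OWNER_ROLE_NAME" # Uncomment if required
 # scopes: "openid email https://example.com/.default" # Uncomment if required
 # audience: "https://your-command-url.com" # Uncomment if desired
-# healthCheckIntervalSeconds: 60 # Uncomment if desired. Setting to 0 disables health check.
+# healthcheck: # Optional health check configuration
+# enabled: true
+# interval: 30s
 EOF
 
 kubectl apply -f clusterissuer.yaml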

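--- a/e2e/run_tests.sh
+++ b/e2e/run_tests.sh
@@ -43,7 +43,7 @@ IMAGE_TAG="local" # Uncomment if you want to build the image locally
 FULL_IMAGE_NAME="${IMAGE_REPO}/${IMAGE_NAME}:${IMAGE_TAG}"
 
 HELM_CHART_NAME="command-cert-manager-issuer"
-#H ELM_CHART_VERSION="2.1.0" # Uncomment if you want to use a specific version from the Helm repository
+# HELM_CHART_VERSION="2.1.0" # Uncomment if you want to use a specific version from the Helm repository
 HELM_CHART_VERSION="local" # Uncomment if you want to use the local Helm chart
 
 IS_LOCAL_DEPLOYMENT=$([ "$IMAGE_TAG" = "local" ] && echo "true" || echo "false")
@@ -205,7 +205,7 @@ install_cert_manager_issuer() {
 
 CHART_PATH="command-issuer/command-cert-manager-issuer"
 echo "Using Helm chart from repository for version ${HELM_CHART_VERSION}: $CHART_PATH..."
-VERSION_PARAM="--version ${HELM_CHART_VERSION}"
+VERSION_PARAM="--version ${HELM_CHART_VERSION} --devel"
 fi
 
 # Only set the image repository parameter if we are deploying locally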
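Review bot: The `--devel` appended to `VERSION_PARAM` probably has no effect, because Helm documents `--devel` as equivalent to `--version '>0.0.0-0'` and ignores it when `--version` is set, which this line always does. If the intent is to let the e2e run install a pre-release chart, set `HELM_CHART_VERSION` to that exact pre-release version and drop the flag, so the test installs a pinned chart rather than whatever is newest in the repository. The enclosing `install_cert_manager_issuer` function and the place where `VERSION_PARAM` is expanded are outside the hunk.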

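--- a/internal/controller/issuer_controller.go
+++ b/internal/controller/issuer_controller.go
@@ -158,24 +158,31 @@ func (r *IssuerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 func getHealthCheckInterval(log logr.Logger, issuer commandissuer.IssuerLike) (time.Duration, error) {
 spec := issuer.GetSpec()
 
-if spec.HealthCheckIntervalSeconds == nil {
-log.Info(fmt.Sprintf("health check spec value is nil, using default: %d", int(defaultHealthCheckInterval/time.Second)))
+defaultInterval := int(defaultHealthCheckInterval / time.Second)
+
+if spec.HealthCheck == nil {
+log.Info(fmt.Sprintf("health check spec value is nil, using default: %d", defaultInterval))
 return defaultHealthCheckInterval, nil
 }
 
-interval := *spec.HealthCheckIntervalSeconds
+if !spec.HealthCheck.Enabled {
+log.Info("health check has been disabled")
+return 0, nil
+}
 
-// Health check interval should not be negative
-if interval < 0 {
-return 0, fmt.Errorf("interval %d is invalid, must be greater than or equal to 0", interval)
+if spec.HealthCheck.Interval == nil {
+log.Info(fmt.Sprintf("health check spec value is nil, using default: %d", defaultInterval))
+return defaultHealthCheckInterval, nil
 }
 
-// Issuer may be configured to ignore future health checks
-if interval == 0 {
-log.Info("health check interval is configured to be 0. this will disable future health checks for issuer.")
+healthCheckInterval := *spec.HealthCheck.Interval
+
+// To prevent from overloading the server, health check interval should not be less than 30 seconds
+if healthCheckInterval.Duration < time.Duration(30)*time.Second {
+return 0, fmt.Errorf("interval %s is invalid, must be greater than or equal to '30s'", healthCheckInterval)
 }
 
-return time.Duration(interval) * time.Second, nil
+return healthCheckInterval.Duration, nil
 }
 
 func commandConfigFromIssuer(ctx context.Context, c client.Client, issuer commandissuer.IssuerLike, secretNamespace string) (*command.Config, error) {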
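Review bot: The 30-second floor in `getHealthCheckInterval` is enforced only at reconcile time and is written as the literal `time.Duration(30)*time.Second`, while the CRD schemas in this commit declare `interval` as a plain `type: string`, so a too-short value is admitted by the API server and surfaces only as a reconcile error. A named constant beside `defaultHealthCheckInterval`, `const minHealthCheckInterval = 30 * time.Second`, plus a schema rule on the API field such as `// +kubebuilder:validation:XValidation:rule="duration(self) >= duration('30s')"` would reject bad values at admission; verify the rule against the CRD validation features the supported clusters provide. The two `log.Info` calls for a nil `HealthCheck` and a nil `Interval` emit the same "health check spec value is nil" text with a unitless `%d`; distinct messages with key/value pairs, for example `log.Info("health check interval not set, using default", "interval", defaultHealthCheckInterval)`, would make the log unambiguous. How the caller in `Reconcile` treats the returned error and the zero interval is outside this hunk.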
