Merge pull request #57 from JSpon/default-timeout

irby · web-flow · commit 8339bd1fc577 · 2025-11-03T09:30:56.000-05:00
Ability to specify the default issuer timeout across all issuers
diff --git a/cmd/main.go b/cmd/main.go
@@ -22,6 +22,7 @@ import (
 	"flag"
 	"fmt"
 	"os"
+	"time"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
@@ -64,6 +65,7 @@ func main() {
 	var metricsAddr string
 	var enableLeaderElection bool
 	var probeAddr string
+	var healthCheckInterval string
 	var secureMetrics bool
 	var enableHTTP2 bool
 	var clusterResourceNamespace string
@@ -79,6 +81,8 @@ func main() {
 		"If set the metrics endpoint is served securely")
 	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	flag.StringVar(&healthCheckInterval, "default-health-check-interval", "60s",
+		"If set, it is the default health check interval for issuers.")
 	flag.StringVar(&clusterResourceNamespace, "cluster-resource-namespace", "", "The namespace for secrets in which cluster-scoped resources are found.")
 	flag.BoolVar(&disableApprovedCheck, "disable-approved-check", false,
 		"Disables waiting for CertificateRequests to have an approved condition before signing.")
@@ -168,13 +172,25 @@ func main() {
 		os.Exit(1)
 	}
 
+	defaultHealthCheckInterval, err := time.ParseDuration(healthCheckInterval)
+	if err != nil {
+		setupLog.Error(err, "unable to parse default health check interval")
+		os.Exit(1)
+	}
+
+	if defaultHealthCheckInterval < time.Duration(30) * time.Second {
+		setupLog.Error(err, fmt.Sprintf("interval %s is invalid, must be greater than or equal to '30s'", healthCheckInterval))
+		os.Exit(1)
+	}
+
 	if err = (&controller.IssuerReconciler{
 		Client:                            mgr.GetClient(),
 		Kind:                              "Issuer",
 		ClusterResourceNamespace:          clusterResourceNamespace,
 		SecretAccessGrantedAtClusterLevel: secretAccessGrantedAtClusterLevel,
 		Scheme:                            mgr.GetScheme(),
 		HealthCheckerBuilder:              command.NewHealthChecker,
+		DefaultHealthCheckInterval:        defaultHealthCheckInterval,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Issuer")
 		os.Exit(1)
@@ -186,6 +202,7 @@ func main() {
 		ClusterResourceNamespace:          clusterResourceNamespace,
 		SecretAccessGrantedAtClusterLevel: secretAccessGrantedAtClusterLevel,
 		HealthCheckerBuilder:              command.NewHealthChecker,
+		DefaultHealthCheckInterval:        defaultHealthCheckInterval,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "ClusterIssuer")
 		os.Exit(1)
diff --git a/deploy/charts/command-cert-manager-issuer/README.md b/deploy/charts/command-cert-manager-issuer/README.md
@@ -84,3 +84,4 @@ The following table lists the configurable parameters of the `command-cert-manag
 | `nodeSelector`                               | Node labels for pod assignment                                                                                                           | `{}`                                                  |
 | `tolerations`                                | Tolerations for pod assignment                                                                                                           | `[]`                                                  |
 | `secretConfig.useClusterRoleForSecretAccess` | Specifies if the ServiceAccount should be granted access to the Secret resource using a ClusterRole                                      | `false`                                               |
+| `defaultHealthCheckInterval`                 | Specifies the default health check interval for issuers                                                        | `""` (uses the default in the code which is 60s)                                 |
diff --git a/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml b/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml
@@ -36,6 +36,9 @@ spec:
             {{- if .Values.secretConfig.useClusterRoleForSecretAccess}}
             - --secret-access-granted-at-cluster-level
             {{- end}}
+            {{- if .Values.defaultHealthCheckInterval }}
+            - --default-health-check-interval={{ .Values.defaultHealthCheckInterval }}
+            {{- end }}
           command:
             - /manager
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.Version }}"
diff --git a/deploy/charts/command-cert-manager-issuer/values.yaml b/deploy/charts/command-cert-manager-issuer/values.yaml
@@ -70,3 +70,5 @@ resources: {}
 nodeSelector: {}
 
 tolerations: []
+
+defaultHealthCheckInterval: ""
diff --git a/internal/controller/issuer_controller.go b/internal/controller/issuer_controller.go
@@ -36,14 +36,14 @@ import (
 
 const (
 	issuerReadyConditionReason = "command-issuer.IssuerController.Reconcile"
-	defaultHealthCheckInterval = time.Minute
 )
 
 var (
 	errGetAuthSecret        = errors.New("failed to get Secret containing Issuer credentials")
 	errGetCaSecret          = errors.New("caSecretName specified a name, but failed to get Secret containing CA certificate")
 	errHealthCheckerBuilder = errors.New("failed to build the healthchecker")
 	errHealthCheckerCheck   = errors.New("healthcheck failed")
+	defaultHealthCheckInterval = time.Minute
 )
 
 // IssuerReconciler reconciles a Issuer object
@@ -54,6 +54,7 @@ type IssuerReconciler struct {
 	SecretAccessGrantedAtClusterLevel bool
 	Scheme                            *runtime.Scheme
 	HealthCheckerBuilder              command.HealthCheckerBuilder
+	DefaultHealthCheckInterval        time.Duration
 }
 
 //+kubebuilder:rbac:groups=command-issuer.keyfactor.com,resources=issuers;clusterissuers,verbs=get;list;watch
@@ -67,6 +68,7 @@ func (r *IssuerReconciler) newIssuer() (commandissuer.IssuerLike, error) {
 	if err != nil {
 		return nil, err
 	}
+	defaultHealthCheckInterval = r.DefaultHealthCheckInterval
 	return ro.(commandissuer.IssuerLike), nil
 }
 
diff --git a/internal/controller/issuer_controller_test.go b/internal/controller/issuer_controller_test.go
@@ -923,6 +923,7 @@ func TestIssuerReconcile(t *testing.T) {
 				HealthCheckerBuilder:              tc.healthCheckerBuilder,
 				ClusterResourceNamespace:          tc.clusterResourceNamespace,
 				SecretAccessGrantedAtClusterLevel: true,
+				DefaultHealthCheckInterval:        time.Minute,
 			}
 			result, err := controller.Reconcile(
 				ctrl.LoggerInto(context.TODO(), logrtesting.NewTestLogger(t)),

Original file line number	Diff line number	Diff line change
`@@ -36,14 +36,14 @@ import (`
`36`	`36`
`37`	`37`	`const (`
`38`	`38`	`issuerReadyConditionReason = "command-issuer.IssuerController.Reconcile"`
`39`		`- defaultHealthCheckInterval = time.Minute`
`40`	`39`	`)`
`41`	`40`
`42`	`41`	`var (`
`43`	`42`	`errGetAuthSecret = errors.New("failed to get Secret containing Issuer credentials")`
`44`	`43`	`errGetCaSecret = errors.New("caSecretName specified a name, but failed to get Secret containing CA certificate")`
`45`	`44`	`errHealthCheckerBuilder = errors.New("failed to build the healthchecker")`
`46`	`45`	`errHealthCheckerCheck = errors.New("healthcheck failed")`
	`46`	`+ defaultHealthCheckInterval = time.Minute`
`47`	`47`	`)`
`48`	`48`
`49`	`49`	`// IssuerReconciler reconciles a Issuer object`
`@@ -54,6 +54,7 @@ type IssuerReconciler struct {`
`54`	`54`	`SecretAccessGrantedAtClusterLevel bool`
`55`	`55`	`Scheme *runtime.Scheme`
`56`	`56`	`HealthCheckerBuilder command.HealthCheckerBuilder`
	`57`	`+ DefaultHealthCheckInterval time.Duration`
`57`	`58`	`}`
`58`	`59`
`59`	`60`	`//+kubebuilder:rbac:groups=command-issuer.keyfactor.com,resources=issuers;clusterissuers,verbs=get;list;watch`
`@@ -67,6 +68,7 @@ func (r *IssuerReconciler) newIssuer() (commandissuer.IssuerLike, error) {`
`67`	`68`	`if err != nil {`
`68`	`69`	`return nil, err`
`69`	`70`	`}`
	`71`	`+ defaultHealthCheckInterval = r.DefaultHealthCheckInterval`
`70`	`72`	`return ro.(commandissuer.IssuerLike), nil`
`71`	`73`	`}`
`72`	`74`
Original file line number	Diff line number	Diff line change
`@@ -923,6 +923,7 @@ func TestIssuerReconcile(t *testing.T) {`
`923`	`923`	`HealthCheckerBuilder: tc.healthCheckerBuilder,`
`924`	`924`	`ClusterResourceNamespace: tc.clusterResourceNamespace,`
`925`	`925`	`SecretAccessGrantedAtClusterLevel: true,`
	`926`	`+ DefaultHealthCheckInterval: time.Minute,`
`926`	`927`	`}`
`927`	`928`	`result, err := controller.Reconcile(`
`928`	`929`	`ctrl.LoggerInto(context.TODO(), logrtesting.NewTestLogger(t)),`