feat: implement health check logic

Signed-off-by: Matthew H. Irby <[email protected]>

Author: irby

CHANGELOG.md

@@ -1,3 +1,7 @@
+# v2.3.2
+## Features
+- Add a `healthCheckIntervalSeconds` specification to Issuer / ClusterIssuer resources, allowing flexibility in the health check interval.
+
 # v2.3.1
 ## Fixes
 - Add a manual dispatch of Helm chart release.

internal/controller/issuer_controller.go

@@ -25,6 +25,7 @@ import (
 
 	commandissuer "github.com/Keyfactor/command-cert-manager-issuer/api/v1alpha1"
 	"github.com/Keyfactor/command-cert-manager-issuer/internal/command"
+	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -86,8 +87,6 @@ func (r *IssuerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 		return ctrl.Result{}, nil
 	}
 
-	log.Info(fmt.Sprintf("Starting %s reconciliation run", issuer.GetObjectKind().GroupVersionKind().Kind))
-
 	// Always attempt to update the Ready condition
 	defer func() {
 		if err != nil {
@@ -99,6 +98,17 @@ func (r *IssuerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 		}
 	}()
 
+	healthCheckInterval, err := getHealthCheckInterval(log, issuer)
+	if err != nil {
+		log.Error(err, "en error occurred while getting the health check interval")
+		issuer.GetStatus().SetCondition(ctx, commandissuer.IssuerConditionReady, commandissuer.ConditionFalse, issuerReadyConditionReason, err.Error())
+		issuer.GetStatus().SetCondition(ctx, commandissuer.IssuerConditionSupportsMetadata, commandissuer.ConditionUnknown, "", "")
+		return ctrl.Result{}, nil
+	}
+
+	log.Info(fmt.Sprintf("Starting %s reconciliation run", issuer.GetObjectKind().GroupVersionKind().Kind))
+	log.Info(fmt.Sprintf("Issuer %s has been configured with a health check interval of %d seconds", issuer.GetObjectKind().GroupVersionKind().Kind, int(healthCheckInterval/time.Second)))
+
 	var secretNamespace string
 
 	switch {
@@ -142,7 +152,30 @@ func (r *IssuerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 		issuer.GetStatus().SetCondition(ctx, commandissuer.IssuerConditionSupportsMetadata, commandissuer.ConditionFalse, "Metadata fields are not defined", "Connected Command platform doesn't have the Command Issuer metadata fields defined.")
 	}
 
-	return ctrl.Result{RequeueAfter: defaultHealthCheckInterval}, nil
+	return ctrl.Result{RequeueAfter: healthCheckInterval}, nil
+}
+
+func getHealthCheckInterval(log logr.Logger, issuer commandissuer.IssuerLike) (time.Duration, error) {
+	spec := issuer.GetSpec()
+
+	if spec.HealthCheckIntervalSeconds == nil {
+		log.Info(fmt.Sprintf("health check spec value is nil, using default: %d", int(defaultHealthCheckInterval/time.Second)))
+		return defaultHealthCheckInterval, nil
+	}
+
+	interval := *spec.HealthCheckIntervalSeconds
+
+	// Health check interval should not be negative
+	if interval < 0 {
+		return 0, fmt.Errorf("interval %d is invalid, must be greater than or equal to 0", interval)
+	}
+
+	// Issuer may be configured to ignore future health checks
+	if interval == 0 {
+		log.Info("health check interval is configured to be 0. this will disable future health checks for issuer.")
+	}
+
+	return time.Duration(interval) * time.Second, nil
 }
 
 func commandConfigFromIssuer(ctx context.Context, c client.Client, issuer commandissuer.IssuerLike, secretNamespace string) (*command.Config, error) {

internal/controller/issuer_controller_test.go

@@ -1,5 +1,5 @@
 /*
-Copyright © 2024 Keyfactor
+Copyright © 2025 Keyfactor
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -20,7 +20,9 @@ import (
 	"context"
 	"errors"
 	"testing"
+	"time"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 	commandissuerv1alpha1 "github.com/Keyfactor/command-cert-manager-issuer/api/v1alpha1"
 	"github.com/Keyfactor/command-cert-manager-issuer/internal/command"
 	logrtesting "github.com/go-logr/logr/testing"
@@ -52,19 +54,13 @@ func (f *fakeHealthChecker) CommandSupportsMetadata() (bool, error) {
 var newFakeHealthCheckerBuilder = func(builderErr error, checkerErr error, supportsMetadata bool) func(context.Context, *command.Config) (command.HealthChecker, error) {
 	return func(context.Context, *command.Config) (command.HealthChecker, error) {
 		return &fakeHealthChecker{
-			errCheck: checkerErr,
+			supportsMetadata: supportsMetadata,
+			errCheck:         checkerErr,
 		}, builderErr
 	}
 }
 
 func TestIssuerReconcile(t *testing.T) {
-	// caCert, rootKey := issueTestCertificate(t, "Root-CA", nil, nil)
-	// caCertPem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCert.Raw})
-
-	// serverCert, _ := issueTestCertificate(t, "Server", caCert, rootKey)
-	// serverCertPem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: serverCert.Raw})
-	// caChain := append(serverCertPem, caCertPem...)
-
 	type testCase struct {
 		kind                                     string
 		name                                     types.NamespacedName
@@ -572,6 +568,123 @@ func TestIssuerReconcile(t *testing.T) {
 			expectedReadyConditionStatus:             commandissuerv1alpha1.ConditionFalse,
 			expectedMetadataSupportedConditionStatus: commandissuerv1alpha1.ConditionFalse,
 		},
+		"success-custom-healthcheck-interval-issuer": {
+			kind: "Issuer",
+			name: types.NamespacedName{Namespace: "ns1", Name: "issuer1"},
+			objects: []client.Object{
+				&commandissuerv1alpha1.Issuer{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "issuer1",
+						Namespace: "ns1",
+					},
+					Spec: commandissuerv1alpha1.IssuerSpec{
+						SecretName:                 "issuer1-credentials",
+						HealthCheckIntervalSeconds: to.Ptr(30),
+					},
+					Status: commandissuerv1alpha1.IssuerStatus{
+						Conditions: []commandissuerv1alpha1.IssuerCondition{
+							{
+								Type:   commandissuerv1alpha1.IssuerConditionReady,
+								Status: commandissuerv1alpha1.ConditionUnknown,
+							},
+						},
+					},
+				},
+				&corev1.Secret{
+					Type: corev1.SecretTypeBasicAuth,
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "issuer1-credentials",
+						Namespace: "ns1",
+					},
+					Data: map[string][]byte{
+						corev1.BasicAuthUsernameKey: []byte("username"),
+						corev1.BasicAuthPasswordKey: []byte("password"),
+					},
+				},
+			},
+			healthCheckerBuilder:                     newFakeHealthCheckerBuilder(nil, nil, true),
+			expectedReadyConditionStatus:             commandissuerv1alpha1.ConditionTrue,
+			expectedMetadataSupportedConditionStatus: commandissuerv1alpha1.ConditionTrue,
+			expectedResult:                           ctrl.Result{RequeueAfter: time.Duration(30) * time.Second},
+		},
+		"success-custom-healthcheck-interval-clusterissuer": {
+			kind: "ClusterIssuer",
+			name: types.NamespacedName{Name: "clusterissuer1"},
+			objects: []client.Object{
+				&commandissuerv1alpha1.ClusterIssuer{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "clusterissuer1",
+					},
+					Spec: commandissuerv1alpha1.IssuerSpec{
+						SecretName:                 "clusterissuer1-credentials",
+						HealthCheckIntervalSeconds: to.Ptr(30),
+					},
+					Status: commandissuerv1alpha1.IssuerStatus{
+						Conditions: []commandissuerv1alpha1.IssuerCondition{
+							{
+								Type:   commandissuerv1alpha1.IssuerConditionReady,
+								Status: commandissuerv1alpha1.ConditionUnknown,
+							},
+						},
+					},
+				},
+				&corev1.Secret{
+					Type: corev1.SecretTypeBasicAuth,
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "clusterissuer1-credentials",
+						Namespace: "kube-system",
+					},
+					Data: map[string][]byte{
+						corev1.BasicAuthUsernameKey: []byte("username"),
+						corev1.BasicAuthPasswordKey: []byte("password"),
+					},
+				},
+			},
+			healthCheckerBuilder:                     newFakeHealthCheckerBuilder(nil, nil, true),
+			clusterResourceNamespace:                 "kube-system",
+			expectedReadyConditionStatus:             commandissuerv1alpha1.ConditionTrue,
+			expectedMetadataSupportedConditionStatus: commandissuerv1alpha1.ConditionTrue,
+			expectedResult:                           ctrl.Result{RequeueAfter: time.Duration(30) * time.Second},
+		},
+		"error-healthcheck-negative-value": {
+			kind: "Issuer",
+			name: types.NamespacedName{Namespace: "ns1", Name: "issuer1"},
+			objects: []client.Object{
+				&commandissuerv1alpha1.Issuer{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "issuer1",
+						Namespace: "ns1",
+					},
+					Spec: commandissuerv1alpha1.IssuerSpec{
+						SecretName:                 "issuer1-credentials",
+						HealthCheckIntervalSeconds: to.Ptr(-30),
+					},
+					Status: commandissuerv1alpha1.IssuerStatus{
+						Conditions: []commandissuerv1alpha1.IssuerCondition{
+							{
+								Type:   commandissuerv1alpha1.IssuerConditionReady,
+								Status: commandissuerv1alpha1.ConditionUnknown,
+							},
+						},
+					},
+				},
+				&corev1.Secret{
+					Type: corev1.SecretTypeBasicAuth,
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "issuer1-credentials",
+						Namespace: "ns1",
+					},
+					Data: map[string][]byte{
+						corev1.BasicAuthUsernameKey: []byte("username"),
+						corev1.BasicAuthPasswordKey: []byte("password"),
+					},
+				},
+			},
+			healthCheckerBuilder:                     newFakeHealthCheckerBuilder(nil, nil, false),
+			expectedReadyConditionStatus:             commandissuerv1alpha1.ConditionFalse,
+			expectedMetadataSupportedConditionStatus: commandissuerv1alpha1.ConditionUnknown,
+			expectedResult:                           ctrl.Result{},
+		},
 	}
 
 	scheme := runtime.NewScheme()