set up logging and make certvalidity configurable

eatwithforks · eatwithforks · commit fab9827a1cb9 · 2021-01-20T14:05:46.000-08:00
diff --git a/.gitignore b/.gitignore
@@ -347,3 +347,6 @@ __pycache__/
 
 # always include vendor directory
 !/vendor/**
+
+# ignore example cert-controller binary
+cert-controller
diff --git a/Dockerfile b/Dockerfile
@@ -11,7 +11,6 @@ COPY pkg pkg
 COPY main.go ./
 RUN go build -o cert-controller main.go
 
-
 FROM scratch
 WORKDIR /app
 
@@ -20,4 +19,4 @@ COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
 USER 1000:1000
 
-CMD ["/app/cert-controller"]
+ENTRYPOINT ["/app/cert-controller", "-cert-restart-on-secret-refresh"]
diff --git a/go.mod b/go.mod
@@ -6,6 +6,7 @@ require (
 	github.com/onsi/gomega v1.10.1
 	github.com/pkg/errors v0.9.1
 	go.uber.org/atomic v1.4.0
+	go.uber.org/zap v1.10.0
 	k8s.io/api v0.18.6
 	k8s.io/apimachinery v0.18.6
 	k8s.io/client-go v0.18.6
diff --git a/main.go b/main.go
@@ -1,8 +1,8 @@
 package main
 
 import (
+	"go.uber.org/zap"
 	"flag"
-	"fmt"
 	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd/api"
@@ -13,56 +13,59 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 	ctrl "sigs.k8s.io/controller-runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"time"
 )
 
+// TODO: make all defaults "" and map loop to blow up when value is ""
+// TODO: call flag parse to maybe fix arguments
 var (
-	certDir        = flag.String("cert-dir", "/etc/tls-certs", "The directory where certs are stored, defaults to /certs")
-	caName         = flag.String("ca-name", "ca-name", "The name of the ca cert, defaults to ca-name")
-	secretName     = flag.String("secret-name", "secret-name", "The name of the secret, defaults to secret-name")
-	serviceName    = flag.String("service-name", "webhook-service-name", "The name of the service, defaults to webhook-service-name")
-	caOrganization = flag.String("caOrganization", "organization", "The name of the CA organization, defaults to organization")
-	nameSpace      = flag.String("namespace", "kube-system", "The namespace of your service, defaults to kube-system")
-	dnsName        = flag.String("dns-name", *serviceName + "." + *nameSpace + ".svc", "The dns name of your service <service name>.<namespace>.svc")
-	webhookName    = flag.String("webhook-name", "webhook-name", "Your webhook name, defaults to webhook-name")
+	certDir        = flag.String("cert-dir", "", "The directory where certs are stored")
+	caName         = flag.String("ca-name", "", "The name of the ca cert")
+	secretName     = flag.String("secret-name", "", "The name of the secret")
+	serviceName    = flag.String("service-name", "", "The name of the service")
+	caOrganization = flag.String("ca-organization", "", "The name of the CA organization")
+	nameSpace      = flag.String("namespace", "", "The namespace of your service")
+	dnsName        = flag.String("dns-name", "", "The dns name of your service <service name>.<namespace>.svc")
+	webhookName    = flag.String("webhook-name", "", "Your webhook name")
 )
 
+
 var webhooks = []rotator.WebhookInfo{
 	{
 		Name: *webhookName,
 		Type: rotator.Mutating, // Todo: allow selecting types
 	},
 }
 
-// TODO: print when it updates the secrets
-// TODO: add a nice logger
-// TODO: remove all the default values, PR to cert-controller say this is a POC to run as a standalone
-// TODO: put all the vpa values in there
 func main() {
-	fmt.Println("starting")
+	flag.Parse()
+
+	// configure logging.
+	logger, _ := zap.NewDevelopment()
+
+	logger.Info("sleeping to demonstrate restart behavior")
+	time.Sleep(5 * time.Second)
+
+	logger.Info("starting cert-controller")
 	config := ctrl.GetConfigOrDie()
 	scheme := runtime.NewScheme()
 
 	_ = clientgoscheme.AddToScheme(scheme)
 	_ = api.AddToScheme(scheme)
 
 	mgr, err := ctrl.NewManager(config, ctrl.Options{
-		Scheme:                 scheme, //TODO: try to remove
-		MetricsBindAddress:     "0", //TODO: try to remove
 		LeaderElection:         false,
-		Port:                   443, //TODO: try to remove
 		CertDir:                *certDir,
-		HealthProbeBindAddress: ":9090", //TODO: try to remove
 		MapperProvider: func(c *rest.Config) (meta.RESTMapper, error) {
 			return apiutil.NewDynamicRESTMapper(c)
 		},
 	})
 	if err != nil {
-		fmt.Println("unable to start manager:", err)
+		logger.Error("unable to start manager", zap.Error(err))
 		os.Exit(1)
 	}
 
 	// Make sure certs are generated and valid if cert rotation is enabled.
-	fmt.Println("setting up cert rotation")
 	if err := rotator.AddRotator(mgr, &rotator.CertRotator{
 		SecretKey: types.NamespacedName{
 			Namespace: *nameSpace,
@@ -74,25 +77,20 @@ func main() {
 		DNSName:        *dnsName,
 		Webhooks:       webhooks,
 	}); err != nil {
-		fmt.Println("unable to set up cert rotation:", err)
+		logger.Error("unable to set up cert rotation", zap.Error(err))
+
 		os.Exit(1)
 	}
 
-	fmt.Println("starting manager")
+	logger.Info("starting manager")
 	hadError := false
 	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
-		fmt.Println("problem running manager:", err)
+		logger.Error("problem running manager", zap.Error(err))
 		hadError = true
 	}
 
-	// Manager stops controllers asynchronously.
-	// Instead, we use ControllerSwitch to synchronously prevent them from doing more work.
-	// This can be removed when finalizer and status teardown is removed.
-	fmt.Println("disabling controllers...")
-	// sw.Stop() TODO: see if this is safely deleted
-
 	if hadError {
-		fmt.Println("had error:", err)
+		logger.Error("Error running manager", zap.Error(err))
 		os.Exit(1)
 	}
 }
diff --git a/pkg/rotator/rotator.go b/pkg/rotator/rotator.go
@@ -41,7 +41,6 @@ const (
 	caCertName             = "ca.crt"
 	caKeyName              = "ca.key"
 	rotationCheckFrequency = 12 * time.Hour
-	certValidityDuration   = 10 * time.Minute
 	lookaheadInterval      = 90 * 24 * time.Hour
 )
 
@@ -63,6 +62,9 @@ var _ manager.Runnable = &CertRotator{}
 
 var restartOnSecretRefresh = false
 
+var certValidityDuration = flag.Duration("cert-validity-duration", 10 * 365 * 24 * time.Hour, "Sets how long the cert is valid for, defaults to 10 years")
+
+
 //WebhookInfo is used by the rotator to receive info about resources to be updated with certificates
 type WebhookInfo struct {
 	//Name is the name of the webhook for a validating or mutating webhook, or the CRD name in case of a CRD conversion webhook
@@ -71,7 +73,7 @@ type WebhookInfo struct {
 }
 
 func init() {
-	flag.BoolVar(&restartOnSecretRefresh, "cert-restart-on-secret-refresh", false, "Kills the process when secrets are refreshed so that the pod can be restarted (secrets take up to 60s to be updated by running pods)")
+	flag.BoolVar(&restartOnSecretRefresh, "cert-restart-on-secret-refresh", true, "Kills the process when secrets are refreshed so that the pod can be restarted (secrets take up to 60s to be updated by running pods)")
 }
 
 func (w WebhookInfo) gvk() schema.GroupVersionKind {
@@ -262,7 +264,7 @@ func (cr *CertRotator) refreshCerts(refreshCA bool, secret *corev1.Secret) error
 	var caArtifacts *KeyPairArtifacts
 	now := time.Now()
 	begin := now.Add(-1 * time.Hour)
-	end := now.Add(certValidityDuration)
+	end := now.Add(*certValidityDuration)
 	if refreshCA {
 		var err error
 		caArtifacts, err = cr.CreateCACert(begin, end)
diff --git a/test.yaml b/test.yaml
@@ -0,0 +1,85 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vpa-admission-controller
+  namespace: default
+  labels:
+    app: busybox
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  template:
+    metadata:
+      labels:
+        app: busybox
+        foo: bar4
+    spec:
+      containers:
+      - name: busybox
+        image: busybox
+        command: ["sh", "-c", "watch ls /certs"]
+        volumeMounts:
+        - name: certs
+          mountPath: "/certs"
+          readOnly: true
+      - name: cert-controller
+        args:
+          - cert-dir=/certs
+          - ca-name=foocaname
+          - secret-name=vpa-admission-controller-secret
+          - service-name=fooservice
+          - ca-organization=fooorg
+          - namespace=default
+          - dns-name=foo.bar.svc
+          - webhook-name=vpa-webhook-config
+        imagePullPolicy: Never
+        image: cert-controller
+      volumes:
+      - name: certs
+        secret:
+          secretName: vpa-admission-controller-secret
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: vpa-webhook-config
+  labels:
+    product: foundation
+    team: compute
+    project: vertical-pod-autoscaler
+    role: admission-controller
+  annotations:
+    samson/server_side_apply: 'true'
+webhooks:
+- name: vpa.k8s.io
+  failurePolicy: Ignore
+  admissionReviewVersions: ["v1beta1"]
+  rules:
+  - apiGroups:   [""]
+    apiVersions: ["v1"]
+    operations:  ["CREATE"]
+    resources:   ["pods"]
+  clientConfig:
+    service:
+      namespace: default
+      name: vpa-webhook
+  sideEffects: None
+  timeoutSeconds: 30
+
+# We need to create a bogus secret for the updater to fill
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    project: foo
+    team: compute
+    role: bar
+    product: foundation
+  name: vpa-admission-controller-secret
+  namespace: default
+  annotations:
+    samson/server_side_apply: 'true'
