From 89ab1c2690e3458fabf127db3ba2685cfa769847 Mon Sep 17 00:00:00 2001
From: AvivGuiser
Date: Tue, 11 Feb 2025 19:57:33 +0200
Subject: [PATCH 1/5] add leaderElection flag to trust manager
Signed-off-by: AvivGuiser
---
 cmd/trust-manager/app/app.go | 2 +-
 cmd/trust-manager/app/options/options.go | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/cmd/trust-manager/app/app.go b/cmd/trust-manager/app/app.go
index c153839c..17f136eb 100644
--- a/cmd/trust-manager/app/app.go
+++ b/cmd/trust-manager/app/app.go
@@ -78,7 +78,7 @@ func NewCommand() *cobra.Command {
 	mgr, err := ctrl.NewManager(opts.RestConfig, ctrl.Options{
 		Scheme: trustapi.GlobalScheme,
 		EventBroadcaster: eventBroadcaster,
-		LeaderElection: true,
+		LeaderElection: opts.LeaderElection,
 		LeaderElectionID: "trust-manager-leader-election",
 		LeaderElectionReleaseOnCancel: true,
 		LeaseDuration: &opts.LeaseDuration,
diff --git a/cmd/trust-manager/app/options/options.go b/cmd/trust-manager/app/options/options.go
index 9e3ff779..bf5710bb 100644
--- a/cmd/trust-manager/app/options/options.go
+++ b/cmd/trust-manager/app/options/options.go
@@ -64,6 +64,9 @@ type Options struct {
 	// Leader election lease duration
 	LeaseDuration time.Duration
 
+	// Leader election if leader election is enabled
+	LeaderElection bool
+
 	// Leader election lease renew duration
 	RenewDeadline time.Duration
 }
@@ -200,6 +203,10 @@ func (o *Options) addAppFlags(fs *pflag.FlagSet) {
 	fs.IntVar(&o.MetricsPort,
 		"metrics-port", 9402,
 		"Port to expose Prometheus metrics on 0.0.0.0 on path '/metrics'.")
+
+	fs.BoolVar(&o.LeaderElection,
+		"leader-election", true,
+		"Enable leader election for trust manager.")
 }
 
 func (o *Options) addBundleFlags(fs *pflag.FlagSet) {
From 243176b29e13754de565cb11b2d162abc3885d67 Mon Sep 17 00:00:00 2001
From: AvivGuiser
Date: Wed, 12 Feb 2025 00:12:00 +0200
Subject: [PATCH 2/5] add LeaderElectionConfig struct and moved all config to it, plus helm changes
Signed-off-by: AvivGuiser
---
 cmd/trust-manager/app/app.go | 6 +--
 cmd/trust-manager/app/options/options.go | 41 ++++++++++++-------
 .../trust-manager/templates/deployment.yaml | 3 +-
 deploy/charts/trust-manager/values.yaml | 2 +
 4 files changed, 33 insertions(+), 19 deletions(-)
diff --git a/cmd/trust-manager/app/app.go b/cmd/trust-manager/app/app.go
index 17f136eb..44e32b79 100644
--- a/cmd/trust-manager/app/app.go
+++ b/cmd/trust-manager/app/app.go
@@ -78,11 +78,11 @@ func NewCommand() *cobra.Command {
 	mgr, err := ctrl.NewManager(opts.RestConfig, ctrl.Options{
 		Scheme: trustapi.GlobalScheme,
 		EventBroadcaster: eventBroadcaster,
-		LeaderElection: opts.LeaderElection,
+		LeaderElection: opts.LeaderElectionConfig.Enabled,
 		LeaderElectionID: "trust-manager-leader-election",
 		LeaderElectionReleaseOnCancel: true,
-		LeaseDuration: &opts.LeaseDuration,
-		RenewDeadline: &opts.RenewDeadline,
+		LeaseDuration: &opts.LeaderElectionConfig.LeaseDuration,
+		RenewDeadline: &opts.LeaderElectionConfig.RenewDeadline,
 		ReadinessEndpointName: opts.ReadyzPath,
 		HealthProbeBindAddress: fmt.Sprintf("0.0.0.0:%d", opts.ReadyzPort),
 		WebhookServer: ctrlwebhook.NewServer(ctrlwebhook.Options{
diff --git a/cmd/trust-manager/app/options/options.go b/cmd/trust-manager/app/options/options.go
index bf5710bb..896bcd63 100644
--- a/cmd/trust-manager/app/options/options.go
+++ b/cmd/trust-manager/app/options/options.go
@@ -35,6 +35,24 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 )
 
+type LeaderElectionConfig struct {
+	// If true, cert-manager will perform leader election between instances to
+	// ensure no more than one instance of cert-manager operates at a time
+	Enabled bool
+
+	// The duration that non-leader candidates will wait after observing a leadership
+	// renewal until attempting to acquire leadership of a led but unrenewed leader
+	// slot. This is effectively the maximum duration that a leader can be stopped
+	// before it is replaced by another candidate. This is only applicable if leader
+	// election is enabled.
+	LeaseDuration time.Duration
+
+	// The interval between attempts by the acting master to renew a leadership slot
+	// before it stops leading. This must be less than or equal to the lease duration.
+	// This is only applicable if leader election is enabled.
+	RenewDeadline time.Duration
+}
+
 // Options is a struct to hold options for trust-manager
 type Options struct {
 	kubeConfigFlags *genericclioptions.ConfigFlags
@@ -61,14 +79,7 @@ type Options struct {
 	// log are options controlling logging
 	log logOptions
 
-	// Leader election lease duration
-	LeaseDuration time.Duration
-
-	// Leader election if leader election is enabled
-	LeaderElection bool
-
-	// Leader election lease renew duration
-	RenewDeadline time.Duration
+	LeaderElectionConfig LeaderElectionConfig
 }
 
 type logOptions struct {
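Review bot: The new exported type `LeaderElectionConfig` has no doc comment, and the `LeaderElectionConfig` field that replaces the three documented fields in the next hunk of this file (`@@ -61,14 +79,7 @@`) has none either, although its sibling `log` is commented. Add `// LeaderElectionConfig holds the settings that control leader election between trust-manager instances.` above the type, and `// LeaderElectionConfig are options controlling leader election` on the field, matching the existing `// log are options controlling logging` style. The `RenewDeadline` comment says the value must be "less than or equal to" the lease duration; as far as I recall the client-go leader elector rejects an equal pair, so "strictly less than" may be the safer wording — worth confirming against the library version in go.mod. `type Options struct` continues outside both hunks.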
@@ -192,21 +203,21 @@ func (o *Options) addAppFlags(fs *pflag.FlagSet) {
 		"readiness-probe-path", "/readyz",
 		"HTTP path to expose the readiness probe server.")
 
-	fs.DurationVar(&o.LeaseDuration,
+	fs.BoolVar(&o.LeaderElectionConfig.Enabled, "leader-elect", true, ""+
+		"If true, trust-manager will perform leader election between instances to ensure no more "+
+		"than one instance of trust-manager operates at a time")
+
+	fs.DurationVar(&o.LeaderElectionConfig.LeaseDuration,
 		"leader-election-lease-duration", time.Second*15,
 		"Lease duration for leader election")
 
-	fs.DurationVar(&o.RenewDeadline,
+	fs.DurationVar(&o.LeaderElectionConfig.RenewDeadline,
 		"leader-election-renew-deadline", time.Second*10,
-		"Lease renew deadline for leader election")
+		"Lease renew deadline for leader election.")
 
 	fs.IntVar(&o.MetricsPort,
 		"metrics-port", 9402,
 		"Port to expose Prometheus metrics on 0.0.0.0 on path '/metrics'.")
-
-	fs.BoolVar(&o.LeaderElection,
-		"leader-election", true,
-		"Enable leader election for trust manager.")
 }
 
 func (o *Options) addBundleFlags(fs *pflag.FlagSet) {
diff --git a/deploy/charts/trust-manager/templates/deployment.yaml b/deploy/charts/trust-manager/templates/deployment.yaml
index a246b75a..12964f54 100644
--- a/deploy/charts/trust-manager/templates/deployment.yaml
+++ b/deploy/charts/trust-manager/templates/deployment.yaml
@@ -83,6 +83,7 @@ spec:
           - "--metrics-port={{.Values.app.metrics.port}}"
           - "--readiness-probe-port={{.Values.app.readinessProbe.port}}"
           - "--readiness-probe-path={{.Values.app.readinessProbe.path}}"
+          - "--leader-elect={{.Values.app.leaderElection.enabled}}"
           - "--leader-election-lease-duration={{.Values.app.leaderElection.leaseDuration}}"
           - "--leader-election-renew-deadline={{.Values.app.leaderElection.renewDeadline}}"
           # trust
@@ -156,4 +157,4 @@ spec:
       {{- if .Values.app.webhook.hostNetwork }}
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
-      {{- end }}
\ No newline at end of file
+      {{- end }}
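Review bot: The two duration flags are registered independently and nothing in this hunk checks the relationship the new struct comment requires (renew deadline no longer than lease duration), so a misconfigured pair is only rejected, if at all, when the manager starts, with a library error rather than a flag-level one. In whatever validation step runs after parsing (not visible here), a guard such as `if o.LeaderElectionConfig.Enabled && o.LeaderElectionConfig.RenewDeadline >= o.LeaderElectionConfig.LeaseDuration { return fmt.Errorf("leader-election-renew-deadline must be shorter than leader-election-lease-duration") }` would fail fast with a message that names the flags. The `leader-elect` registration also differs in style from its neighbours: the name and default sit on the same line as the variable, and its help text lacks the trailing period that this hunk adds to the renew-deadline help. addAppFlags begins outside the hunk.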
diff --git a/deploy/charts/trust-manager/values.yaml b/deploy/charts/trust-manager/values.yaml
index 10316d78..338cf24c 100644
--- a/deploy/charts/trust-manager/values.yaml
+++ b/deploy/charts/trust-manager/values.yaml
@@ -206,6 +206,8 @@ app:
   logLevel: 1
 
   leaderElection:
+    # Whether to enable leader election for trust-manager.
+    enabled: true
     # The duration that non-leader candidates will wait to force acquire leadership.
     # The default should be sufficient in a healthy cluster but can be slightly increased to prevent trust-manager from restart-looping when the API server is overloaded.
     leaseDuration: 15s
From 1514f500927fecee9614ba50ea7d1b129c4b1d71 Mon Sep 17 00:00:00 2001
From: AvivGuiser
Date: Wed, 12 Feb 2025 00:16:10 +0200
Subject: [PATCH 3/5] fix typos
Signed-off-by: AvivGuiser
---
 cmd/trust-manager/app/options/options.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cmd/trust-manager/app/options/options.go b/cmd/trust-manager/app/options/options.go
index 896bcd63..fadbada0 100644
--- a/cmd/trust-manager/app/options/options.go
+++ b/cmd/trust-manager/app/options/options.go
@@ -36,8 +36,8 @@ import (
 )
 
 type LeaderElectionConfig struct {
-	// If true, cert-manager will perform leader election between instances to
-	// ensure no more than one instance of cert-manager operates at a time
+	// If true, trust-manager will perform leader election between instances to
+	// ensure no more than one instance of trust-manager operates at a time
 	Enabled bool
 
 	// The duration that non-leader candidates will wait after observing a leadership
From a7f50813a1c50a85bb3b107ee342abd2f6232fbc Mon Sep 17 00:00:00 2001
From: AvivGuiser
Date: Wed, 12 Feb 2025 00:49:18 +0200
Subject: [PATCH 4/5] update readme of helm chart
Signed-off-by: AvivGuiser
---
 deploy/charts/trust-manager/README.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/deploy/charts/trust-manager/README.md b/deploy/charts/trust-manager/README.md
index 44dc4ef9..bf427f61 100644
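Review bot: The new `enabled` comment says what the key does but not when turning it off is safe: without leader election every replica of the Deployment reconciles the same resources concurrently, which is exactly what the election exists to prevent. Suggest extending it to `# Whether to enable leader election for trust-manager. Only disable this when running a single replica; with several replicas and no leader election, all of them act on the same resources at once.` If the chart exposes a replica count (not visible in this patch), a template-time `fail` when that count is above one and this value is false would make the constraint enforceable rather than advisory.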
--- a/deploy/charts/trust-manager/README.md
+++ b/deploy/charts/trust-manager/README.md
@@ -352,6 +352,13 @@ The format of trust-manager logging. Accepted values are text or json.
 > ```
 
 The verbosity of trust-manager logging. This takes a value from 1-5, with the higher value being more verbose.
+#### **app.leaderElection.enabled** ~ `bool`
+> Default value:
+> ```yaml
+> true
+> ```
+
+Whether to enable leader election for trust-manager.
 #### **app.leaderElection.leaseDuration** ~ `string`
 > Default value:
 > ```yaml
From 45ba1297c79aad97ba479de72b79144c5a2c0c80 Mon Sep 17 00:00:00 2001
From: AvivGuiser
Date: Wed, 12 Feb 2025 00:55:21 +0200
Subject: [PATCH 5/5] update values.schema.json
Signed-off-by: AvivGuiser
---
 deploy/charts/trust-manager/values.schema.json | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/deploy/charts/trust-manager/values.schema.json b/deploy/charts/trust-manager/values.schema.json
index 508c39fe..e58eba3c 100644
--- a/deploy/charts/trust-manager/values.schema.json
+++ b/deploy/charts/trust-manager/values.schema.json
@@ -122,6 +122,9 @@
     "helm-values.app.leaderElection": {
       "additionalProperties": false,
       "properties": {
+        "enabled": {
+          "$ref": "#/$defs/helm-values.app.leaderElection.enabled"
+        },
         "leaseDuration": {
           "$ref": "#/$defs/helm-values.app.leaderElection.leaseDuration"
         },
@@ -131,6 +134,11 @@
       },
       "type": "object"
     },
+    "helm-values.app.leaderElection.enabled": {
+      "default": true,
+      "description": "Whether to enable leader election for trust-manager.",
+      "type": "boolean"
+    },
     "helm-values.app.leaderElection.leaseDuration": {
       "default": "15s",
       "description": "The duration that non-leader candidates will wait to force acquire leadership. The default should be sufficient in a healthy cluster but can be slightly increased to prevent trust-manager from restart-looping when the API server is overloaded.",