Support for multiple replicas with auto-tls #198
Commits on Dec 3, 2020
Working POC with the leader-elector container
Uses a leader-elector sidecar to ensure only one injector replica generates the CA and cert+key. The other replicas pick up the cert+key from a k8s secret for use in their TLS listeners. The leader-elector sidecars coordinate using the annotations of a k8s Endpoint object, which is why those extra permissions were added to the role in the deployment yaml.

Build a dev image: `make image VERSION=dev`

Deploy: `kubectl apply -k deploy/ -n vault`
Commit cefb94a
Commits on Dec 9, 2020
Commit 636d1a8
Commits on Dec 13, 2020
flag to control leader elector usage and informer
Added command-line and env option to control leader-elector usage. Using Secrets informer for followers to ensure retrieving timely cert updates without overloading the k8s api.
Commit d6ffcec
Added ttl and health checks to leader-elector. Added AGENT_INJECT_USE_LEADER_ELECTOR env option to deployment.
Commit e28d446
Commits on Dec 14, 2020
Commit 4d951ed
Commits on Dec 15, 2020
leader/follower unit tests for source.Certificate()
Slightly refactored the leader package so it's more testable
Commit db55f57
Commit 05dbd9d
Update subcommand/injector/flags.go
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Commit 449aaaa
Commit 501069e
Merge remote-tracking branch 'origin/VAULT-84/leader-elector-container' into VAULT-84/leader-elector-container
Commit 0417dc8
Commits on Dec 16, 2020
Using the community gcr registry (k8s.gcr.io), election arg to match the endpoint deploy yaml, and updating the secret name to match the code.
Commit 5b7f9fb
Commit cd5ba25
keep the same mutating webhook update frequency
To ensure the behavior is unchanged for users not using the leader elector logic.
Commit 58a5b5f
Always recreate CA and Cert on leader change
Passing the CA around in the Secret seemed to prevent followers from recreating a CA if they're promoted to leader. Since the followers don't need the CA, removed it from the Secret.
Commit 9d8292e
Added a named logger to GenSource (auto-tls), mostly debug-level for telling which is the leader and which is the follower.
Commit ac4b4f4
added goroutine to check for leadership change
While the leader is waiting for the current certificate to expire, a leadership change could occur, and then the former leader's certificate would be out of sync with the new leader. Added a goroutine that signals a channel on a leadership change.
Commit b914705
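
The last commit describes a leader that must stop waiting on certificate expiry as soon as leadership changes, so that its certificate does not drift from the new leader's. The following Go code is an added example of that pattern, not code from this pull request: `waitForRenewal`, `WakeReason` and the `isLeader` callback are hypothetical names, and `isLeader` stands in for whatever query the injector makes to the leader-elector sidecar.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// WakeReason reports why the leader stopped waiting on its current certificate.
type WakeReason string

const (
	CertExpiring      WakeReason = "cert-expiring"
	LeadershipChanged WakeReason = "leadership-changed"
	Cancelled         WakeReason = "cancelled"
)

// waitForRenewal blocks until the renewal timer fires, isLeader flips, or ctx ends.
func waitForRenewal(ctx context.Context, isLeader func() bool, untilRenew, poll time.Duration) WakeReason {
	ctx, cancel := context.WithCancel(ctx)
	defer cancel() // stops the watcher goroutine on every return path
	initial, changed := isLeader(), make(chan struct{}, 1)
	go func() { // watcher: one buffered send when leadership differs from initial
		for isLeader() == initial {
			select {
			case <-ctx.Done():
				return
			case <-time.After(poll):
			}
		}
		changed <- struct{}{}
	}()
	timer := time.NewTimer(untilRenew)
	defer timer.Stop()
	select {
	case <-timer.C:
		return CertExpiring
	case <-changed:
		return LeadershipChanged // caller regenerates CA and cert, or drops to follower
	case <-ctx.Done():
		return Cancelled
	}
}

func main() {
	start := time.Now() // constructed scenario: this replica is demoted after 20ms
	lost := func() bool { return time.Since(start) < 20*time.Millisecond }
	fmt.Println(waitForRenewal(context.Background(), lost, time.Hour, 5*time.Millisecond))
}
```

Without the watcher, a demoted replica would keep serving its old certificate until the timer fired, which is the out-of-sync window the commit message describes.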