Support for multiple replicas with auto-tls #198

Merged
merged 16 commits into from
Dec 17, 2020

Commits on Dec 3, 2020

  1. Working POC with the leader-elector container

    Uses a leader-elector sidecar to ensure only one injector replica
    generates the CA and cert+key. The other replicas pick up the cert+key
    from a k8s secret for use in their TLS listeners.
    
    The leader-elector sidecars coordinate using the annotations of a k8s
    Endpoint object, which is why those extra permissions were added to
    the role in the deployment yaml.
    
    Build a dev image: `make image VERSION=dev`
    Deploy: `kubectl apply -k deploy/ -n vault`
    tvoran committed Dec 3, 2020
    cefb94a

Commits on Dec 9, 2020

  1. 636d1a8

Commits on Dec 13, 2020

  1. flag to control leader elector usage and informer

    Added command-line and env options to control leader-elector
    usage. Using a Secrets informer for followers to ensure they retrieve
    timely cert updates without overloading the k8s API.
    tvoran committed Dec 13, 2020
    d6ffcec
  2. Updating deployment yaml

    Added ttl and health checks to leader-elector. Added
    AGENT_INJECT_USE_LEADER_ELECTOR env option to deployment.
    tvoran committed Dec 13, 2020
    e28d446

Commits on Dec 14, 2020

  1. 4d951ed

Commits on Dec 15, 2020

  1. leader/follower unit tests for source.Certificate()

    Slightly refactored the leader package so it's more testable
    tvoran committed Dec 15, 2020
    db55f57
  2. cleanup

    tvoran committed Dec 15, 2020
    05dbd9d
  3. Update subcommand/injector/flags.go

    Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
    tvoran and tomhjp authored Dec 15, 2020
    449aaaa
  4. change namespace length check

    tvoran committed Dec 15, 2020
    501069e
  5. Merge remote-tracking branch 'origin/VAULT-84/leader-elector-container' into VAULT-84/leader-elector-container
    tvoran committed Dec 15, 2020
    0417dc8

Commits on Dec 16, 2020

  1. updating deploy yaml

    Using the community gcr registry (k8s.gcr.io), election arg to match
    the endpoint deploy yaml, and updating the secret name to match the
    code.
    tvoran committed Dec 16, 2020
    5b7f9fb
  2. cd5ba25
  3. keep the same mutating webhook update frequency

    To ensure the behavior is unchanged for users not using the leader
    elector logic.
    tvoran committed Dec 16, 2020
    58a5b5f
  4. Always recreate CA and Cert on leader change

    Passing the CA around in the Secret seemed to prevent followers from
    recreating a CA if they're promoted to leader. Since the followers
    don't need the CA, removed it from the Secret.
    tvoran committed Dec 16, 2020
    9d8292e
  5. Added more logging

    Added a named logger to GenSource (auto-tls), mostly debug-level for
    telling which is the leader and which is the follower.
    tvoran committed Dec 16, 2020
    ac4b4f4
  6. added goroutine to check for leadership change

    While the leader is waiting for the current certificate to expire, a
    leadership change could occur, and then the former leader's
    certificate would be out of sync with the new leader. Added a
    goroutine that signals a channel on a leadership change.
    tvoran committed Dec 16, 2020
    b914705