From 5a46e374e9e8f3e4f7b51dc03825ac95983e406b Mon Sep 17 00:00:00 2001
From: Marko Mikulicic
Date: Mon, 28 Oct 2019 17:52:07 +0100
Subject: [PATCH] Implement cutoff time

---
 cmd/controller/main.go | 20 ++++++++++++++++----
 cmd/controller/main_test.go | 10 +++++-----
 2 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/cmd/controller/main.go b/cmd/controller/main.go
index 98d24f407..060b30662 100644
--- a/cmd/controller/main.go
+++ b/cmd/controller/main.go
@@ -44,6 +44,7 @@ var (
 printVersion = flag.Bool("version", false, "Print version information and exit")
 keyRenewPeriod = flag.Duration("key-renew-period", defaultKeyRenewPeriod, "New key generation period (automatic rotation disabled if 0)")
 acceptV1Data = flag.Bool("accept-deprecated-v1-data", false, "Accept deprecated V1 data field")
+ keyCutoffTime = flag.String("key-cutoff-time", "", "Create a new key if latest one is older than this cutoff time. RFC1123 format with numeric timezone expected.")
 oldGCBehavior = flag.Bool("old-gc-behaviour", false, "Revert to old GC behavior where the controller deletes secrets instead of delegating that to k8s itself.")
@@ -136,13 +137,15 @@ func myNamespace() string {
 // Initialises the first key and starts the rotation job. returns an early trigger function.
 // A period of 0 disables automatic rotation, but manual rotation (e.g. triggered by SIGUSR1)
 // is still honoured.
-func initKeyRenewal(registry *KeyRegistry, period time.Duration) (func(), error) {
- // Create a new key only if it's the first key.
- if len(registry.keys) == 0 {
+func initKeyRenewal(registry *KeyRegistry, period time.Duration, cutoffTime time.Time) (func(), error) {
+ // Create a new key if it's the first key,
+ // or if it's older than cutoff time.
+ if len(registry.keys) == 0 || registry.mostRecentKey.creationTime.Before(cutoffTime) {
 if _, err := registry.generateKey(); err != nil {
 return nil, err
 }
 }
+
 // wrapper function to log error thrown by generateKey function
 keyGenFunc := func() {
 if _, err := registry.generateKey(); err != nil {
@@ -202,7 +205,16 @@ func main2() error {
 return err
 }

- trigger, err := initKeyRenewal(keyRegistry, *keyRenewPeriod)
+ var ct time.Time
+ if *keyCutoffTime != "" {
+ var err error
+ ct, err = time.Parse(time.RFC1123Z, *keyCutoffTime)
+ if err != nil {
+ return err
+ }
+ }
+
+ trigger, err := initKeyRenewal(keyRegistry, *keyRenewPeriod, ct)
 if err != nil {
 return err
 }
diff --git a/cmd/controller/main_test.go b/cmd/controller/main_test.go
index fa0d0ec69..7b3ffe7ea 100644
--- a/cmd/controller/main_test.go
+++ b/cmd/controller/main_test.go
@@ -64,7 +64,7 @@ func TestInitKeyRotation(t *testing.T) {
 t.Fatalf("initKeyRegistry() returned err: %v", err)
 }

- keyGenTrigger, err := initKeyRenewal(registry, 0)
+ keyGenTrigger, err := initKeyRenewal(registry, 0, time.Time{})
 if err != nil {
 t.Fatalf("initKeyRenewal() returned err: %v", err)
 }
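Review bot: The doc comment above initKeyRenewal still describes only the period, so the new cutoffTime parameter and the meaning of its zero value go undocumented; add a line such as `// A key created before cutoffTime is treated as stale and a fresh key is generated at startup; the zero time disables this check.` The check uses strict Before, so a key whose creationTime equals the cutoff is kept — worth stating if that is intended. The new condition reads registry.mostRecentKey only when keys is non-empty, but whether mostRecentKey is guaranteed non-nil in that case cannot be seen from this hunk, so confirm it against the registry code. initKeyRenewal's body continues outside the hunk.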
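Review bot: The error from the new `ct, err = time.Parse(time.RFC1123Z, *keyCutoffTime)` line is returned bare, so a malformed -key-cutoff-time surfaces at startup as a generic parse message with no hint of which flag was rejected; wrap it, e.g. `return fmt.Errorf("parsing -key-cutoff-time %q: %w", *keyCutoffTime, err)` (assuming fmt is already imported in this file; %w needs Go 1.13). The flag help in the first hunk says "RFC1123 format" while the code parses RFC1123Z, so quoting the exact layout `Mon, 02 Jan 2006 15:04:05 -0700` in the help text would save operators a rejected value on the first try. main2 continues outside the hunk.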
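Review bot: Every updated call here and in the @@ -100, @@ -150, @@ -191 and @@ -263 hunks passes time.Time{}, so the new cutoff branch in initKeyRenewal is never exercised: no test checks that a key created before the cutoff triggers generation of a new one, nor that the zero time leaves an existing key untouched. A test modelled on TestRenewStaleKey that initialises a registry with one key, calls initKeyRenewal with a cutoff later than that key's creationTime and asserts the key count grew to 2 would pin the behaviour. TestInitKeyRotation's body continues outside the hunk.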
@@ -100,7 +100,7 @@ func TestInitKeyRotationTick(t *testing.T) {
 t.Fatalf("initKeyRegistry() returned err: %v", err)
 }

- _, err = initKeyRenewal(registry, 100*time.Millisecond)
+ _, err = initKeyRenewal(registry, 100*time.Millisecond, time.Time{})
 if err != nil {
 t.Fatalf("initKeyRenewal() returned err: %v", err)
 }
@@ -150,7 +150,7 @@ func TestReuseKey(t *testing.T) {
 t.Fatalf("initKeyRegistry() returned err: %v", err)
 }

- _, err = initKeyRenewal(registry, 0)
+ _, err = initKeyRenewal(registry, 0, time.Time{})
 if err != nil {
 t.Fatalf("initKeyRenewal() returned err: %v", err)
 }
@@ -191,7 +191,7 @@ func TestRenewStaleKey(t *testing.T) {
 t.Fatalf("initKeyRegistry() returned err: %v", err)
 }

- _, err = initKeyRenewal(registry, period)
+ _, err = initKeyRenewal(registry, period, time.Time{})
 if err != nil {
 t.Fatalf("initKeyRenewal() returned err: %v", err)
 }
@@ -263,7 +263,7 @@ func TestLegacySecret(t *testing.T) {
 t.Fatalf("initKeyRegistry() returned err: %v", err)
 }

- _, err = initKeyRenewal(registry, 0)
+ _, err = initKeyRenewal(registry, 0, time.Time{})
 if err != nil {
 t.Fatalf("initKeyRenewal() returned err: %v", err)
 }