fix the bad-certificate issue when using tls-auto

Author: gitlabbin

helper/cert/notify.go

@@ -5,12 +5,15 @@ package cert
 
 import (
 	"context"
+	"errors"
 	"sync"
 	"time"
 
 	"github.com/hashicorp/go-hclog"
 )
 
+var CertificateValidErr = errors.New("cert still valid, continue to next round")
+
 func NewNotify(ctx context.Context, newBundle chan<- Bundle, notifyOnce chan<- bool, source Source, logger hclog.Logger) *Notify {
 	return &Notify{
 		ctx:        ctx,
@@ -62,7 +65,13 @@ func (n *Notify) Run() {
 
 		next, err := n.source.Certificate(n.ctx, last)
 		if err != nil {
-			n.logger.Warn("error loading next cert", "error", err.Error())
+			switch err {
+			case CertificateValidErr:
+				n.logger.Info("valid cert", "info", err.Error())
+			default:
+				n.logger.Warn("error loading next cert", "error", err.Error())
+			}
+
 			continue
 		}
 

helper/cert/source_gen.go

@@ -130,6 +130,7 @@ func (s *GenSource) Certificate(ctx context.Context, last *Bundle) (Bundle, erro
 
 	// If we have a prior cert, we wait for getting near to the expiry
 	// (within 30 minutes arbitrarily chosen).
+	var certValid = false
 	if last != nil {
 		// We have a prior certificate, let's parse it to get the expiry
 		cert, err := parseCert(last.Cert)
@@ -142,22 +143,28 @@ func (s *GenSource) Certificate(ctx context.Context, last *Bundle) (Bundle, erro
 			waitTime = 1 * time.Millisecond
 		}
 
-		timer := time.NewTimer(waitTime)
-		defer timer.Stop()
+		if waitTime > 5*time.Minute {
+			certValid = true
+			waitTime = 5 * time.Minute
+		}
 
 		select {
 		case <-leaderCh:
 			s.Log.Debug("got a leadership change, returning")
 			return result, fmt.Errorf("lost leadership")
 
-		case <-timer.C:
+		case <-time.After(waitTime):
 			// Fall through, generate cert
 
 		case <-ctx.Done():
 			return result, ctx.Err()
 		}
 	}
 
+	if certValid {
+		return result, CertificateValidErr
+	}
+
 	// Generate cert, set it on the result, and return
 	cert, key, err := s.generateCert()
 	if err != nil {

subcommand/injector/command.go

@@ -363,8 +363,8 @@ func (c *Command) certWatcher(ctx context.Context, ch <-chan cert.Bundle, client
 	}
 
 	defaultLoopTime := 1 * time.Hour // update after this amount of time even if nothing has happened
-	timer := time.NewTimer(defaultLoopTime)
 	expBackoff := backoff.NewExponentialBackOff()
+	interval := defaultLoopTime
 
 	for {
 		select {
@@ -380,26 +380,17 @@ func (c *Command) certWatcher(ctx context.Context, ch <-chan cert.Bundle, client
 			// Quit
 			return
 
-		case <-timer.C:
+		case <-time.After(interval):
 			// we are told to retry or periodically update
 		}
 
-		// clear the timer
-		if !timer.Stop() {
-			// non-blocking drain
-			select {
-			case <-timer.C:
-			default:
-			}
-		}
-
 		err := c.updateCertificate(ctx, clientset, bundle, webhooksCache, leaderElector, log)
 		if err != nil {
 			// retry after a delay
-			timer.Reset(expBackoff.NextBackOff())
+			interval = expBackoff.NextBackOff()
 		} else {
 			expBackoff.Reset()
-			timer.Reset(defaultLoopTime)
+			interval = defaultLoopTime
 		}
 	}
 }