0d6bf9db3e
This change updates the kube cert agent to a middle ground behavior that balances leader election gating with how quickly we load the signer. If the agent labels have not changed, we will attempt to load the signer even if we cannot roll out the latest version of the kube cert agent deployment. This gives us the best behavior - we do not have controllers fighting over the state of the deployment and we still get the signer loaded quickly. We will have a minute of downtime when the kube cert agent deployment changes because the new pods will have to wait to become a leader and for the new deployment to rollout the new pods. We would need to have a per pod deployment if we want to avoid that downtime (but this would come at the cost of startup time and would require coordination with the kubelet in regards to pod readiness). Signed-off-by: Monis Khan <mok@vmware.com> |
||
|---|---|---|
| .. | ||
| apicerts | ||
| authenticator | ||
| conditionsutil | ||
| impersonatorconfig | ||
| issuerconfig | ||
| kubecertagent | ||
| supervisorconfig | ||
| supervisorstorage | ||
| controller_test.go | ||
| utils.go | ||