ContainerImage.Pinniped/internal
Monis Khan c71ffdcd1e
leader election: use better duration defaults
OpenShift has good defaults for these duration fields that we can
use instead of coming up with them ourselves:

e14e06ba8d/pkg/config/leaderelection/leaderelection.go (L87-L109)

Copied here for easy future reference:

// We want to be able to tolerate 60s of kube-apiserver disruption without causing pod restarts.
// We want the graceful lease re-acquisition fairly quick to avoid waits on new deployments and other rollouts.
// We want a single set of guidance for nearly every lease in openshift.  If you're special, we'll let you know.
// 1. clock skew tolerance is leaseDuration-renewDeadline == 30s
// 2. kube-apiserver downtime tolerance is == 78s
//      lastRetry=floor(renewDeadline/retryPeriod)*retryPeriod == 104
//      downtimeTolerance = lastRetry-retryPeriod == 78s
// 3. worst non-graceful lease acquisition is leaseDuration+retryPeriod == 163s
// 4. worst graceful lease acquisition is retryPeriod == 26s
if ret.LeaseDuration.Duration == 0 {
	ret.LeaseDuration.Duration = 137 * time.Second
}

if ret.RenewDeadline.Duration == 0 {
	// this gives 107/26=4 retries and allows for 137-107=30 seconds of clock skew
	// if the kube-apiserver is unavailable for 60s starting just before t=26 (the first renew),
	// then we will retry on 26s intervals until t=104 (kube-apiserver came back up at 86), and there will
	// be 33 seconds of extra time before the lease is lost.
	ret.RenewDeadline.Duration = 107 * time.Second
}
if ret.RetryPeriod.Duration == 0 {
	ret.RetryPeriod.Duration = 26 * time.Second
}

Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-24 16:21:53 -04:00
..
apiserviceref Use API service as owner ref for cluster scoped resources 2021-02-10 21:52:08 -05:00
authenticators More LDAP WIP: started controller and LDAP server connection code 2021-04-09 18:49:43 -07:00
certauthority dynamiccert: split into serving cert and CA providers 2021-03-15 12:24:07 -04:00
clusterhost Introduce clusterhost package to determine whether a cluster has control plane nodes 2021-02-09 11:16:01 -08:00
concierge Add leader election middleware 2021-08-20 12:18:25 -04:00
config Remove references to impersonationConfigMap. 2021-05-26 15:24:59 -05:00
constable Save 2 lines by using inline-style comments for Copyright 2020-09-16 10:35:19 -04:00
controller Merge branch 'main' into oidc_password_grant 2021-08-24 12:23:52 -04:00
controllerlib Fix bad test package name 2021-06-22 11:23:19 -04:00
controllermanager Add leader election middleware 2021-08-20 12:18:25 -04:00
crud Supervisor storage garbage collection controller enabled in production 2020-12-11 15:21:34 -08:00
deploymentref Use API service as owner ref for cluster scoped resources 2021-02-10 21:52:08 -05:00
downward internal/downward: add support for (optional) pod name 2020-12-11 11:49:27 -05:00
dynamiccert dynamiccert: prevent misuse of NewServingCert 2021-08-17 12:58:32 -04:00
endpointaddr Add endpointaddr pkg for parsing host+port inputs. 2021-05-25 16:17:26 -05:00
execcredcache Add CLI caching of cluster-specific credentials. 2021-04-08 14:12:34 -05:00
fositestorage Use a custom type for our static CLI client (smaller change). 2021-06-15 15:31:48 -05:00
fositestoragei More adjustments based on PR feedback 2021-04-27 16:54:26 -07:00
groupsuffix Remove unparam linter 2021-08-19 10:20:24 -07:00
here Save 2 lines by using inline-style comments for Copyright 2020-09-16 10:35:19 -04:00
httputil Adjust our securityheader pkg to support form_post. 2021-07-09 12:08:43 -05:00
issuer dynamiccert: split into serving cert and CA providers 2021-03-15 12:24:07 -04:00
kubeclient Add leader election middleware 2021-08-20 12:18:25 -04:00
leaderelection leader election: use better duration defaults 2021-08-24 16:21:53 -04:00
localuserauthenticator Switch to a slimmer distroless base image. 2021-08-09 15:05:13 -04:00
mocks Optionally allow OIDC password grant for CLI-based login experience 2021-08-12 10:45:39 -07:00
oidc Log auth endpoint errors with stack traces 2021-08-20 14:41:02 -07:00
ownerref internal/groupsuffix: mutate TokenCredentialRequest's Authenticator 2021-02-10 15:53:44 -05:00
plog WIP on new plog 2021-04-21 09:02:45 -07:00
registry credentialrequest: use safer approximation for ExpirationTimestamp 2021-06-23 11:07:00 -04:00
secret All controller unit tests should not cancel context until test is over 2021-03-04 17:26:01 -08:00
supervisor/server Add leader election middleware 2021-08-20 12:18:25 -04:00
testutil Merge branch 'main' into oidc_password_grant 2021-08-24 12:23:52 -04:00
upstreamldap In LDAP, do not log username until we know the user exists. 2021-05-28 16:57:48 -05:00
upstreamoidc remove one nolint:unparam comment 2021-08-19 10:57:00 -07:00
valuelesscontext valuelesscontext: make unit tests more clear 2021-04-30 10:43:29 -04:00