Configure max retries (#1633)

<!--
Before you open the request please review the following guidelines and
tips to help it be more easily integrated:

 - Describe the scope of your change - i.e. what the change does.
 - Describe any known limitations with your change.
- Please run any tests or examples that can exercise your modified code.

Thank you for contributing! We will try to test and integrate the change
as soon as we can, but be aware we have many GitHub repositories to
manage and can't immediately respond to every request. There is no need
to bump or check in on a pull request (it will clutter the discussion of
the request).

Also don't be worried if the request is closed or not integrated
sometimes the priorities of Bitnami might not match the priorities of
the pull request. Don't fret, the open source community thrives on forks
and GitHub makes it easy to keep your changes in a forked repo.
 -->

**Description of the change**

Allow to configure max retries

**Applicable issues**

<!-- Enter any applicable Issues here (You can reference an issue using
#) -->
- fixes #1599

---------

Signed-off-by: Alvaro Neira Ayuso <[email protected]>
Signed-off-by: Alvaro Neira Ayuso <[email protected]>
Co-authored-by: Alfredo Garcia <[email protected]>

Author: alvneiayu

README.md

@@ -60,6 +60,7 @@ original Secret from the SealedSecret.
   - [How to use kubeseal if the controller is not running within the `kube-system` namespace?](#how-to-use-kubeseal-if-the-controller-is-not-running-within-the-kube-system-namespace)
   - [How to verify the images?](#how-to-verify-the-images)
   - [How to use one controller for a subset of namespaces](#How-to-use-one-controller-for-a-subset-of-namespaces)
+  - [Can I configure the controller unseal retries](#can-i-configure-the-controller-unseal-retries)
 
 - [Community](#community)
   - [Related projects](#related-projects)
@@ -826,6 +827,10 @@ cosign verify --key .github/workflows/cosign.pub docker.io/bitnami/sealed-secret
 
 If you want to use one controller for more than one namespace, but not all namespaces, you can provide additional namespaces using the command line flag `--additional-namespaces=<namespace1>,<namespace2>,<...>`. Make sure you provide appropriate roles and rolebindings in the target namespaces, so the controller can manage the secrets in there.
 
+### Can I configure the Controller unseal retries?
+
+The answer is yes, you can configure the number of retries in your controller using the flag `--max-unseal-retries`. This flag allows you to configure the number of maximum retries to unseal your Sealed Secrets.
+
 ## Community
 
 - [#sealed-secrets on Kubernetes Slack](https://kubernetes.slack.com/messages/sealed-secrets)

cmd/controller/main.go

@@ -58,6 +58,8 @@ func bindControllerFlags(f *controller.Flags, fs *flag.FlagSet) {
 
 	fs.DurationVar(&f.KeyRenewPeriod, "rotate-period", defaultKeyRenewPeriod, "")
 	_ = fs.MarkDeprecated("rotate-period", "please use key-renew-period instead")
+
+	fs.IntVar(&f.MaxRetries, "max-unseal-retries", 5, "Max unseal retries.")
 }
 
 func bindFlags(f *controller.Flags, fs *flag.FlagSet, gofs *goflag.FlagSet) {

helm/sealed-secrets/README.md

@@ -145,6 +145,10 @@ spec:
             - --listen-metrics-addr
             - {{ printf ":%s" (.Values.containerPorts.metrics | toString) }}
             {{- end }}
+            {{- if .Values.maxRetries }}
+            - --max-unseal-retries
+            - {{ .Values.maxRetries | quote }}
+            {{- end }}
           {{- end }}
           image: {{ printf "%s/%s:%s" .Values.image.registry .Values.image.repository .Values.image.tag }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}

helm/sealed-secrets/templates/deployment.yaml

@@ -112,6 +112,9 @@ logLevel: ""
 ## @param logFormat Specifies log format (text,json)
 ##
 logFormat: ""
+## @param maxRetries Number of maximum retries
+##
+maxRetries: ""
 ## @param command Override default container command
 ##
 command: []

helm/sealed-secrets/values.yaml

@@ -38,8 +38,6 @@ import (
 )
 
 const (
-	maxRetries = 5
-
 	// SuccessUnsealed is used as part of the Event 'reason' when
 	// a SealedSecret is unsealed successfully.
 	SuccessUnsealed = "Unsealed"
@@ -60,6 +58,8 @@ const (
 var (
 	// ErrCast happens when a K8s any type cannot be casted to the expected type.
 	ErrCast = errors.New("cast error")
+
+	maxRetries = 5
 )
 
 // Controller implements the main sealed-secrets-controller loop.
@@ -77,7 +77,7 @@ type Controller struct {
 }
 
 // NewController returns the main sealed-secrets controller loop.
-func NewController(clientset kubernetes.Interface, ssclientset ssclientset.Interface, ssinformer ssinformer.SharedInformerFactory, sinformer informers.SharedInformerFactory, keyRegistry *KeyRegistry) (*Controller, error) {
+func NewController(clientset kubernetes.Interface, ssclientset ssclientset.Interface, ssinformer ssinformer.SharedInformerFactory, sinformer informers.SharedInformerFactory, keyRegistry *KeyRegistry, maxRetriesConfig int) (*Controller, error) {
 	queue := workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter())
 
 	utilruntime.Must(ssscheme.AddToScheme(scheme.Scheme))
@@ -102,6 +102,8 @@ func NewController(clientset kubernetes.Interface, ssclientset ssclientset.Inter
 		}
 	}
 
+	maxRetries = maxRetriesConfig
+
 	return &Controller{
 		ssInformer:  ssInformer,
 		sInformer:   sInformer,

pkg/controller/controller.go

@@ -55,6 +55,7 @@ type Flags struct {
 	LogFormat             string
 	PrivateKeyAnnotations string
 	PrivateKeyLabels      string
+	MaxRetries            int
 }
 
 func initKeyPrefix(keyPrefix string) (string, error) {
@@ -267,7 +268,7 @@ func Main(f *Flags, version string) error {
 func prepareController(clientset kubernetes.Interface, namespace string, tweakopts func(*metav1.ListOptions), f *Flags, ssclientset versioned.Interface, keyRegistry *KeyRegistry) (*Controller, error) {
 	sinformer := initSecretInformerFactory(clientset, namespace, tweakopts, f.SkipRecreate)
 	ssinformer := ssinformers.NewFilteredSharedInformerFactory(ssclientset, 0, namespace, tweakopts)
-	controller, err := NewController(clientset, ssclientset, ssinformer, sinformer, keyRegistry)
+	controller, err := NewController(clientset, ssclientset, ssinformer, sinformer, keyRegistry, f.MaxRetries)
 	return controller, err
 }