use zap for logging, previous log never outputted to kubectl logs

Author: eatwithforks

go.mod

@@ -3,7 +3,9 @@ module github.com/open-policy-agent/cert-controller
 go 1.14
 
 require (
+ 	github.com/go-logr/zapr v0.1.0
 	github.com/onsi/gomega v1.10.2
+    github.com/open-policy-agent/cert-controller v0.1.0
 	github.com/pkg/errors v0.9.1
 	go.uber.org/atomic v1.6.0
     go.uber.org/zap v1.10.0

main.go

@@ -12,6 +12,8 @@ import (
 	"k8s.io/client-go/tools/clientcmd/api"
 	"os"
 	ctrl "sigs.k8s.io/controller-runtime"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"github.com/go-logr/zapr"
 	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 	"time"
 )
@@ -27,6 +29,21 @@ var (
 	webhookName    = flag.String("webhook-name", "", "Your webhook name")
 )
 
+func buildLogger() (*zap.Logger, error) {
+	// build a logger:
+	// - without timestamps because docker already logs with timestamps
+	// - use "message" instead of "msg" for consistency with other services / datadog parsing
+	// - remove caller since it points to shared methods most of the time anyway
+	loggerConfig := zap.NewProductionConfig()
+	loggerConfig.EncoderConfig.TimeKey = ""
+	loggerConfig.EncoderConfig.MessageKey = "message"
+	loggerConfig.DisableCaller = true
+	if os.Getenv("DEBUG") == "1" {
+		loggerConfig.Level.SetLevel(zap.DebugLevel)
+	}
+	return loggerConfig.Build()
+}
+
 func main() {
 	flag.Parse()
 
@@ -38,7 +55,9 @@ func main() {
 	}
 
 	// configure logging.
-	logger, _ := zap.NewDevelopment()
+	logger, _ := buildLogger()
+	defer logger.Sync() // flush buffer
+	logf.SetLogger(zapr.NewLogger(logger)) // Set logger for cert-controller or it sends to /dev/null
 
 	logger.Info("sleeping to demonstrate restart behavior")
 	time.Sleep(5 * time.Second)
@@ -63,6 +82,7 @@ func main() {
 	}
 
 	// Make sure certs are generated and valid if cert rotation is enabled.
+	setupFinished := make(chan struct{})
 	if err := rotator.AddRotator(mgr, &rotator.CertRotator{
 		SecretKey: types.NamespacedName{
 			Namespace: *nameSpace,
@@ -72,10 +92,10 @@ func main() {
 		CAName:         *caName,
 		CAOrganization: *caOrganization,
 		DNSName:        *dnsName,
+		IsReady:        setupFinished,
 		Webhooks:       webhooks,
 	}); err != nil {
 		logger.Error("unable to set up cert rotation", zap.Error(err))
-
 		os.Exit(1)
 	}
 

pkg/rotator/rotator.go

@@ -41,6 +41,7 @@ const (
 	caCertName             = "ca.crt"
 	caKeyName              = "ca.key"
 	rotationCheckFrequency = 12 * time.Hour
+	certValidityDuration   = 10 * 365 * 24 * time.Hour
 	lookaheadInterval      = 90 * 24 * time.Hour
 )
 
@@ -62,9 +63,6 @@ var _ manager.Runnable = &CertRotator{}
 
 var restartOnSecretRefresh = false
 
-var certValidityDuration = flag.Duration("cert-validity-duration", 10 * 365 * 24 * time.Hour, "Sets how long the cert is valid for, defaults to 10 years")
-
-
 //WebhookInfo is used by the rotator to receive info about resources to be updated with certificates
 type WebhookInfo struct {
 	//Name is the name of the webhook for a validating or mutating webhook, or the CRD name in case of a CRD conversion webhook
@@ -73,7 +71,7 @@ type WebhookInfo struct {
 }
 
 func init() {
-	flag.BoolVar(&restartOnSecretRefresh, "cert-restart-on-secret-refresh", true, "Kills the process when secrets are refreshed so that the pod can be restarted (secrets take up to 60s to be updated by running pods)")
+	flag.BoolVar(&restartOnSecretRefresh, "cert-restart-on-secret-refresh", false, "Kills the process when secrets are refreshed so that the pod can be restarted (secrets take up to 60s to be updated by running pods)")
 }
 
 func (w WebhookInfo) gvk() schema.GroupVersionKind {
@@ -264,7 +262,7 @@ func (cr *CertRotator) refreshCerts(refreshCA bool, secret *corev1.Secret) error
 	var caArtifacts *KeyPairArtifacts
 	now := time.Now()
 	begin := now.Add(-1 * time.Hour)
-	end := now.Add(*certValidityDuration)
+	end := now.Add(certValidityDuration)
 	if refreshCA {
 		var err error
 		caArtifacts, err = cr.CreateCACert(begin, end)
@@ -627,11 +625,9 @@ func (r *ReconcileWH) Reconcile(ctx context.Context, request reconcile.Request)
 		}
 
 		// Ensure certs on webhooks
-		fmt.Println("Starting cert injection")
 		if err := r.ensureCerts(artifacts.CertPEM); err != nil {
 			return reconcile.Result{}, err
 		}
-		fmt.Println("Finished cert injection")
 
 		// Set CAInjected if the reconciler has not exited early.
 		r.wasCAInjected.Store(true)
@@ -660,32 +656,25 @@ func (r *ReconcileWH) ensureCerts(certPem []byte) error {
 		updatedResource.SetGroupVersionKind(gvk)
 		if err := r.cache.Get(r.ctx, types.NamespacedName{Name: webhook.Name}, updatedResource); err != nil {
 			if k8sErrors.IsNotFound(err) {
-				fmt.Println("Webhook not found. Unable to update certificate.", err)
 				log.Error(err, "Webhook not found. Unable to update certificate.")
 				continue
 			}
 			anyError = err
 			log.Error(err, "Error getting webhook for certificate update.")
-			fmt.Println("Error getting webhook for certificate update.", err)
-
 			continue
 		}
 		if !updatedResource.GetDeletionTimestamp().IsZero() {
-			fmt.Println("Webhook is being deleted. Unable to update certificate")
 			log.Info("Webhook is being deleted. Unable to update certificate")
 			continue
 		}
 
 		log.Info("Ensuring CA cert", "name", webhook.Name, "gvk", gvk)
 		if err := injectCert(updatedResource, certPem, webhook.Type); err != nil {
-			fmt.Println("Unable to inject cert to webhook.:", err)
 			log.Error(err, "Unable to inject cert to webhook.")
 			anyError = err
 			continue
 		}
 		if err := r.writer.Update(r.ctx, updatedResource); err != nil {
-			fmt.Println("Error updating webhook with certificate:", err)
-
 			log.Error(err, "Error updating webhook with certificate")
 			anyError = err
 			continue
@@ -736,4 +725,4 @@ func (cr *CertRotator) ensureReady() {
 	}
 	crLog.Info("CA certs are injected to webhooks")
 	close(cr.IsReady)
-}
+}

test.yaml

@@ -18,29 +18,40 @@ spec:
         foo: bar4
     spec:
       containers:
-      - name: busybox
-        image: busybox
-        command: ["sh", "-c", "watch ls /certs"]
-        volumeMounts:
-        - name: certs
-          mountPath: "/certs"
-          readOnly: true
-      - name: cert-controller
-        args:
-          - -cert-dir=/certs
-          - -ca-name=foocaname
-          - -secret-name=vpa-admission-controller-secret
-          - -service-name=fooservice
-          - -ca-organization=fooorg
-          - -namespace=default
-          - -dns-name=foo.bar.svc
-          - -webhook-name=vpa-webhook-config
-        imagePullPolicy: Never
-        image: cert-controller
+        - name: busybox
+          image: busybox
+          command: ["sh", "-c", "watch ls /certs"]
+          volumeMounts:
+            - name: certs
+              mountPath: "/certs"
+              readOnly: true
+        - name: cert-controller
+          args:
+            - -cert-dir=/certs
+            - -ca-name=foocaname
+            - -secret-name=vpa-admission-controller-secret
+            - -service-name=fooservice
+            - -ca-organization=fooorg
+            - -namespace=default
+            - -dns-name=foo.bar.svc
+            - -webhook-name=vpa-webhook-config
+          imagePullPolicy: Never
+          image: cert-controller
+          resources:
+            limits:
+              cpu: 200m
+              memory: 500Mi
+            requests:
+              cpu: 50m
+              memory: 200Mi
+          volumeMounts:
+            - name: certs
+              mountPath: "/certs"
+              readOnly: true
       volumes:
-      - name: certs
-        secret:
-          secretName: vpa-admission-controller-secret
+        - name: certs
+          secret:
+            secretName: vpa-admission-controller-secret
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
@@ -54,21 +65,21 @@ metadata:
   annotations:
     samson/server_side_apply: 'true'
 webhooks:
-- name: vpa.k8s.io
-  failurePolicy: Ignore
-  admissionReviewVersions: ["v1beta1"]
-  rules:
-  - apiGroups:   [""]
-    apiVersions: ["v1"]
-    operations:  ["CREATE"]
-    resources:   ["pods"]
-  clientConfig:
-    caBundle: Cg==
-    service:
-      namespace: default
-      name: vpa-webhook
-  sideEffects: None
-  timeoutSeconds: 30
+  - name: vpa.k8s.io
+    failurePolicy: Ignore
+    admissionReviewVersions: ["v1beta1"]
+    rules:
+      - apiGroups:   [""]
+        apiVersions: ["v1"]
+        operations:  ["CREATE"]
+        resources:   ["pods"]
+    clientConfig:
+      caBundle: Cg==
+      service:
+        namespace: default
+        name: vpa-webhook
+    sideEffects: None
+    timeoutSeconds: 30
 
 # We need to create a bogus secret for the updater to fill
 ---