
feat(charts): add liveness probes to cert-controller and webhook (#6147)

Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com>
Matt Carpenter 1 month ago
parent
commit
57a719e747

+ 30 - 4
deploy/charts/external-secrets/README.md

@@ -53,6 +53,13 @@ The command removes all the Kubernetes components associated with the chart and
 | certController.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` |  |
 | certController.image.tag | string | `""` |  |
 | certController.imagePullSecrets | list | `[]` |  |
+| certController.livenessProbe.enabled | bool | `false` |  |
+| certController.livenessProbe.failureThreshold | int | `5` |  |
+| certController.livenessProbe.initialDelaySeconds | int | `10` |  |
+| certController.livenessProbe.periodSeconds | int | `10` |  |
+| certController.livenessProbe.port | int | `8081` | Set this value to 'live' (for named port) or an integer for liveness probes. @schema type: [string, integer] |
+| certController.livenessProbe.successThreshold | int | `1` |  |
+| certController.livenessProbe.timeoutSeconds | int | `5` |  |
 | certController.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifies Log Params to the Certificate Controller |
 | certController.metrics.listen.port | int | `8080` |  |
 | certController.metrics.service.annotations | object | `{}` | Additional service annotations |
@@ -65,8 +72,14 @@ The command removes all the Kubernetes components associated with the chart and
 | certController.podSecurityContext.enabled | bool | `true` |  |
 | certController.priorityClassName | string | `""` | Pod priority class name. |
 | certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
-| certController.readinessProbe.address | string | `""` | Address for readiness probe |
-| certController.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet |
+| certController.readinessProbe.address | string | `""` |  |
+| certController.readinessProbe.enabled | bool | `true` |  |
+| certController.readinessProbe.failureThreshold | int | `3` |  |
+| certController.readinessProbe.initialDelaySeconds | int | `20` |  |
+| certController.readinessProbe.periodSeconds | int | `5` |  |
+| certController.readinessProbe.port | int | `8081` | Set this value to 'ready' (for named port) or an integer for readiness probes. @schema type: [string, integer] |
+| certController.readinessProbe.successThreshold | int | `1` |  |
+| certController.readinessProbe.timeoutSeconds | int | `5` |  |
 | certController.replicaCount | int | `1` |  |
 | certController.requeueInterval | string | `"5m"` |  |
 | certController.resources | object | `{}` |  |
@@ -260,6 +273,13 @@ The command removes all the Kubernetes components associated with the chart and
 | webhook.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` |  |
 | webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
 | webhook.imagePullSecrets | list | `[]` |  |
+| webhook.livenessProbe.enabled | bool | `false` |  |
+| webhook.livenessProbe.failureThreshold | int | `5` |  |
+| webhook.livenessProbe.initialDelaySeconds | int | `10` |  |
+| webhook.livenessProbe.periodSeconds | int | `10` |  |
+| webhook.livenessProbe.port | int | `8081` | Set this value to 'live' (for named port) or an integer for liveness probes. @schema type: [string, integer] |
+| webhook.livenessProbe.successThreshold | int | `1` |  |
+| webhook.livenessProbe.timeoutSeconds | int | `5` |  |
 | webhook.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifies Log Params to the Webhook |
 | webhook.lookaheadInterval | string | `""` | Specifies the lookaheadInterval for certificate validity |
 | webhook.metrics.listen.port | int | `8080` |  |
@@ -273,8 +293,14 @@ The command removes all the Kubernetes components associated with the chart and
 | webhook.podSecurityContext.enabled | bool | `true` |  |
 | webhook.port | int | `10250` | The port the webhook will listen to |
 | webhook.priorityClassName | string | `""` | Pod priority class name. |
-| webhook.readinessProbe.address | string | `""` | Address for readiness probe |
-| webhook.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet |
+| webhook.readinessProbe.address | string | `""` |  |
+| webhook.readinessProbe.enabled | bool | `true` |  |
+| webhook.readinessProbe.failureThreshold | int | `3` |  |
+| webhook.readinessProbe.initialDelaySeconds | int | `20` |  |
+| webhook.readinessProbe.periodSeconds | int | `5` |  |
+| webhook.readinessProbe.port | int | `8081` | Set this value to 'ready' (for named port) or an integer for readiness probes. @schema type: [string, integer] |
+| webhook.readinessProbe.successThreshold | int | `1` |  |
+| webhook.readinessProbe.timeoutSeconds | int | `5` |  |
 | webhook.replicaCount | int | `1` |  |
 | webhook.resources | object | `{}` |  |
 | webhook.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |

+ 18 - 2
deploy/charts/external-secrets/templates/cert-controller-deployment.yaml

@@ -111,12 +111,28 @@ spec:
               protocol: TCP
               name: startup
             {{- end }}
+          {{- if .Values.certController.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              port: {{ .Values.certController.livenessProbe.port }}
+              path: /healthz
+            initialDelaySeconds: {{ .Values.certController.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.certController.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.certController.livenessProbe.timeoutSeconds }}
+            failureThreshold: {{ .Values.certController.livenessProbe.failureThreshold }}
+            successThreshold: {{ .Values.certController.livenessProbe.successThreshold }}
+          {{- end }}
+          {{- if .Values.certController.readinessProbe.enabled }}
           readinessProbe:
             httpGet:
               port: ready
               path: /readyz
-            initialDelaySeconds: 20
-            periodSeconds: 5
+            initialDelaySeconds: {{ .Values.certController.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.certController.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.certController.readinessProbe.timeoutSeconds }}
+            failureThreshold: {{ .Values.certController.readinessProbe.failureThreshold }}
+            successThreshold: {{ .Values.certController.readinessProbe.successThreshold }}
+          {{- end }}
           {{- if .Values.certController.startupProbe.enabled }}
           startupProbe:
             httpGet:
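Review bot: The added livenessProbe reads its port from `.Values.certController.livenessProbe.port`, and the chart documents `live` as a valid named-port value, yet no container port named `live` is declared in the lines visible here (the ports context shows `startup`, and the snapshot shows only `ready`). A user who follows the documentation and sets `live` would presumably get a probe that never resolves its port, so the kubelet restarts the container repeatedly. The smallest fix is to correct the values comment, for example `# -- Integer port, or the name of a container port this deployment declares (e.g. 'ready').`, or alternatively to declare a `live` port in the ports list. The same applies to the livenessProbe added in webhook-deployment.yaml. The ports list starts outside this hunk, so a declaration further up cannot be ruled out.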

+ 18 - 2
deploy/charts/external-secrets/templates/webhook-deployment.yaml

@@ -101,12 +101,28 @@ spec:
             - containerPort: {{ .Values.webhook.readinessProbe.port }}
               protocol: TCP
               name: ready
+          {{- if .Values.webhook.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              port: {{ .Values.webhook.livenessProbe.port }} 
+              path: /healthz
+            initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.webhook.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.webhook.livenessProbe.timeoutSeconds }}
+            failureThreshold: {{ .Values.webhook.livenessProbe.failureThreshold }}
+            successThreshold: {{ .Values.webhook.livenessProbe.successThreshold }}
+          {{- end }}
+          {{- if .Values.webhook.readinessProbe.enabled }}
           readinessProbe:
             httpGet:
               port: ready
               path: /readyz
-            initialDelaySeconds: 20
-            periodSeconds: 5
+            initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.webhook.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.webhook.readinessProbe.timeoutSeconds }}
+            failureThreshold: {{ .Values.webhook.readinessProbe.failureThreshold }}
+            successThreshold: {{ .Values.webhook.readinessProbe.successThreshold }}
+          {{- end }}
           {{- with .Values.webhook.extraEnv }}
           env:
             {{- toYaml . | nindent 12 }}
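Review bot: Wrapping the readinessProbe in `{{- if .Values.webhook.readinessProbe.enabled }}` makes it possible to render the admission webhook with no readiness gate, and nothing in the chart explains the consequence. Without a readiness probe a pod counts as ready as soon as its container starts, so the Service may route admission requests to a webhook that is not yet serving. I would document that on the value, e.g. `# -- Keep enabled outside of debugging: without it the webhook Service may route admission requests to a pod that is not ready.` Separately, the added line `port: {{ .Values.webhook.livenessProbe.port }} ` ends with a trailing space that should be removed.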

+ 4 - 1
deploy/charts/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap

@@ -49,14 +49,17 @@ should match snapshot of default values:
                   name: metrics
                   protocol: TCP
                 - containerPort: 8081
-                  protocol: TCP
                   name: ready
+                  protocol: TCP
               readinessProbe:
+                failureThreshold: 3
                 httpGet:
                   path: /readyz
                   port: ready
                 initialDelaySeconds: 20
                 periodSeconds: 5
+                successThreshold: 1
+                timeoutSeconds: 5
               securityContext:
                 allowPrivilegeEscalation: false
                 capabilities:

+ 4 - 1
deploy/charts/external-secrets/tests/__snapshot__/webhook_test.yaml.snap

@@ -50,14 +50,17 @@ should match snapshot of default values:
                   name: webhook
                   protocol: TCP
                 - containerPort: 8081
-                  protocol: TCP
                   name: ready
+                  protocol: TCP
               readinessProbe:
+                failureThreshold: 3
                 httpGet:
                   path: /readyz
                   port: ready
                 initialDelaySeconds: 20
                 periodSeconds: 5
+                successThreshold: 1
+                timeoutSeconds: 5
               securityContext:
                 allowPrivilegeEscalation: false
                 capabilities:

+ 100 - 0
deploy/charts/external-secrets/values.schema.json

@@ -75,6 +75,35 @@
                 "imagePullSecrets": {
                     "type": "array"
                 },
+                "livenessProbe": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "failureThreshold": {
+                            "type": "integer"
+                        },
+                        "initialDelaySeconds": {
+                            "type": "integer"
+                        },
+                        "periodSeconds": {
+                            "type": "integer"
+                        },
+                        "port": {
+                            "type": [
+                                "string",
+                                "integer"
+                            ]
+                        },
+                        "successThreshold": {
+                            "type": "integer"
+                        },
+                        "timeoutSeconds": {
+                            "type": "integer"
+                        }
+                    }
+                },
                 "log": {
                     "type": "object",
                     "properties": {
@@ -164,7 +193,28 @@
                         "address": {
                             "type": "string"
                         },
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "failureThreshold": {
+                            "type": "integer"
+                        },
+                        "initialDelaySeconds": {
+                            "type": "integer"
+                        },
+                        "periodSeconds": {
+                            "type": "integer"
+                        },
                         "port": {
+                            "type": [
+                                "string",
+                                "integer"
+                            ]
+                        },
+                        "successThreshold": {
+                            "type": "integer"
+                        },
+                        "timeoutSeconds": {
                             "type": "integer"
                         }
                     }
@@ -971,6 +1021,35 @@
                 "imagePullSecrets": {
                     "type": "array"
                 },
+                "livenessProbe": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "failureThreshold": {
+                            "type": "integer"
+                        },
+                        "initialDelaySeconds": {
+                            "type": "integer"
+                        },
+                        "periodSeconds": {
+                            "type": "integer"
+                        },
+                        "port": {
+                            "type": [
+                                "string",
+                                "integer"
+                            ]
+                        },
+                        "successThreshold": {
+                            "type": "integer"
+                        },
+                        "timeoutSeconds": {
+                            "type": "integer"
+                        }
+                    }
+                },
                 "log": {
                     "type": "object",
                     "properties": {
@@ -1058,7 +1137,28 @@
                         "address": {
                             "type": "string"
                         },
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "failureThreshold": {
+                            "type": "integer"
+                        },
+                        "initialDelaySeconds": {
+                            "type": "integer"
+                        },
+                        "periodSeconds": {
+                            "type": "integer"
+                        },
                         "port": {
+                            "type": [
+                                "string",
+                                "integer"
+                            ]
+                        },
+                        "successThreshold": {
+                            "type": "integer"
+                        },
+                        "timeoutSeconds": {
                             "type": "integer"
                         }
                     }

+ 38 - 4
deploy/charts/external-secrets/values.yaml

@@ -563,11 +563,28 @@ webhook:
       annotations: {}
 
 
+  livenessProbe:
+    enabled: false
+    # -- Set this value to 'live' (for named port) or an integer for liveness probes.
+    # @schema type: [string, integer]
+    port: 8081
+    timeoutSeconds: 5
+    failureThreshold: 5
+    periodSeconds: 10
+    successThreshold: 1
+    initialDelaySeconds: 10
+
   readinessProbe:
-    # -- Address for readiness probe
+    enabled: true
     address: ""
-    # -- ReadinessProbe port for kubelet
+    # -- Set this value to 'ready' (for named port) or an integer for readiness probes.
+    # @schema type: [string, integer]
     port: 8081
+    timeoutSeconds: 5
+    failureThreshold: 3
+    periodSeconds: 5
+    successThreshold: 1
+    initialDelaySeconds: 20
 
 
     ## -- Extra environment variables to add to container.
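Review bot: `readinessProbe.port` is now annotated `# @schema type: [string, integer]` and documented as accepting `ready`, but webhook-deployment.yaml renders this value as `containerPort: {{ .Values.webhook.readinessProbe.port }}` while the probe itself keeps the hard-coded `port: ready`. A string here would land in `containerPort`, which the Kubernetes API accepts only as an integer, so the mistake passes schema validation and fails at apply time. Keep this key integer-only with `# @schema type: integer` and a comment such as `# -- Port the readiness endpoint listens on; rendered as the containerPort named 'ready'.` The certController block in the next hunk carries the same annotation and likely needs the same change.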
@@ -709,11 +726,28 @@ certController:
       # -- Additional service annotations
       annotations: {}
 
+  livenessProbe:
+    enabled: false
+    # -- Set this value to 'live' (for named port) or an integer for liveness probes.
+    # @schema type: [string, integer]
+    port: 8081
+    timeoutSeconds: 5
+    failureThreshold: 5
+    periodSeconds: 10
+    successThreshold: 1
+    initialDelaySeconds: 10
+
   readinessProbe:
-    # -- Address for readiness probe
+    enabled: true
     address: ""
-    # -- ReadinessProbe port for kubelet
+    # -- Set this value to 'ready' (for named port) or an integer for readiness probes.
+    # @schema type: [string, integer]
     port: 8081
+    timeoutSeconds: 5
+    failureThreshold: 3
+    periodSeconds: 5
+    successThreshold: 1
+    initialDelaySeconds: 20
 
   startupProbe:
     # -- Enabled determines if the startup probe should be used or not. By default it's enabled
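Review bot: `livenessProbe.successThreshold` is exposed as a free integer, but Kubernetes requires it to be 1 for liveness probes and rejects the pod spec otherwise. Any override only surfaces as an API error during install or upgrade. Either drop the key and hard-code `successThreshold: 1` in the liveness template, or document the constraint with `# -- Must be 1 for liveness probes; Kubernetes rejects any other value.` The webhook `livenessProbe` block in the previous hunk has the same key. The startupProbe block that follows continues outside this hunk.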