bitnami-labs · alvneiayu · Nov 7, 2024 · Nov 7, 2024 · Nov 7, 2024 · Nov 7, 2024
@@ -60,6 +60,7 @@ original Secret from the SealedSecret.
   - [How to use kubeseal if the controller is not running within the `kube-system` namespace?](#how-to-use-kubeseal-if-the-controller-is-not-running-within-the-kube-system-namespace)
   - [How to verify the images?](#how-to-verify-the-images)
   - [How to use one controller for a subset of namespaces](#How-to-use-one-controller-for-a-subset-of-namespaces)
+  - [Can I configure the controller unseal retries](#can-i-configure-the-controller-unseal-retries)
 
 - [Community](#community)
   - [Related projects](#related-projects)
@@ -826,6 +827,10 @@ cosign verify --key .github/workflows/cosign.pub docker.io/bitnami/sealed-secret
 
 If you want to use one controller for more than one namespace, but not all namespaces, you can provide additional namespaces using the command line flag `--additional-namespaces=<namespace1>,<namespace2>,<...>`. Make sure you provide appropriate roles and rolebindings in the target namespaces, so the controller can manage the secrets in there.
 
+### Can I configure the Controller unseal retries?
+
+The answer is yes, you can configure the number of retries in your controller using the flag `--max-unseal-retries`. This flag allows you to configure the number of maximum retries to unseal your Sealed Secrets.
+
 ## Community
 
 - [#sealed-secrets on Kubernetes Slack](https://kubernetes.slack.com/messages/sealed-secrets)

@@ -58,6 +58,8 @@ func bindControllerFlags(f *controller.Flags, fs *flag.FlagSet) {
 
 	fs.DurationVar(&f.KeyRenewPeriod, "rotate-period", defaultKeyRenewPeriod, "")
 	_ = fs.MarkDeprecated("rotate-period", "please use key-renew-period instead")
+
+	fs.IntVar(&f.MaxRetries, "max-unseal-retries", 5, "Max unseal retries.")
 }
 
 func bindFlags(f *controller.Flags, fs *flag.FlagSet, gofs *goflag.FlagSet) {

@@ -145,6 +145,10 @@ spec:
             - --listen-metrics-addr
             - {{ printf ":%s" (.Values.containerPorts.metrics | toString) }}
             {{- end }}
+            {{- if .Values.maxRetries }}
+            - --max-unseal-retries
+            - {{ .Values.maxRetries | quote }}
+            {{- end }}
           {{- end }}
           image: {{ printf "%s/%s:%s" .Values.image.registry .Values.image.repository .Values.image.tag }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}

@@ -112,6 +112,9 @@ logLevel: ""
 ## @param logFormat Specifies log format (text,json)
 ##
 logFormat: ""
+## @param maxRetries Number of maximum retries
+##
+maxRetries: ""
 ## @param command Override default container command
 ##
 command: []

@@ -38,8 +38,6 @@ import (
 )
 
 const (
-	maxRetries = 5
-
 	// SuccessUnsealed is used as part of the Event 'reason' when
 	// a SealedSecret is unsealed successfully.
 	SuccessUnsealed = "Unsealed"
@@ -60,6 +58,8 @@ const (
 var (
 	// ErrCast happens when a K8s any type cannot be casted to the expected type.
 	ErrCast = errors.New("cast error")
+
+	maxRetries = 5
 )
 
 // Controller implements the main sealed-secrets-controller loop.
@@ -77,7 +77,7 @@ type Controller struct {
 }
 
 // NewController returns the main sealed-secrets controller loop.
-func NewController(clientset kubernetes.Interface, ssclientset ssclientset.Interface, ssinformer ssinformer.SharedInformerFactory, sinformer informers.SharedInformerFactory, keyRegistry *KeyRegistry) (*Controller, error) {
+func NewController(clientset kubernetes.Interface, ssclientset ssclientset.Interface, ssinformer ssinformer.SharedInformerFactory, sinformer informers.SharedInformerFactory, keyRegistry *KeyRegistry, maxRetriesConfig int) (*Controller, error) {
 	queue := workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter())
 
 	utilruntime.Must(ssscheme.AddToScheme(scheme.Scheme))
@@ -102,6 +102,8 @@ func NewController(clientset kubernetes.Interface, ssclientset ssclientset.Inter
 		}
 	}
 
+	maxRetries = maxRetriesConfig
+
 	return &Controller{
 		ssInformer:  ssInformer,
 		sInformer:   sInformer,

@@ -55,6 +55,7 @@ type Flags struct {
 	LogFormat             string
 	PrivateKeyAnnotations string
 	PrivateKeyLabels      string
+	MaxRetries            int
 }
 
 func initKeyPrefix(keyPrefix string) (string, error) {
@@ -267,7 +268,7 @@ func Main(f *Flags, version string) error {
 func prepareController(clientset kubernetes.Interface, namespace string, tweakopts func(*metav1.ListOptions), f *Flags, ssclientset versioned.Interface, keyRegistry *KeyRegistry) (*Controller, error) {
 	sinformer := initSecretInformerFactory(clientset, namespace, tweakopts, f.SkipRecreate)
 	ssinformer := ssinformers.NewFilteredSharedInformerFactory(ssclientset, 0, namespace, tweakopts)
-	controller, err := NewController(clientset, ssclientset, ssinformer, sinformer, keyRegistry)
+	controller, err := NewController(clientset, ssclientset, ssinformer, sinformer, keyRegistry, f.MaxRetries)
 	return controller, err
 }