3535key_vault_name = os .getenv ("AZURE_KEY_VAULT_NAME" )
3636key_vault_uri = f"https://{ key_vault_name }
3737use_namespaces = os .getenv ("USE_NAMESPACES" , "false" ).lower () in ("true" , "1" , "yes" , "enabled" )
38- check_interval = int (os .getenv ("CHECK_INTERVAL" , 300 ))
38+ check_interval = int (os .getenv ("CHECK_INTERVAL" , " 300"
3939filter_annotation = os .getenv ("ANNOTATION" , "cert-manager.io/certificate-name" )
4040certificate_name_filter = os .getenv ("CERT_NAME_FILTER" , "*" )
4141
4242# GitHub version check variables
4343github_repository_owner = os .getenv ("GITHUB_REPO_OWNER" , "rdvansloten" )
4444github_repository_name = os .getenv ("GITHUB_REPO_NAME" , "cert-manager-key-vault-sync" )
4545version_check_interval = os .getenv ("VERSION_CHECK_INTERVAL" , "86400" )
46- current_version = "v1.2 .0"
46+ current_version = "v1.3 .0"
4747check_version = os .getenv ("CHECK_VERSION" , "true" ).lower ()
4848
4949# Leader election variables
5050lease_name = os .getenv ("LEADER_ELECTION_LEASE_NAME" , "cert-manager-key-vault-sync-leader" )
5151lease_namespace = os .getenv ("POD_NAMESPACE" , "cert-manager-key-vault-sync" )
52- lease_duration_seconds = int (os .getenv ("LEASE_DURATION_SECONDS" , 60 ))
53- renew_interval_seconds = int (os .getenv ("RENEW_INTERVAL_SECONDS" , 60 ))
52+ lease_duration_seconds = int (os .getenv ("LEASE_DURATION_SECONDS" , "60" ))
53+ renew_interval_seconds = int (os .getenv ("RENEW_INTERVAL_SECONDS" , "60" ))
5454pod_name = os .getenv ("POD_NAME" , "unknown" )
5555leader_active = True
5656
5959logging .info (f"Using Key Vault: { key_vault_uri } )
6060logging .info (f"Using Namespace separation: { str (use_namespaces ).lower ()} )
6161logging .info (f"Using certificate name filter: { certificate_name_filter } )
62- logging .info (f "Using annotation filter: { filter_annotation } "
62+ logging .info ("Using annotation filter: %s" , filter_annotation )
6363logging .info (f"Using version check interval: { version_check_interval } )
6464logging .info (f"Using GitHub version check: { check_version } )
6565
66- # Initialize Key Vault client
67- try :
68- credential = DefaultAzureCredential (exclude_interactive_browser_credential = False , additionally_allowed_tenants = "*" )
69- certificate_client = CertificateClient (vault_url = key_vault_uri , credential = credential )
66+ # Initialize Kubernetes client (in-cluster config)
67+ config .load_incluster_config ()
68+ k8s_client = client .CoreV1Api ()
7069
71- logging . info ( "Detected Key Vault Certificates:" )
72- for cert in certificate_client . list_properties_of_certificates ():
73- logging . info ( f"- { cert . name } " )
70+ # Azure credential and Key Vault client will be initialized after leadership is acquired
71+ credential = None
72+ certificate_client = None
7473
75- logging .info (f"Initialized Azure Key Vault client using Key Vault '{ key_vault_name } )
74+ def init_key_vault_client ():
75+ '''Initialize the Azure Key Vault client using DefaultAzureCredential.'''
76+ global credential , certificate_client
77+ # Lazy initialization if not already done
78+ if certificate_client is not None :
79+ return
7680
77- except ResourceNotFoundError as e :
78- logging .error (f"Failed to connect to Key Vault '{ key_vault_name } { str (e )} )
79- raise
81+ credential = DefaultAzureCredential (exclude_interactive_browser_credential = False , additionally_allowed_tenants = "*" )
82+ certificate_client = CertificateClient (vault_url = key_vault_uri , credential = credential )
8083
81- except ServiceRequestError as e :
82- logging .error (f"Failed to connect to Key Vault '{ key_vault_name } { str (e )} )
83- raise
84+ try :
85+ logging .info ("Detected Key Vault Certificates:" )
86+ for cert in certificate_client .list_properties_of_certificates ():
87+ logging .info (cert .name )
8488
85- except Exception as e :
86- logging .error (f"Failed to connect to Key Vault '{ key_vault_name } { str (e )} )
87- raise
89+ logging .info (f"Initialized Azure Key Vault client using Key Vault '{ key_vault_name } )
8890
89- # Initialize Kubernetes client (in-cluster config)
90- config . load_incluster_config ( )
91- k8s_client = client . CoreV1Api ()
91+ except ResourceNotFoundError as e :
92+ logging . error ( f"Failed to connect to Key Vault ' { key_vault_name } ': { str ( e ) } "
93+ raise
9294
95+ except ServiceRequestError as e :
96+ logging .error (f"Failed to connect to Key Vault '{ key_vault_name } { str (e )} )
97+ raise
98+
99+ except Exception as e :
100+ logging .error (f"Failed to connect to Key Vault '{ key_vault_name } { str (e )} )
101+ raise
93102
94103# Leader election functions
95104def get_lease (api ):
@@ -114,24 +123,23 @@ def create_lease(api):
114123 )
115124 try :
116125 created = api .create_namespaced_lease (lease_namespace , lease )
117- logging .info (f"[ { pod_name } ] Created lease; acquired leadership." )
126+ logging .info (f"Pod { pod_name } created lease; acquired leadership." )
118127 return created
119128 except client .exceptions .ApiException as e :
120- logging .error (f"[ { pod_name } ] Error creating lease: { e } )
129+ logging .error (f"Pod { pod_name } could not create a lease: { e } )
121130 return None
122131
123-
124132def try_acquire_leadership (api ):
125133 now = datetime .datetime .now (datetime .timezone .utc )
134+ # Fetch current Lease (or None if it doesn’t exist)
126135 lease = get_lease (api )
127136 if lease is None :
137+ # Try to create it (first comers win)
128138 lease = create_lease (api )
129- if lease is not None :
130- return True
131- else :
132- return False
139+ return True if lease is not None else False
133140
134141 spec = lease .spec
142+ # Determine if the existing lease has expired
135143 if spec .renew_time is None :
136144 expired = True
137145 else :
@@ -140,23 +148,32 @@ def try_acquire_leadership(api):
140148 last_renew = datetime .datetime .fromisoformat (last_renew .replace ("Z" , "+00:00" ))
141149 expired = (now - last_renew ).total_seconds () > spec .lease_duration_seconds
142150
151+ # If we already hold it or it’s expired, try to take it
143152 if spec .holder_identity == pod_name or expired :
144153 lease .spec .holder_identity = pod_name
145154 lease .spec .acquire_time = now
146155 lease .spec .renew_time = now
147156 lease .spec .lease_duration_seconds = lease_duration_seconds
157+
148158 try :
149159 api .replace_namespaced_lease (lease_name , lease_namespace , lease )
150- logging .info (f"[ { pod_name } ] Acquired /renewed leadership." )
160+ logging .info (f"Pod { pod_name } acquired /renewed leadership." )
151161 return True
162+
152163 except client .exceptions .ApiException as e :
153- logging .error (f"[{ pod_name } { e } )
154- return False
164+ if e .status == 409 :
165+ # Another pod updated the lease first—just back off
166+ logging .debug (f"Pod { pod_name } )
167+ return False
168+ else :
169+ logging .error (f"Pod { pod_name } { e } )
170+ return False
171+
155172 else :
156- logging .debug (f"[{ pod_name } { spec .holder_identity } )
173+ # Someone else still holds a valid lease
174+ logging .debug (f"Leadership held by { spec .holder_identity } )
157175 return False
158176
159-
160177def renew_leadership (api ):
161178 global leader_active
162179 while leader_active :
@@ -165,18 +182,18 @@ def renew_leadership(api):
165182 try :
166183 lease = get_lease (api )
167184 if lease is None :
168- logging .error (f"[ { pod_name } ] Lease not found." )
185+ logging .error (f"Lease not found for Pod { pod_name } )
169186 leader_active = False
170187 break
171188 if lease .spec .holder_identity != pod_name :
172- logging .error (f"[ { pod_name } ] Leadership lost (current leader: { lease .spec .holder_identity } )
189+ logging .error (f"Pod { pod_name } has lost leadership. (current leader: { lease .spec .holder_identity } )
173190 leader_active = False
174191 break
175192 lease .spec .renew_time = now
176193 api .replace_namespaced_lease (lease_name , lease_namespace , lease )
177- logging .info (f"[ { pod_name } ] Renewed leadership at { now .isoformat ()} )
194+ logging .info (f"Pod { pod_name } has renewed leadership at { now .isoformat ()} )
178195 except client .exceptions .ApiException as e :
179- logging .error (f"[ { pod_name } ] Error renewing lease: { e } )
196+ logging .error (f"Pod { pod_name } had an error renewing lease: { e } )
180197 leader_active = False
181198 break
182199
@@ -372,28 +389,29 @@ def periodic_check():
372389def main ():
373390 global leader_active
374391 logging .info ("Starting cert-manager-key-vault-sync process." )
375- schedule_version_check ()
376- load_initial_state ()
377-
378- # Start Prometheus metrics server on port 8000
379- start_http_server (8000 )
380- logging .info ("Prometheus metrics server started on port 8000" )
381392
382393 coordination_api = client .CoordinationV1Api ()
383394 while True :
384395 if try_acquire_leadership (coordination_api ):
385396 threading .Thread (target = renew_leadership , args = (coordination_api ,), daemon = True ).start ()
386- logging .info (f"Acquired leadership as { pod_name } )
397+ logging .info (f"Pod { pod_name } )
398+ init_key_vault_client ()
399+ start_http_server (8000 )
400+ logging .info ("Prometheus metrics server started on port 8000" )
387401 break
388402 else :
389- logging .debug (f"Not the leader, retrying in { renew_interval_seconds } )
403+ logging .debug (f"This Pod ( { pod_name } ) is not the leader, retrying in { renew_interval_seconds } )
390404 time .sleep (renew_interval_seconds )
391405
392406 # Only run the following if this replica is the leader.
393407 while leader_active :
394408 sync_total .inc ()
395409 sync_start = time .time ()
396410 try :
411+ schedule_version_check ()
412+ load_initial_state ()
413+
414+ # Start Prometheus metrics server on port 8000
397415 sync_k8s_secrets_to_key_vault ()
398416 sync_success_total .inc ()
399417 except Exception as e :
@@ -409,6 +427,5 @@ def main():
409427 logging .error ("Leadership lost, exiting process." )
410428 exit (1 )
411429
412-
413430if __name__ == "__main__" :
414431 main ()
0 commit comments