feat(ha): Add leader election to prevent duplicate ACM imports#48
Open
starlightromero wants to merge 5 commits intorobertlestak:mainfrom
Open
feat(ha): Add leader election to prevent duplicate ACM imports#48starlightromero wants to merge 5 commits intorobertlestak:mainfrom
starlightromero wants to merge 5 commits intorobertlestak:mainfrom
Conversation
Implement leader election using client-go LeaseLock so only one replica performs certificate syncs at a time. Other replicas remain as hot standbys for failover. - Extract informer logic into runController as OnStartedLeading callback - Add Role/RoleBinding for coordination.k8s.io Lease access - Expose KubeConfig from state package for leader election client - Configurable via LEADER_ELECTION_ENABLED, LEADER_ELECTION_NAMESPACE, and LEADER_ELECTION_LOCK_NAME env vars - Enabled by default; set LEADER_ELECTION_ENABLED=false to disable
Update vulnerable dependencies: - go-jose/v4: 4.1.3 -> 4.1.4 (CVE-2026-34986, HIGH) - grpc: 1.79.1 -> 1.79.3 (CVE-2026-33186, CRITICAL) Add tests for leader election configuration and KubeConfig export from state package.
- Write TLS private keys with 0600 instead of 0644 (G306) - Add read/write/idle timeouts to metrics HTTP server (G114) - Annotate intentional 0644 on public cert/CA files
- G115: Integer overflow guarded by retries < 31 bounds check - G703: Standard k8s KUBECONFIG path resolution pattern - G117: Secret marshaling required by Imperva/ThreatX APIs - G104: Handle AddEventHandler return value Reduces gosec findings from 5 to 0.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add leader election so only one replica performs certificate syncs at a time, preventing duplicate ACM imports that burn through the 5,000 import quota.
Problem
With multiple replicas, each independently watches secrets and imports certificates to ACM. This causes:
ImportCertificateAPI calls counting against the rolling 365-day quotaChanges
client-goLeaseLockinmain.gorunControlleras theOnStartedLeadingcallbackRole/RoleBindingforcoordination.k8s.ioLease accessKubeConfigfrom state package for leader election clientLEADER_ELECTION_ENABLED=falseto disableConfiguration
LEADER_ELECTION_ENABLEDtrueLEADER_ELECTION_NAMESPACELEADER_ELECTION_LOCK_NAMEcert-manager-sync-leaderHelm values