Erlang cluster on Kubernetes: Polling the CertificateRequest

23 Dec 2022 17:19 kubernetes cert-manager

In a previous post, I used sleep 5s to wait for cert-manager to complete the CertificateRequest. Instead, we should poll the status field.

That looks like this:

# Give it a chance to complete before we poll it the first time:
sleep 1s

for _ in 1 2 3 4 5; do
    res=$(curl -s \
        --header "Accept: application/json" \
        --header "Authorization: Bearer ${AUTH_TOKEN}" \
        --cacert "${CA_CERT_BUNDLE}" \
        "${certificate_requests_base_url}/$request_name")
    # `[]?` yields nothing (instead of a jq error) while .status.conditions is still unset.
    ready_status=$(echo "$res" | jq -r '.status.conditions[]? | select(.type == "Ready") | .status')
    if [ "$ready_status" = "True" ]; then break; fi

    sleep 5s
done

if [ "$ready_status" != "True" ]; then exit 1; fi

We start with a brief pause, to give cert-manager a chance, so that we don’t immediately poll the status and then sleep for 5s. Then, trying 5 times, we check to see if Ready becomes set to True. If it does, our certificate is issued and we can continue. If, after 5 attempts, it doesn’t, we’ve got a problem and we should fail.

This is fairly simplistic. After 5 attempts (~26 seconds), it gives up. If your cluster is taking longer than this to issue certificates, you might want to extend the sleep, or increase the number of retries. It might even be worth making them configurable.

It wasn’t worth it for me: my cluster issues certificates essentially immediately. There’s also an argument to be had about whether it’s better to fail to create a pod (by failing fairly quickly) or to leave the pod pending (by retrying for a long time).
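The configurable retries suggested above, as an added example that is not from the original post. It also stops early when the Ready condition reports cert-manager's Failed or Denied reason, instead of polling a request that will never be issued. POLL_ATTEMPTS, POLL_INTERVAL and the function names are assumptions, and the sample JSON is constructed.

```sh
# Added example (not the post's script). Requires jq.

# Classify a CertificateRequest (JSON on stdin): ready, failed or pending.
# cert-manager sets Ready=False with reason Failed or Denied when the
# request will not be issued, so those are treated as terminal.
cr_state() {
    jq -r '
        [.status.conditions[]? | select(.type == "Ready")][0]
        | if . == null then "pending"
          elif .status == "True" then "ready"
          elif .status == "False" and (.reason == "Failed" or .reason == "Denied") then "failed"
          else "pending" end' 2>/dev/null || echo pending
}

# Fetch the request with the same variables the post's script uses.
# --fail makes curl return non-zero (and no body) on HTTP errors.
fetch_cr() {
    curl -sS --fail \
        --header "Accept: application/json" \
        --header "Authorization: Bearer ${AUTH_TOKEN}" \
        --cacert "${CA_CERT_BUNDLE}" \
        "${certificate_requests_base_url}/${request_name}"
}

# Constructed sample: a request rejected by an approver.
sample_denied() {
    echo '{"status":{"conditions":[
        {"type":"Denied","status":"True","reason":"example-policy"},
        {"type":"Ready","status":"False","reason":"Denied"}]}}'
}

# Poll with command $1 until ready (0), timed out (1) or terminal failure (2).
# POLL_ATTEMPTS and POLL_INTERVAL are hypothetical names for the two knobs.
wait_for_cr() {
    attempts=${POLL_ATTEMPTS:-5}
    interval=${POLL_INTERVAL:-5}
    i=1
    while [ "$i" -le "$attempts" ]; do
        state=$("$1" | cr_state)
        case $state in
            ready)  return 0 ;;
            failed) echo "CertificateRequest failed or was denied" >&2; return 2 ;;
        esac
        # No sleep after the final attempt.
        if [ "$i" -lt "$attempts" ]; then sleep "$interval"; fi
        i=$((i + 1))
    done
    echo "timed out waiting for CertificateRequest" >&2
    return 1
}
```

In the post's script, the loop and the final check would become `wait_for_cr fetch_cr || exit 1`.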