jetstack-bot
commented
6 years ago Hi @ElvinEfendi. Thanks for your PR.
I'm waiting for a jetstack member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/devel/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
ElvinEfendi
The PR changes the update logic completely and makes it namespace specific. Before an update to an ingress would trigger a check on all ingresses but now it will trigger only for the ingresses in the updated ingress's namespace.
The periodic checks(by default every 8h) will still be applied to all ingresses under configured namespace(if non configured then it is all namespace, which is what we have in production). So nothing changes for it.
This saves a lot of unnecessary runs particularly in bigger clusters with many apps. It also makes kube-lego less vulnerable to domains that fails reachability/acme auth test. Because kube-lego goes through all the domains sequentially, if a domain is failing in the current run the newly added domain that will be processed by kube-lego will have to wait
5m(default exponential backoff time) + 5 more minutes if in the next run if the failing domain comes before the new domain, in total 10 minutes to get a certificate because of a single failing domain. The PR improves this situation drastically.