Use higher QPS for secrets reencryption (#10571)

* Use higher QPS for secrets reencryption

Signed-off-by: Derek Nola <derek.nola@suse.com>
pull/10704/head
Derek Nola 2024-07-26 12:07:26 -07:00
parent e495c42164
commit 1f238a0155
2 changed files with 9 additions and 8 deletions


@ -68,8 +68,7 @@ func Server(ctx context.Context, cfg *config.Control) error {
if err := secretsencrypt.Register(ctx, if err := secretsencrypt.Register(ctx,
controllerName, controllerName,
cfg, cfg,
cfg.Runtime.Core.Core().V1().Node(), cfg.Runtime.Core.Core().V1().Node()); err != nil {
cfg.Runtime.Core.Core().V1().Secret()); err != nil {
logrus.Errorf("Failed to register %s controller: %v", controllerName, err) logrus.Errorf("Failed to register %s controller: %v", controllerName, err)
} }
} }


@ -38,7 +38,7 @@ type handler struct {
ctx context.Context ctx context.Context
controlConfig *config.Control controlConfig *config.Control
nodes coreclient.NodeController nodes coreclient.NodeController
secrets coreclient.SecretController k8s *kubernetes.Clientset
recorder record.EventRecorder recorder record.EventRecorder
} }
@ -47,12 +47,14 @@ func Register(
controllerName string, controllerName string,
controlConfig *config.Control, controlConfig *config.Control,
nodes coreclient.NodeController, nodes coreclient.NodeController,
secrets coreclient.SecretController,
) error { ) error {
restConfig, err := clientcmd.BuildConfigFromFlags("", controlConfig.Runtime.KubeConfigSupervisor) restConfig, err := clientcmd.BuildConfigFromFlags("", controlConfig.Runtime.KubeConfigSupervisor)
if err != nil { if err != nil {
return err return err
} }
// For secrets we need a much higher QPS than what wrangler provides, so we create a new clientset
restConfig.QPS = 200
restConfig.Burst = 200
k8s, err := kubernetes.NewForConfig(restConfig) k8s, err := kubernetes.NewForConfig(restConfig)
if err != nil { if err != nil {
return err return err
@ -62,7 +64,7 @@ func Register(
ctx: ctx, ctx: ctx,
controlConfig: controlConfig, controlConfig: controlConfig,
nodes: nodes, nodes: nodes,
secrets: secrets, k8s: k8s,
recorder: util.BuildControllerEventRecorder(k8s, controllerAgentName, metav1.NamespaceDefault), recorder: util.BuildControllerEventRecorder(k8s, controllerAgentName, metav1.NamespaceDefault),
} }
@ -217,7 +219,7 @@ func (h *handler) validateReencryptStage(node *corev1.Node, annotation string) (
func (h *handler) updateSecrets(nodeRef *corev1.ObjectReference) error { func (h *handler) updateSecrets(nodeRef *corev1.ObjectReference) error {
secretPager := pager.New(pager.SimplePageFunc(func(opts metav1.ListOptions) (runtime.Object, error) { secretPager := pager.New(pager.SimplePageFunc(func(opts metav1.ListOptions) (runtime.Object, error) {
return h.secrets.List(metav1.NamespaceAll, opts) return h.k8s.CoreV1().Secrets(metav1.NamespaceAll).List(h.ctx, opts)
})) }))
secretPager.PageSize = secretListPageSize secretPager.PageSize = secretListPageSize
@ -227,10 +229,10 @@ func (h *handler) updateSecrets(nodeRef *corev1.ObjectReference) error {
if !ok { if !ok {
return errors.New("failed to convert object to Secret") return errors.New("failed to convert object to Secret")
} }
if _, err := h.secrets.Update(secret); err != nil && !apierrors.IsConflict(err) { if _, err := h.k8s.CoreV1().Secrets(secret.Namespace).Update(h.ctx, secret, metav1.UpdateOptions{}); err != nil && !apierrors.IsConflict(err) {
return fmt.Errorf("failed to update secret: %v", err) return fmt.Errorf("failed to update secret: %v", err)
} }
if i != 0 && i%10 == 0 { if i != 0 && i%50 == 0 {
h.recorder.Eventf(nodeRef, corev1.EventTypeNormal, secretsProgressEvent, "reencrypted %d secrets", i) h.recorder.Eventf(nodeRef, corev1.EventTypeNormal, secretsProgressEvent, "reencrypted %d secrets", i)
} }
i++ i++
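Review bot: The rate limits added in Register (`restConfig.QPS = 200`, `restConfig.Burst = 200`) are bare literals, and the clientset built from them is the same `k8s` passed to `util.BuildControllerEventRecorder`, so progress events draw from the same client-side limiter as the secret rewrites. I would define them as named constants beside `secretListPageSize`, for example `restConfig.QPS = secretsUpdateQPS` and `restConfig.Burst = secretsUpdateBurst`, and extend the comment to note that this clientset is built from `KubeConfigSupervisor` and that the limit is enforced only on the client. In updateSecrets, the `!apierrors.IsConflict(err)` filter now wraps a direct clientset `Update`; a short comment such as `// conflict: another writer updated the secret first, which presumably re-encrypts it with the current key` would record why skipping is acceptable during a key rotation, if that is the intent. Both Register and updateSecrets continue outside the visible hunks, so the constant block and the rest of the loop are not shown here.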