avoid using the node informer

pkg/operator/etcdcertsigner/etcdcertsignercontroller.go

@@ -56,14 +56,15 @@ type nodeCertConfigs struct {
 }
 
 type EtcdCertSignerController struct {
-	eventRecorder  events.Recorder
-	kubeClient     kubernetes.Interface
-	operatorClient v1helpers.StaticPodOperatorClient
-	nodeLister     corev1listers.NodeLister
-	secretInformer corev1informers.SecretInformer
-	secretLister   corev1listers.SecretLister
-	secretClient   corev1client.SecretsGetter
-	quorumChecker  ceohelpers.QuorumChecker
+	eventRecorder      events.Recorder
+	kubeClient         kubernetes.Interface
+	operatorClient     v1helpers.StaticPodOperatorClient
+	masterNodeLister   corev1listers.NodeLister
+	masterNodeSelector labels.Selector
+	secretInformer     corev1informers.SecretInformer
+	secretLister       corev1listers.SecretLister
+	secretClient       corev1client.SecretsGetter
+	quorumChecker      ceohelpers.QuorumChecker
 
 	certConfig *certConfig
 }
@@ -77,14 +78,11 @@ func NewEtcdCertSignerController(
 	kubeClient kubernetes.Interface,
 	operatorClient v1helpers.StaticPodOperatorClient,
 	kubeInformers v1helpers.KubeInformersForNamespaces,
+	masterNodeLister corev1listers.NodeLister,
+	masterNodeSelector labels.Selector,
 	eventRecorder events.Recorder,
 	quorumChecker ceohelpers.QuorumChecker,
 ) factory.Controller {
-
-	// we're only interested in changes to control plane nodes
-	/*controlPlaneNodeInformer := corev1informers.NewFilteredNodeInformer(kubeClient, 1*time.Hour, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, func(listOptions *metav1.ListOptions) {
-		listOptions.LabelSelector = "node-role.kubernetes.io/master"
-	})*/
 	eventRecorder = eventRecorder.WithComponentSuffix("etcd-cert-signer-controller")
 	cmInformer := kubeInformers.InformersFor(operatorclient.TargetNamespace).Core().V1().ConfigMaps()
 	cmLister := cmInformer.Lister()
@@ -124,27 +122,28 @@ func NewEtcdCertSignerController(
 	}
 
 	c := &EtcdCertSignerController{
-		eventRecorder:  eventRecorder,
-		kubeClient:     kubeClient,
-		operatorClient: operatorClient,
-		nodeLister:     kubeInformers.InformersFor("").Core().V1().Nodes().Lister(),
-		secretInformer: secretInformer,
-		secretLister:   secretLister,
-		secretClient:   secretClient,
-		quorumChecker:  quorumChecker,
-		certConfig:     certCfg,
+		eventRecorder:      eventRecorder,
+		kubeClient:         kubeClient,
+		operatorClient:     operatorClient,
+		masterNodeLister:   masterNodeLister,
+		masterNodeSelector: masterNodeSelector,
+		secretInformer:     secretInformer,
+		secretLister:       secretLister,
+		secretClient:       secretClient,
+		quorumChecker:      quorumChecker,
+		certConfig:         certCfg,
 	}
 
 	syncer := health.NewDefaultCheckingSyncWrapper(c.sync)
 	livenessChecker.Add("EtcdCertSignerController", syncer)
 
-	return factory.New().ResyncEvery(time.Minute).WithInformers(
-		// controlPlaneNodeInformer,
-		kubeInformers.InformersFor("").Core().V1().Nodes().Informer(),
+	return factory.New().ResyncEvery(2*time.Minute).WithInformers(
+		// we are deliberately leaving out the master node informer here:
+		// node updates are on the order of the kubelet heartbeat intervals (2-5s), which makes calling this controller
+		// prohibitively expensive CPU-wise. We thus rely mostly on the re-sync interval of two minutes.
 		kubeInformers.InformersFor(operatorclient.GlobalUserSpecifiedConfigNamespace).Core().V1().Secrets().Informer(),
-		cmInformer.Informer(),
 		secretInformer.Informer(),
-		operatorClient.Informer(),
+		cmInformer.Informer(),
 	).WithSync(syncer.Sync).ToController("EtcdCertSignerController", c.eventRecorder)
 }
 
@@ -294,7 +293,7 @@ func (c *EtcdCertSignerController) syncAllMasterCertificates(ctx context.Context
 // This works, because initialization is cheap and all state is kept in secrets, configmaps and their annotations.
 func (c *EtcdCertSignerController) createNodeCertConfigs() ([]*nodeCertConfigs, error) {
 	var cfgs []*nodeCertConfigs
-	nodes, err := c.nodeLister.List(labels.Set{"node-role.kubernetes.io/master": ""}.AsSelector())
+	nodes, err := c.masterNodeLister.List(c.masterNodeSelector)
 	if err != nil {
 		return cfgs, err
 	}

pkg/operator/etcdcertsigner/etcdcertsignercontroller_test.go

@@ -16,6 +16,7 @@ import (
 	"go.etcd.io/etcd/api/v3/etcdserverpb"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes/fake"
 	corev1listers "k8s.io/client-go/listers/core/v1"
@@ -290,6 +291,9 @@ func setupControllerWithEtcd(t *testing.T, objects []runtime.Object, etcdMembers
 		nil,
 	)
 
+	nodeSelector, err := labels.Parse("node-role.kubernetes.io/master")
+	require.NoError(t, err)
+
 	fakeEtcdClient, err := etcdcli.NewFakeEtcdClient(etcdMembers)
 	require.NoError(t, err)
 
@@ -310,6 +314,8 @@ func setupControllerWithEtcd(t *testing.T, objects []runtime.Object, etcdMembers
 		fakeKubeClient,
 		fakeOperatorClient,
 		kubeInformerForNamespace,
+		kubeInformerForNamespace.InformersFor("").Core().V1().Nodes().Lister(),
+		nodeSelector,
 		recorder,
 		quorumChecker)
 

pkg/operator/starter.go

@@ -351,6 +351,8 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 		coreClient,
 		operatorClient,
 		kubeInformersForNamespaces,
+		masterNodeLister,
+		masterMachineLabelSelector,
 		controllerContext.EventRecorder,
 		quorumChecker,
 	)