Merge pull request #228 from openshift-cherrypick-robot/cherry-pick-2…

…26-to-release-4.14

[release-4.14] OCPBUGS-28745: Increase concurrent reconciles to 10

main.go

@@ -54,6 +54,8 @@ func main() {
 	var machineNamespace string
 	var workloadKubeConfigPath string
 	var disableStatusController bool
+	var maxConcurrentReconciles int
+
 	var leaderElect bool
 	var leaderElectLeaseDuration time.Duration
 	var leaderElectRenewDeadline time.Duration
@@ -75,6 +77,7 @@ func main() {
 	flagSet.StringVar(&machineNamespace, "machine-namespace", "", "restrict machine operations to a specific namespace, if not set, all machines will be observed in approval decisions")
 	flagSet.StringVar(&workloadKubeConfigPath, "workload-cluster-kubeconfig", "", "workload kubeconfig path")
 	flagSet.BoolVar(&disableStatusController, "disable-status-controller", false, "disable status controller that will update the machine-approver clusteroperator status")
+	flagSet.IntVar(&maxConcurrentReconciles, "max-concurrent-reconciles", 1, "maximum number concurrent reconciles for the CSR approving controller")
 
 	flagSet.BoolVar(&leaderElect, "leader-elect", true, "use leader election when starting the manager.")
 	flagSet.DurationVar(&leaderElectLeaseDuration, "leader-elect-lease-duration", 137*time.Second, "the duration that non-leader candidates will wait to force acquire leadership.")
@@ -208,7 +211,9 @@ func main() {
 		NodeRestCfg:      workloadConfig,
 		Config:           controller.LoadConfig(cliConfig),
 		APIGroupVersions: parsedAPIGroupVersions,
-	}).SetupWithManager(mgr, ctrl.Options{}); err != nil {
+	}).SetupWithManager(mgr, ctrl.Options{
+		MaxConcurrentReconciles: maxConcurrentReconciles,
+	}); err != nil {
 		klog.Fatalf("unable to create CSR controller: %v", err)
 	}
 

manifests/04-deployment-capi.yaml

@@ -71,6 +71,7 @@ spec:
         - "--leader-elect-resource-name=capi-cluster-machine-approver-leader"
         - "--api-group-version=cluster.x-k8s.io/v1beta1"
         - "--disable-status-controller=true"
+        - "--max-concurrent-reconciles=10"
         resources:
           requests:
             memory: 50Mi

manifests/04-deployment.yaml

@@ -70,6 +70,7 @@ spec:
         - "--leader-elect-retry-period=26s"
         - "--leader-elect-resource-namespace=openshift-cluster-machine-approver"
         - "--api-group-version=machine.openshift.io/v1beta1"
+        - "--max-concurrent-reconciles=10"
         resources:
           requests:
             memory: 50Mi

pkg/controller/csr_check.go

@@ -510,7 +510,7 @@ func recentlyPendingNodeCSRs(csrs []certificatesv1.CertificateSigningRequest) in
 			continue
 		}
 
-		if (isReqFromNodeBootstrapper(&csr) || isRequestFromNodeUser(csr)) && !isApproved(csr) {
+		if (isReqFromNodeBootstrapper(&csr) || isRequestFromNodeUser(csr) && !isRequestFromMultus(csr)) && !isApproved(csr) {
 			pending++
 		}
 	}
@@ -522,6 +522,16 @@ func isRequestFromNodeUser(csr certificatesv1.CertificateSigningRequest) bool {
 	return strings.HasPrefix(csr.Spec.Username, nodeUserPrefix)
 }
 
+func isRequestFromMultus(csr certificatesv1.CertificateSigningRequest) bool {
+	parsedCSR, err := parseCSR(&csr)
+	if err != nil {
+		klog.Errorf("%v: Failed to parse csr: %v", csr.Name, err)
+		return false
+	}
+
+	return strings.HasPrefix(parsedCSR.Subject.CommonName, "system:multus:")
+}
+
 // getServingCert fetches the node by the given name and attempts to connect to
 // its kubelet on the first advertised address.
 //

pkg/controller/csr_check_test.go

@@ -37,7 +37,7 @@ import (
 var serverCertGood, serverKeyGood, rootCertGood string
 
 // Generated CRs, are populating within the init func
-var goodCSR, goodCSRECDSA, extraAddr, otherName, noNamePrefix, noGroup, clientGood, clientExtraO, clientWithDNS, clientWrongCN, clientEmptyName, emptyCSR string
+var goodCSR, goodCSRECDSA, extraAddr, otherName, noNamePrefix, noGroup, clientGood, clientExtraO, clientWithDNS, clientWrongCN, clientEmptyName, emptyCSR, multusCSRPEM string
 
 var presetTimeCorrect, presetTimeExpired time.Time
 
@@ -116,6 +116,7 @@ func init() {
 	clientWrongCN = createCSR("system:notnode:zebra", defaultOrgs, []net.IP{}, []string{})
 	clientEmptyName = createCSR("system:node:", defaultOrgs, []net.IP{}, []string{})
 	emptyCSR = "-----BEGIN??\n"
+	multusCSRPEM = createCSR("system:multus:", defaultOrgs, []net.IP{}, []string{})
 }
 
 func generateCertKeyPair(duration time.Duration, parentCertPEM, parentKeyPEM []byte, commonName string, otherNames ...string) ([]byte, []byte, error) {
@@ -1948,6 +1949,13 @@ func TestRecentlyPendingNodeBootstrapperCSRs(t *testing.T) {
 		},
 	}
 	pendingCSR := certificatesv1.CertificateSigningRequest{}
+	multusCSR := certificatesv1.CertificateSigningRequest{
+		Spec: certificatesv1.CertificateSigningRequestSpec{
+			Username: nodeUserPrefix + "clustername-abcde-master-us-west-1a-0",
+			Request:  []byte(multusCSRPEM),
+		},
+	}
+
 	pendingTime := baseTime.Add(time.Second)
 	pastApprovalTime := baseTime.Add(-maxPendingDelta)
 	preApprovalTime := baseTime.Add(10 * time.Second)
@@ -1992,6 +2000,11 @@ func TestRecentlyPendingNodeBootstrapperCSRs(t *testing.T) {
 			csrs:          []certificatesv1.CertificateSigningRequest{createdAt(preApprovalTime, pendingNodeBootstrapperCSR)},
 			expectPending: 0,
 		},
+		{
+			name:          "multus node CSR",
+			csrs:          []certificatesv1.CertificateSigningRequest{createdAt(pendingTime, multusCSR)},
+			expectPending: 0,
+		},
 		{
 			name: "multiple different csrs",
 			csrs: []certificatesv1.CertificateSigningRequest{
@@ -2001,6 +2014,7 @@ func TestRecentlyPendingNodeBootstrapperCSRs(t *testing.T) {
 
 				createdAt(pendingTime, pendingCSR),
 				createdAt(pendingTime, approvedNodeBootstrapperCSR),
+				createdAt(pendingTime, multusCSR),
 				createdAt(preApprovalTime, approvedNodeBootstrapperCSR),
 				createdAt(pastApprovalTime, approvedNodeBootstrapperCSR),
 				createdAt(preApprovalTime, pendingNodeBootstrapperCSR),