diff --git a/main.go b/main.go
index 2d9efd4b9..fa3624a1a 100644
--- a/main.go
+++ b/main.go
@@ -54,6 +54,8 @@ func main() {
 var machineNamespace string
 var workloadKubeConfigPath string
 var disableStatusController bool
+ var maxConcurrentReconciles int
+
 var leaderElect bool
 var leaderElectLeaseDuration time.Duration
 var leaderElectRenewDeadline time.Duration
@@ -75,6 +77,7 @@ func main() {
 flagSet.StringVar(&machineNamespace, "machine-namespace", "", "restrict machine operations to a specific namespace, if not set, all machines will be observed in approval decisions")
 flagSet.StringVar(&workloadKubeConfigPath, "workload-cluster-kubeconfig", "", "workload kubeconfig path")
 flagSet.BoolVar(&disableStatusController, "disable-status-controller", false, "disable status controller that will update the machine-approver clusteroperator status")
+ flagSet.IntVar(&maxConcurrentReconciles, "max-concurrent-reconciles", 1, "maximum number concurrent reconciles for the CSR approving controller")
 flagSet.BoolVar(&leaderElect, "leader-elect", true, "use leader election when starting the manager.")
 flagSet.DurationVar(&leaderElectLeaseDuration, "leader-elect-lease-duration", 137*time.Second, "the duration that non-leader candidates will wait to force acquire leadership.")
@@ -208,7 +211,9 @@ func main() {
 NodeRestCfg: workloadConfig,
 Config: controller.LoadConfig(cliConfig),
 APIGroupVersions: parsedAPIGroupVersions,
- }).SetupWithManager(mgr, ctrl.Options{}); err != nil {
+ }).SetupWithManager(mgr, ctrl.Options{
+ MaxConcurrentReconciles: maxConcurrentReconciles,
+ }); err != nil {
 klog.Fatalf("unable to create CSR controller: %v", err)
 }
diff --git a/manifests/04-deployment-capi.yaml b/manifests/04-deployment-capi.yaml
index cb1942cbf..5dce6d7a4 100644
--- a/manifests/04-deployment-capi.yaml
+++ b/manifests/04-deployment-capi.yaml
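Review bot: The help text for the new `--max-concurrent-reconciles` flag reads "maximum number concurrent reconciles" (missing "of"), and nothing rejects a zero or negative value; the value is passed straight into ctrl.Options further down main.go, and whether controller-runtime clamps a non-positive count to 1 or rejects it is not visible here. Because this number bounds how many CSR approval decisions run in parallel, I would validate it explicitly after flagSet.Parse (outside this hunk): `if maxConcurrentReconciles < 1 { klog.Fatalf("--max-concurrent-reconciles must be at least 1, got %d", maxConcurrentReconciles) }`, and change the help string to `"maximum number of concurrent reconciles for the CSR approving controller"`. main's body continues well past this hunk.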
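Review bot: Setting MaxConcurrentReconciles above 1 here lets several workers evaluate recentlyPendingNodeCSRs (csr_check.go) at the same time, each against a listed snapshot that does not include approvals the other workers are about to make; if that pending count gates approval as a flood guard, which the maxPendingDelta used in the tests suggests, the effective threshold becomes up to maxConcurrentReconciles-1 approvals looser than with a single worker. That is probably acceptable for a heuristic, but the trade-off should be recorded where the option is set, e.g. `// Approval checks are not serialized across workers: the pending-CSR threshold is approximate under concurrency.`. The SetupWithManager call this hunk edits begins before the hunk.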
@@ -71,6 +71,7 @@ spec:
 - "--leader-elect-resource-name=capi-cluster-machine-approver-leader"
 - "--api-group-version=cluster.x-k8s.io/v1beta1"
 - "--disable-status-controller=true"
+ - "--max-concurrent-reconciles=10"
 resources:
 requests:
 memory: 50Mi
diff --git a/manifests/04-deployment.yaml b/manifests/04-deployment.yaml
index df71a63f7..6bbe6828e 100644
--- a/manifests/04-deployment.yaml
+++ b/manifests/04-deployment.yaml
@@ -70,6 +70,7 @@ spec:
 - "--leader-elect-retry-period=26s"
 - "--leader-elect-resource-namespace=openshift-cluster-machine-approver"
 - "--api-group-version=machine.openshift.io/v1beta1"
+ - "--max-concurrent-reconciles=10"
 resources:
 requests:
 memory: 50Mi
diff --git a/pkg/controller/csr_check.go b/pkg/controller/csr_check.go
index 3ac273561..4d007cbad 100644
--- a/pkg/controller/csr_check.go
+++ b/pkg/controller/csr_check.go
@@ -510,7 +510,7 @@ func recentlyPendingNodeCSRs(csrs []certificatesv1.CertificateSigningRequest) in
 continue
 }
- if (isReqFromNodeBootstrapper(&csr) || isRequestFromNodeUser(csr)) && !isApproved(csr) {
+ if (isReqFromNodeBootstrapper(&csr) || isRequestFromNodeUser(csr) && !isRequestFromMultus(csr)) && !isApproved(csr) {
 pending++
 }
 }
@@ -522,6 +522,16 @@ func isRequestFromNodeUser(csr certificatesv1.CertificateSigningRequest) bool {
 return strings.HasPrefix(csr.Spec.Username, nodeUserPrefix)
 }
+func isRequestFromMultus(csr certificatesv1.CertificateSigningRequest) bool {
+ parsedCSR, err := parseCSR(&csr)
+ if err != nil {
+ klog.Errorf("%v: Failed to parse csr: %v", csr.Name, err)
+ return false
+ }
+
+ return strings.HasPrefix(parsedCSR.Subject.CommonName, "system:multus:")
+}
+
 // getServingCert fetches the node by the given name and attempts to connect to
 // its kubelet on the first advertised address.
 //
diff --git a/pkg/controller/csr_check_test.go b/pkg/controller/csr_check_test.go
index ba93baa04..27d3b4b68 100644
--- a/pkg/controller/csr_check_test.go
+++ b/pkg/controller/csr_check_test.go
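Review bot: The rewritten condition depends on `&&` binding tighter than `||`, so it evaluates as `bootstrapper || (nodeUser && !multus)`; that is presumably the intent, but the old expression was fully parenthesized, and mixed operators inside one group are easy to misread in a check that feeds approval decisions. I would make the grouping explicit: `if (isReqFromNodeBootstrapper(&csr) || (isRequestFromNodeUser(csr) && !isRequestFromMultus(csr))) && !isApproved(csr) {`. Note also that the exemption keys on the CSR's CommonName, which the requester chooses, so a node credential can submit requests that no longer count toward this total; if the count exists to slow down a flooding node, a comment here should say the exemption is deliberate and why it is safe. recentlyPendingNodeCSRs starts before this hunk.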
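Review bot: isRequestFromMultus has no doc comment and hard-codes the "system:multus:" prefix inline while the neighbouring check uses the nodeUserPrefix constant; a parse failure is also logged at error level, and because this now runs for every pending node-user CSR on every reconcile, a single unparsable request will produce a steady stream of errors (treating it as not-multus, i.e. still pending, is the right fail-closed choice). I would add `const multusUserPrefix = "system:multus:"` next to nodeUserPrefix, use it here, and document the function with something like `// isRequestFromMultus reports whether the CSR's subject CommonName starts with the multus prefix. The CommonName is chosen by the requester, so this classifies the request but does not authenticate it; requests that fail to parse are reported as not from multus.` The parse-failure log probably belongs at warning or V(4) level given how often it can fire, though that depends on how noisy the logs already are.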
@@ -37,7 +37,7 @@ import (
 var serverCertGood, serverKeyGood, rootCertGood string
 // Generated CRs, are populating within the init func
-var goodCSR, goodCSRECDSA, extraAddr, otherName, noNamePrefix, noGroup, clientGood, clientExtraO, clientWithDNS, clientWrongCN, clientEmptyName, emptyCSR string
+var goodCSR, goodCSRECDSA, extraAddr, otherName, noNamePrefix, noGroup, clientGood, clientExtraO, clientWithDNS, clientWrongCN, clientEmptyName, emptyCSR, multusCSRPEM string
 var presetTimeCorrect, presetTimeExpired time.Time
@@ -116,6 +116,7 @@ func init() {
 clientWrongCN = createCSR("system:notnode:zebra", defaultOrgs, []net.IP{}, []string{})
 clientEmptyName = createCSR("system:node:", defaultOrgs, []net.IP{}, []string{})
 emptyCSR = "-----BEGIN??\n"
+ multusCSRPEM = createCSR("system:multus:", defaultOrgs, []net.IP{}, []string{})
 }
 func generateCertKeyPair(duration time.Duration, parentCertPEM, parentKeyPEM []byte, commonName string, otherNames ...string) ([]byte, []byte, error) {
@@ -1948,6 +1949,13 @@ func TestRecentlyPendingNodeBootstrapperCSRs(t *testing.T) {
 },
 }
 pendingCSR := certificatesv1.CertificateSigningRequest{}
+ multusCSR := certificatesv1.CertificateSigningRequest{
+ Spec: certificatesv1.CertificateSigningRequestSpec{
+ Username: nodeUserPrefix + "clustername-abcde-master-us-west-1a-0",
+ Request: []byte(multusCSRPEM),
+ },
+ }
+
 pendingTime := baseTime.Add(time.Second)
 pastApprovalTime := baseTime.Add(-maxPendingDelta)
 preApprovalTime := baseTime.Add(10 * time.Second)
@@ -1992,6 +2000,11 @@ func TestRecentlyPendingNodeBootstrapperCSRs(t *testing.T) {
 csrs: []certificatesv1.CertificateSigningRequest{createdAt(preApprovalTime, pendingNodeBootstrapperCSR)},
 expectPending: 0,
 },
+ {
+ name: "multus node CSR",
+ csrs: []certificatesv1.CertificateSigningRequest{createdAt(pendingTime, multusCSR)},
+ expectPending: 0,
+ },
 {
 name: "multiple different csrs",
 csrs: []certificatesv1.CertificateSigningRequest{
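Review bot: The new "multus node CSR" case only covers the happy path of the exemption; nothing exercises the fail-closed branch of isRequestFromMultus, where a node-user CSR whose request body does not parse must still be counted as pending, and that branch is what stops a malformed request from slipping out of the count. The existing emptyCSR fixture ("-----BEGIN??\n", not valid PEM, so parseCSR should reject it) makes this a small addition: one more fixture beside multusCSR and one more table entry expecting a count of 1. The test table continues past this hunk.
```go
// … unchanged: multusCSR fixture …
unparsableNodeCSR := certificatesv1.CertificateSigningRequest{
	Spec: certificatesv1.CertificateSigningRequestSpec{
		Username: nodeUserPrefix + "clustername-abcde-master-us-west-1a-0",
		Request:  []byte(emptyCSR),
	},
}
// … unchanged: other table entries …
{
	name:          "unparsable node CSR still counts as pending",
	csrs:          []certificatesv1.CertificateSigningRequest{createdAt(pendingTime, unparsableNodeCSR)},
	expectPending: 1,
},
```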
@@ -2001,6 +2014,7 @@ func TestRecentlyPendingNodeBootstrapperCSRs(t *testing.T) {
 createdAt(pendingTime, pendingCSR),
 createdAt(pendingTime, approvedNodeBootstrapperCSR),
+ createdAt(pendingTime, multusCSR),
 createdAt(preApprovalTime, approvedNodeBootstrapperCSR),
 createdAt(pastApprovalTime, approvedNodeBootstrapperCSR),
 createdAt(preApprovalTime, pendingNodeBootstrapperCSR),