Bug 1785023: Increase pull secrets controller QPS to 100

Increase the k8s client QPS limit to 100, 200 burst for the service account pull secrets controller. This ensures that pull secrets for the registry are created as quickly as the tokens are generated.
openshift · Apr 1, 2020 · 197704d · 197704d
1 parent 536bbb0
commit 197704d
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/pkg/cmd/controller/interfaces.go b/pkg/cmd/controller/interfaces.go
@@ -94,6 +94,16 @@ func NewControllerContext(
 		return nil, err
 	}
 
+	// Create a new clientConfig for high rate limit workloads.
+	// Increase kube QPS to at least 100 QPS, burst to at least 200 QPS.
+	highRateLimitClientConfig := rest.CopyConfig(inClientConfig)
+	if highRateLimitClientConfig.QPS < 100 {
+		highRateLimitClientConfig.QPS = 100
+	}
+	if highRateLimitClientConfig.Burst < 200 {
+		highRateLimitClientConfig.Burst = 200
+	}
+
 	openshiftControllerContext := &ControllerContext{
 		OpenshiftControllerConfig: config,
 
@@ -105,6 +115,14 @@ func NewControllerContext(
 				Namespace:            defaultOpenShiftInfraNamespace,
 			},
 		},
+		HighRateLimitClientBuilder: OpenshiftControllerClientBuilder{
+			ControllerClientBuilder: controller.SAControllerClientBuilder{
+				ClientConfig:         rest.AnonymousClientConfig(highRateLimitClientConfig),
+				CoreClient:           kubeClient.CoreV1(),
+				AuthenticationClient: kubeClient.AuthenticationV1(),
+				Namespace:            defaultOpenShiftInfraNamespace,
+			},
+		},
 		KubernetesInformers:                informers.NewSharedInformerFactory(kubeClient, defaultInformerResyncPeriod),
 		OpenshiftConfigKubernetesInformers: informers.NewSharedInformerFactoryWithOptions(kubeClient, defaultInformerResyncPeriod, informers.WithNamespace("openshift-config")),
 		ControllerManagerKubeInformers:     informers.NewSharedInformerFactoryWithOptions(kubeClient, defaultInformerResyncPeriod, informers.WithNamespace("openshift-controller-manager")),
@@ -154,6 +172,9 @@ type ControllerContext struct {
 
 	// ClientBuilder will provide a client for this controller to use
 	ClientBuilder ControllerClientBuilder
+	// HighRateLimitClientBuilder will provide a client for this controller utilizing a higher rate limit.
+	// This will have a rate limit of at least 100 QPS, with a burst up to 200 QPS.
+	HighRateLimitClientBuilder ControllerClientBuilder
 
 	KubernetesInformers                informers.SharedInformerFactory
 	OpenshiftConfigKubernetesInformers informers.SharedInformerFactory

diff --git a/pkg/cmd/controller/serviceaccount.go b/pkg/cmd/controller/serviceaccount.go
@@ -43,7 +43,10 @@ func RunServiceAccountController(ctx *ControllerContext) (bool, error) {
 }
 
 func RunServiceAccountPullSecretsController(ctx *ControllerContext) (bool, error) {
-	kc := ctx.ClientBuilder.ClientOrDie(iInfraServiceAccountPullSecretsControllerServiceAccountName)
+	// Bug 1785023: Increase the rate limit for the SA Pull Secrets controller.
+	// The pull secrets controller needs to create new dockercfg secrets at the same rate as the
+	// upstream token secret controller.
+	kc := ctx.HighRateLimitClientBuilder.ClientOrDie(iInfraServiceAccountPullSecretsControllerServiceAccountName)
 
 	go serviceaccountcontrollers.NewDockercfgDeletedController(
 		ctx.KubernetesInformers.Core().V1().Secrets(),