From 14106155541971de290754e36092d067b2f1d9db Mon Sep 17 00:00:00 2001
From: Stefan Prodan
Date: Mon, 21 Feb 2022 13:08:31 +0200
Subject: [PATCH] Set QPS and Burst when impersonating service account

Signed-off-by: Stefan Prodan
---
 api/go.mod | 2 +-
 api/go.sum | 5 +++--
 controllers/helmrelease_controller.go | 2 +-
 go.mod | 2 +-
 go.sum | 5 ++---
 internal/kube/client.go | 14 +++++++++-----
 6 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/api/go.mod b/api/go.mod
index 4eed76a1a..b56c921cc 100644
--- a/api/go.mod
+++ b/api/go.mod
@@ -5,7 +5,7 @@ go 1.17
 require (
 github.com/fluxcd/pkg/apis/kustomize v0.3.1
 github.com/fluxcd/pkg/apis/meta v0.10.2
- github.com/fluxcd/pkg/runtime v0.12.3
+ github.com/fluxcd/pkg/runtime v0.12.5
 k8s.io/apiextensions-apiserver v0.23.1
 k8s.io/apimachinery v0.23.1
 sigs.k8s.io/controller-runtime v0.11.0
diff --git a/api/go.sum b/api/go.sum
index 4e9d8fa29..807e85530 100644
--- a/api/go.sum
+++ b/api/go.sum
@@ -121,12 +121,13 @@ github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMi github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/fluxcd/pkg/apis/acl v0.0.3/go.mod h1:XPts6lRJ9C9fIF9xVWofmQwftvhY25n1ps7W9xw0XLU= github.com/fluxcd/pkg/apis/kustomize v0.3.1 h1:wmb5D9e1+Rr3/5O3235ERuj+h2VKUArVfYYk68QKP+w= github.com/fluxcd/pkg/apis/kustomize v0.3.1/go.mod h1:k2HSRd68UwgNmOYBPOd6WbX6a2MH2X/Jeh7e3s3PFPc= github.com/fluxcd/pkg/apis/meta v0.10.2 h1:pnDBBEvfs4HaKiVAYgz+e/AQ8dLvcgmVfSeBroZ/KKI= github.com/fluxcd/pkg/apis/meta v0.10.2/go.mod h1:KQ2er9xa6koy7uoPMZjIjNudB5p4tXs+w0GO6fRcy7I= -github.com/fluxcd/pkg/runtime v0.12.3 h1:h21AZ3YG5MAP7DxFF9hfKrP+vFzys2L7CkUbPFjbP/0= -github.com/fluxcd/pkg/runtime v0.12.3/go.mod h1:imJ2xYy/d4PbSinX2IefmZk+iS2c1P5fY0js8mCE4SM= +github.com/fluxcd/pkg/runtime v0.12.5 h1:/8+0UBnSHbO9DVG9IFTjc37lwofsixGbs5WpHso8n5s= +github.com/fluxcd/pkg/runtime v0.12.5/go.mod h1:gspNvhAqodZgSmK1ZhMtvARBf/NGAlxmaZaIOHkJYsc= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
diff --git a/controllers/helmrelease_controller.go b/controllers/helmrelease_controller.go
index 0f2c595f4..32b91f0ab 100644
--- a/controllers/helmrelease_controller.go
+++ b/controllers/helmrelease_controller.go
@@ -495,7 +495,7 @@ func (r *HelmReleaseReconciler) getRESTClientGetter(ctx context.Context, hr v2.H
 if len(kubeConfig) == 0 {
 return nil, fmt.Errorf("KubeConfig secret '%s' does not contain a 'value' key", secretName)
 }
- return kube.NewMemoryRESTClientGetter(kubeConfig, hr.GetReleaseNamespace(), impersonateAccount), nil
+ return kube.NewMemoryRESTClientGetter(kubeConfig, hr.GetReleaseNamespace(), impersonateAccount, r.Config.QPS, r.Config.Burst), nil
 }
 if r.DefaultServiceAccount != "" || hr.Spec.ServiceAccountName != "" {
diff --git a/go.mod b/go.mod
index ca01ceaa8..d3f063656 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
 github.com/fluxcd/pkg/apis/acl v0.0.3
 github.com/fluxcd/pkg/apis/kustomize v0.3.1
 github.com/fluxcd/pkg/apis/meta v0.10.2
- github.com/fluxcd/pkg/runtime v0.12.4
+ github.com/fluxcd/pkg/runtime v0.12.5
 github.com/fluxcd/source-controller/api v0.21.1
 github.com/go-logr/logr v1.2.2
 github.com/hashicorp/go-retryablehttp v0.6.8
diff --git a/go.sum b/go.sum
index 01412d6e4..e55d29d48 100644
--- a/go.sum
+++ b/go.sum
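Review bot: `r.Config` is dereferenced on the new `return kube.NewMemoryRESTClientGetter(...)` line in controllers/helmrelease_controller.go with no visible nil check, and its `QPS`/`Burst` are forwarded as-is to a client built from the kubeconfig Secret. If the reconciler can be constructed without `Config` (tests, alternative wiring) this path would panic; whether it is always set cannot be seen here because getRESTClientGetter starts and ends outside the hunk. A comment such as `// QPS/Burst come from the controller's own rest.Config and are reused for the client of the cluster named in the kubeconfig Secret.` would record that the limits are controller-wide rather than per target cluster.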
@@ -319,9 +319,8 @@ github.com/fluxcd/pkg/apis/kustomize v0.3.1 h1:wmb5D9e1+Rr3/5O3235ERuj+h2VKUArVf github.com/fluxcd/pkg/apis/kustomize v0.3.1/go.mod h1:k2HSRd68UwgNmOYBPOd6WbX6a2MH2X/Jeh7e3s3PFPc= github.com/fluxcd/pkg/apis/meta v0.10.2 h1:pnDBBEvfs4HaKiVAYgz+e/AQ8dLvcgmVfSeBroZ/KKI= github.com/fluxcd/pkg/apis/meta v0.10.2/go.mod h1:KQ2er9xa6koy7uoPMZjIjNudB5p4tXs+w0GO6fRcy7I= -github.com/fluxcd/pkg/runtime v0.12.3/go.mod h1:imJ2xYy/d4PbSinX2IefmZk+iS2c1P5fY0js8mCE4SM= -github.com/fluxcd/pkg/runtime v0.12.4 h1:gA27RG/+adN2/7Qe03PB46Iwmye/MusPCpuS4zQ2fW0= -github.com/fluxcd/pkg/runtime v0.12.4/go.mod h1:gspNvhAqodZgSmK1ZhMtvARBf/NGAlxmaZaIOHkJYsc= +github.com/fluxcd/pkg/runtime v0.12.5 h1:/8+0UBnSHbO9DVG9IFTjc37lwofsixGbs5WpHso8n5s= +github.com/fluxcd/pkg/runtime v0.12.5/go.mod h1:gspNvhAqodZgSmK1ZhMtvARBf/NGAlxmaZaIOHkJYsc= github.com/fluxcd/source-controller/api v0.21.1 h1:7X39YQHmB1vmIBrHxU+YAqxwtdC9Zh+tdtMKREW3xiQ= github.com/fluxcd/source-controller/api v0.21.1/go.mod h1:Ab2qDmAUz6ZCp8UaHYLYzxyFrC1FQqEqjxiROb/Rdiw= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
diff --git a/internal/kube/client.go b/internal/kube/client.go
index cf853b2c5..39a9a3494 100644
--- a/internal/kube/client.go
+++ b/internal/kube/client.go
@@ -32,6 +32,8 @@ func NewInClusterRESTClientGetter(cfg *rest.Config, namespace string) genericcli
 flags.BearerToken = &cfg.BearerToken
 flags.CAFile = &cfg.CAFile
 flags.Namespace = &namespace
+ flags.WithDiscoveryBurst(cfg.Burst)
+ flags.WithDiscoveryQPS(cfg.QPS)
 if sa := cfg.Impersonate.UserName; sa != "" {
 flags.Impersonate = &sa
 }
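Review bot: `flags.WithDiscoveryBurst(cfg.Burst)` and `flags.WithDiscoveryQPS(cfg.QPS)` are called unconditionally, so a `rest.Config` whose QPS/Burst were never set passes zero, which as far as I can tell replaces the ConfigFlags discovery defaults and lets client-go fall back to its low built-in limits (QPS 5, burst 10); a negative QPS, to my knowledge, turns client-side throttling off altogether. Guarding each call, e.g. `if cfg.Burst > 0 { flags.WithDiscoveryBurst(cfg.Burst) }` and the same for QPS, keeps the previous behaviour when the values are unset or invalid. The same unguarded assignment appears in the ToDiscoveryClient hunk (`config.QPS = c.qps`, `config.Burst = c.burst`), where it replaces the former fixed `config.Burst = 100`. NewInClusterRESTClientGetter starts and ends outside this hunk.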
@@ -45,13 +47,17 @@ type MemoryRESTClientGetter struct {
 kubeConfig []byte
 namespace string
 impersonateAccount string
+ qps float32
+ burst int
 }
-func NewMemoryRESTClientGetter(kubeConfig []byte, namespace string, impersonateAccount string) genericclioptions.RESTClientGetter {
+func NewMemoryRESTClientGetter(kubeConfig []byte, namespace string, impersonateAccount string, qps float32, burst int) genericclioptions.RESTClientGetter {
 return &MemoryRESTClientGetter{
 kubeConfig: kubeConfig,
 namespace: namespace,
 impersonateAccount: impersonateAccount,
+ qps: qps,
+ burst: burst,
 }
 }
@@ -76,10 +82,8 @@ func (c *MemoryRESTClientGetter) ToDiscoveryClient() (discovery.CachedDiscoveryI config.Impersonate = rest.ImpersonationConfig{UserName: c.impersonateAccount} } - // The more groups you have, the more discovery requests you need to make. // given 25 groups (our groups + a few custom resources) with one-ish version each, discovery needs to make 50 requests // double it just so we don't end up here again for a while. This config is only used for discovery. - config.Burst = 100 + config.QPS = c.qps + config.Burst = c.burst discoveryClient, _ := discovery.NewDiscoveryClientForConfig(config) return memory.NewMemCacheClient(discoveryClient), nil
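Review bot: The exported constructor `NewMemoryRESTClientGetter` gains two positional parameters, but neither it nor the new `qps` and `burst` struct fields carry a comment saying what the values limit or what zero means. I would add `// NewMemoryRESTClientGetter returns a RESTClientGetter backed by the given kubeconfig bytes; qps and burst are the client-side rate limits applied to its discovery client.` above the function and `// client-side rate limits; zero falls back to the client-go defaults` next to the fields. The zero-value wording is my reading of client-go and should be confirmed before it is written down.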
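Review bot: `config.QPS = c.qps` and `config.Burst = c.burst` are applied only to the config that ToDiscoveryClient hands to `discovery.NewDiscoveryClientForConfig`. The three client.go hunks account for the whole diffstat of that file, so ToRESTConfig is not touched by this patch and the clients used for the actual impersonated API calls presumably still run with default limits. If the subject line means all impersonated traffic, the values should be set in ToRESTConfig as well. The deleted comment was the only record of why discovery needs a generous burst; a replacement such as `// Discovery issues roughly one request per API group/version, so burst must be sized for the number of groups.` would keep that knowledge. ToDiscoveryClient starts outside the hunk.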