Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Use an informer to watch and approve CSRs
Uses an Informer to watch and approve CSRs, instead of polling the API server and calling the `List` API every few seconds.

Additionally, the existing `TestBasicCRSApprover` test was inaccurate in that it wasn't actually testing the condition that the certificate has been approved. The call to `approveCSR` was failing the validation in `ValidateKubeletServingCSR`, but since the error is only being logged and not returned, the test was still passing. The actual certificate status check [here](https://github.com/k0sproject/k0s/blob/7d9532a9c51039ba8a2b1ddd6351ee440d9a31bd/pkg/component/controller/csrapprover_test.go#L84) was never reached because `status.Conditions` was empty.

This changelist also fixes the existing test by generating a certificate request that complies with the validation in `ValidateKubeletServingCSR`, and by mocking the fake `Clientset` to authorize all operations (by responding to creation of `SubjectAccessReviews` with `status.Allowed = true`). A new test is also added to cover the case where the CSRs already exist before `CSRApprover.Start()` is called.

This may slightly increase the memory footprint as the CSRs will need to be held in the informer's cache, but it will be limited to CSRs with `spec.signerName` set to `kubernetes.io/kubelet-serving`. This is a minor trade-off compared to polling which is slower to respond to newly-issued CSRs, makes more requests to the API server and fetches a full list of kubelet-serving CSRs in each request.

A TODO is also added for the future to share the informer factory with other components.

Signed-off-by: cpu1 <[email protected]>
Showing 3 changed files with 186 additions and 102 deletions.
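The test pitfall the commit message describes (a validation error that is logged rather than returned, combined with an assertion that only runs over conditions that exist), reduced to a standard-library Go sketch. This is an added example, not code from the k0s repository: the `CSR` and `Condition` types, the common-name rule and both check functions are hypothetical stand-ins.

```go
package main

import (
	"fmt"
	"log"
)

// Simplified stand-ins for the certificates/v1 types (assumed shapes).
type Condition struct{ Type, Status string }
type CSR struct {
	Name, CommonName string
	Conditions       []Condition
}

// approve logs a validation failure instead of returning it, as the commit
// message describes. The common-name rule is a constructed stand-in for
// ValidateKubeletServingCSR, not the real validation.
func approve(c *CSR) {
	if c.CommonName == "" {
		log.Printf("not approving %s: validation failed", c.Name)
		return
	}
	c.Conditions = append(c.Conditions, Condition{Type: "Approved", Status: "True"})
}

// vacuousCheck inspects only the conditions that exist, so an empty list passes.
func vacuousCheck(c *CSR) error {
	for _, cond := range c.Conditions {
		if cond.Type != "Approved" || cond.Status != "True" {
			return fmt.Errorf("unexpected condition %+v", cond)
		}
	}
	return nil
}

// strictCheck fails unless an Approved=True condition is actually present.
func strictCheck(c *CSR) error {
	for _, cond := range c.Conditions {
		if cond.Type == "Approved" && cond.Status == "True" {
			return nil
		}
	}
	return fmt.Errorf("%s was never approved", c.Name)
}

func main() {
	c := &CSR{Name: "csr-1"} // constructed request that fails validation
	approve(c)
	fmt.Println("vacuous:", vacuousCheck(c), "strict:", strictCheck(c))
}
```

For an approver that gates certificate issuance, a test that cannot fail says nothing about whether invalid requests are rejected or valid ones approved, so the assertion has to require the condition's presence.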