Merge branch 'main' into rbac_least_priviligates

kyma-project · Nov 26, 2024 · c05e888 · c05e888
2 parents fa2cc6b + 119c367
commit c05e888
Show file tree

Hide file tree

Showing 24 changed files with 485 additions and 217 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -9,5 +9,18 @@ updates:
     directories: 
       - "/" # Location of package manifests
       - "/hack/runtime-migrator"
+    groups:
+      k8s:
+        patterns:
+        - "k8s.io*"
+        update-types:
+        - "minor"
+        - "patch"
+      gardener:
+        patterns:
+        - "github.com/gardener/*"
+        update-types:
+        - "minor"
+        - "patch"
     schedule:
       interval: "weekly"
diff --git a/cmd/main.go b/cmd/main.go
@@ -46,6 +46,7 @@ import (
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"k8s.io/client-go/rest"
+	"k8s.io/client-go/util/flowcontrol"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
@@ -66,11 +67,20 @@ func init() {
 	//+kubebuilder:scaffold:scheme
 }
 
-const defaultMinimalRotationTimeRatio = 0.6
-const defaultExpirationTime = 24 * time.Hour
-const defaultGardenerRequestTimeout = 60 * time.Second
-const defaultControlPlaneRequeueDuration = 10 * time.Second
-const defaultGardenerRequeueDuration = 15 * time.Second
+// Default values for the Runtime controller configuration
+const (
+	defaultControlPlaneRequeueDuration   = 10 * time.Second
+	defaultGardenerRequestTimeout        = 3 * time.Second
+	defaultGardenerRateLimiterQPS        = 5
+	defaultGardenerRateLimiterBurst      = 5
+	defaultMinimalRotationTimeRatio      = 0.6
+	defaultExpirationTime                = 24 * time.Hour
+	defaultGardenerReconciliationTimeout = 60 * time.Second
+	defaultGardenerRequeueDuration       = 15 * time.Second
+	defaultShootCreateRequeueDuration    = 60 * time.Second
+	defaultShootDeleteRequeueDuration    = 90 * time.Second
+	defaultShootReconcileRequeueDuration = 30 * time.Second
+)
 
 func main() {
 	var metricsAddr string
@@ -80,7 +90,10 @@ func main() {
 	var gardenerProjectName string
 	var minimalRotationTimeRatio float64
 	var expirationTime time.Duration
-	var gardenerRequestTimeout time.Duration
+	var gardenerCtrlReconciliationTimeout time.Duration
+	var runtimeCtrlGardenerRequestTimeout time.Duration
+	var runtimeCtrlGardenerRateLimiterQPS int
+	var runtimeCtrlGardenerRateLimiterBurst int
 	var converterConfigFilepath string
 	var shootSpecDumpEnabled bool
 	var auditLogMandatory bool
@@ -94,7 +107,10 @@ func main() {
 	flag.StringVar(&gardenerProjectName, "gardener-project-name", "gardener-project", "Name of the Gardener project")
 	flag.Float64Var(&minimalRotationTimeRatio, "minimal-rotation-time", defaultMinimalRotationTimeRatio, "The ratio determines what is the minimal time that needs to pass to rotate certificate.")
 	flag.DurationVar(&expirationTime, "kubeconfig-expiration-time", defaultExpirationTime, "Dynamic kubeconfig expiration time")
-	flag.DurationVar(&gardenerRequestTimeout, "gardener-request-timeout", defaultGardenerRequestTimeout, "Timeout duration for requests to Gardener")
+	flag.DurationVar(&gardenerCtrlReconciliationTimeout, "gardener-ctrl-reconcilation-timeout", defaultGardenerReconciliationTimeout, "Timeout duration for reconlication for Gardener Cluster Controller")
+	flag.DurationVar(&runtimeCtrlGardenerRequestTimeout, "gardener-request-timeout", defaultGardenerRequestTimeout, "Timeout duration for Gardener client for Runtime Controller")
+	flag.IntVar(&runtimeCtrlGardenerRateLimiterQPS, "gardener-ratelimiter-qps", defaultGardenerRateLimiterQPS, "Gardener client rate limiter QPS for Runtime Controller")
+	flag.IntVar(&runtimeCtrlGardenerRateLimiterBurst, "gardener-ratelimiter-burst", defaultGardenerRateLimiterBurst, "Gardener client rate limiter burst for Runtime Controller")
 	flag.StringVar(&converterConfigFilepath, "converter-config-filepath", "/converter-config/converter_config.json", "A file path to the gardener shoot converter configuration.")
 	flag.BoolVar(&shootSpecDumpEnabled, "shoot-spec-dump-enabled", false, "Feature flag to allow persisting specs of created shoots")
 	flag.BoolVar(&auditLogMandatory, "audit-log-mandatory", true, "Feature flag to enable strict mode for audit log configuration")
@@ -137,7 +153,7 @@ func main() {
 	}
 
 	gardenerNamespace := fmt.Sprintf("garden-%s", gardenerProjectName)
-	gardenerClient, shootClient, dynamicKubeconfigClient, err := initGardenerClients(gardenerKubeconfigPath, gardenerNamespace)
+	gardenerClient, shootClient, dynamicKubeconfigClient, err := initGardenerClients(gardenerKubeconfigPath, gardenerNamespace, runtimeCtrlGardenerRequestTimeout, runtimeCtrlGardenerRateLimiterQPS, runtimeCtrlGardenerRateLimiterBurst)
 
 	if err != nil {
 		setupLog.Error(err, "unable to initialize gardener clients", "controller", "GardenerCluster")
@@ -158,7 +174,7 @@ func main() {
 		logger,
 		rotationPeriod,
 		minimalRotationTimeRatio,
-		gardenerRequestTimeout,
+		gardenerCtrlReconciliationTimeout,
 		metrics,
 	).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "GardenerCluster")
@@ -188,14 +204,17 @@ func main() {
 	}
 
 	cfg := fsm.RCCfg{
-		GardenerRequeueDuration:     defaultGardenerRequeueDuration,
-		ControlPlaneRequeueDuration: defaultControlPlaneRequeueDuration,
-		Finalizer:                   infrastructuremanagerv1.Finalizer,
-		ShootNamesapace:             gardenerNamespace,
-		Config:                      config,
-		AuditLogMandatory:           auditLogMandatory,
-		Metrics:                     metrics,
-		AuditLogging:                auditLogDataMap,
+		GardenerRequeueDuration:       defaultGardenerRequeueDuration,
+		RequeueDurationShootCreate:    defaultShootCreateRequeueDuration,
+		RequeueDurationShootDelete:    defaultShootDeleteRequeueDuration,
+		RequeueDurationShootReconcile: defaultShootReconcileRequeueDuration,
+		ControlPlaneRequeueDuration:   defaultControlPlaneRequeueDuration,
+		Finalizer:                     infrastructuremanagerv1.Finalizer,
+		ShootNamesapace:               gardenerNamespace,
+		Config:                        config,
+		AuditLogMandatory:             auditLogMandatory,
+		Metrics:                       metrics,
+		AuditLogging:                  auditLogDataMap,
 	}
 	if shootSpecDumpEnabled {
 		cfg.PVCPath = "/testdata/kim"
@@ -234,12 +253,15 @@ func main() {
 	}
 }
 
-func initGardenerClients(kubeconfigPath string, namespace string) (client.Client, gardener_apis.ShootInterface, client.SubResourceClient, error) {
+func initGardenerClients(kubeconfigPath string, namespace string, timeout time.Duration, rlQPS, rlBurst int) (client.Client, gardener_apis.ShootInterface, client.SubResourceClient, error) {
 	restConfig, err := gardener.NewRestConfigFromFile(kubeconfigPath)
 	if err != nil {
 		return nil, nil, nil, err
 	}
 
+	restConfig.Timeout = timeout
+	restConfig.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(float32(rlQPS), rlBurst)
+
 	gardenerClientSet, err := gardener_apis.NewForConfig(restConfig)
 	if err != nil {
 		return nil, nil, nil, err

diff --git a/go.mod b/go.mod
@@ -5,20 +5,20 @@ go 1.23.1
 require (
 	github.com/Masterminds/semver/v3 v3.3.0
 	github.com/gardener/gardener v1.106.1
-	github.com/gardener/gardener-extension-provider-aws v1.57.1
-	github.com/gardener/gardener-extension-provider-gcp v1.39.0
+	github.com/gardener/gardener-extension-provider-aws v1.58.3
+	github.com/gardener/gardener-extension-provider-gcp v1.40.1
 	github.com/gardener/gardener-extension-provider-openstack v1.42.1
-	github.com/gardener/oidc-webhook-authenticator v0.32.0
+	github.com/gardener/oidc-webhook-authenticator v0.33.0
 	github.com/go-logr/logr v1.4.2
-	github.com/go-playground/validator/v10 v10.22.1
+	github.com/go-playground/validator/v10 v10.23.0
 	github.com/onsi/ginkgo/v2 v2.20.2
 	github.com/onsi/gomega v1.34.2
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.20.5
 	github.com/stretchr/testify v1.9.0
-	k8s.io/api v0.31.2
-	k8s.io/apimachinery v0.31.2
-	k8s.io/client-go v0.31.2
+	k8s.io/api v0.31.3
+	k8s.io/apimachinery v0.31.3
+	k8s.io/client-go v0.31.3
 	k8s.io/utils v0.0.0-20240921022957-49e7df575cb6
 	sigs.k8s.io/controller-runtime v0.19.1
 	sigs.k8s.io/yaml v1.4.0

diff --git a/go.sum b/go.sum
@@ -24,14 +24,14 @@ github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uq
 github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk=
 github.com/gardener/gardener v1.106.1 h1:nbWHqV/rV5Q/7nfuMD5mudWmRnBYZfaJC3O0QaVqwYI=
 github.com/gardener/gardener v1.106.1/go.mod h1:l5TUgzs/Gv8SbuUFW/hCnfID6oo1/DRrGXx/IbjwQi8=
-github.com/gardener/gardener-extension-provider-aws v1.57.1 h1:9CLTxWw1q1TGTlW+8fJEj/ilxkZurcv2KmebLrgH5lU=
-github.com/gardener/gardener-extension-provider-aws v1.57.1/go.mod h1:7eonlUnJVODAER50EvdTrvZUVBL+peNOxfYNjyOzOks=
-github.com/gardener/gardener-extension-provider-gcp v1.39.0 h1:fLx5tiu6EUa1VJzkqLltnlkDm+l5xLCJuQ13h8o3Uhg=
-github.com/gardener/gardener-extension-provider-gcp v1.39.0/go.mod h1:0+YVRmwO0Scvm7M3AZoxq2k30tHxRUgAbQZbmhUs920=
+github.com/gardener/gardener-extension-provider-aws v1.58.3 h1:YDv5s5BEVpPQ+x70tHOcwf762/vo/I6OvwjeT3FD3AU=
+github.com/gardener/gardener-extension-provider-aws v1.58.3/go.mod h1:EFrr2XNSCCEzC6U8Y/wUxCri3Y8zwgaRvFxEPkMOJww=
+github.com/gardener/gardener-extension-provider-gcp v1.40.1 h1:ErTgztMj/6zLSN8sFJXQ2D3ZNyGD1t+GZjAcCBIP+mU=
+github.com/gardener/gardener-extension-provider-gcp v1.40.1/go.mod h1:7Ra8FdadX+y2xcSwJ1Y4gLOYoS5dcY28lIbNamafVqA=
 github.com/gardener/gardener-extension-provider-openstack v1.42.1 h1:Umj1dOFn0bLsNQR3dZup3+20j5UtSSAOm3ms5LkaZt0=
 github.com/gardener/gardener-extension-provider-openstack v1.42.1/go.mod h1:77m0Wte0mF1HiQxi3ixLqCyHoJKRs9INCAI/9CKF7Xc=
-github.com/gardener/oidc-webhook-authenticator v0.32.0 h1:neLYl+t62wkCVtgSIQbbckj+2zHD24kg81d0fADY4xg=
-github.com/gardener/oidc-webhook-authenticator v0.32.0/go.mod h1:a5jrgVLDX0jpQYFPRHlpr2mp3ZKFm6LNhrXPKzep1b4=
+github.com/gardener/oidc-webhook-authenticator v0.33.0 h1:2qMM9dol/S3Paz1GUxFb6ZXqWEKK/dfy/XFrbjNXZGk=
+github.com/gardener/oidc-webhook-authenticator v0.33.0/go.mod h1:a5jrgVLDX0jpQYFPRHlpr2mp3ZKFm6LNhrXPKzep1b4=
 github.com/go-jose/go-jose/v4 v4.0.3 h1:o8aphO8Hv6RPmH+GfzVuyf7YXSBibp+8YyHdOoDESGo=
 github.com/go-jose/go-jose/v4 v4.0.3/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
@@ -52,8 +52,8 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.22.1 h1:40JcKH+bBNGFczGuoBYgX4I6m/i27HYW8P9FDk5PbgA=
-github.com/go-playground/validator/v10 v10.22.1/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
+github.com/go-playground/validator/v10 v10.23.0 h1:/PwmTwZhS0dPkav3cdK9kV1FsAmrL8sThn8IHr/sO+o=
+github.com/go-playground/validator/v10 v10.23.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
@@ -189,14 +189,14 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0=
-k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk=
+k8s.io/api v0.31.3 h1:umzm5o8lFbdN/hIXbrK9oRpOproJO62CV1zqxXrLgk8=
+k8s.io/api v0.31.3/go.mod h1:UJrkIp9pnMOI9K2nlL6vwpxRzzEX5sWgn8kGQe92kCE=
 k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40=
 k8s.io/apiextensions-apiserver v0.31.1/go.mod h1:tWMPR3sgW+jsl2xm9v7lAyRF1rYEK71i9G5dRtkknoQ=
-k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw=
-k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
-k8s.io/client-go v0.31.2 h1:Y2F4dxU5d3AQj+ybwSMqQnpZH9F30//1ObxOKlTI9yc=
-k8s.io/client-go v0.31.2/go.mod h1:NPa74jSVR/+eez2dFsEIHNa+3o09vtNaWwWwb1qSxSs=
+k8s.io/apimachinery v0.31.3 h1:6l0WhcYgasZ/wk9ktLq5vLaoXJJr5ts6lkaQzgeYPq4=
+k8s.io/apimachinery v0.31.3/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
+k8s.io/client-go v0.31.3 h1:CAlZuM+PH2cm+86LOBemaJI/lQ5linJ6UFxKX/SoG+4=
+k8s.io/client-go v0.31.3/go.mod h1:2CgjPUTpv3fE5dNygAr2NcM8nhHzXvxB8KL5gYc3kJs=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5TxDkI7OGJjBNBzq5fJtLA=