Enable leader election for admission controller

Since admission controllers now run the certificate controller, leader election must be enabled to prevent any interference.
gardener · Jan 4, 2024 · 6c1bbf7 · 6c1bbf7
1 parent 67954bd
commit 6c1bbf7
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 18 deletions.
diff --git a/charts/gardener-extension-admission-openstack/charts/runtime/templates/deployment.yaml b/charts/gardener-extension-admission-openstack/charts/runtime/templates/deployment.yaml
@@ -51,6 +51,7 @@ spec:
         - --metrics-bind-address=:{{ .Values.global.metricsPort }}
         {{- end }}
         - --health-bind-address=:{{ .Values.global.healthPort }}
+        - --leader-election-id={{ include "leaderelectionid" . }}
         - --enable-overlay-as-default-for-calico={{ .Values.global.enableOverlayAsDefaultForCalico }}
         - --enable-overlay-as-default-for-cilium={{ .Values.global.enableOverlayAsDefaultForCilium }}
         livenessProbe:

diff --git a/charts/gardener-extension-admission-openstack/templates/_helpers.tpl b/charts/gardener-extension-admission-openstack/templates/_helpers.tpl
@@ -21,3 +21,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
   {{- printf "%s:%s" .repository .tag }}
   {{- end }}
 {{- end }}
+
+{{- define "leaderelectionid" -}}
+gardener-extension-admission-openstack
+{{- end -}}
diff --git a/cmd/gardener-extension-admission-openstack/app/app.go b/cmd/gardener-extension-admission-openstack/app/app.go
@@ -26,6 +26,7 @@ import (
 	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
 	gardenerhealthz "github.com/gardener/gardener/pkg/healthz"
 	"github.com/spf13/cobra"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	componentbaseconfig "k8s.io/component-base/config"
 	"k8s.io/component-base/version/verflag"
@@ -41,17 +42,23 @@ import (
 	provideropenstack "github.com/gardener/gardener-extension-provider-openstack/pkg/openstack"
 )
 
+// AdmissionName is the name of the admission component.
+const AdmissionName = "admission-openstack"
+
 var log = logf.Log.WithName("gardener-extension-admission-openstack")
 
 // NewAdmissionCommand creates a new command for running an Openstack admission webhook.
 func NewAdmissionCommand(ctx context.Context) *cobra.Command {
 	var (
 		restOpts = &controllercmd.RESTOptions{}
 		mgrOpts  = &controllercmd.ManagerOptions{
-			WebhookServerPort:  443,
-			MetricsBindAddress: ":8080",
-			HealthBindAddress:  ":8081",
-			WebhookCertDir:     "/tmp/admission-openstack-cert",
+			LeaderElection:          true,
+			LeaderElectionID:        controllercmd.LeaderElectionNameID(AdmissionName),
+			LeaderElectionNamespace: os.Getenv("LEADER_ELECTION_NAMESPACE"),
+			WebhookServerPort:       443,
+			MetricsBindAddress:      ":8080",
+			HealthBindAddress:       ":8081",
+			WebhookCertDir:          "/tmp/admission-openstack-cert",
 		}
 		// options for the webhook server
 		webhookServerOptions = &webhookcmd.ServerOptions{
@@ -92,32 +99,38 @@ func NewAdmissionCommand(ctx context.Context) *cobra.Command {
 				Burst: 130,
 			}, restOpts.Completed().Config)
 
-			mgr, err := manager.New(restOpts.Completed().Config, mgrOpts.Completed().Options())
-			if err != nil {
-				return fmt.Errorf("could not instantiate manager: %w", err)
-			}
-
-			install.Install(mgr.GetScheme())
-
-			if err := openstackinstall.AddToScheme(mgr.GetScheme()); err != nil {
-				return fmt.Errorf("could not update manager scheme: %w", err)
-			}
+			managerOptions := mgrOpts.Completed().Options()
 
 			// Operators can enable the source cluster option via SOURCE_CLUSTER environment variable.
 			// In-cluster config will be used if no SOURCE_KUBECONFIG is specified.
 			//
 			// The source cluster is for instance used by Gardener's certificate controller, to maintain certificate
 			// secrets in a different cluster ('runtime-garden') than the cluster where the webhook configurations
 			// are maintained ('virtual-garden').
-			var sourceCluster cluster.Cluster
+			var sourceClusterConfig *rest.Config
 			if sourceClusterEnabled := os.Getenv("SOURCE_CLUSTER"); sourceClusterEnabled != "" {
-				log.Info("Configuring source cluster option")
-				config, err := clientcmd.BuildConfigFromFlags("", os.Getenv("SOURCE_KUBECONFIG"))
+				var err error
+				sourceClusterConfig, err = clientcmd.BuildConfigFromFlags("", os.Getenv("SOURCE_KUBECONFIG"))
 				if err != nil {
 					return err
 				}
+				managerOptions.LeaderElectionConfig = sourceClusterConfig
+			}
 
-				sourceCluster, err = cluster.New(config, func(opts *cluster.Options) {
+			mgr, err := manager.New(restOpts.Completed().Config, managerOptions)
+			if err != nil {
+				return fmt.Errorf("could not instantiate manager: %w", err)
+			}
+
+			install.Install(mgr.GetScheme())
+
+			if err := openstackinstall.AddToScheme(mgr.GetScheme()); err != nil {
+				return fmt.Errorf("could not update manager scheme: %w", err)
+			}
+
+			var sourceCluster cluster.Cluster
+			if sourceClusterConfig != nil {
+				sourceCluster, err = cluster.New(sourceClusterConfig, func(opts *cluster.Options) {
 					opts.Logger = log
 					opts.Cache.DefaultNamespaces = map[string]cache.Config{v1beta1constants.GardenNamespace: {}}
 				})