improve tunnel availability

cmd/yurt-tunnel-agent/app/start.go

@@ -18,6 +18,7 @@ package app
 
 import (
 	"fmt"
+	"time"
 
 	"github.com/openyurtio/openyurt/cmd/yurt-tunnel-agent/app/config"
 	"github.com/openyurtio/openyurt/cmd/yurt-tunnel-agent/app/options"
@@ -30,6 +31,8 @@ import (
 	"github.com/openyurtio/openyurt/pkg/yurttunnel/util"
 
 	"github.com/spf13/cobra"
+
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/util/certificate"
 	"k8s.io/klog/v2"
 )
@@ -91,6 +94,17 @@ func Run(cfg *config.CompletedConfig, stopCh <-chan struct{}) error {
 	}
 	agentCertMgr.Start()
 
+	// 2.1. waiting for the certificate is generated
+	_ = wait.PollUntil(5*time.Second, func() (bool, error) {
+		if agentCertMgr.Current() != nil {
+			return true, nil
+		}
+		klog.Infof("certificate %s not signed, waiting...",
+			projectinfo.GetAgentName())
+		return false, nil
+	}, stopCh)
+	klog.Infof("certificate %s ok", projectinfo.GetAgentName())
+
 	// 3. generate a TLS configuration for securing the connection to server
 	tlsCfg, err := pki.GenTLSConfigUseCertMgrAndCA(agentCertMgr,
 		tunnelServerAddr, constants.YurttunnelCAFile)

cmd/yurt-tunnel-server/app/options/options.go

@@ -150,7 +150,7 @@ func (o *ServerOptions) Config() (*config.Config, error) {
 	if err != nil {
 		return nil, err
 	}
-	cfg.SharedInformerFactory = informers.NewSharedInformerFactory(cfg.Client, 10*time.Second)
+	cfg.SharedInformerFactory = informers.NewSharedInformerFactory(cfg.Client, 24*time.Hour)
 
 	klog.Infof("yurttunnel server config: %#+v", cfg)
 	return cfg, nil

pkg/yurttunnel/pki/certmanager/csrapprover.go

@@ -108,7 +108,25 @@ func enqueueObj(wq workqueue.RateLimitingInterface, obj interface{}) {
 		runtime.HandleError(err)
 		return
 	}
-	wq.AddRateLimited(key)
+
+	csr, ok := obj.(*certificates.CertificateSigningRequest)
+	if !ok {
+		klog.Errorf("%s is not a csr", key)
+		return
+	}
+
+	if !isYurttunelCSR(csr) {
+		klog.Infof("csr(%s) is not %s csr", csr.GetName(), projectinfo.GetTunnelName())
+		return
+	}
+
+	approved, denied := checkCertApprovalCondition(&csr.Status)
+	if !approved && !denied {
+		klog.Infof("non-approved and non-denied csr, enqueue: %s", key)
+		wq.AddRateLimited(key)
+	}
+
+	klog.V(4).Infof("approved or denied csr, ignore it: %s", key)
 }
 
 // NewCSRApprover creates a new YurttunnelCSRApprover
@@ -139,6 +157,7 @@ func approveYurttunnelCSR(
 	csrClient typev1beta1.CertificateSigningRequestInterface) error {
 	csr, ok := obj.(*certificates.CertificateSigningRequest)
 	if !ok {
+		klog.Infof("object is not csr: %v", obj)
 		return nil
 	}
 
@@ -149,12 +168,12 @@ func approveYurttunnelCSR(
 
 	approved, denied := checkCertApprovalCondition(&csr.Status)
 	if approved {
-		klog.V(4).Infof("csr(%s) is approved", csr.GetName())
+		klog.Infof("csr(%s) is approved", csr.GetName())
 		return nil
 	}
 
 	if denied {
-		klog.V(4).Infof("csr(%s) is denied", csr.GetName())
+		klog.Infof("csr(%s) is denied", csr.GetName())
 		return nil
 	}