Support non-cluster host scaling with Typha #3817
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hjiawei
force-pushed
the
noncluster-typha-scaling
branch
from
0a38df7 to
bf7ee6b
Compare
hjiawei
commented
Mar 18, 2025
| @@ -72,16 +71,10 @@ func Add(mgr manager.Manager, opts options.AddOptions) error { | |||
|
|
|||
| // Established deferred watches against the v3 API that should succeed after the Enterprise API Server becomes available. | |||
| if opts.EnterpriseCRDExists { | |||
| k8sClient, err := kubernetes.NewForConfig(mgr.GetConfig()) | |||
There was a problem hiding this comment.
This code to create a new k8s clientset is repeated across almost all controllers. It has now been refactored to be initialized once in the main function and passed as part of opts.
hjiawei
commented
Mar 18, 2025
pasanw
reviewed
Mar 19, 2025
rene-dekker
reviewed
Mar 19, 2025
rene-dekker
reviewed
Mar 19, 2025
hjiawei
force-pushed
the
noncluster-typha-scaling
branch
from
9d21afc to
9f3fbe7
Compare
rene-dekker
reviewed
Mar 20, 2025
| // Create a Typha autoscaler for non-cluster hosts | ||
| var typhaAutoscalerNonClusterHost *typhaAutoscaler | ||
| restConfig := mgr.GetConfig() | ||
| nonclusterhosts, err := utils.GetNonClusterHostDynamic(restConfig) |
There was a problem hiding this comment.
Does this mean that if there are no NCHs at boot time for the operator, that the core controller won't be watching heps going forward? Maybe we should just always watch them if there are enterprise CRDs in the cluster.
There was a problem hiding this comment.
I have moved the non-cluster host Typha auto-scaler initialization code to the Reconcile function. It will be initialized/started when the NonClusterHost resource exists and the scaler pointer is nil.
rene-dekker
reviewed
Mar 20, 2025
rene-dekker
reviewed
Mar 20, 2025
rene-dekker
reviewed
Mar 20, 2025
hjiawei
force-pushed
the
noncluster-typha-scaling
branch
from
851f17b to
b7b9e12
Compare
| } | ||
| if len(hepList.Items) == 0 { | ||
| return nil, nil | ||
| } |
There was a problem hiding this comment.
If for some reason the filter returns more items add a warning.
Suggested change
| } | |
| if len(hepList.Items) > 1 { | |
| log.WithFields(log.Fields{ | |
| "hostname": hostname, | |
| "count": len(hepList.Items), | |
| }).Warn("Multiple HostEndpoints found for node; returning the first one") | |
| } |
rene-dekker
reviewed
Mar 20, 2025
rene-dekker
reviewed
Mar 20, 2025
hjiawei
force-pushed
the
noncluster-typha-scaling
branch
2 times, most recently
from
4cc6578 to
16fdc27
Compare
hjiawei
force-pushed
the
noncluster-typha-scaling
branch
from
16fdc27 to
de9eecc
Compare
rene-dekker
approved these changes
Mar 21, 2025
5 tasks
hjiawei
added a commit
to hjiawei/operator
that referenced
this pull request
Mar 25, 2025
* Support non-cluster host scaling with Typha * Create Kubernetes Clientset from config only once * Allow certificate signing request from non-cluster hosts * Add and fix unit tests * Create a separate key pair for non-cluster host Typha * Start the non-cluster host Typha autoscaler for enterprise only * Perform SubjectAccessReview for non-cluster host CSRs * Start Typha auto-scaler when NonClusterHost resource exists * Add a 10 second timeout when performing access reviews * Rerun make generate
5 tasks
rene-dekker
pushed a commit
that referenced
this pull request
Mar 26, 2025
* Support non-cluster host scaling with Typha (#3817) * Support non-cluster host scaling with Typha * Create Kubernetes Clientset from config only once * Allow certificate signing request from non-cluster hosts * Add and fix unit tests * Create a separate key pair for non-cluster host Typha * Start the non-cluster host Typha autoscaler for enterprise only * Perform SubjectAccessReview for non-cluster host CSRs * Start Typha auto-scaler when NonClusterHost resource exists * Add a 10 second timeout when performing access reviews * Rerun make generate * Render CSR roles when NonClusterHost feature is enabled (#3834) This change adds the NonClusterHost resource check to render CSR roles for the CSR controller. It is required to validate and sign CSRs generated from non-cluster hosts. * FV test with Calico OSS release-v3.30
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This changeset introduces support for non-cluster Felix auto-scaling with Typha. It implements a dedicated Typha deployment for non-cluster hosts. The newly added Thpha auto-scaler monitors the total number of non-cluster hosts and dynamically scales Typha deployment accordingly. Additionally, the Tigera operator CSR controller has been enhanced to accept CSRs from both Pods and non-cluster HostEndpoints.
For PR author
make gen-filesmake gen-versionsFor PR reviewers
A note for code reviewers - all pull requests must have the following:
kind/bugif this is a bugfix.kind/enhancementif this is a a new feature.enterpriseif this PR applies to Calico Enterprise only.