fix: get workload cluster client from proper kubeconfig

apedriza · apedriza · commit 63b0964d1387 · 2026-02-10T12:50:18.000+01:00
Signed-off-by: apedriza &lt;adripedriza@gmail.com&gt;
diff --git a/e2e/controlplane_conditions_test.go b/e2e/controlplane_conditions_test.go
@@ -26,7 +26,7 @@ import (
 
 	cpv1beta1 "github.com/k0sproject/k0smotron/api/controlplane/v1beta1"
 	e2eutil "github.com/k0sproject/k0smotron/e2e/util"
-	"github.com/k0sproject/k0smotron/internal/util"
+	"github.com/k0sproject/k0smotron/internal/controller/util"
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
diff --git a/e2e/ingress_test.go b/e2e/ingress_test.go
@@ -33,8 +33,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	e2eutil "github.com/k0sproject/k0smotron/e2e/util"
+	"github.com/k0sproject/k0smotron/internal/controller/util"
 	podexec "github.com/k0sproject/k0smotron/internal/exec"
-	"github.com/k0sproject/k0smotron/internal/util"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
diff --git a/e2e/k0smotron_upgrade_test.go b/e2e/k0smotron_upgrade_test.go
@@ -27,7 +27,7 @@ import (
 
 	"github.com/k0sproject/k0smotron/e2e/mothership"
 	e2eutil "github.com/k0sproject/k0smotron/e2e/util"
-	"github.com/k0sproject/k0smotron/internal/util"
+	"github.com/k0sproject/k0smotron/internal/controller/util"
 	"github.com/stretchr/testify/require"
 	"k8s.io/utils/ptr"
 	clusterv1 "sigs.k8s.io/cluster-api/api/core/v1beta2"
diff --git a/e2e/util/namespaces.go b/e2e/util/namespaces.go
@@ -23,7 +23,7 @@ import (
 	"fmt"
 	"path/filepath"
 
-	"github.com/k0sproject/k0smotron/internal/util"
+	"github.com/k0sproject/k0smotron/internal/controller/util"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/cluster-api/test/framework"
 	capiframework "sigs.k8s.io/cluster-api/test/framework"
diff --git a/internal/controller/bootstrap/controlplane_bootstrap_controller.go b/internal/controller/bootstrap/controlplane_bootstrap_controller.go
@@ -42,7 +42,6 @@ import (
 	clusterv1 "sigs.k8s.io/cluster-api/api/core/v1beta2"
 	bsutil "sigs.k8s.io/cluster-api/bootstrap/util"
 	"sigs.k8s.io/cluster-api/controllers/external"
-	"sigs.k8s.io/cluster-api/controllers/remote"
 	capiutil "sigs.k8s.io/cluster-api/util"
 	"sigs.k8s.io/cluster-api/util/annotations"
 	"sigs.k8s.io/cluster-api/util/collections"
@@ -58,7 +57,6 @@ import (
 	bootstrapv1 "github.com/k0sproject/k0smotron/api/bootstrap/v1beta1"
 	"github.com/k0sproject/k0smotron/internal/controller/util"
 	"github.com/k0sproject/k0smotron/internal/provisioner"
-	kutil "github.com/k0sproject/k0smotron/internal/util"
 	"github.com/k0sproject/version"
 )
 
@@ -452,12 +450,12 @@ func (c *ControlPlaneController) genControlPlaneJoinFiles(ctx context.Context, s
 	}
 
 	// Create the token using the child cluster client
-	tokenID := kutil.RandomString(6)
-	tokenSecret := kutil.RandomString(16)
+	tokenID := util.RandomString(6)
+	tokenSecret := util.RandomString(16)
 	token := fmt.Sprintf("%s.%s", tokenID, tokenSecret)
 	tokenKubeSecret := createTokenSecret(tokenID, tokenSecret)
 
-	chCS, err := remote.NewClusterClient(ctx, "k0smotron", c.Client, capiutil.ObjectKey(scope.Cluster))
+	chCS, err := util.GetControllerRuntimeClient(ctx, c.Client, scope.Cluster, &scope.Config.Spec.Tunneling)
 	if err != nil {
 		log.Error(err, "Failed to getting child cluster client set")
 		return nil, err
@@ -475,7 +473,7 @@ func (c *ControlPlaneController) genControlPlaneJoinFiles(ctx context.Context, s
 		return nil, err
 	}
 
-	joinToken, err := kutil.CreateK0sJoinToken(ca.KeyPair.Cert, token, host, "controller-bootstrap")
+	joinToken, err := util.CreateK0sJoinToken(ca.KeyPair.Cert, token, host, "controller-bootstrap")
 
 	files = append(files, provisioner.File{
 		Path:        scope.Config.Spec.GetJoinTokenPath(),
diff --git a/internal/controller/bootstrap/providerid_controller.go b/internal/controller/bootstrap/providerid_controller.go
@@ -20,6 +20,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
+	bootstrapv1beta1 "github.com/k0sproject/k0smotron/api/bootstrap/v1beta1"
 	k0smoutil "github.com/k0sproject/k0smotron/internal/controller/util"
 )
 
@@ -64,7 +65,7 @@ func (p *ProviderIDController) Reconcile(ctx context.Context, req ctrl.Request)
 		return ctrl.Result{}, fmt.Errorf("can't get cluster %s/%s: %w", machine.Namespace, machine.Spec.ClusterName, err)
 	}
 
-	childClient, err := k0smoutil.GetKubeClient(context.Background(), p.Client, cluster)
+	childClient, err := k0smoutil.GetKubeClientSet(context.Background(), p.Client, cluster, bootstrapv1beta1.TunnelingSpec{})
 	if err != nil {
 		return ctrl.Result{}, fmt.Errorf("can't get kube client for cluster %s/%s: %w. may not be created yet", machine.Namespace, machine.Spec.ClusterName, err)
 	}
diff --git a/internal/controller/bootstrap/worker_bootstrap_controller.go b/internal/controller/bootstrap/worker_bootstrap_controller.go
@@ -34,7 +34,6 @@ import (
 	clusterv1 "sigs.k8s.io/cluster-api/api/core/v1beta2"
 	bsutil "sigs.k8s.io/cluster-api/bootstrap/util"
 	"sigs.k8s.io/cluster-api/controllers/external"
-	"sigs.k8s.io/cluster-api/controllers/remote"
 	capiutil "sigs.k8s.io/cluster-api/util"
 	"sigs.k8s.io/cluster-api/util/annotations"
 	"sigs.k8s.io/cluster-api/util/conditions"
@@ -51,7 +50,6 @@ import (
 	km "github.com/k0sproject/k0smotron/api/k0smotron.io/v1beta1"
 	"github.com/k0sproject/k0smotron/internal/controller/util"
 	"github.com/k0sproject/k0smotron/internal/provisioner"
-	kutil "github.com/k0sproject/k0smotron/internal/util"
 )
 
 const (
@@ -355,15 +353,15 @@ func (r *Controller) getK0sToken(ctx context.Context, scope *Scope) (string, err
 	client := r.workloadClusterClient
 	if client == nil {
 		var err error
-		client, err = remote.NewClusterClient(ctx, "k0smotron", r.Client, capiutil.ObjectKey(scope.Cluster))
+		client, err = util.GetControllerRuntimeClient(ctx, r.Client, scope.Cluster, nil)
 		if err != nil {
 			return "", fmt.Errorf("failed to create child cluster client: %w", err)
 		}
 	}
 
 	// Create the token using the child cluster client
-	tokenID := kutil.RandomString(6)
-	tokenSecret := kutil.RandomString(16)
+	tokenID := util.RandomString(6)
+	tokenSecret := util.RandomString(16)
 	token := fmt.Sprintf("%s.%s", tokenID, tokenSecret)
 	if err := client.Create(ctx, &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
@@ -400,7 +398,7 @@ func (r *Controller) getK0sToken(ctx context.Context, scope *Scope) (string, err
 		joinURL = fmt.Sprintf("https://%s:%d", scope.ingressSpec.APIHost, scope.ingressSpec.Port)
 	}
 
-	joinToken, err := kutil.CreateK0sJoinToken(ca.KeyPair.Cert, token, joinURL, "kubelet-bootstrap")
+	joinToken, err := util.CreateK0sJoinToken(ca.KeyPair.Cert, token, joinURL, "kubelet-bootstrap")
 	if err != nil {
 		return "", fmt.Errorf("failed to create join token: %w", err)
 	}
diff --git a/internal/controller/controlplane/helper.go b/internal/controller/controlplane/helper.go
@@ -507,8 +507,8 @@ func (c *K0sController) markChildControlNodeToLeave(ctx context.Context, name st
 	return nil
 }
 
-func (c *K0sController) deleteOldControlNodes(ctx context.Context, cluster *clusterv1.Cluster) error {
-	kubeClient, err := c.getKubeClient(ctx, cluster)
+func (c *K0sController) deleteOldControlNodes(ctx context.Context, cluster *clusterv1.Cluster, kcp *cpv1beta1.K0sControlPlane) error {
+	kubeClient, err := c.getKubeClient(ctx, cluster, kcp.Spec.K0sConfigSpec.Tunneling)
 	if err != nil {
 		return fmt.Errorf("error getting kube client: %w", err)
 	}
diff --git a/internal/controller/controlplane/k0s_controlplane_controller.go b/internal/controller/controlplane/k0s_controlplane_controller.go
@@ -59,7 +59,6 @@ import (
 
 	bootstrapv1 "github.com/k0sproject/k0smotron/api/bootstrap/v1beta1"
 	cpv1beta1 "github.com/k0sproject/k0smotron/api/controlplane/v1beta1"
-	kutil "github.com/k0sproject/k0smotron/internal/util"
 )
 
 const (
@@ -448,7 +447,7 @@ func (c *K0sController) reconcileMachines(ctx context.Context, cluster *clusterv
 	go func() {
 		// The k8s API of the workload cluster must be available to make requests.
 		if kcp.Status.Ready {
-			err = c.deleteOldControlNodes(ctx, cluster)
+			err = c.deleteOldControlNodes(ctx, cluster, kcp)
 			if err != nil {
 				logger.Error(err, "Error deleting old control nodes")
 			}
@@ -467,7 +466,7 @@ func (c *K0sController) reconcileMachines(ctx context.Context, cluster *clusterv
 				}
 			}
 		} else {
-			kubeClient, err := c.getKubeClient(ctx, cluster)
+			kubeClient, err := c.getKubeClient(ctx, cluster, kcp.Spec.K0sConfigSpec.Tunneling)
 			if err != nil {
 				return fmt.Errorf("error getting cluster client set for machine update: %w", err)
 			}
@@ -485,7 +484,7 @@ func (c *K0sController) reconcileMachines(ctx context.Context, cluster *clusterv
 		tooManyMachines ||
 		isRecreateDeleteFirstPossible(kcp, clusterHasChanged, machineNamesToDelete, desiredMachines) {
 		m := activeMachines.Newest().Name
-		err := c.checkMachineIsReady(ctx, m, cluster)
+		err := c.checkMachineIsReady(ctx, m, cluster, kcp)
 		if err != nil {
 			logger.Error(err, "Error checking machine left", "machine", m)
 			return err
@@ -527,7 +526,7 @@ func (c *K0sController) reconcileMachines(ctx context.Context, cluster *clusterv
 		// machine to be ready It's not slowing down the process overall, as we wait to the first machine anyway to
 		// create join tokens.
 		if activeMachines.Len() >= 1 {
-			err := c.checkMachineIsReady(ctx, activeMachines.Newest().Name, cluster)
+			err := c.checkMachineIsReady(ctx, activeMachines.Newest().Name, cluster, kcp)
 			if err != nil {
 				return err
 			}
@@ -590,7 +589,7 @@ func (c *K0sController) deleteK0sNodeResources(ctx context.Context, cluster *clu
 	logger := log.FromContext(ctx)
 
 	if kcp.Status.Ready {
-		kubeClient, err := c.getKubeClient(ctx, cluster)
+		kubeClient, err := c.getKubeClient(ctx, cluster, kcp.Spec.K0sConfigSpec.Tunneling)
 		if err != nil {
 			return fmt.Errorf("error getting cluster client set for deletion: %w", err)
 		}
@@ -656,8 +655,8 @@ func (c *K0sController) createBootstrapConfig(ctx context.Context, name string,
 	return nil
 }
 
-func (c *K0sController) checkMachineIsReady(ctx context.Context, machineName string, cluster *clusterv1.Cluster) error {
-	kubeClient, err := c.getKubeClient(ctx, cluster)
+func (c *K0sController) checkMachineIsReady(ctx context.Context, machineName string, cluster *clusterv1.Cluster, kcp *cpv1beta1.K0sControlPlane) error {
+	kubeClient, err := c.getKubeClient(ctx, cluster, kcp.Spec.K0sConfigSpec.Tunneling)
 	if err != nil {
 		return fmt.Errorf("error getting cluster client set for machine update: %w", err)
 	}
@@ -727,7 +726,7 @@ func (c *K0sController) reconcileConfig(ctx context.Context, cluster *clusterv1.
 		}
 
 		// Reconcile the dynamic config
-		dErr := kutil.ReconcileDynamicConfig(ctx, cluster, c.Client, *kcp.Spec.K0sConfigSpec.K0s.DeepCopy())
+		dErr := util.ReconcileDynamicConfig(ctx, cluster, c.Client, *kcp.Spec.K0sConfigSpec.K0s.DeepCopy(), &kcp.Spec.K0sConfigSpec.Tunneling)
 		if dErr != nil {
 			// Don't return error from dynamic config reconciliation, as it may not be created yet
 			log.Error(fmt.Errorf("failed to reconcile dynamic config, kubeconfig may not be available yet: %w", dErr), "Failed to reconcile dynamic config")
diff --git a/internal/controller/controlplane/k0smotron_controlplane_controller.go b/internal/controller/controlplane/k0smotron_controlplane_controller.go
@@ -34,7 +34,6 @@ import (
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"sigs.k8s.io/cluster-api/controllers/external"
-	"sigs.k8s.io/cluster-api/controllers/remote"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -567,7 +566,7 @@ func (c *K0smotronController) computeAvailability(ctx context.Context, cluster *
 	logger.Info("Pinging the workload cluster API")
 
 	// Get the CAPI cluster accessor
-	client, err := remote.NewClusterClient(ctx, "k0smotron", c.Client, capiutil.ObjectKey(cluster))
+	client, err := util.GetControllerRuntimeClient(ctx, c.Client, cluster, nil)
 	if err != nil {
 		logger.Info("Failed to create cluster client", "error", err)
 		conditions.Set(kcp, metav1.Condition{
diff --git a/internal/controller/controlplane/status.go b/internal/controller/controlplane/status.go
@@ -29,8 +29,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	clusterv1 "sigs.k8s.io/cluster-api/api/core/v1beta2"
-	"sigs.k8s.io/cluster-api/controllers/remote"
-	"sigs.k8s.io/cluster-api/util"
 	"sigs.k8s.io/cluster-api/util/annotations"
 	"sigs.k8s.io/cluster-api/util/collections"
 	"sigs.k8s.io/cluster-api/util/conditions"
@@ -41,6 +39,7 @@ import (
 	autopilot "github.com/k0sproject/k0s/pkg/apis/autopilot/v1beta2"
 	"github.com/k0sproject/k0s/pkg/autopilot/controller/plans/core"
 	cpv1beta1 "github.com/k0sproject/k0smotron/api/controlplane/v1beta1"
+	"github.com/k0sproject/k0smotron/internal/controller/util"
 	"github.com/k0sproject/version"
 )
 
@@ -83,7 +82,7 @@ func (c *K0sController) newReplicasStatusComputer(ctx context.Context, cluster *
 
 	switch kcp.Spec.UpdateStrategy {
 	case cpv1beta1.UpdateInPlace:
-		kc, err := c.getKubeClient(ctx, cluster)
+		kc, err := c.getKubeClient(ctx, cluster, kcp.Spec.K0sConfigSpec.Tunneling)
 		if err != nil {
 			return nil, err
 		}
@@ -304,7 +303,7 @@ func (c *K0sController) computeAvailability(ctx context.Context, cluster *cluste
 	// and checking if the control plane is initialized
 	logger.Info("Pinging the workload cluster API")
 	// Get the CAPI cluster accessor
-	client, err := remote.NewClusterClient(ctx, "k0smotron", c.Client, util.ObjectKey(cluster))
+	client, err := util.GetControllerRuntimeClient(ctx, c.Client, cluster, &kcp.Spec.K0sConfigSpec.Tunneling)
 	if err != nil {
 		logger.Info("Failed to create cluster client", "error", err)
 		return
diff --git a/internal/controller/controlplane/util.go b/internal/controller/controlplane/util.go
@@ -145,12 +145,12 @@ func (c *K0sController) regenerateKubeconfigSecret(ctx context.Context, kubeconf
 	return c.Update(ctx, kubeconfigSecret)
 }
 
-func (c *K0sController) getKubeClient(ctx context.Context, cluster *clusterv1.Cluster) (*kubernetes.Clientset, error) {
+func (c *K0sController) getKubeClient(ctx context.Context, cluster *clusterv1.Cluster, tunnelingSpec bootstrapv1beta1.TunnelingSpec) (*kubernetes.Clientset, error) {
 	if c.workloadClusterKubeClient != nil {
 		return c.workloadClusterKubeClient, nil
 	}
 
-	return k0smoutil.GetKubeClient(ctx, c.SecretCachingClient, cluster)
+	return k0smoutil.GetKubeClientSet(ctx, c.SecretCachingClient, cluster, tunnelingSpec)
 }
 
 func enrichK0sConfigWithClusterData(cluster *clusterv1.Cluster, k0sConfig *unstructured.Unstructured) (*unstructured.Unstructured, error) {
diff --git a/internal/controller/k0smotron.io/k0smotroncluster_configmap.go b/internal/controller/k0smotron.io/k0smotroncluster_configmap.go
@@ -33,7 +33,6 @@ import (
 
 	km "github.com/k0sproject/k0smotron/api/k0smotron.io/v1beta1"
 	kcontrollerutil "github.com/k0sproject/k0smotron/internal/controller/util"
-	"github.com/k0sproject/k0smotron/internal/util"
 )
 
 const kineDataSourceURLPlaceholder = "__K0SMOTRON_KINE_DATASOURCE_URL_PLACEHOLDER__"
@@ -173,7 +172,7 @@ func reconcileDynamicConfig(ctx context.Context, kmc *km.Cluster, k0sConfig map[
 		}
 	}
 
-	return util.ReconcileDynamicConfig(ctx, kmc, c, u)
+	return kcontrollerutil.ReconcileDynamicConfig(ctx, kmc, c, u, nil)
 }
 
 func detectExternalAddress(ctx context.Context, c client.Client) (string, error) {
diff --git a/internal/controller/util/dynamic_config.go b/internal/controller/util/dynamic_config.go
@@ -5,16 +5,16 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/k0sproject/k0smotron/api/bootstrap/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/util/retry"
-	"sigs.k8s.io/cluster-api/controllers/remote"
-	"sigs.k8s.io/cluster-api/util"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-func ReconcileDynamicConfig(ctx context.Context, cluster metav1.Object, cli client.Client, u unstructured.Unstructured) error {
+// ReconcileDynamicConfig updates the cluster configuration taking the adventage of the dynamic configuration feature of k0s.
+func ReconcileDynamicConfig(ctx context.Context, cluster metav1.Object, cli client.Client, u unstructured.Unstructured, tunnelingSpec *v1beta1.TunnelingSpec) error {
 	u.SetName("k0s")
 	u.SetNamespace("kube-system")
 
@@ -29,7 +29,7 @@ func ReconcileDynamicConfig(ctx context.Context, cluster metav1.Object, cli clie
 		return fmt.Errorf("failed to marshal unstructured config: %w", err)
 	}
 
-	chCS, err := remote.NewClusterClient(ctx, "k0smotron", cli, util.ObjectKey(cluster))
+	chCS, err := GetControllerRuntimeClient(ctx, cli, cluster, tunnelingSpec)
 	if err != nil {
 		return fmt.Errorf("failed to create workload cluster client: %w", err)
 	}
diff --git a/internal/controller/util/kubeclient.go b/internal/controller/util/kubeclient.go
diff --git a/internal/controller/util/random.go b/internal/controller/util/random.go
diff --git a/internal/controller/util/token.go b/internal/controller/util/token.go

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ import (`
`20`	`20`	`"sigs.k8s.io/controller-runtime/pkg/controller"`
`21`	`21`	`"sigs.k8s.io/controller-runtime/pkg/log"`
`22`	`22`
	`23`	`+ bootstrapv1beta1 "github.com/k0sproject/k0smotron/api/bootstrap/v1beta1"`
`23`	`24`	`k0smoutil "github.com/k0sproject/k0smotron/internal/controller/util"`
`24`	`25`	`)`
`25`	`26`
`@@ -64,7 +65,7 @@ func (p *ProviderIDController) Reconcile(ctx context.Context, req ctrl.Request)`
`64`	`65`	`return ctrl.Result{}, fmt.Errorf("can't get cluster %s/%s: %w", machine.Namespace, machine.Spec.ClusterName, err)`
`65`	`66`	`}`
`66`	`67`
`67`		`- childClient, err := k0smoutil.GetKubeClient(context.Background(), p.Client, cluster)`
	`68`	`+ childClient, err := k0smoutil.GetKubeClientSet(context.Background(), p.Client, cluster, bootstrapv1beta1.TunnelingSpec{})`
`68`	`69`	`if err != nil {`
`69`	`70`	`return ctrl.Result{}, fmt.Errorf("can't get kube client for cluster %s/%s: %w. may not be created yet", machine.Namespace, machine.Spec.ClusterName, err)`
`70`	`71`	`}`
Original file line number	Diff line number	Diff line change
`@@ -507,8 +507,8 @@ func (c *K0sController) markChildControlNodeToLeave(ctx context.Context, name st`
`507`	`507`	`return nil`
`508`	`508`	`}`
`509`	`509`
`510`		`-func (c K0sController) deleteOldControlNodes(ctx context.Context, cluster clusterv1.Cluster) error {`
`511`		`- kubeClient, err := c.getKubeClient(ctx, cluster)`
	`510`	`+func (c K0sController) deleteOldControlNodes(ctx context.Context, cluster clusterv1.Cluster, kcp *cpv1beta1.K0sControlPlane) error {`
	`511`	`+ kubeClient, err := c.getKubeClient(ctx, cluster, kcp.Spec.K0sConfigSpec.Tunneling)`
`512`	`512`	`if err != nil {`
`513`	`513`	`return fmt.Errorf("error getting kube client: %w", err)`
`514`	`514`	`}`