Review comments

Author: carreter

Makefile

@@ -55,7 +55,7 @@ DOCKER_CMD ?= docker
 DOCKER_CLI_EXPERIMENTAL ?= enabled
 PROXY_SERVER_IP ?= 127.0.0.1
 
-KIND_IMAGE ?= kindest/node
+KIND_IMAGE ?= kindest/node:v1.30.2
 CONNECTION_MODE ?= grpc
 ## --------------------------------------
 ## Testing

cmd/agent/app/server.go

@@ -40,6 +40,7 @@ import (
 	"google.golang.org/grpc/keepalive"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/kubernetes"
+	coordinationv1lister "k8s.io/client-go/listers/coordination/v1"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/clock"
@@ -49,8 +50,9 @@ import (
 )
 
 const (
-	ReadHeaderTimeout = 60 * time.Second
-	LeaseNamespace    = "kube-system"
+	ReadHeaderTimeout   = 60 * time.Second
+	LeaseNamespace      = "kube-system"
+	LeaseInformerResync = time.Second * 10
 )
 
 func NewAgentCommand(a *Agent, o *options.GrpcProxyAgentOptions) *cobra.Command {
@@ -150,10 +152,13 @@ func (a *Agent) runProxyConnection(o *options.GrpcProxyAgentOptions, drainCh, st
 		if err != nil {
 			return nil, fmt.Errorf("failed to create kubernetes clientset: %v", err)
 		}
+		leaseInformer := agent.NewLeaseInformerWithMetrics(k8sClient, "", LeaseInformerResync)
+		go leaseInformer.Run(stopCh)
+		leaseLister := coordinationv1lister.NewLeaseLister(leaseInformer.GetIndexer())
 		serverLeaseSelector, _ := labels.Parse("k8s-app=konnectivity-server")
 		serverLeaseCounter := agent.NewServerLeaseCounter(
 			clock.RealClock{},
-			k8sClient,
+			leaseLister,
 			serverLeaseSelector,
 			LeaseNamespace,
 		)

e2e/lease_count_test.go

@@ -1,3 +1,18 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
 package e2e
 
 import (

e2e/main_test.go

@@ -1,3 +1,18 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
 package e2e
 
 import (
@@ -218,13 +233,6 @@ func deleteDeployment(obj client.Object) func(context.Context, *testing.T, *envc
 	}
 }
 
-func sleepFor(duration time.Duration) func(context.Context, *testing.T, *envconf.Config) context.Context {
-	return func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
-		time.Sleep(duration)
-		return ctx
-	}
-}
-
 func waitForDeployment(obj client.Object) func(context.Context, *testing.T, *envconf.Config) context.Context {
 	return func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 		deployment, ok := obj.(*appsv1api.Deployment)
@@ -235,7 +243,7 @@ func waitForDeployment(obj client.Object) func(context.Context, *testing.T, *env
 		k8sClient := kubernetes.NewForConfigOrDie(cfg.Client().RESTConfig())
 		err := wait.For(
 			conditions.New(cfg.Client().Resources(deployment.Namespace)).DeploymentAvailable(deployment.Name, deployment.Namespace),
-			wait.WithTimeout(60*time.Second),
+			wait.WithTimeout(120*time.Second),
 			wait.WithInterval(5*time.Second),
 		)
 		if err != nil {

e2e/metrics_assertions_test.go

@@ -1,3 +1,18 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
 package e2e
 
 import (

e2e/static_count_test.go

@@ -1,3 +1,18 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
 package e2e
 
 import (

examples/kind-multinode/rendered/kind.config

@@ -0,0 +1,82 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+networking:
+  ipFamily: ipv4
+nodes:
+- role: control-plane
+  kubeadmConfigPatchesJSON6902:
+  - kind: ClusterConfiguration
+    patch: |
+      - op: add
+        path: /apiServer/certSANs/-
+        value: konnectivity-server.kube-system.svc.cluster.local
+  kubeadmConfigPatches:
+  - |
+    kind: ClusterConfiguration
+    apiServer:
+      extraArgs:
+        "egress-selector-config-file": "/etc/kubernetes/konnectivity-server-config/egress_selector_configuration.yaml"
+      extraVolumes:
+      - name: egress-selector-config-file
+        hostPath: "/etc/kubernetes/konnectivity-server-config/egress_selector_configuration.yaml"
+        mountPath: "/etc/kubernetes/konnectivity-server-config/egress_selector_configuration.yaml"
+        readOnly: true
+      - name: konnectivity-server
+        hostPath: "/etc/kubernetes/konnectivity-server"
+        mountPath: "/etc/kubernetes/konnectivity-server"
+        readOnly: true
+  extraMounts:
+  - hostPath: ./egress_selector_configuration.yaml
+    containerPath: /etc/kubernetes/konnectivity-server-config/egress_selector_configuration.yaml
+- role: control-plane
+  kubeadmConfigPatchesJSON6902:
+  - kind: ClusterConfiguration
+    patch: |
+      - op: add
+        path: /apiServer/certSANs/-
+        value: konnectivity-server.kube-system.svc.cluster.local
+  kubeadmConfigPatches:
+  - |
+    kind: ClusterConfiguration
+    apiServer:
+      extraArgs:
+        "egress-selector-config-file": "/etc/kubernetes/konnectivity-server-config/egress_selector_configuration.yaml"
+      extraVolumes:
+      - name: egress-selector-config-file
+        hostPath: "/etc/kubernetes/konnectivity-server-config/egress_selector_configuration.yaml"
+        mountPath: "/etc/kubernetes/konnectivity-server-config/egress_selector_configuration.yaml"
+        readOnly: true
+      - name: konnectivity-server
+        hostPath: "/etc/kubernetes/konnectivity-server"
+        mountPath: "/etc/kubernetes/konnectivity-server"
+        readOnly: true
+  extraMounts:
+  - hostPath: ./egress_selector_configuration.yaml
+    containerPath: /etc/kubernetes/konnectivity-server-config/egress_selector_configuration.yaml
+- role: control-plane
+  kubeadmConfigPatchesJSON6902:
+  - kind: ClusterConfiguration
+    patch: |
+      - op: add
+        path: /apiServer/certSANs/-
+        value: konnectivity-server.kube-system.svc.cluster.local
+  kubeadmConfigPatches:
+  - |
+    kind: ClusterConfiguration
+    apiServer:
+      extraArgs:
+        "egress-selector-config-file": "/etc/kubernetes/konnectivity-server-config/egress_selector_configuration.yaml"
+      extraVolumes:
+      - name: egress-selector-config-file
+        hostPath: "/etc/kubernetes/konnectivity-server-config/egress_selector_configuration.yaml"
+        mountPath: "/etc/kubernetes/konnectivity-server-config/egress_selector_configuration.yaml"
+        readOnly: true
+      - name: konnectivity-server
+        hostPath: "/etc/kubernetes/konnectivity-server"
+        mountPath: "/etc/kubernetes/konnectivity-server"
+        readOnly: true
+  extraMounts:
+  - hostPath: ./egress_selector_configuration.yaml
+    containerPath: /etc/kubernetes/konnectivity-server-config/egress_selector_configuration.yaml
+- role: worker
+- role: worker

examples/kind-multinode/rendered/konnectivity-agent-ds.yaml

@@ -0,0 +1,121 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:konnectivity-agent
+  labels:
+    kubernetes.io/cluster-service: "true"
+rules:
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:konnectivity-agent
+  labels:
+    kubernetes.io/cluster-service: "true"
+subjects:
+- kind: ServiceAccount
+  name: konnectivity-agent
+  namespace:  kube-system
+roleRef:
+  kind: ClusterRole
+  name: system:konnectivity-agent
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: konnectivity-agent
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    k8s-app: konnectivity-agent
+  namespace: kube-system
+  name: konnectivity-agent
+spec:
+  selector:
+    matchLabels:
+      k8s-app: konnectivity-agent
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        k8s-app: konnectivity-agent
+    spec:
+      priorityClassName: system-cluster-critical
+      tolerations:
+        - key: "CriticalAddonsOnly"
+          operator: "Exists"
+        - operator: "Exists"
+          effect: "NoExecute"
+      nodeSelector:
+        kubernetes.io/os: linux
+      dnsPolicy: ClusterFirstWithHostNet
+      containers:
+      - name: konnectivity-agent-container
+        image: gcr.io/carreter-dev2/proxy-agent-amd64:01e3cce3bd4c8e4cff2366d1169c0326a2f1af02
+        resources:
+          requests:
+            cpu: 50m
+          limits:
+            memory: 30Mi
+        command: [ "/proxy-agent"]
+        args: [
+          "--logtostderr=true",
+          "--ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
+          "--proxy-server-host=konnectivity-server.kube-system.svc.cluster.local",
+          "--proxy-server-port=8091",
+          "--sync-interval=5s",
+          "--sync-interval-cap=30s",
+          "--sync-forever",
+          "--probe-interval=5s",
+          "--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token",
+          "--agent-identifiers=ipv4=${HOST_IP}",
+          "--count-server-leases",
+          ]
+        env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.hostIP
+        livenessProbe:
+          httpGet:
+            scheme: HTTP
+            port: 8093
+            path: /healthz
+          initialDelaySeconds: 15
+          timeoutSeconds: 15
+        readinessProbe:
+          httpGet:
+            scheme: HTTP
+            port: 8093
+            path: /readyz
+          initialDelaySeconds: 15
+          timeoutSeconds: 15
+        volumeMounts:
+          - mountPath: /var/run/secrets/tokens
+            name: konnectivity-agent-token
+      serviceAccountName: konnectivity-agent
+      volumes:
+      - name: konnectivity-agent-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: konnectivity-agent-token
+              audience: system:konnectivity-server