openmcp-project · ValentinGerlach · Sep 25, 2025 · Sep 25, 2025 · Sep 25, 2025 · Sep 25, 2025
diff --git a/internal/controller/controlplane_controller.go b/internal/controller/controlplane_controller.go
@@ -48,8 +48,10 @@ import (
 	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	corev1beta1 "github.com/openmcp-project/control-plane-operator/api/v1beta1"
 	"github.com/openmcp-project/control-plane-operator/pkg/controlplane/components"
@@ -191,6 +193,9 @@ func (r *ControlPlaneReconciler) getReleaseChannels(ctx context.Context) corev1b
 func (r *ControlPlaneReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&corev1beta1.ControlPlane{}).
+		WithOptions(controller.TypedOptions[reconcile.Request]{
+			MaxConcurrentReconciles: 10,
+		}).
 		Complete(r)
 }
 

diff --git a/internal/controller/kubeconfigs.go b/internal/controller/kubeconfigs.go
@@ -41,8 +41,11 @@ func (r *ControlPlaneReconciler) ensureKubeconfig(ctx context.Context, remoteCfg
 			return nil, err
 		}
 
+		remainingLifetime := time.Until(expiration)
+
 		// check if token would expire before next planned reconciliation
-		if time.Now().Before(expiration.Add(-r.ReconcilePeriod)) {
+		// or less than a third of the desired lifetime is left
+		if remainingLifetime < r.ReconcilePeriod || remainingLifetime < r.FluxTokenLifetime/3 {
 			// kubeconfig is still valid
 			return &corev1.SecretReference{Name: secret.Name, Namespace: secret.Namespace}, nil
 		}