Skip to content

Make controllers kubeclient QPS & Burst configurable. #1834

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
alvneiayu merged 1 commit into from
Nov 20, 2025
+40 −19
Merged

Make controllers kubeclient QPS & Burst configurable. #1834

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions cmd/controller/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,9 @@ func bindControllerFlags(f *controller.Flags, fs *flag.FlagSet) {
_ = fs.MarkDeprecated("rotate-period", "please use key-renew-period instead")

fs.IntVar(&f.MaxRetries, "max-unseal-retries", 5, "Max unseal retries.")

fs.Float32Var(&f.KubeClientQPS, "kubeclient-qps", 5, "Kubeclient QPS (negative value disables ratelimiting)")
fs.IntVar(&f.KubeClientBurst, "kubeclient-burst", 10, "Kubeclient Burst")
}

func bindFlags(f *controller.Flags, fs *flag.FlagSet, gofs *goflag.FlagSet) {
Expand Down
37 changes: 18 additions & 19 deletions helm/sealed-secrets/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,8 @@ The command removes all the Kubernetes components associated with the chart and
| `logFormat` | Specifies log format (text,json) | `""` |
| `maxRetries` | Number of maximum retries | `""` |
| `watchForSecrets` | Specifies whether the Sealed Secrets controller will watch for new secrets | `false` |
| `kubeClientQPS` | Kubeclient QPS (negative value disables ratelimiting) | `""` |
| `kubeClientBurst` | Kubeclient Burst | `""` |
| `command` | Override default container command | `[]` |
| `args` | Override default container args | `[]` |
| `livenessProbe.enabled` | Enable livenessProbe on Sealed Secret containers | `true` |
Expand Down Expand Up @@ -184,25 +186,22 @@ The command removes all the Kubernetes components associated with the chart and

### Other Parameters

| Name | Description | Value |
| ------------------------------ | -------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
| `serviceAccount.annotations` | Annotations for Sealed Secret service account | `{}` |
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `serviceAccount.labels` | Extra labels to be added to the ServiceAccount | `{}` |
| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
| `rbac.clusterRole` | Specifies whether the Cluster Role resource should be created | `true` |
| `rbac.clusterRoleName` | Specifies the name for the Cluster Role resource | `secrets-unsealer` |
| `rbac.namespacedRoles` | Specifies whether the namespaced Roles should be created (in each of the specified additionalNamespaces) | `false` |
| `rbac.namespacedRolesName` | Specifies the name for the namespaced Role resource | `secrets-unsealer` |
| `rbac.labels` | Extra labels to be added to RBAC resources | `{}` |
| `rbac.pspEnabled` | PodSecurityPolicy | `false` |
| `rbac.serviceProxier.create` | Specifies whether to create the "proxier" role, to allow external users to access the SealedSecret API | `true` |
| `rbac.serviceProxier.bind` | Specifies whether to create a RoleBinding for the "proxier" role | `true` |
| `rbac.serviceProxier.subjects` | Specifies the RBAC subjects to grant the "proxier" role to, in the created RoleBinding | `- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
` |
| Name | Description | Value |
| ------------------------------ | -------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- |
| `serviceAccount.annotations` | Annotations for Sealed Secret service account | `{}` |
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `serviceAccount.labels` | Extra labels to be added to the ServiceAccount | `{}` |
| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
| `rbac.clusterRole` | Specifies whether the Cluster Role resource should be created | `true` |
| `rbac.clusterRoleName` | Specifies the name for the Cluster Role resource | `secrets-unsealer` |
| `rbac.namespacedRoles` | Specifies whether the namespaced Roles should be created (in each of the specified additionalNamespaces) | `false` |
| `rbac.namespacedRolesName` | Specifies the name for the namespaced Role resource | `secrets-unsealer` |
| `rbac.labels` | Extra labels to be added to RBAC resources | `{}` |
| `rbac.pspEnabled` | PodSecurityPolicy | `false` |
| `rbac.serviceProxier.create` | Specifies whether to create the "proxier" role, to allow external users to access the SealedSecret API | `true` |
| `rbac.serviceProxier.bind` | Specifies whether to create a RoleBinding for the "proxier" role | `true` |
| `rbac.serviceProxier.subjects` | Specifies the RBAC subjects to grant the "proxier" role to, in the created RoleBinding | <pre><code>- apiGroup: rbac.authorization.k8s.io<br> kind: Group<br> name: system:authenticated</code></pre> |

### Metrics parameters

Expand Down
8 changes: 8 additions & 0 deletions helm/sealed-secrets/templates/deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -152,6 +152,14 @@ spec:
{{- if .Values.watchForSecrets }}
- --watch-for-secrets
{{- end }}
{{- if .Values.kubeClientQPS }}
- --kubeclient-qps
- {{ .Values.kubeClientQPS | quote }}
{{- end }}
{{- if .Values.kubeClientBurst }}
- --kubeclient-burst
- {{ .Values.kubeClientBurst | quote }}
{{- end }}
{{- end }}
image: {{ printf "%s/%s:%s" .Values.image.registry .Values.image.repository .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
Expand Down
6 changes: 6 additions & 0 deletions helm/sealed-secrets/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,12 @@ maxRetries: ""
## @param watchForSecrets Specifies whether the Sealed Secrets controller will watch for new secrets
##
watchForSecrets: false
## @param kubeClientQPS Kubeclient QPS (negative value disables ratelimiting)
##
kubeClientQPS: ""
## @param kubeClientBurst Kubeclient Burst
##
kubeClientBurst: ""
## @param command Override default container command
##
command: []
Expand Down
5 changes: 5 additions & 0 deletions pkg/controller/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,8 @@ type Flags struct {
PrivateKeyLabels string
MaxRetries int
WatchForSecrets bool
KubeClientQPS float32
KubeClientBurst int
}

func initKeyPrefix(keyPrefix string) (string, error) {
Expand Down Expand Up @@ -210,6 +212,9 @@ func Main(f *Flags, version string) error {
return err
}

config.QPS = f.KubeClientQPS
config.Burst = f.KubeClientBurst

clientset, err := kubernetes.NewForConfig(config)
if err != nil {
return err
Expand Down
Loading