only init cluster and csr client in bootstrap phase (#1229)

openshift-cherrypick-robot · skeeey · web-flow · commit ac48573cf4be · 2025-10-29T01:09:05.000Z
Signed-off-by: Wei Liu &lt;liuweixa@redhat.com&gt;
Co-authored-by: Wei Liu &lt;liuweixa@redhat.com&gt;
diff --git a/pkg/registration/register/grpc/spoke_driver.go b/pkg/registration/register/grpc/spoke_driver.go
@@ -86,6 +86,32 @@ func (d *GRPCDriver) BuildClients(ctx context.Context, secretOption register.Sec
 		clusterClient, 10*time.Minute).Cluster().V1().ManagedClusters()
 	clusterWatchStore.SetInformer(clusterInformers.Informer())
 
+	csrClientHolder, err := cloudeventscsr.NewAgentClientHolder(ctx,
+		cloudeventsoptions.NewGenericClientOptions(
+			config,
+			cloudeventscsr.NewCSRCodec(),
+			secretOption.ClusterName,
+		).WithClusterName(secretOption.ClusterName),
+	)
+	if err != nil {
+		return nil, err
+	}
+	csrControl := &ceCSRControl{csrClientHolder: csrClientHolder}
+	if err := d.csrDriver.SetCSRControl(csrControl, secretOption.ClusterName); err != nil {
+		return nil, err
+	}
+	d.control = csrControl
+
+	// Initialize the cluster client and CSR control in the bootstrap phase.
+	// Other clients should not be initialized, since they require
+	// permissions that are not allowed in the bootstrap phase.
+	if bootstrapped {
+		return &register.Clients{
+			ClusterClient:   clusterClient,
+			ClusterInformer: clusterInformers,
+		}, nil
+	}
+
 	leaseWatchStore := cloudeventsstore.NewSimpleStore[*coordv1.Lease]()
 	leaseClient, err := cloudeventslease.NewLeaseClient(
 		ctx,
@@ -128,22 +154,6 @@ func (d *GRPCDriver) BuildClients(ctx context.Context, secretOption register.Sec
 		Addon().V1alpha1().ManagedClusterAddOns()
 	addonWatchStore.SetInformer(addonInformer.Informer())
 
-	csrClientHolder, err := cloudeventscsr.NewAgentClientHolder(ctx,
-		cloudeventsoptions.NewGenericClientOptions(
-			config,
-			cloudeventscsr.NewCSRCodec(),
-			secretOption.ClusterName,
-		).WithClusterName(secretOption.ClusterName),
-	)
-	if err != nil {
-		return nil, err
-	}
-	csrControl := &ceCSRControl{csrClientHolder: csrClientHolder}
-	if err := d.csrDriver.SetCSRControl(csrControl, secretOption.ClusterName); err != nil {
-		return nil, err
-	}
-	d.control = csrControl
-
 	clients := &register.Clients{
 		ClusterClient:   clusterClient,
 		ClusterInformer: clusterInformers,
