refactor(kubeclient): consolidate duplicate code (kubernetes-sigs#6076)

* refactore(kubeclient): consolidate duplicate code to ensure consistent client creation

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

* refactore(kubeclient): consolidate duplicate code to ensure consistent client creation

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

* refactore(kubeclient): consolidate duplicate code to ensure consistent client creation

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

* refactore(kubeclient): consolidate duplicate code to ensure consistent client creation

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

* refactore(kubeclient): consolidate duplicate code to ensure consistent client creation

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

* refactore(kubeclient): consolidate duplicate code to ensure consistent client creation

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

* refactore(kubeclient): consolidate duplicate code to ensure consistent client creation

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

* refactore(kubeclient): consolidate duplicate code to ensure consistent client creation

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

* refactore(kubeclient): consolidate duplicate code to ensure consistent client creation

Co-authored-by: vflaux <38909103+vflaux@users.noreply.github.com>

* refactore(kubeclient): consolidate duplicate code to ensure consistent client creation

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

* refactore(kubeclient): consolidate duplicate code to ensure consistent client creation

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

* refactore(kubeclient): consolidate duplicate code to ensure consistent client creation

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

* refactore(kubeclient): consolidate duplicate code to ensure consistent client creation

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

---------

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>
Co-authored-by: vflaux <38909103+vflaux@users.noreply.github.com>

Author: ivankatliarchuk

controller/execute.go

@@ -131,7 +131,7 @@ func Execute() {
 		os.Exit(0)
 	}
 
-	ctrl, err := buildController(ctx, cfg, endpointsSource, prvdr, domainFilter)
+	ctrl, err := buildController(ctx, cfg, sCfg, endpointsSource, prvdr, domainFilter)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -362,6 +362,7 @@ func buildProvider(
 func buildController(
 	ctx context.Context,
 	cfg *externaldns.Config,
+	sCfg *source.Config,
 	src source.Source,
 	p provider.Provider,
 	filter *endpoint.DomainFilter,
@@ -375,14 +376,17 @@ func buildController(
 		return nil, err
 	}
 	eventsCfg := events.NewConfig(
-		events.WithKubeConfig(cfg.KubeConfig, cfg.APIServerURL, cfg.RequestTimeout),
 		events.WithEmitEvents(cfg.EmitEvents),
 		events.WithDryRun(cfg.DryRun))
 	var eventEmitter events.EventEmitter
 	if eventsCfg.IsEnabled() {
-		eventCtrl, err := events.NewEventController(eventsCfg)
+		kubeClient, err := sCfg.ClientGenerator().KubeClient()
 		if err != nil {
-			log.Fatal(err)
+			return nil, err
+		}
+		eventCtrl, err := events.NewEventController(kubeClient.EventsV1(), eventsCfg)
+		if err != nil {
+			return nil, err
 		}
 		eventCtrl.Run(ctx)
 		eventEmitter = eventCtrl

controller/execute_test.go

@@ -446,9 +446,10 @@ func TestControllerRunCancelContextStopsLoop(t *testing.T) {
 		Registry:   "txt",
 		TXTOwnerID: "test-owner",
 	}
+	sCfg := source.NewSourceConfig(cfg)
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
-	src, err := buildSource(ctx, source.NewSourceConfig(cfg))
+	src, err := buildSource(ctx, sCfg)
 	require.NoError(t, err)
 	domainFilter := endpoint.NewDomainFilterWithOptions(
 		endpoint.WithDomainFilter(cfg.DomainFilter),
@@ -458,7 +459,7 @@ func TestControllerRunCancelContextStopsLoop(t *testing.T) {
 	)
 	p, err := buildProvider(ctx, cfg, domainFilter)
 	require.NoError(t, err)
-	ctrl, err := buildController(ctx, cfg, src, p, domainFilter)
+	ctrl, err := buildController(ctx, cfg, sCfg, src, p, domainFilter)
 	require.NoError(t, err)
 
 	done := make(chan struct{})

pkg/OWNERS

@@ -0,0 +1,4 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+labels:
+- pkg

pkg/client/OWNERS

@@ -0,0 +1,4 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+labels:
+- client

pkg/client/config.go

@@ -0,0 +1,103 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package kubeclient provides shared utilities for creating Kubernetes REST configurations
+// and clients with standardized metrics instrumentation.
+package kubeclient
+
+import (
+	"os"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+
+	extdnshttp "sigs.k8s.io/external-dns/pkg/http"
+)
+
+// GetRestConfig returns the REST client configuration for Kubernetes API access.
+// Supports both in-cluster and external cluster configurations.
+//
+// Configuration Priority:
+// 1. KubeConfig file if specified
+// 2. Recommended home file (~/.kube/config)
+// 3. In-cluster config
+// TODO: consider clientcmd.NewDefaultClientConfigLoadingRules() with clientcmd.NewNonInteractiveDeferredLoadingClientConfig
+func GetRestConfig(kubeConfig, apiServerURL string) (*rest.Config, error) {
+	if kubeConfig == "" {
+		if _, err := os.Stat(clientcmd.RecommendedHomeFile); err == nil {
+			kubeConfig = clientcmd.RecommendedHomeFile
+		}
+	}
+	log.Debugf("apiServerURL: %s", apiServerURL)
+	log.Debugf("kubeConfig: %s", kubeConfig)
+
+	// evaluate whether to use kubeConfig-file or serviceaccount-token
+	var (
+		config *rest.Config
+		err    error
+	)
+	if kubeConfig == "" {
+		log.Debug("Using inCluster-config based on serviceaccount-token")
+		config, err = rest.InClusterConfig()
+	} else {
+		log.Debug("Using kubeConfig")
+		config, err = clientcmd.BuildConfigFromFlags(apiServerURL, kubeConfig)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	return config, nil
+}
+
+// InstrumentedRESTConfig creates a REST config with request instrumentation for monitoring.
+// Adds HTTP transport wrapper for Prometheus metrics collection and request timeout configuration.
+//
+// Metrics: Wraps the transport with pkg/http.NewInstrumentedTransport to collect
+// HTTP request duration metrics for all Kubernetes API calls.
+//
+// Timeout: Applies the specified request timeout to prevent hanging requests.
+func InstrumentedRESTConfig(kubeConfig, apiServerURL string, requestTimeout time.Duration) (*rest.Config, error) {
+	config, err := GetRestConfig(kubeConfig, apiServerURL)
+	if err != nil {
+		return nil, err
+	}
+
+	config.WrapTransport = extdnshttp.NewInstrumentedTransport
+	config.Timeout = requestTimeout
+
+	return config, nil
+}
+
+// NewKubeClient returns a new Kubernetes client object. It takes a Config and
+// uses APIServerURL and KubeConfig attributes to connect to the cluster. If
+// KubeConfig isn't provided it defaults to using the recommended default.
+func NewKubeClient(kubeConfig, apiServerURL string, requestTimeout time.Duration) (*kubernetes.Clientset, error) {
+	log.Infof("Instantiating new Kubernetes client")
+	config, err := InstrumentedRESTConfig(kubeConfig, apiServerURL, requestTimeout)
+	if err != nil {
+		return nil, err
+	}
+	client, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		return nil, err
+	}
+	log.Infof("Created Kubernetes client %s", config.Host)
+	return client, nil
+}

pkg/client/config_test.go

@@ -0,0 +1,141 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubeclient
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+func TestGetRestConfig_WithKubeConfig(t *testing.T) {
+	svr := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
+	defer svr.Close()
+
+	mockKubeCfgDir := filepath.Join(t.TempDir(), ".kube")
+	mockKubeCfgPath := filepath.Join(mockKubeCfgDir, "config")
+	err := os.MkdirAll(mockKubeCfgDir, 0755)
+	require.NoError(t, err)
+
+	kubeCfgTemplate := `apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+    server: %s
+  name: test-cluster
+contexts:
+- context:
+    cluster: test-cluster
+    user: test-user
+  name: test-context
+current-context: test-context
+users:
+- name: test-user
+  user:
+    token: fake-token
+`
+	err = os.WriteFile(mockKubeCfgPath, fmt.Appendf(nil, kubeCfgTemplate, svr.URL), 0644)
+	require.NoError(t, err)
+
+	config, err := GetRestConfig(mockKubeCfgPath, "")
+	require.NoError(t, err)
+	require.NotNil(t, config)
+	assert.Equal(t, svr.URL, config.Host)
+}
+
+func TestInstrumentedRESTConfig_AddsMetrics(t *testing.T) {
+	svr := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
+	defer svr.Close()
+
+	mockKubeCfgDir := filepath.Join(t.TempDir(), ".kube")
+	mockKubeCfgPath := filepath.Join(mockKubeCfgDir, "config")
+	err := os.MkdirAll(mockKubeCfgDir, 0755)
+	require.NoError(t, err)
+
+	kubeCfgTemplate := `apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+    server: %s
+  name: test-cluster
+contexts:
+- context:
+    cluster: test-cluster
+    user: test-user
+  name: test-context
+current-context: test-context
+users:
+- name: test-user
+  user:
+    token: fake-token
+`
+	err = os.WriteFile(mockKubeCfgPath, fmt.Appendf(nil, kubeCfgTemplate, svr.URL), 0644)
+	require.NoError(t, err)
+
+	timeout := 30 * time.Second
+	config, err := InstrumentedRESTConfig(mockKubeCfgPath, "", timeout)
+	require.NoError(t, err)
+	require.NotNil(t, config)
+
+	assert.Equal(t, timeout, config.Timeout)
+	assert.NotNil(t, config.WrapTransport, "WrapTransport should be set for metrics")
+}
+
+func TestGetRestConfig_RecommendedHomeFile(t *testing.T) {
+	svr := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
+	defer svr.Close()
+
+	mockKubeCfgDir := filepath.Join(t.TempDir(), ".kube")
+	mockKubeCfgPath := filepath.Join(mockKubeCfgDir, "config")
+	err := os.MkdirAll(mockKubeCfgDir, 0755)
+	require.NoError(t, err)
+
+	kubeCfgTemplate := `apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+    server: %s
+  name: test-cluster
+contexts:
+- context:
+    cluster: test-cluster
+    user: test-user
+  name: test-context
+current-context: test-context
+`
+	err = os.WriteFile(mockKubeCfgPath, fmt.Appendf(nil, kubeCfgTemplate, svr.URL), 0644)
+	require.NoError(t, err)
+
+	prevRecommendedHomeFile := clientcmd.RecommendedHomeFile
+	t.Cleanup(func() {
+		clientcmd.RecommendedHomeFile = prevRecommendedHomeFile
+	})
+	clientcmd.RecommendedHomeFile = mockKubeCfgPath
+
+	config, err := GetRestConfig("", "")
+	require.NoError(t, err)
+	require.NotNil(t, config)
+	assert.Equal(t, svr.URL, config.Host)
+}

pkg/events/controller.go

@@ -28,8 +28,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	v1 "k8s.io/client-go/kubernetes/typed/events/v1"
-	"k8s.io/client-go/rest"
-	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/client-go/util/workqueue"
 )
 
@@ -53,23 +51,11 @@ type Controller struct {
 	hostname        string
 }
 
-func NewEventController(cfg *Config) (*Controller, error) {
+func NewEventController(client v1.EventsV1Interface, cfg *Config) (*Controller, error) {
 	queue := workqueue.NewTypedRateLimitingQueueWithConfig[any](
 		workqueue.DefaultTypedControllerRateLimiter[any](),
 		workqueue.TypedRateLimitingQueueConfig[any]{Name: controllerName},
 	)
-	// TODO: to externalize this as similar to source.GetRestConfig
-	// TODO: instrument with metrics
-	rConfig, err := GetRestConfig(cfg.kubeConfig, cfg.apiServerURL)
-	if err != nil {
-		return nil, err
-	}
-	rConfig.Timeout = cfg.timeout
-
-	client, err := v1.NewForConfig(rConfig)
-	if err != nil {
-		return nil, err
-	}
 	hostname, _ := os.Hostname()
 	return &Controller{
 		client:          client,
@@ -155,28 +141,3 @@ func (ec *Controller) emit(event *eventsv1.Event) {
 	event.ReportingController = controllerName
 	ec.queue.Add(event)
 }
-
-// GetRestConfig TODO: copy of source.GetRestConfig, consider moving to a common package
-func GetRestConfig(kubeConfig, apiServerURL string) (*rest.Config, error) {
-	if kubeConfig == "" {
-		if _, err := os.Stat(clientcmd.RecommendedHomeFile); err == nil {
-			kubeConfig = clientcmd.RecommendedHomeFile
-		}
-	}
-
-	var (
-		config *rest.Config
-		err    error
-	)
-	if kubeConfig == "" {
-		log.Debug("Using inCluster-config based on serviceaccount-token")
-		config, err = rest.InClusterConfig()
-	} else {
-		log.Debug("Using kubeConfig")
-		config, err = clientcmd.BuildConfigFromFlags(apiServerURL, kubeConfig)
-	}
-	if err != nil {
-		return nil, err
-	}
-	return config, nil
-}