25 changes: 23 additions & 2 deletions internal/provider/kubernetes/kubernetes.go
Expand Up @@ -8,6 +8,7 @@ package kubernetes
import (
"context"
"fmt"
"net/http"
"time"

appsv1 "k8s.io/api/apps/v1"
Expand Down Expand Up @@ -66,6 +67,26 @@ var (
webhookTLSPort = 9443
)

// cacheReadyCheck returns a healthz.Checker that verifies the manager's cache has synced.
// This ensures the control plane has populated its cache with all resources from the API server
// before reporting ready. This prevents serving inconsistent xDS configuration to Envoy proxies
// when running multiple control plane replicas during periods of resource churn.
func cacheReadyCheck(mgr manager.Manager) healthz.Checker {
return func(req *http.Request) error {
// Use a short timeout to avoid blocking the health check indefinitely.
// The readiness probe will retry periodically until the cache syncs.
ctx, cancel := context.WithTimeout(req.Context(), 1*time.Second)
defer cancel()

// WaitForCacheSync returns true if the cache has synced, false if the context is cancelled.
if !mgr.GetCache().WaitForCacheSync(ctx) {
return fmt.Errorf("cache not synced yet")
}

return nil
}
}

func New(ctx context.Context, restCfg *rest.Config, svrCfg *ec.Server,
resources *message.ProviderResources, errNotifier message.RunnerErrorNotifier,
) (*Provider, error) {
Expand Down Expand Up @@ -219,8 +240,8 @@ func newProvider(ctx context.Context, restCfg *rest.Config, svrCfg *ec.Server,
return nil, fmt.Errorf("unable to set up health check: %w", err)
}

// Add ready check health probes.
if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
// Add ready check to wait for a successful sync of the cache.
if err := mgr.AddReadyzCheck("cache-sync", cacheReadyCheck(mgr)); err != nil {
return nil, fmt.Errorf("unable to set up ready check: %w", err)
}

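Review bot: The one-second bound in `cacheReadyCheck` is the same as the kubelet's default probe `timeoutSeconds` of 1, so while the cache is still syncing the probe will probably be recorded as a probe timeout instead of receiving the `cache not synced yet` error, unless the deployment's readiness probe sets a longer timeout (the manifest is not visible here). A tighter bound keeps the failure explicit and holds each probe request for less time, e.g. `ctx, cancel := context.WithTimeout(req.Context(), 500*time.Millisecond)`. The comment above the `WaitForCacheSync` call should also say that `false` is returned when the deadline expires, not only on cancellation: `// WaitForCacheSync returns false if ctx is cancelled or its deadline passes before the cache has synced.` In the `newProvider` hunk the check is renamed from `readyz` to `cache-sync`, which presumably changes the per-check path under the readiness endpoint, so anything that queries the old check name would need updating. `newProvider`'s body starts and ends outside that hunk.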
1 change: 1 addition & 0 deletions release-notes/current.yaml
Expand Up @@ -13,6 +13,7 @@ bug fixes: |
Fixed SecurityPolicy BasicAuth validation to reject invalid {SHA} htpasswd entries.
Allowed single-label backend hostnames when running with the Host infrastructure, enabling Docker Compose service names for telemetry backends.
Fixed an issue that message package didn't adopt logging level.
Fixed issue with controller pods reporting as ready before successful cache sync.

# Enhancements that improve performance.
performance improvements: |