OCPBUGS-1458: Allow CVO to update KUBERNETES_SERVICE_HOST with LB address

[petr-muller]

The problem was identified to be a broken substitution of internal load balancer into KUBERNETES_SERVICE_HOST by Trevor and David (see my JIRA comment and related Slack thread).

CVO injects the LB hostname in the ModifyDeployment fine, but then the deployment gets applied in ApplyDeployment and the EnsureDeployment->ensurePodTemplateSpec->ensurePodSpec->ensureContainers->ensureContainer->ensureEnvVar chain stomps the updated value in required by the old value from existing and reverts the injection.

This behavior was added intentionally in #559 as a part of a fix for various hot-looping issues. The substitution apparently caused some hot-looping issues in the past (slack thread). I have tested removing the special handling KUBERNETES_SERVICE_HOST thoroughly, and saw no problematic behavior. After fixing other hot-looping problems in #855 to eliminate noise, no new hot-loops occurs with KUBERNETES_SERVICE_HOST handling removed.

Even with the substitution fix, I observed further network problems in CVO (example):

F1024 17:40:24.591942       1 start.go:29] error: Get "https://api-int.ci-op-02b7hikv-3302f.ci.azure.devcluster.openshift.com:6443/apis/config.openshift.io/v1/featuregates/cluster": dial tcp: lookup api-int.ci-op-02b7hikv-3302f.ci.azure.devcluster.openshift.com on 172.30.0.10:53: read udp 169.254.169.2:48475->172.30.0.10:53: i/o timeout

To get rid of these, I added a client-side poll to CVO, but I currently fail to reproduce the issue in #859, so maybe the i/o timeout issues were just some co-indidental disruption bug that we happened to fix in the meantime? Not sure.

[openshift-ci-robot]

@petr-muller: This pull request references Jira Issue OCPBUGS-1458, which is invalid:

• expected the bug to target the "4.12.0" version, but it targets "4.12" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This just adds the reproducer for the behavior that (I think) is the culprit of OCPBUGS-1458. The problem was identified to be a broken substitution of internal load balancer into KUBERNETES_SERVICE_HOST by Trevor and David (see my JIRA comment and related Slack thread).

CVO injects the LB hostname in the ModifyDeployment fine, but then the deployment gets applied in ApplyDeployment and the EnsureDeployment->ensurePodTemplateSpec->ensurePodSpec->ensureContainers->ensureContainer->ensureEnvVar chain stomps the updated value in required by the old value from existing and reverts the injection in this way:

cluster-version-operator/lib/resourcemerge/core.go

Lines 115 to 120 in dc1ad0a

	// Currently only CVO deployment uses this variable to inject internal LB host.
	// This may result in an IP address being returned by API so assuming the
	// returned value is correct.
	if required[envidx].Name == "KUBERNETES_SERVICE_HOST" {
	ensureEnvVarKubeService(*existing, &required[envidx])
	}

cluster-version-operator/lib/resourcemerge/core.go

Lines 132 to 138 in dc1ad0a

	func ensureEnvVarKubeService(existing []corev1.EnvVar, required *corev1.EnvVar) {
	for envidx := range existing {
	if existing[envidx].Name == required.Name {
	required.Value = existing[envidx].Value
	}
	}
	}

This behavior was added intentionally in #559, but I do not understand the reasoning given in the comment:

Currently only CVO deployment uses KUBERNETES_SERVICE_HOST env variable to inject internal LB host.This may result in an IP address being returned by API so always assuming returned value is okay.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@petr-muller: This pull request references Jira Issue OCPBUGS-1458, which is invalid:

• expected the bug to target the "4.12.0" version, but it targets "4.12" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

For now, this just adds the reproducer for the behavior that (I think) is the culprit of OCPBUGS-1458. The problem was identified to be a broken substitution of internal load balancer into KUBERNETES_SERVICE_HOST by Trevor and David (see my JIRA comment and related Slack thread).

CVO injects the LB hostname in the ModifyDeployment fine, but then the deployment gets applied in ApplyDeployment and the EnsureDeployment->ensurePodTemplateSpec->ensurePodSpec->ensureContainers->ensureContainer->ensureEnvVar chain stomps the updated value in required by the old value from existing and reverts the injection in this way:

cluster-version-operator/lib/resourcemerge/core.go

Lines 115 to 120 in dc1ad0a

	// Currently only CVO deployment uses this variable to inject internal LB host.
	// This may result in an IP address being returned by API so assuming the
	// returned value is correct.
	if required[envidx].Name == "KUBERNETES_SERVICE_HOST" {
	ensureEnvVarKubeService(*existing, &required[envidx])
	}

cluster-version-operator/lib/resourcemerge/core.go

Lines 132 to 138 in dc1ad0a

	func ensureEnvVarKubeService(existing []corev1.EnvVar, required *corev1.EnvVar) {
	for envidx := range existing {
	if existing[envidx].Name == required.Name {
	required.Value = existing[envidx].Value
	}
	}
	}

This behavior was added intentionally in #559, but I do not understand the reasoning given in the comment:

Currently only CVO deployment uses KUBERNETES_SERVICE_HOST env variable to inject internal LB host.This may result in an IP address being returned by API so always assuming returned value is okay.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[petr-muller]

/test all

[petr-muller]

/test unit

[petr-muller]

/retest

[petr-muller]

/test all

[petr-muller]

/retest

[petr-muller]

/jira refresh

[openshift-ci-robot]

@petr-muller: This pull request references Jira Issue OCPBUGS-1458, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.12.0) matches configured target version for branch (4.12.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @shellyyang1989

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@petr-muller: This pull request references Jira Issue OCPBUGS-1458, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.12.0) matches configured target version for branch (4.12.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @shellyyang1989

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

The problem was identified to be a broken substitution of internal load balancer into KUBERNETES_SERVICE_HOST by Trevor and David (see my JIRA comment and related Slack thread).

CVO injects the LB hostname in the ModifyDeployment fine, but then the deployment gets applied in ApplyDeployment and the EnsureDeployment->ensurePodTemplateSpec->ensurePodSpec->ensureContainers->ensureContainer->ensureEnvVar chain stomps the updated value in required by the old value from existing and reverts the injection in this way:

cluster-version-operator/lib/resourcemerge/core.go

Lines 115 to 120 in dc1ad0a

	// Currently only CVO deployment uses this variable to inject internal LB host.
	// This may result in an IP address being returned by API so assuming the
	// returned value is correct.
	if required[envidx].Name == "KUBERNETES_SERVICE_HOST" {
	ensureEnvVarKubeService(*existing, &required[envidx])
	}

cluster-version-operator/lib/resourcemerge/core.go

Lines 132 to 138 in dc1ad0a

	func ensureEnvVarKubeService(existing []corev1.EnvVar, required *corev1.EnvVar) {
	for envidx := range existing {
	if existing[envidx].Name == required.Name {
	required.Value = existing[envidx].Value
	}
	}
	}

This behavior was added intentionally in #559 as a part of a fix for various hot-looping issues. The substitution apparently caused some hot-looping issues in the past (slack thread). I have tested removing the special handling KUBERNETES_SERVICE_HOST thoroughly, and saw no problematic behavior. After fixing other hot-looping problems in #855 to eliminate noise, no new hot-loops occurs with KUBERNETES_SERVICE_HOST handling removed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[petr-muller]

/wip

[petr-muller]

Needs #855 first

[petr-muller]

/retest

[petr-muller]

@wking @LalatenduMohanty I was seeing some surprising behavior of the timeout in PollImmediate. That method does not seem to interact well with ConditionFuncs that take a long time to execute (as in our case, where the client-go retry logic can make the GET take 30 seconds to execute). PollImmediate as implemented will always execute at least three iterations of ConditionFunc even if the timeout expires earlier, check out the testcase here: https://go.dev/play/p/frtOTVNGOHk. This means that our failure cases would cause CVO to shutdown in 90s in worst cases.

I solved this by implementing the timeout with a context instead, happy to hear your thoughts.

[petr-muller]

upgrade-out-of-change failure does not seem related:

alert TargetDown fired for 990 seconds with labels: {job="prometheus-k8s", namespace="openshift-monitoring", service="prometheus-k8s", severity="warning"}

/retest

[petr-muller]

[sig-node] nodes should not go unready after being upgraded and go unready only once expand_more :/
/retest

[petr-muller]

TestCVO_UpgradeFailedPayloadLoadWithCapsChanges
/test unit

[wking]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: petr-muller, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [wking]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[petr-muller]

/retest

[openshift-bot]

/bugzilla refresh

The requirements for Bugzilla bugs have changed (BZs linked to PRs on main branch need to target OCP 4.12), recalculating validity.

[openshift-ci]

@openshift-bot: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

Retaining the bugzilla/valid-bug label as it was manually added.

Details

In response to this:

/bugzilla refresh

The requirements for Bugzilla bugs have changed (BZs linked to PRs on main branch need to target OCP 4.12), recalculating validity.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[petr-muller]

/retest

[petr-muller]

/jira refresh

[openshift-ci-robot]

@petr-muller: This pull request references Jira Issue OCPBUGS-1458, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.13.0) matches configured target version for branch (4.13.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @shellyyang1989

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[petr-muller]

/test e2e-agnostic-upgrade-into-change

[petr-muller]

/retest

[petr-muller]

/retest

[petr-muller]

/test e2e-agnostic-upgrade-out-of-change

[petr-muller]

/test e2e-agnostic-upgrade-out-of-change

[petr-muller]

/test e2e-agnostic-upgrade-out-of-change

[openshift-ci]

@petr-muller: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-ci-robot]

@petr-muller: All pull requests linked via external trackers have merged:

• openshift/cluster-version-operator#851

Jira Issue OCPBUGS-1458 has been moved to the MODIFIED state.

Details

In response to this:

The problem was identified to be a broken substitution of internal load balancer into KUBERNETES_SERVICE_HOST by Trevor and David (see my JIRA comment and related Slack thread).

CVO injects the LB hostname in the ModifyDeployment fine, but then the deployment gets applied in ApplyDeployment and the EnsureDeployment->ensurePodTemplateSpec->ensurePodSpec->ensureContainers->ensureContainer->ensureEnvVar chain stomps the updated value in required by the old value from existing and reverts the injection.

This behavior was added intentionally in #559 as a part of a fix for various hot-looping issues. The substitution apparently caused some hot-looping issues in the past (slack thread). I have tested removing the special handling KUBERNETES_SERVICE_HOST thoroughly, and saw no problematic behavior. After fixing other hot-looping problems in #855 to eliminate noise, no new hot-loops occurs with KUBERNETES_SERVICE_HOST handling removed.

Even with the substitution fix, I observed further network problems in CVO (example):

F1024 17:40:24.591942       1 start.go:29] error: Get "https://api-int.ci-op-02b7hikv-3302f.ci.azure.devcluster.openshift.com:6443/apis/config.openshift.io/v1/featuregates/cluster": dial tcp: lookup api-int.ci-op-02b7hikv-3302f.ci.azure.devcluster.openshift.com on 172.30.0.10:53: read udp 169.254.169.2:48475->172.30.0.10:53: i/o timeout

To get rid of these, I added a client-side poll to CVO, but I currently fail to reproduce the issue in #859, so maybe the i/o timeout issues were just some co-indidental disruption bug that we happened to fix in the meantime? Not sure.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[petr-muller]

/cherry-pick release-4.12

[openshift-cherrypick-robot]

@petr-muller: new pull request created: #866

Details

In response to this:

/cherry-pick release-4.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.