Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: use /status/ready as readiness probe of gateway for gateway discovery #4368

Merged
merged 11 commits into from
Jul 21, 2023
Merged

feat: use /status/ready as readiness probe of gateway for gateway discovery #4368

merged 11 commits into from
Jul 21, 2023

Conversation

czeslavo
Copy link
Contributor

What this PR does / why we need it:

Changes the Gateway's Pod readiness probe from /status to /status/ready. /status/ready returns 200 after receiving the first non-empty configuration. That allows to make Gateway pods to serve proxy traffic only after they're initially configured by KIC.

In KIC's Gateway discovery, instead of relying on EndpointSlices Endpoints' being ready, we use the discovered endpoints despite their readiness (we only discard terminating ones) and verify their readiness on our own with the use of the Admin API's /status in the ReadinessChecker. It requires running a periodic readiness reconciliation loop to check whether the endpoints that were ready should be moved to the pending list and vice versa.

Fundamental changes that were made in this PR:

  • KongAdminAPIServiceReconciler watches Admin API service endpoints and pushes all but terminating ones to the AdminAPIClientsManager (via Notify method)
  • AdminAPIClientsManager accepts the discovered endpoints and verifies their readiness with use of a new ReadinessChecker first:
    • if they're not ready - they're kept on a pending list
    • if they're ready - they're kept on an active list (that is used to return GatewayClients() to the upper layers)
  • AdminAPIClientsManager is responsible for running a readiness reconciliation loop in which it uses ReadinessChecker to verify if:
    • the clients kept on the active list became not ready; if yes, move them to the pending list
    • the clients kept on the pending list became ready; if yes, move them to the active list

Which issue this PR fixes:

Closes #3499.

Special notes for your reviewer:

PR Readiness Checklist:

Complete these before marking the PR as ready to review:

  • the CHANGELOG.md release notes have been updated to reflect any significant (and particularly user-facing) changes introduced by this PR

@czeslavo czeslavo added the ci/run-e2e Trigger e2e test run from PR label Jul 18, 2023
@czeslavo czeslavo self-assigned this Jul 18, 2023
@czeslavo czeslavo added this to the KIC v2.11.0 milestone Jul 18, 2023
@team-k8s-bot
Copy link
Collaborator

E2E (targeted) tests with KIND-based clusters were started at https://github.com/Kong/kubernetes-ingress-controller/actions/runs/5591322167

@team-k8s-bot team-k8s-bot removed the ci/run-e2e Trigger e2e test run from PR label Jul 18, 2023
@codecov
Copy link

codecov bot commented Jul 18, 2023
edited

Codecov Report

Patch coverage: 93.1% and project coverage change: +0.2 🎉

Comparison is base (00cf5d1) 65.7% compared to head (92ffd58) 65.9%.

Additional details and impacted files 
@@           Coverage Diff           @@
##            main   #4368     +/-   ##
=======================================
+ Coverage   65.7%   65.9%   +0.2%     
=======================================
  Files        157     158      +1     
  Lines      18159   18274    +115     
=======================================
+ Hits       11939   12052    +113     
- Misses      5481    5484      +3     
+ Partials     739     738      -1
Impacted Files Coverage Δ
internal/adminapi/client.go 47.0% <0.0%> (-1.5%) ⬇️
internal/manager/run.go 53.2% <50.0%> (+0.1%) ⬆️
internal/clients/readiness.go 89.8% <89.8%> (ø)
internal/adminapi/endpoints.go 84.2% <100.0%> (ø)
internal/clients/manager.go 97.7% <100.0%> (+2.9%) ⬆️
...ntrollers/configuration/kongadminapi_controller.go 62.7% <100.0%> (+0.4%) ⬆️

... and 2 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

@czeslavo czeslavo added the ci/run-e2e Trigger e2e test run from PR label Jul 18, 2023
@team-k8s-bot
Copy link
Collaborator

E2E (targeted) tests with KIND-based clusters were started at https://github.com/Kong/kubernetes-ingress-controller/actions/runs/5591805351

@team-k8s-bot team-k8s-bot removed the ci/run-e2e Trigger e2e test run from PR label Jul 18, 2023
@czeslavo czeslavo marked this pull request as ready for review July 18, 2023 20:34
@czeslavo czeslavo requested a review from a team as a code owner July 18, 2023 20:34
@czeslavo czeslavo force-pushed the feat/use-gateway-status-ready branch from b099152 to e086e3e Compare July 18, 2023 20:36
rainest
rainest previously approved these changes Jul 18, 2023
View reviewed changes
Copy link
Contributor

@rainest rainest left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we expect this to have any affect on interaction with older versions? I don't see any testing with 3.0 (proxy pods come up fine and get config, no controller errors for the most part) but have a minor bugbear that there should be some odd behavior on versions where the endpoint doesn't exist.

There were some errors on scale up about failing to post config, but posts were successful after a few seconds, so it seems like we maybe try and push config before the instance is fully ready, but that's benign (and happens with 3.3 too, so it's not an older version behavior difference).

randmonkey
randmonkey reviewed Jul 19, 2023
View reviewed changes
internal/clients/manager.go Outdated Show resolved Hide resolved
internal/clients/manager.go Show resolved Hide resolved
@czeslavo
Copy link
Contributor Author

Do we expect this to have any affect on interaction with older versions? I don't see any testing with 3.0 (proxy pods come up fine and get config, no controller errors for the most part) but have a minor bugbear that there should be some odd behavior on versions where the endpoint doesn't exist.

I don't think so. The behavior of the controller will be compatible with any version of Gateway we supported so far. Despite the readiness endpoint used for Gateway's readinessProbe, it will detect all the endpoints behind an Admin API Service (with an exception for terminating ones) and will ensure their readiness by calling Admin API's /status endpoint. For Gateway 3.0 with /status configured as readinessProbe, it will work the same way which should be fine (we may say the effort for readiness checking will be doubled in a way, but it won't make it break).

There were some errors on scale up about failing to post config, but posts were successful after a few seconds, so it seems like we maybe try and push config before the instance is fully ready, but that's benign (and happens with 3.3 too, so it's not an older version behavior difference).

That's interesting - I was able to reproduce it on scale up as you mentioned. The initial readiness check passes (we succeed to create a client and it returns no error on /status) but later in the config push loop sometimes it happens that it refuses the connection on the first and/or second config push. Eventually, it always gets to the right state.

Perhaps this could be solved by making the checks made by KIC to keep track of success calls and consider clients ready only after they reach some success threshold (and similarly - we could have such a threshold for failures). I'd say that if we'd like to implement this, we can do that in a separate PR, WDYT?

@czeslavo czeslavo force-pushed the feat/use-gateway-status-ready branch from 36cf2c3 to 68a21f2 Compare July 19, 2023 09:19
@rainest
Copy link
Contributor

rainest commented Jul 19, 2023

Perhaps this could be solved by making the checks made by KIC to keep track of success calls and consider clients ready only after they reach some success threshold (and similarly - we could have such a threshold for failures). I'd say that if we'd like to implement this, we can do that in a separate PR, WDYT?

Yeah, it's not a concern for what this PR is trying to do, nor was it introduced by the changes here. I just noticed it when checking for these changes' backwards compatibility. Backwards compatibility for this is indeed fine.

randmonkey
randmonkey reviewed Jul 21, 2023
View reviewed changes
internal/clients/readiness.go Outdated Show resolved Hide resolved
internal/manager/run.go Outdated Show resolved Hide resolved
@czeslavo czeslavo requested a review from randmonkey July 21, 2023 08:47
@czeslavo czeslavo force-pushed the feat/use-gateway-status-ready branch from e04f1d5 to 92ffd58 Compare July 21, 2023 14:19
@czeslavo czeslavo merged commit 08c67a9 into main Jul 21, 2023
30 checks passed
@czeslavo czeslavo deleted the feat/use-gateway-status-ready branch July 21, 2023 18:47
@rainest rainest mentioned this pull request Aug 15, 2023
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@programmer04 programmer04 programmer04 left review comments

@rainest rainest rainest approved these changes

@randmonkey randmonkey Awaiting requested review from randmonkey

Assignees

@czeslavo czeslavo

Labels
size/XXL
Projects
None yet
Milestone
KIC v2.11.0
Development

Successfully merging this pull request may close these issues.

Gateway Discovery: implement marking Gateway proxy service ready after config has been pushed
5 participants
@czeslavo @team-k8s-bot @rainest @programmer04 @randmonkey