container ssa: use readiness prob

[enoodle]

Instead of accessing the /healthz endpoint we can use kubernetes's
readinessProbe to do this for us and use the standard API instead of the
pod proxy which is less documented. This also simplifies the code.

This will hopefully solve two long outstanding BZs:
https://bugzilla.redhat.com/show_bug.cgi?id=1384629
https://bugzilla.redhat.com/show_bug.cgi?id=1371803

[enoodle]

@simon3z @moolitayer @ilackarms please review

[cben]

Sweet 👍

After the pod is ready, we'll still use the proxy URL to analyze the image, right? In one of the BZs conclusion was misconfigured proxy (?) - would this help there?

[ilackarms]

how are containerStatuses sorted by default? will [0] always be the most recent status? will [0] always exist (array len >= 1)?

[enoodle]

Its by containers. Each container has one status, so if a pod had two containers in it this list would be of length 2. because we only have one container we can safely use [0].

[ilackarms]

sounds good. i wasn't sure if it was an historical list of statuses; this makes more sense

[simon3z]

We should think to improve this using the kubernetes watch API (on the pod).

[enoodle]

@simon3z As far as I understand, the watch API will hang on the http response waiting for new updates. This means that the worker that is executing the job will hang until the image-inspector scan is complete. It means that parallel scans will be less "parallel" and the scaling will be damaged.
If there is a better way of using the watch API we should consider it but from what I have seen using curl and Kubeclient [1] we have to hang and wait on the connection.

[1]https://github.com/abonas/kubeclient/blob/master/lib/kubeclient/watch_stream.rb#L14

[simon3z]

@enoodle shouldn't we protect against possible nils here: [:status][:containerStatuses][0][:ready] ?

[enoodle]

@simon3z discussed this with Mooli: #14578 (comment)
The ready field is always there, I will add a check for containerStatuses and will log this before trying again (Assuming it is a temporary glitch from Openshift) instead of failing with a "method missing" cryptic error. I think this state is not possible for a running pod, but it might not be documented because I couldn't find it.

[enoodle]

@miq-bot add_label bug

[moolitayer]

Won't this keep queuing pod_wait if there is an error? (line 99)
Maybe you need:

return queue_signal(:abort_job, msg, "error")

Also do you mind adding brackets around e.message:

msg = "unknown access error to pod #{pod_full_name}: [#{e.message}]"

It makes nils really obvious

[enoodle]

👍 Good catch, Thanks

[enoodle]

@moolitayer If there was an error then ready won't be set, but I will add the "return" for clarity

[moolitayer]

Yes ready will not be set and you would schedule another check...

[enoodle]

@cben

After the pod is ready, we'll still use the proxy URL to analyze the image, right? In one of the BZs conclusion was misconfigured proxy (?) - would this help there?

Yes, I asked and seems to help with at least one of the mentioned BZs. The problem was that a "transparent" proxy was changing error messages, but now we are not based on error messages in our happy flow. If an error message from Kubernetes/Openshift is being switched then we will catch the exception and quit with the proxy's message, which is the best outcome IMO when we don't get the real message.

[moolitayer]

@enoodle should we expect the usual ephemeral missing method X for object nil that we get when k8s returns hashes that are missing elements? (what happens when you GET a pod right after creation, will it have containerStatuses?)

[enoodle]

@moolitayer Generally we should always have a containerStatus per container [1], if not then there is a problem (even if the pod is just creating). The ready flag is always present [2] so that too is kind of safe.

[1]https://github.com/kubernetes/kubernetes/blob/master/pkg/api/v1/types.go#L2504
[2]https://github.com/kubernetes/kubernetes/blob/master/pkg/api/v1/types.go#L1848

[moolitayer]

@enoodle BTW I think there is some code in openshift ansible we would be able to throw away in version that have this change. I'm referring to the code adding the pod/proxy * resource to management-infra-admin SA

[simon3z]

@ilackarms can give this a try and review?
There is a pending comment but overall LGTM.

[ilackarms]

i tested this locally and could not load Compute > Containers > Providers tab of the MIQ dashboard. Not sure if this is only my problem, maybe someone else can reproduce? Screenshot attached

[enoodle]

@ilackarms This is an unrelated error due to some changes done by the UI team (IIUC). make sure you have #14563

[ilackarms]

@enoodle problem solved; LTGM

[miq-bot]

Checked commit enoodle@4f5edf9 with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0
2 files checked, 0 offenses detected
Everything looks good. 👍

[simon3z]

LGTM 👍
@miq-bot assign roliveri

[simaishi]

@enoodle @roliveri should this be fine/yes?

[roliveri]

Sorry, not sure.

@simon3z should this be fine/yes?

[simon3z]

@simaishi @roliveri I would like to wait some more time to make sure everything is OK before backporting this to fine. I targeted the BZ to 5.8.1.

[simaishi]

@simon3z I'm backporting PRs for 5.8.1 now, please confirm this should now be fine/yes

[simon3z]

@miq-bot add_label fine/yes
cc @enoodle @simaishi

[simaishi]

Fine backport details:

$ git log -1
commit 4769a2390063743d227386fc963cc9fd1b5e77fa
Author: Richard Oliveri <oliveri.richard.github@gmail.com>
Date:   Mon Apr 17 11:12:11 2017 -0400

    Merge pull request #14578 from enoodle/container_ssa_use_readiness_probe
    
    container ssa: use readiness prob
    (cherry picked from commit 08c3090302d4c7fa747781dc3699e502194adb62)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1461558