From 7481149a61a51fe3b8f76e8d949ff13ea6eab13c Mon Sep 17 00:00:00 2001
From: Ondrej Blazek
Date: Wed, 10 Jan 2024 09:11:14 +0100
Subject: [PATCH] endpoint: set labels outside NewEndpointFromChange

When endpoint API is used to create an endpoint and `EndpointChangeRequest` contains labels, it will not allocate an identity to the endpoint. During `NewEndpointFromChangeModel()` labels are stored in the endpoint model, causing the followup call `ep.UpdateLabels()` to not bump revision during this single `createEndpoint()` call. This means the folloup call to `e.runIdentityResolver()` never happens and the endpoint ends up without identity and with state waiting-for-identity.
```
ENDPOINT IDENTITY LABELS (source:key[=value]) IPv4 STATUS 3236 k8s:app=incubator-mynetns3 10.247.1.1 waiting-for-identity k8s:io.cilium.k8s.policy.cluster=default k8s:io.kubernetes.pod.namespace=default
```
This should be allowed, otherwise user can only not set the labels during `createEndpoint()` call and do a followup call `patchEndpoint()` where labels will be set which then triggers regeneration to be triggered and identity allocated. This commit fixes the above issue by letting the caller handle the setting of the endpoint labels and remove them from `NewEndpointFromChangeModel()`.
```
ENDPOINT IDENTITY LABELS (source:key[=value]) IPv4 STATUS 331 21864 k8s:app=incubator-mynetns3 10.247.1.1 ready k8s:io.cilium.k8s.policy.cluster=default k8s:io.kubernetes.pod.namespace=default
```
Fixes: #29776
Signed-off-by: Ondrej Blazek
---
 daemon/cmd/endpoint.go | 7 +++++++
 pkg/endpoint/api.go | 8 --------
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/daemon/cmd/endpoint.go b/daemon/cmd/endpoint.go
index 268619a485d7f..03d149d2a6cb1 100644
--- a/daemon/cmd/endpoint.go
+++ b/daemon/cmd/endpoint.go
@@ -627,6 +627,13 @@ func patchEndpointIDHandler(d *Daemon, params PatchEndpointIDParams) middleware.
 return api.Error(PutEndpointIDInvalidCode, err2)
 }
 
+ if epTemplate.Labels != nil {
+ lbls := labels.NewLabelsFromModel(epTemplate.Labels)
+ identityLabels, infoLabels := labelsfilter.Filter(lbls)
+ newEp.OpLabels.OrchestrationIdentity = identityLabels
+ newEp.OpLabels.OrchestrationInfo = infoLabels
+ }
+
 var validStateTransition bool
 
 // Log invalid state transitions, but do not error out for backwards
diff --git a/pkg/endpoint/api.go b/pkg/endpoint/api.go
index 4ce1a242ff816..0848f27cf0caa 100644
--- a/pkg/endpoint/api.go
+++ b/pkg/endpoint/api.go
@@ -18,7 +18,6 @@ import (
 identitymodel "github.com/cilium/cilium/pkg/identity/model"
 "github.com/cilium/cilium/pkg/labels"
 "github.com/cilium/cilium/pkg/labels/model"
- "github.com/cilium/cilium/pkg/labelsfilter"
 "github.com/cilium/cilium/pkg/mac"
 "github.com/cilium/cilium/pkg/option"
 "github.com/cilium/cilium/pkg/policy"
@@ -129,13 +128,6 @@ func NewEndpointFromChangeModel(ctx context.Context, owner regeneration.Owner, p
 }
 }
 
- if base.Labels != nil {
- lbls := labels.NewLabelsFromModel(base.Labels)
- identityLabels, infoLabels := labelsfilter.Filter(lbls)
- ep.OpLabels.OrchestrationIdentity = identityLabels
- ep.OpLabels.OrchestrationInfo = infoLabels
- }
-
 if base.State != nil {
 ep.setState(State(*base.State), "Endpoint creation")
 }
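Review bot: In daemon/cmd/endpoint.go the labels block added to patchEndpointIDHandler carries no comment saying why the handler must now populate `newEp.OpLabels` itself, and nothing in this patch documents that NewEndpointFromChangeModel stopped applying the model's labels. These labels drive identity allocation, so a later caller of the constructor that misses the new contract would build an endpoint without orchestration labels and without any error; I would add above the new `if` something like `// NewEndpointFromChangeModel no longer applies model labels; callers must set OpLabels themselves.` and state the same in the constructor's doc comment. The diffstat shows only two files and no test, so a regression test that creates an endpoint with labels and asserts it leaves `waiting-for-identity` seems worth adding. The labels are copied from `epTemplate` as received; whether the handler validates them elsewhere (for example against label sources the API should not be able to set) is outside the hunk and should be confirmed. The handler body starts before and continues after this hunk.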