ipam/crd: Fix spurious CiliumNode update status failures

[gandro]

When running in CRD-based IPAM modes (Alibaba, Azure, ENI, CRD), it is
possible to observe spurious "Unable to update CiliumNode custom
resource" failures in the cilium-agent.

The full error message is as follows: "Operation cannot be fulfilled on
ciliumnodes.cilium.io : the object has been modified; please apply
your changes to the latest version and try again".

It means that the Kubernetes UpdateStatus call has failed because the
local ObjectMeta.ResourceVersion of submitted CiliumNode version is
out of date. In the presence of races, this error is expected and will
resolve itself once the agent receives a more recent version of the
object with the new resource version.

However, it is possible that the resource version of a CiliumNode
object is bumped even though the Spec or Status of the CiliumNode
remains the same. This for examples happens when
ObjectMeta.ManagedFields is updated by the Kubernetes apiserver.

Unfortunately, CiliumNode.DeepEqual does not consider any
ObjectMeta fields (including the resource version). Therefore two
objects with different resource versions are considered the same by the
CiliumNode watcher used by IPAM.

But to be able to successfully call UpdateStatus we need to know the
most recent resource version. Otherwise, UpdateStatus will always fail
until the CiliumNode object is updated externally for some reason.

Therefore, this commit modifies the logic to always store the most
recent version of the CiliumNode object, even if Spec or Status
has not changed. This in turn allows nodeStore.refreshNode (which
invokes UpdateStatus) to always work on the most recently observed
resource version.

ipam/crd: Fix spurious "Unable to update CiliumNode custom resource" failures in cilium-agent

[twpayne]

It looks like there was another bug in the old code here: valid was only set to true if oldNode and newNode were not equal. This PR looks like it fixes that.

[twpayne]

This is great, thanks!

[gandro]

/test

Job 'Cilium-PR-K8s-1.20-kernel-5.4' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sDatapathConfig AutoDirectNodeRoutes Check connectivity with sockops and direct routing

Failure Output

FAIL: Error creating resource /home/jenkins/workspace/Cilium-PR-K8s-1.20-kernel-5.4/src/github.com/cilium/cilium/test/k8sT/manifests/l3-policy-demo.yaml: Cannot retrieve cilium pod cilium-9w7lg policy revision: cannot get revision from json output '': could not parse JSON from command "kubectl exec -n kube-system cilium-9w7lg -- cilium policy get -o json"

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-1.20-kernel-5.4 so I can create a new GitHub issue to track it.

Job 'Cilium-PR-K8s-1.21-kernel-4.19' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sServicesTest Checks service across nodes Tests NodePort BPF Tests with direct routing Tests NodePort

Failure Output

FAIL: Request from testclient-jn7zz pod to service tftp://[fd03::218b]:10069/hello failed

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-1.21-kernel-4.19 so I can create a new GitHub issue to track it.

[gandro]

ConformanceEKS (the only CI where the code modified here is enabled) failed with the connectivity check with IPSec, which is a known flake: #16938 https://github.com/cilium/cilium/actions/runs/1475670758

[gandro]

/ci-eks

[gandro]

• https://jenkins.cilium.io/job/Cilium-PR-K8s-1.20-kernel-5.4/195/ hit CI: K8sDatapathConfig AutoDirectNodeRoutes Check connectivity with sockops and direct routing #16852
• https://jenkins.cilium.io/job/Cilium-PR-K8s-1.21-kernel-4.19/196 and https://jenkins.cilium.io/job/Cilium-PR-K8s-1.22-kernel-4.9/186/hit a variants of CI: K8sServicesTest Checks service across nodes Tests NodePort BPF Tests with direct routing Tests NodePort with Maglev Tests NodePort #13839 (which is currently known to affect many tests in that test suite)

The modified code is only active in ENI mode (i.e. ConformanceEKS, which passed). The failures are therefore unrelated. Marking as ready-to-merge.

[qmonnet]

@gandro Can you also have a look at the failure on k8s-1.22-kernel-4.9 please?
[Please re-label if you find the failure is unrelated.]

[gandro]

@qmonnet Apologies, on first glance it looked like a variant of #13839 as mentioned above, but might be a new flake since the symptoms are different (the affected tests are the same).

Will take a closer look and open an issue and then mark this again, but I'm very confident that this is unrelated to the PR since the code modified by this PR is not active in our Jenkins suite at all.

[gandro]

The link for https://jenkins.cilium.io/job/Cilium-PR-K8s-1.22-kernel-4.9/186/ just expired (it was still valid a few hours ago) 😬 Making it impossible to triage it again. Will restart it.

[gandro]

/test-1.22-4.9

[qmonnet]

Based on Sebastian's previous analysis & confidence and on the fact that the new run passed, I'll go ahead and merge. Thanks!

[gandro]

Marking this for backport to v1.10. Seems like users are hitting this on v1.10, and the backport should be rather trivial.