Optimize identity allocation with CRD backend. #23064

alan-kut · 2023-01-12T13:40:32Z

Introduce by key indexer to prevent going through all the identities all the time.
GlobalIdentity is moved to a separate packet so it can be imported without cyclic dependency.

Signed-off-by: Alan Kutniewski kutniewski@google.com
Fixes: #22984

Optimize getting identity by key with CRD Backend by introducing indexer.

pkg/k8s/identitybackend/identity_test.go

alan-kut · 2023-01-13T15:12:09Z

Travic CI - Pull Request - Build Errored:
It first failed with

The command "sudo -E apt-get -yq --no-install-suggests --no-install-recommends $(travis_apt_get_options) install kernel-package gnupg libncurses5" failed and exited with 100 during .

and then succeeded.

Gateway API Conformance Test failed with:

Error from server (NotFound): pods "coredns-565d847f94-g6mkl" not found

I don't think it is related to changes in the PR.

squeed · 2023-01-16T13:40:29Z

Kicked travis; if it fails again, then something is wrong (obviously not caused by this PR).

pkg/identity/cache/allocation_test.go

pkg/identity/key/global_identity.go

pkg/k8s/identitybackend/identity.go

squeed

This looks like a nice easy win, thanks!

A few nits, a few possible broader refactors, but I don't want to bikeshed :-)

alan-kut · 2023-01-16T15:27:18Z

I replied/fixed everything except for the indexing function. I'll try to determine whether it is safe to return error if the object is not a CiliumIdentity - it should be but I don't want to risk the store to panic

aditighag · 2023-01-19T01:21:04Z

/test

Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed:

Click to show.

Test Name

K8sUpdates Tests upgrade and downgrade from a Cilium stable image to master

Failure Output

FAIL: Unable to download helm chart v1.12 from GitHub

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.24-kernel-5.4 so I can create one.

aditighag · 2023-01-19T01:21:58Z

I triggered tests just to be sure there are no regressions.

alan-kut · 2023-01-19T09:40:21Z

Cilium Datapath (ci-datapath) — Datapath tests failed

📋 Test Report
❌ 5/31 tests failed (12/237 actions), 0 tests skipped, 0 scenarios skipped:
connectivity test failed: 5 tests failed
Test [no-policies]:
  ❌ no-policies/pod-to-world/http-to-one.one.one.one-0: cilium-test/client-755fb678bd-76fh5 (10.244.3.33) -> one.one.one.one-http (one.one.one.one:80)
  ❌ no-policies/pod-to-world/https-to-one.one.one.one-0: cilium-test/client-755fb678bd-76fh5 (10.244.3.33) -> one.one.one.one-https (one.one.one.one:443)
  ❌ no-policies/pod-to-world/https-to-one.one.one.one-index-0: cilium-test/client-755fb678bd-76fh5 (10.244.3.33) -> one.one.one.one-https-index (one.one.one.one:443)
  ❌ no-policies/pod-to-world/http-to-one.one.one.one-1: cilium-test/client2-5b97d7bc66-t4nb4 (10.244.3.66) -> one.one.one.one-http (one.one.one.one:80)
  ❌ no-policies/pod-to-world/https-to-one.one.one.one-1: cilium-test/client2-5b97d7bc66-t4nb4 (10.244.3.66) -> one.one.one.one-https (one.one.one.one:443)
  ❌ no-policies/pod-to-world/https-to-one.one.one.one-index-1: cilium-test/client2-5b97d7bc66-t4nb4 (10.244.3.66) -> one.one.one.one-https-index (one.one.one.one:443)
Test [to-entities-world]:
  ❌ to-entities-world/pod-to-world/http-to-one.one.one.one-0: cilium-test/client-755fb678bd-76fh5 (10.244.3.33) -> one.one.one.one-http (one.one.one.one:80)
  ❌ to-entities-world/pod-to-world/http-to-one.one.one.one-1: cilium-test/client2-5b97d7bc66-t4nb4 (10.244.3.66) -> one.one.one.one-http (one.one.one.one:80)
Test [client-egress-l7]:
  ❌ client-egress-l7/pod-to-world/http-to-one.one.one.one-0: cilium-test/client2-5b97d7bc66-t4nb4 (10.244.3.66) -> one.one.one.one-http (one.one.one.one:80)
Test [client-egress-l7-named-port]:
  ❌ client-egress-l7-named-port/pod-to-world/http-to-one.one.one.one-0: cilium-test/client2-5b97d7bc66-t4nb4 (10.244.3.66) -> one.one.one.one-http (one.one.one.one:80)
Test [to-fqdns]:
  ❌ to-fqdns/pod-to-world/http-to-one.one.one.one-0: cilium-test/client-755fb678bd-76fh5 (10.244.3.33) -> one.one.one.one-http (one.one.one.one:80)
  ❌ to-fqdns/pod-to-world/http-to-one.one.one.one-1: cilium-test/client2-5b97d7bc66-t4nb4 (10.244.3.66) -> one.one.one.one-http (one.one.one.one:80)
Error: Process completed with exit code 1.

alan-kut · 2023-01-19T09:43:26Z

All those curls terminated with exit code 28 which is time out.

squeed · 2023-01-19T12:31:15Z

test failures should be fixed by #23171

alan-kut · 2023-01-19T13:11:06Z

I'll wait for it then and then rebase once it's merged.

squeed · 2023-01-23T11:07:16Z

/test

aditighag · 2023-01-23T15:39:34Z

🚢

[ Backporter's notes: Ignoring changes from cilium#23064 ] pkg/allocator: Improve 'Key allocation attempt failed' handling for CRD mode In CRD mode, the Cilium agent uses CRD to create identities. After an identity is created, the agent acquires a reference for that key. This involves fetching the CRD from the local Kubernetes cache and checking for an annotation applied by cilium-operator to mark the identity for deletion. However, there may be a delay before the Cilium Identity is cached locally, leading to the 'Key allocation attempt failed' error. This patch ensures that we fallback to the newly allocated Cilium Identity if it's not found in the Kubernetes cache. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Anton Ippolitov <anton.ippolitov@datadoghq.com>

[ Backporter's notes: Ignoring changes from cilium#23064, replaced maps.Clone() with Go 1.19 compatible code ] pkg/allocator: Improve 'Key allocation attempt failed' handling for CRD mode In CRD mode, the Cilium agent uses CRD to create identities. After an identity is created, the agent acquires a reference for that key. This involves fetching the CRD from the local Kubernetes cache and checking for an annotation applied by cilium-operator to mark the identity for deletion. However, there may be a delay before the Cilium Identity is cached locally, leading to the 'Key allocation attempt failed' error. This patch ensures that we fallback to the newly allocated Cilium Identity if it's not found in the Kubernetes cache. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Anton Ippolitov <anton.ippolitov@datadoghq.com>

…RD mode [ upstream commit e39fcae ] [ Backporter's notes: Ignoring changes from cilium#23064, replaced maps.Clone() with Go 1.19 compatible code ] In CRD mode, the Cilium agent uses CRD to create identities. After an identity is created, the agent acquires a reference for that key. This involves fetching the CRD from the local Kubernetes cache and checking for an annotation applied by cilium-operator to mark the identity for deletion. However, there may be a delay before the Cilium Identity is cached locally, leading to the 'Key allocation attempt failed' error. This patch ensures that we fallback to the newly allocated Cilium Identity if it's not found in the Kubernetes cache. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Anton Ippolitov <anton.ippolitov@datadoghq.com>

…RD mode [ upstream commit e39fcae ] [ Backporter's notes: Ignoring changes from #23064, replaced maps.Clone() with Go 1.19 compatible code ] In CRD mode, the Cilium agent uses CRD to create identities. After an identity is created, the agent acquires a reference for that key. This involves fetching the CRD from the local Kubernetes cache and checking for an annotation applied by cilium-operator to mark the identity for deletion. However, there may be a delay before the Cilium Identity is cached locally, leading to the 'Key allocation attempt failed' error. This patch ensures that we fallback to the newly allocated Cilium Identity if it's not found in the Kubernetes cache. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Anton Ippolitov <anton.ippolitov@datadoghq.com>

[Backport, DROP on v1.14.0+] cilium#23064 Introduce by key indexer to prevent going through all the identities all the time. Removed the unit test since it's not compatible with v1.12. Fixes: cilium#22984 Change-Id: I7fb93276d5c899a4b49385f9bbee6a57148fd376 Signed-off-by: Alan Kutniewski <kutniewski@google.com> Reviewed-on: https://gke-internal-review.googlesource.com/c/third_party/cilium/+/654747 Reviewed-by: Dorde Lapcevic <dordel@google.com> Unit-Verified: Prow_Bot_V2 <425329972751-compute@developer.gserviceaccount.com> Reviewed-on: https://gke-internal-review.googlesource.com/c/third_party/cilium/+/771428 Reviewed-by: Prow_Bot_V2 <425329972751-compute@developer.gserviceaccount.com>

maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 12, 2023

github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Jan 12, 2023

alan-kut force-pushed the ids-opt branch from ad54f16 to 59f0529 Compare January 12, 2023 13:44

dlapcevic approved these changes Jan 12, 2023

View reviewed changes

pkg/k8s/identitybackend/identity_test.go Show resolved Hide resolved

alan-kut force-pushed the ids-opt branch from 59f0529 to 7072b76 Compare January 12, 2023 14:50

alan-kut marked this pull request as ready for review January 12, 2023 14:51

alan-kut requested review from a team as code owners January 12, 2023 14:51

alan-kut requested review from squeed and aditighag January 12, 2023 14:51

alan-kut force-pushed the ids-opt branch 2 times, most recently from 7e75539 to 59cd5d8 Compare January 13, 2023 09:17