-
Notifications
You must be signed in to change notification settings - Fork 7.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disable full push on scale from 1->0->1 #40866
Conversation
Skipping CI for Draft Pull Request. |
/test all |
Fixes istio#39652 This reverts istio#36882. At the time, that PR was needed because EDS ServiceAccounts and CDS ServiceAccounts were decoupled; Since istio#39133, this is no longer true, and the fix in 36882 is not needed any longer. This PR *removes* the test added in 36882 (since it tests low level details that are not relevant anymore). It improves the existing TestEndpointFlipFlops test -- while that test *would* have caught the regression, it didn't actually set any service accounts so it was missed. The update changes it to correctly detect the behavior (it now fails without this PR, passes with it).
89b3390
to
82095ed
Compare
cc |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could not see how you diable full push.
before on delete we clean up the SAs, so it ends up empty. Then when the
pod comes back up, new SA is added, which is a change so it triggers a full
push.
Now we avoid changing the SA when it's removed so it doesn't change when
the new one comes back up
…On Thu, Sep 8, 2022, 7:30 PM Zhonghu Xu ***@***.***> wrote:
***@***.**** commented on this pull request.
Could not see how you diable full push.
—
Reply to this email directly, view it on GitHub
<#40866 (review)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYGXITIZ4SXCHBG7YTG4TV5KOOFANCNFSM6AAAAAAQHG56VU>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
it is fairly subtle... but we do have a test for it at least (and now it
works... before it didn't unfortunately)
…On Thu, Sep 8, 2022, 7:34 PM John Howard ***@***.***> wrote:
before on delete we clean up the SAs, so it ends up empty. Then when the
pod comes back up, new SA is added, which is a change so it triggers a full
push.
Now we avoid changing the SA when it's removed so it doesn't change when
the new one comes back up
On Thu, Sep 8, 2022, 7:30 PM Zhonghu Xu ***@***.***> wrote:
> ***@***.**** commented on this pull request.
>
> Could not see how you diable full push.
>
> —
> Reply to this email directly, view it on GitHub
> <#40866 (review)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AAEYGXITIZ4SXCHBG7YTG4TV5KOOFANCNFSM6AAAAAAQHG56VU>
> .
> You are receiving this because you were mentioned.Message ID:
> ***@***.***>
>
|
In case all pods of a service is down, and at this time another event triggers a full push, we will result in having incorrect cluster. |
Why? the cluster is unchanged during 1 pod, 0 pod, and then back to 1 pod -
it always has the last service account when there is 0 pods to avoid a full
push the remove the SA when it doesn't matter (if there are no endpoints SA
is never used anyways)
…On Thu, Sep 8, 2022, 7:38 PM Zhonghu Xu ***@***.***> wrote:
In case all pods of a service is down, and at this time another event
triggers a full push, we will result in having incorrect cluster.
—
Reply to this email directly, view it on GitHub
<#40866 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYGXLNCQQN6CD6FVVYOEDV5KPJFANCNFSM6AAAAAAQHG56VU>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
But the cluster upstream tls setting can have the sas of deleted pods, we could know whether they will come back |
I believe that when we scale back yo we will 'reset' the service accounts.
So typically we come back up with the same account and no update needed. If
it's a different account, however, it should clear the old one out and
trigger a full push.
Let me add a test for that case
…On Thu, Sep 8, 2022, 7:43 PM Zhonghu Xu ***@***.***> wrote:
But the cluster upstream tls setting can have the sas of deleted pods, we
could know whether they will come back
—
Reply to this email directly, view it on GitHub
<#40866 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYGXMOTEBFCGBS2Z3LR5TV5KP6NANCNFSM6AAAAAAQHG56VU>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
In response to a cherrypick label: #40866 failed to apply on top of branch "release-1.13":
|
In response to a cherrypick label: new issue created for failed cherrypick: #41001 |
In response to a cherrypick label: #40866 failed to apply on top of branch "release-1.14":
|
In response to a cherrypick label: new issue created for failed cherrypick: #41002 |
In response to a cherrypick label: #40866 failed to apply on top of branch "release-1.13":
|
In response to a cherrypick label: new issue created for failed cherrypick: #41003 |
In response to a cherrypick label: #40866 failed to apply on top of branch "release-1.15":
|
In response to a cherrypick label: new issue created for failed cherrypick: #41004 |
In response to a cherrypick label: #40866 failed to apply on top of branch "release-1.14":
|
In response to a cherrypick label: new issue created for failed cherrypick: #41005 |
In response to a cherrypick label: #40866 failed to apply on top of branch "release-1.13":
|
In response to a cherrypick label: new issue created for failed cherrypick: #41006 |
In response to a cherrypick label: #40866 failed to apply on top of branch "release-1.15":
|
In response to a cherrypick label: new issue created for failed cherrypick: #41007 |
This should not be cherrypicked. |
Fixes #39652
This reverts #36882. At the time,
that PR was needed because EDS ServiceAccounts and CDS ServiceAccounts
were decoupled; Since #39133, this is
no longer true, and the fix in 36882 is not needed any longer.
This PR removes the test added in 36882 (since it tests low level
details that are not relevant anymore). It improves the existing
TestEndpointFlipFlops test -- while that test would have caught the
regression, it didn't actually set any service accounts so it was
missed. The update changes it to correctly detect the behavior (it now
fails without this PR, passes with it).