Log events in build log during pod provisioning

[Vlatombe]

This listens to pod events during the agent launch and stream them in the build logs. Streaming stops once the agent is up and running.

Happy case

‘Jenkins’ doesn’t have label ‘pp_20-pm7l0’

Created Pod: kubernetes-plugin-test/pp-20-pm7l0-chmxk-m4pww
[Normal][kubernetes-plugin-test/pp-20-pm7l0-chmxk-m4pww][Scheduled] Successfully assigned kubernetes-plugin-test/pp-20-pm7l0-chmxk-m4pww to docker-desktop
[Normal][kubernetes-plugin-test/pp-20-pm7l0-chmxk-m4pww][Pulled] Container image "jenkins/jnlp-slave:4.0.1-1" already present on machine
[Normal][kubernetes-plugin-test/pp-20-pm7l0-chmxk-m4pww][Created] Created container jnlp
[Normal][kubernetes-plugin-test/pp-20-pm7l0-chmxk-m4pww][Started] Started container jnlp

Agent pp-20-pm7l0-chmxk-m4pww is provisioned from template pp_20-pm7l0-chmxk

Unhappy case

Created Pod: kubernetes-plugin-test/wrong-image-10-0x2gp-cqgzf-pdrq8
[Normal][kubernetes-plugin-test/wrong-image-10-0x2gp-cqgzf-pdrq8][Scheduled] Successfully assigned kubernetes-plugin-test/wrong-image-10-0x2gp-cqgzf-pdrq8 to docker-desktop

[Normal][kubernetes-plugin-test/wrong-image-10-0x2gp-cqgzf-pdrq8][Pulling] Pulling image "invalid:image"

[Warning][kubernetes-plugin-test/wrong-image-10-0x2gp-cqgzf-pdrq8][Failed] Failed to pull image "invalid:image": rpc error: code = Unknown desc = Error response from daemon: pull access denied for invalid, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
[Warning][kubernetes-plugin-test/wrong-image-10-0x2gp-cqgzf-pdrq8][Failed] Error: ErrImagePull
[Normal][kubernetes-plugin-test/wrong-image-10-0x2gp-cqgzf-pdrq8][Pulled] Container image "jenkins/jnlp-slave:4.0.1-1" already present on machine
[Normal][kubernetes-plugin-test/wrong-image-10-0x2gp-cqgzf-pdrq8][Created] Created container jnlp
[Normal][kubernetes-plugin-test/wrong-image-10-0x2gp-cqgzf-pdrq8][Started] Started container jnlp
[Normal][kubernetes-plugin-test/wrong-image-10-0x2gp-cqgzf-pdrq8][Pulled] Container image "maven:3.3.9-jdk-8-alpine" already present on machine
[Normal][kubernetes-plugin-test/wrong-image-10-0x2gp-cqgzf-pdrq8][Created] Created container maven

[Normal][kubernetes-plugin-test/wrong-image-10-0x2gp-cqgzf-pdrq8][Started] Started container maven
[Normal][kubernetes-plugin-test/wrong-image-10-0x2gp-cqgzf-pdrq8][BackOff] Back-off pulling image "invalid:image"
[Warning][kubernetes-plugin-test/wrong-image-10-0x2gp-cqgzf-pdrq8][Failed] Error: ImagePullBackOff

[Warning][kubernetes-plugin-test/wrong-image-10-0x2gp-cqgzf-pdrq8][Failed] Error: ImagePullBackOff
ERROR: Unable to pull Docker image "invalid:image". Check if image tag name is spelled correctly.
[Normal][kubernetes-plugin-test/wrong-image-10-0x2gp-cqgzf-pdrq8][BackOff] Back-off pulling image "invalid:image"

ERROR: Unable to pull Docker image "invalid:image". Check if image tag name is spelled correctly.

[Vlatombe]

Need to gracefully degrade if jenkins sa is not able to watch pod events.

[Vlatombe]

Looks like SelfSubjectAccessReview is broken in kubernetes-client. Haven't been able to use it.

[jglick]

One thing that has long bothered me: the build log receives a dump of the YAML of the pod if and when the agent launches successfully, but if the launch fails you have to either enable fine logging or have kubectl access in order to see what pod definition Jenkins had tried to create. Is that still true here; and where does the YAML appear relative to these other messages?

[jglick]

Is this special case still needed? I am not really sure what it was doing to begin with; looks suspicious.

[Vlatombe]

It fails the build if one of the docker images is invalid (#497). Ideally I think it would deserve a rework but it works.

[jglick]

But the build would fail anyway, without this clause; the exception would be thrown up out of launch. Right? And with this PR, you would see the appropriate diagnostics right in the log. But the current code here does more, by canceling some queue items (which seem to be any node blocks associated with this build, which is wrong by the way—should only be canceling the node block associated with this pod). If that is needed in order to prevent the build from hanging, then it is needed in many other error cases too. So this does not add up for me.

[Vlatombe]

No, the launcher would just fail but this wouldn't affect the build so the build would wait forever.

should only be canceling the node block associated with this pod

probably.

[jglick]

I do not think this is anything blocking the current PR but it looks like something to revisit.

[Vlatombe]

@jglick I'm revisiting this, not sure how to find out item should be cancelled exactly.
The only correlation I can make seems to be based on label, since at this point the queue item is not yet assigned to the node. There could be several items waiting for a node if they are inside a parallel block or using a static pod template. So, cancel the first one only?

[jglick]

Not sure.

[Vlatombe]

Next build should be ok. https://ci.jenkins.io/job/Plugins/job/kubernetes-plugin/job/PR-742/8/display/redirect shows 3 failures without privilege to watch events, pretty much what I expected.

[Vlatombe]

One thing that has long bothered me: the build log receives a dump of the YAML of the pod if and when the agent launches successfully, but if the launch fails you have to either enable fine logging or have kubectl access in order to see what pod definition Jenkins had tried to create. Is that still true here; and where does the YAML appear relative to these other messages?

That part isn't touched by this PR, so the yaml is printed once you have an executor. But when using the podTemplate DSL, it could now be dumped before.

[lelandsindttouchnet]

Is is reasonable to ask that this log line be written more readily (less restricted than FINE) and include a note/link to instructions for the required level of access needed to watch pod events?

[jglick]

Yes, this seems like it could be at INFO.

[jglick]

Or printed to the runListener.

[jglick]

Vlatombe force-pushed

Broke incremental review, so I guess I will need to review from scratch.

[jglick]

Yes, this seems like it could be at INFO.

[jglick]

But the build would fail anyway, without this clause; the exception would be thrown up out of launch. Right? And with this PR, you would see the appropriate diagnostics right in the log. But the current code here does more, by canceling some queue items (which seem to be any node blocks associated with this build, which is wrong by the way—should only be canceling the node block associated with this pod). If that is needed in order to prevent the build from hanging, then it is needed in many other error cases too. So this does not add up for me.

[jglick]

Still have some questions but looks good.

[jglick]

How could it be null? You just assigned it via a constructor. Does SpotBugs not reject this?

[Vlatombe]

I guess Spotbugs thinks eventWatch could have a side-effect.

[jglick]

AFAICT the watcher field is only written to in the one place above, so it should be definitely non-null here. You can always

Suggested change

	if (watcher != null) {
	assert watcher != null;

to make it behave.

[Vlatombe]

🤷‍♂

[jglick]

Or printed to the runListener.

[mickaelistria]

Thank you so much!