kubeadm etcd modifying recovery steps

[sbezverk]

Closes #56499

Modifying etcd recovery steps for the case of failed upgrade

[sbezverk]

/assign @luxas

[sbezverk]

/test pull-kubernetes-e2e-gce

[luxas]

As discussed in the SIG meeting, we won't downgrade etcd (as etcd doesn't support that) so the line should look sth like this instead:

return true, fmt.Errorf("the requested etcd version (%s) for Kubernetes v(%s) is lower than the currently running version (%s)", desiredEtcdVersion.String(), cfg.KubernetesVersion, currentEtcdVersion.String())

return false, fmt.Errorf("the requested etcd version (%s) for Kubernetes v(%s) is lower than the currently running version (%s). Proceeding with the Kubernetes downgrade but won't downgrade etcd", desiredEtcdVersion.String(), cfg.KubernetesVersion, currentEtcdVersion.String())

Also, we concluded to not try to automatically restore the etcd data, so you should remove the rollbackEtcdData function.

[luxas]

As discussed in the meeting, we'll just skip the etcd downgrade procedure when downgrading from v1.9 to v1.8

[sbezverk]

done

[luxas]

nit: change the cfg parameter to just nodeName string as that is the only thing used in cfg
I'd prefer if you parameterized the rollback function to call here instead of baking in this recoverEtcd logic... can you do that please?

[sbezverk]

here is the thing, if a separate function used for etcd manifest rollback then:

1. We just end up duplicating the code
2. componentUpgrade will needs to be changed and checked everytime when roll back is called to see which rollback needs to be called, normal or etcd specific, I think it will bring more confusion than gain from separating. Please let me know if you still wants me to change it.

[luxas]

ok, no need to change it

[luxas]

let's consider this a fatal error (quit the general upgrade as the etcd version would be wrong if we can't upgrade it)
The purpose of the rollback here and re-check is to avoid disruption for the user (the upgrade failed but the state was preserved)

[luxas]

s/non-fatal error upgrading local etcd cluster/fatal error when trying to upgrade the etcd cluster: %v. Rolled the state back to pre-upgrade state./

[sbezverk]

done, but then we will not have any non-fatal cases unless the complete upgrade is successful, now the question is why do we need fatal/non-fatal return?

[luxas]

the first case is non-fatal

[luxas]

write you own rollback func for etcd instead for passing this extra flag for better readability?

[sbezverk]

see previous comment. with the current way upgrade is coded, having a separate rollback for etcd will make things more complex. Please re-consider. Please ping me on slack to discuss.

[luxas]

/lgtm

[timothysc]

why does this exist? If it started up you can't roll it back safely, without restoring the snapshot.

[sbezverk]

Here is I address situation when upgradeComponent was successful, but upgradeComponent check ONLY if POD is running and its sha got changed. This additional check verifies if ETCD process is responsive. If it is not the case then we try to roll back.

[timothysc]

see comment.

[timothysc]

When upgrading etcd we will need to do the following:

• backup the etcd data (cp -r) and force a snapshot for good measure
• roll the upgrade
• if for any reason the upgrade is not smooth,
  • data must be restored
  • restore original manifests

[sbezverk]

@luxas @timothysc Gents, please sync up between each other I get contradicting reviews. From one side we do not restore data, from the other we do. Could you please agree on one?

[timothysc]

@sbezverk sorry about that. We've been chatting on slack about this, I'm a belt and suspenders person when it comes to etcd transitions... take all precautions.

[sbezverk]

@luxas @timothysc I will restore Etcd Data restore func and call it before each rollback.

[timothysc]

minor comments about the messages at the end of the block.

[timothysc]

Isn't this a successful rollback point here? Am I missing something?

[sbezverk]

you are right, fixed..

[timothysc]

same comment.

[sbezverk]

fixed

[timothysc]

/lgtm

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: luxas, sbezverk, timothysc

Associated issue: 56499

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• cmd/kubeadm/OWNERS [luxas,timothysc]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[k8s-github-robot]

[MILESTONENOTIFIER] Milestone Pull Request Current

@dmmcquay @fabriziopandini @luxas @sbezverk @timothysc

Note: This pull request is marked as priority/critical-urgent, and must be updated every 1 day during code freeze.

Example update:

ACK.  In progress
ETA: DD/MM/YYYY
Risks: Complicated fix required

Pull Request Labels

• sig/cluster-lifecycle: Pull Request will be escalated to these SIGs if needed.
• priority/critical-urgent: Never automatically move pull request out of a release milestone; continually escalate to contributor and SIG through all available channels.
• kind/bug: Fixes a bug discovered during the current release.

Help

• Additional instructions
• Commands for setting labels

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 56497, 56500, 55018, 56544, 56425). If you want to cherry-pick this change to another branch, please follow the instructions here.