[BUG] Reading stale RabbitmqCluster information can lead to undesired statefulset deletion #648
Comments
I think using `DeleteOptions` (with its `Preconditions` field) could help here:

```go
type DeleteOptions struct {
	unversioned.TypeMeta `json:",inline"`
	// Optional duration in seconds before the object should be deleted. Value must be non-negative integer.
	// The value zero indicates delete immediately. If this value is nil, the default grace period for the
	// specified type will be used.
	GracePeriodSeconds *int64 `json:"gracePeriodSeconds,omitempty"`
	// Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be
	// returned.
	Preconditions *Preconditions `json:"preconditions,omitempty"`
	// Should the dependent objects be orphaned. If true/false, the "orphan"
	// finalizer will be added to/removed from the object's finalizers list.
	OrphanDependents *bool `json:"orphanDependents,omitempty"`
}
```
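For illustration, here is a minimal, self-contained sketch (plain Go, not client-go; the store and object types are made up) of the UID-precondition semantics described in the comment above:

```go
package main

import "fmt"

// obj stands in for a statefulset as stored by the apiserver; its uid
// changes every time a same-named object is deleted and recreated.
type obj struct {
	name string
	uid  string
}

// deleteWithUIDPrecondition mimics the apiserver's handling of
// DeleteOptions.Preconditions.UID: the delete is refused with a
// 409 Conflict when the stored object's UID does not match.
func deleteWithUIDPrecondition(store map[string]obj, name, expectedUID string) error {
	o, ok := store[name]
	if !ok {
		return fmt.Errorf("not found: %s", name)
	}
	if expectedUID != "" && o.uid != expectedUID {
		return fmt.Errorf("409 Conflict: UID mismatch for %s", name)
	}
	delete(store, name)
	return nil
}

func main() {
	store := map[string]obj{
		"rabbitmq-cluster1": {name: "rabbitmq-cluster1", uid: "uid-new"},
	}
	// A controller acting on stale data still holds the old UID,
	// so the delete is rejected and the recreated object survives.
	fmt.Println(deleteWithUIDPrecondition(store, "rabbitmq-cluster1", "uid-old"))
	// A delete carrying the current UID succeeds (prints <nil>).
	fmt.Println(deleteWithUIDPrecondition(store, "rabbitmq-cluster1", "uid-new"))
}
```

With `Preconditions.UID` set to the UID the controller last observed, a delete issued on stale data fails with a conflict instead of removing the recreated object.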
@embano1 Thanks for the pointer!
Thank you @srteam2020 for reporting this and for submitting a PR to fix it. We discussed this issue yesterday in our internal sync up and we will have a look at your PR, likely tomorrow.
Linked commit: fix #648: delete the statefulset with precondition set to the correct… …error msg in statefulSetUID
Describe the bug
We find that rabbitmq-cluster-operator can accidentally delete the statefulset when the controller experiences a restart and talks to a stale apiserver in an HA k8s cluster. After some inspection, we find that the root cause is staleness served by the apiserver, which makes the controller think the RabbitmqCluster is going to be deleted (it carries a non-zero `DeletionTimestamp`) while it actually is not. One potential approach to handle this issue is to label each statefulset with the UID of its RabbitmqCluster, and check the label before deleting the statefulset.

To Reproduce
Steps to reproduce the behavior:
1. Create a RabbitmqCluster `rabbitmq-cluster1` in an HA k8s cluster. The controller is talking to apiserver1, and `reconcile()` creates a statefulset for `rabbitmq-cluster1`.
2. Delete `rabbitmq-cluster1`. Apiserver1 sends update events with a non-zero `DeletionTimestamp` to the controller, and the controller deletes the statefulset of `rabbitmq-cluster1` in `prepareForDeletion`. Meanwhile, apiserver2 is partitioned, so its watch cache stops at the moment `rabbitmq-cluster1` is tagged with a non-zero `DeletionTimestamp`.
3. Create `rabbitmq-cluster1` again, and its statefulset comes back. However, apiserver2 still holds the stale view that `rabbitmq-cluster1` has a non-zero `DeletionTimestamp` and is about to be deleted.
4. Restart the controller, which now talks to apiserver2. The controller reads the stale `rabbitmq-cluster1` from apiserver2, which claims that `rabbitmq-cluster1` has a non-zero `DeletionTimestamp`. Since the controller identifies the statefulset only by the name of the RabbitmqCluster, the statefulset belonging to the newly created RabbitmqCluster will be deleted in `prepareForDeletion`.

Expected behavior
The controller should be able to differentiate statefulsets belonging to different RabbitmqCluster instances that share the same name (over time). When reading stale information about a (previously deleted) RabbitmqCluster, the controller should check whether the existing statefulset really belongs to that RabbitmqCluster (e.g., by using the UID) before performing any deletion.
Version and environment information
Additional context
We are willing to issue a PR to help fix this issue.
As mentioned above, we can label each statefulset with the UID of the RabbitmqCluster, and check the label before deleting the statefulset to ensure we are deleting the correct statefulset.
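As a rough sketch of this idea (the label key and helper names below are hypothetical, not the operator's actual code):

```go
package main

import "fmt"

// Hypothetical label key; the real PR may use a different key or the
// delete-precondition mechanism instead.
const ownerUIDLabel = "rabbitmq.com/cluster-uid"

// labelStatefulSet records the owning RabbitmqCluster's UID on the
// statefulset's labels at creation time.
func labelStatefulSet(labels map[string]string, clusterUID string) {
	labels[ownerUIDLabel] = clusterUID
}

// safeToDelete checks the recorded UID before any deletion, so a stale
// view of a previously deleted, same-named RabbitmqCluster cannot
// delete the new instance's statefulset.
func safeToDelete(labels map[string]string, clusterUID string) bool {
	return labels[ownerUIDLabel] == clusterUID
}

func main() {
	labels := map[string]string{}
	labelStatefulSet(labels, "uid-new") // set when the new instance is reconciled
	fmt.Println(safeToDelete(labels, "uid-old")) // stale delete is skipped
	fmt.Println(safeToDelete(labels, "uid-new")) // legitimate delete proceeds
}
```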