[release-1.8] Periodically refresh APIServer CR in memory #2131
Conversation
If not explicitly set on its CR, HCO webhook is consuming TLS configuration from Openshift cluster-wide APIServer CR. For performance reason it's not reading it on each request to the HCO CR but it's consuming a cached representation. The cache was only refreshed by a controller based on an informer. We got reports that due to the nature of changes in the APIServer CR, the connection to the APIserver itself could become stuck: ``` W1025 13:50:16.898592 1 reflector.go:424] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:262: failed to list *v1.APIServer: Get "https://172.30.0.1:443/apis/config.openshift.io/v1/apiservers?resourceVersion=1572273": dial tcp 172.30.0.1:443: connect: connection refused E1025 13:50:16.898683 1 reflector.go:140] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:262: Failed to watch *v1.APIServer: failed to list *v1.APIServer: Get "https://172.30.0.1:443/apis/config.openshift.io/v1/apiservers?resourceVersion=1572273": dial tcp 172.30.0.1:443: connect: connection refused I1025 13:50:43.182360 1 trace.go:205] Trace[621733159]: "Reflector ListAndWatch" name:sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:262 (25-Oct-2022 13:50:19.338) (total time: 23843ms): Trace[621733159]: ---"Objects listed" error:<nil> 23843ms (13:50:43.182) Trace[621733159]: [23.843677488s] [23.843677488s] END I1025 13:50:43.716723 1 trace.go:205] Trace[255710357]: "Reflector ListAndWatch" name:sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:262 (25-Oct-2022 13:50:12.260) (total time: 31456ms): Trace[255710357]: ---"Objects listed" error:<nil> 31456ms (13:50:43.716) Trace[255710357]: [31.45666834s] [31.45666834s] END I1025 13:50:43.968506 1 trace.go:205] Trace[2001360213]: "Reflector ListAndWatch" name:sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:262 (25-Oct-2022 13:50:11.520) (total time: 32447ms): Trace[2001360213]: ---"Objects listed" error:<nil> 32447ms (13:50:43.968) Trace[2001360213]: [32.44785055s] [32.44785055s] END ``` On controller runtime the default SyncPeriod when all the watched resources are refreshed is 10 hourse ( see kubernetes-sigs/controller-runtime#521 for its reasons) but it appears too long for this specific use case. Let's ensure we read the APIServer CR at least once every minute. Make the logs less verbose. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2137896 Remove this once kubernetes-sigs/controller-runtime#2032 is properly addressed Signed-off-by: Simone Tiraboschi <[email protected]>
kubevirt-bot
added
release-note
|
Kudos, SonarCloud Quality Gate passed!
|
|
hco-e2e-upgrade-index-sno-aws lane succeeded. |
|
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-upgrade-index-sno-azure In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
hco-e2e-upgrade-prev-index-sno-aws lane succeeded. |
|
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-image-index-sno-azure, ci/prow/hco-e2e-upgrade-prev-index-sno-azure In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
hco-e2e-upgrade-prev-index-aws lane succeeded. |
|
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-upgrade-index-azure, ci/prow/hco-e2e-upgrade-prev-index-azure In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test hco-e2e-image-index-azure |
|
@tiraboschi: The specified target(s) for
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
hco-e2e-kv-smoke-gcp lane succeeded. |
|
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-kv-smoke-azure In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: tiraboschi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubevirt-bot
added
the
approved
|
/override-bot |
|
/retest |
|
/test hco-e2e-image-index-azure |
|
@tiraboschi: The specified target(s) for
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retest |
1 similar comment
|
/retest |
|
/retest |
3 similar comments
|
/retest |
|
/retest |
|
/retest |
|
@kubevirt-bot: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
hco-e2e-image-index-aws and hco-e2e-image-index-gcp passed, ignoring hco-e2e-image-index-azure |
|
@tiraboschi: Overrode contexts on behalf of tiraboschi: ci/prow/hco-e2e-image-index-azure In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This is an automated cherry-pick of #2128
/assign tiraboschi