Surface service-controller LB provisioning failures through status

[ironcladlou]

When an LB is determined to be pending, try and surface more detail by analyzing
events in the operand namespace related to the LB service, and if an LB creation
failure event is detected, propagate the message into IngressController status
and provide a more specific reason.

Replace the use of indexers with simpler inline cache lookups now that the
manager cache is available.

TODO

• Rebase on Bug 1717494: Refactor client and cache handling #244
• Make a decision on whether this can be tested in the e2e suite (e.g. synthesize the service-controller event?)

[ironcladlou]

Perhaps these should be sorted by time, descending?

[Miciah]

This would be useful once we check for more than 1 event type, but otherwise it is not strictly necessary since we ignore events once the LB is provisioned.

[ironcladlou]

I threw this in for discussion. Reflecting on the k8s API guidelines I wonder if this condition type should have been "LoadBalancerUnmanaged=True" — too late!

[ironcladlou]

Condition types should indicate state in the “abnormal-true” polarity. For example, if the condition indicates when a policy is invalid, the “is valid” case is probably the norm, so the condition should be called “Invalid”.

[Miciah]

Condition types should indicate state in the “abnormal-true” polarity.

We already violate that guideline with Available.

[ironcladlou]

Any thoughts on the Reason I'm proposing here? I can revert if the old one is better (and am open to new suggestions).

[Miciah]

No preference. I'm not sure a reason is strictly necessary for the "normal" state, but what you have is fine.

[ironcladlou]

Given the difficulty of testing this, I propose we:

1. Merge since it might work (the theory is based on actual event data), and introduces no regressions
2. Right away, fix our stuff so IngressControllers appear in must-gather
3. Monitor CI for evidence of the new condition details in failed clusters (and fix bugs if we find cases where the condition should be there but isn't)
4. Separately, figure out how to automate testing

[Miciah]

"openshift-ingress"→lbService.Namespace.

[ironcladlou]

Okay, so this is really subtle and dangerous, but lbService can be nil. Would love to separately take some action on our prior discussions about:

1. result types vs. nil for dealing with things that are not found
2. coming up with a strategy for dealing with references that doesn't involve hard-coded namespaces or inferring from random resources

Basically I wonder if there's any local fix right here (where's the canonical place to discover the operand namespace in this context?).

[Miciah]

Oh, snap, good point! Well, does it make sense to look for events if the service does not exist?

[ironcladlou]

The lookup isn't dependent on the service, and the lookup is from a cache, so we could choose to provide whatever context we can (consistent with the other possibly-nil inputs).

[Miciah]

If the service doesn't exist, then computeLoadBalancerStatus won't even look at the events, and logically, why would it? Do we anticipate that we might with future changes care about events that are not related to the service?

[ironcladlou]

If the service doesn't exist, then computeLoadBalancerStatus won't even look at the events

computeLoadBalancerStatus won't, but this function doesn't know that. This function just knows computeLoadBalancerStatus wants events in a namespace. I propose this contract:

// syncIngressControllerStatus takes whatever you give it and updates status.
// Give it whatever you have and it will do its best.
func (r *reconciler) syncIngressControllerStatus(ic *operatorv1.IngressController, deployment *appsv1.Deployment, service *corev1.Service, operandEvents []corev1.Event) error {

😁

[Miciah]

That seems reasonable... or would it be simpler for syncIngressControllerStatus to look up events itself?

[ironcladlou]

could perhaps ask the same question regarding all the other arguments... for now unless there's a logic error maybe we can continue the style the discussion on subsequent PRs?

[Miciah]

could perhaps ask the same question regarding all the other arguments...

No, syncIngressControllerStatus needs to know the ingress controller for which it is updating status, and ensureIngressController just created or got the deployment and service, which are sound reasons for ensureIngressController to pass those values to syncIngressControllerStatus, whereas listing events in ensureIngressController instead of in syncIngressControllerStatus gratuitously separates the logic of listing events from the logic that determines whether the events need to be listed.

That is not to say that your current approach is unacceptable; the above is only responding to the above-quoted assertion.

That said, if ensureIngressController does handling listing events but gets an error, how about passing a nil slice to syncIngressControllerStatus?

for now unless there's a logic error maybe we can continue the style the discussion on subsequent PRs?

That's fine.

[Miciah]

Why should failure to list events inhibit status updating? We update status even if getting the service fails.

[ironcladlou]

Seems related to the stuff we've talked about in the area of #245 (comment) — I do agree with you. The status function should be able to function without the event set in this case.

However, there is a subtle difference between an empty event list from a successful API call and one that's empty because the API call failed. In the latter case, the downstream consumer (status function) has a reduced trust level in the input. Like, if the status function relies on the absence of a value to decide there's a serious problem, should we choose to call the status function with an "undefined" input?

In this case the decision won't affect something serious like availability...

[ironcladlou]

I fixed what I think is the core complaint (event lookup failure no longer prevents status sync).

[Miciah]

Condition types should indicate state in the “abnormal-true” polarity.

We already violate that guideline with Available.

[Miciah]

How about "LoadBalancer"→"Service" since "LoadBalancer" could refer to either the service or the cloud LB?

[ironcladlou]

fixed

[Miciah]

Why not make this the default case?

[danehans]

@Miciah if "Pending" is the default case, does the current default ConditionUnknown get removed?

[Miciah]

Yes. It is dead code anyway.

[ironcladlou]

I went ahead and removed the default case as it's unreachable, but I left isProvisioned and isPending. I believe isProvisioned and default (replacing isPending) would be a functional alternative, but even so I guessed having explicitly named cases would aid readability. What do you think?

[Miciah]

It's fine. I wonder whether the compiler is smart enough (and the language semantics are flexible enough) to optimize the isPending call out.

[Miciah]

Is "quotaof" a typo?

[ironcladlou]

Yes, fixed

[Miciah]

Can this be "no events for current lb" with events: []corev1.Event{schedulerEvent(), failedCreateLBEvent("secondary")}?

[ironcladlou]

Great improvement, fixed

[danehans]

I found a typo. Otherwise, lgtm.

[danehans]

s/quot aof/quota of/

[ironcladlou]

Fixed... again (my fix for the original had a typo 🤦‍♀️)

[ironcladlou]

Went ahead and squashed.

[Miciah]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ironcladlou, Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Miciah,ironcladlou]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment