Service LoadBalancer kube-controller

[MichalFupso]

Description

Related issues/PRs

Todos

• Tests
• Documentation
• Release note

Release Note

TBD

Reminder for the reviewer

Make sure that this PR has the correct labels and milestone set.

Every PR needs one docs-* label.

• docs-pr-required: This change requires a change to the documentation that has not been completed yet.
• docs-completed: This change has all necessary documentation completed.
• docs-not-required: This change has no user-facing impact and requires no docs.

Every PR needs one release-note-* label.

• release-note-required: This PR has user-facing changes. Most PRs should have this label.
• release-note-not-required: This PR has no user-facing changes.

Other optional labels:

• cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
• needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.

[caseydavenport]

@MichalFupso first pass done - there are some structural changes we need to make to the LB controller in kube-controllers but I don't think they are going to be difficult.

Mostly a matter of aligning patterns to get rid of the ResourceCache and instead consistently use SharedIndexInformer for Services and a common DataFeed for Calico resources.

I'm going to keep reviewing in more detail, but wanted to get the larger changes back to yoru ASAP.

[caseydavenport]

I think something is off here - it doesn't make sense to check if the address of a variable is nil.

[caseydavenport]

Comment needs updating here as well

[caseydavenport]

I think we should define this as a constant.

[caseydavenport]

I don't think this quite solves the problem - we're still effectively keying off the hostname in order to determine this.

So, someone can still make a Kubernetes node in their cluster that triggers this code.

I think we need to plumb this knowledge down through the IPAM code from the caller somehow, so that we can make sure that only the LB controller is ever generating affinities in this way.

[caseydavenport]

For example, we could:

• use the IntendedUse field of the AutoAssignArgs (and add it to AssignIPArgs)
• infer this from the provided Attrs map on AutoAssignArgs / AssignIPArgs
• add a new AffinityType: Host | Virtual option to those XArgs structs.

I think my preference is the first of those three (at least for now, while we only have a single scenario where it's possible for have a non-host affinity).

If we ever end up making this more flexible, then option #3 might be better - but until then best not to enable combinations that we don't want.

[caseydavenport]

I think you will also need to look into these references to "host:" and see what the correct resolution is:

• https://github.com/caseydavenport/calico/blob/09903342c9c9927065afad5cbd5503947fbd29e7/libcalico-go/lib/ipam/ipam_block.go#L191-L194
• https://github.com/caseydavenport/calico/blob/09903342c9c9927065afad5cbd5503947fbd29e7/libcalico-go/lib/ipam/ipam_block.go#L196-L201
• https://github.com/caseydavenport/calico/blob/09903342c9c9927065afad5cbd5503947fbd29e7/libcalico-go/lib/ipam/ipam_block_reader_writer.go#L323-L330

[caseydavenport]

One thing to consider might be to replace all of the host string arguments passed around to something more generic - e.g.,

type affinityConfig struct {
  type affinityType

  // The affinity value - a hostname for "host" type affinities. 
  value string
}

func (c ipamClient) ensureBlock(ctx context.Context, rsvdAttr *HostReservedAttr, requestedPools []net.IPNet, version int, host string) (*net.IPNet, error) {

Would become

func (c ipamClient) ensureBlock(ctx context.Context, rsvdAttr *HostReservedAttr, requestedPools []net.IPNet, version int, affinityCfg affinityConfig) (*net.IPNet, error) {

This would at least help ensure we're passing the necessary context wherever it might be needed.

[caseydavenport]

syncerUpdates implies that the updates are coming from the syncer, but these are actually coming from the informer

[caseydavenport]

I think it's going to be a lot cleaner to keep all of the logic about whether or not we should act on updates within the reconcile loop - when we get an update, let's just send it through as an update. The other side of the channel should be doing all of the processing.

So basically, this branch should look something like this:

UpdateFunc: func(oldObj, newObj interface{}) {
  // Tell the main loop that this service has changed.
  lbc.serviceUpdates <- NamespacedName{Name: newObj.Name, Namespace: newObj.Namespace}
}

The main loop can decide if it cares about this update, it can decide to batch actions, etc., etc.

It doesn't even need to cache the object - the informer already has a backing cache that is accessible and updated at this point, so we just need to tell the main loop "something changed, here's the context"

[MichalFupso]

@caseydavenport I think that we should do a check here to see if we care about the update. It's mostly because we want to update any IPs if the annotations have changed. If we just trigger an update here without checking if the annotations are different it will be harder for us to know if we should re-assign the IP or the change was not relevant to us. I agree that we do not need to pass the service, but rather just use the informer

[caseydavenport]

It might work - I need to think about this one a little bit more. My fear is that comparing the annotations between the "new" and the "old" version of the Service isn't strictly speaking the thing this controller cares about.

The controller wants to compare the annotations, the LoadBalancer.Ingress values, and the actual IPAM allocation database to determine whether we need to allocate or release IP addresses.

Comparing the annotations is a proxy for that, and probably catches most cases but isn't guaranteed to catch all of the edge cases we care about.

For example, what happens if another controller modifies the Service and overwrites the status.LoadBalancer values that were previously written by this controller? We could try to write special logic to catch that here, but we may not be able to foresee every scenario that requires an update on the channel.

[caseydavenport]

Multiple controllers are going to call Start() - we either need to make sure that the dataFeed.Start() function is idempotent and can be called multiple times, or we need to call dataFeed.Start() only once - one level up where the controllers are initialized.

[caseydavenport]

Suggested change

	log.WithError(err).Fatal("Failed to add event handle for Service LoadBalancer")
	log.WithError(err).Fatal("Failed to add event handler for Service LoadBalancer")

[caseydavenport]

Suggested change

	host := kvp.Value.(*model.AllocationBlock).Affinity
	affinity := kvp.Value.(*model.AllocationBlock).Affinity

[caseydavenport]

Suggested change

	if host != nil && *host == fmt.Sprintf("virtual:%s", api.VirtualLoadBalancer) {
	if affinity != nil && *affinity == fmt.Sprintf("virtual:%s", api.VirtualLoadBalancer) {

[caseydavenport]

The goal is to make the reconcile loop completely unaware of HOW it got to the state it is in. The type of update shouldn't matter at this point - all that the loop should know is what the current state of the cluster is, and what the desired state is.

This makes us much less prone to bugs where we encounter an unknown or unexpected ordering of events, which tends to happen in complex systems like Kubernetes.

[caseydavenport]

This is somewhat hastily written out, so may not be bulletproof, but just as something to run past you to see what you think - the following pseudocode is probably where I would start from if trying to figure out this logic myself.

---

The controller would have some internal state that it uses to efficiently track IP allocation state. It would probably need to initialize these maps on startup with IPAM state, and then make incremental changes to them as it allocates and releases IP addresses.

Could use a helper structure to encapsulate that logic, which might make it a bit tidier:

type allocationTracker struct {
  // Keep track of IP allocations by Service, as well as a 
  // reverse lookup of service by IP. These maps are populated based on the IPAM DB state 
  // and NOT by the Service objects.
  servicesByIP map[string]string
  ipsByService map[string]map[string]bool
}

func (t *allocationTracker) AssignAddress(svc *v1.Service, ip string)
func (t *allocationTracker) ReleaseAddress(svc *v1.Service, ip string)
func (t *allocationTracker) DeleteService(svc *v1.Service)

The syncIPAM function would have something like this:

// Go through each Service that we know about and make sure it is properly in sync.
for _, svc := range c.informer.List() {
  if err := c.syncService(svc); err != nil {
    logrus.WithError(err).Warn("warning")
  }
}

// syncService does the following:
// - Releases any IP addresses in the IPAM DB associated with the Service that are not in the Service status.
// - Allocates any addresses necessary to satisfy the Service LB request
// - Updates the controllers internal state tracking of which IP addresses are allocated.
// - Updates the IP addresses in the Service Status to match the IPAM DB.
func syncService(svc *v1.Service) error {
  // TODO
  return nil
}

you could even have "event driven" logic accept incoming service updates funneled into the same function, simply calling syncService when we get service updates:

select {
  case <-kickChan:
    syncIPAM();
  case <- syncerUpdates:
    handleUpdate(upd)
  case svcID <- serviceUpdates:
    svc := c.informer.Get(svcID)
    syncService(svc)
}

}

[caseydavenport]

This is fine, and no need to change I don't think - but what I was suggesting was that we only add the hash if the handle exceeds the name limit.

e.g.,

handle := strings.ToLower(fmt.Sprintf("%s-%s-%s", svc.Name, svc.Namespace, svc.UID))

if len(handle) > k8svalidation.DNS1123LabelMaxLength {
  // Handle is too long - trim off the end, leaving enough room for 8 bytes of hash.
  hash := generateHash(handle)
  handle = handle[:k8svalidation.DNS1123LabelMaxLength-8]
  handle = fmt.Sprintf("%s%s", handle, hash[:8])
}

This just makes the actual handle IDs human readable in most cases.

[caseydavenport]

It might work - I need to think about this one a little bit more. My fear is that comparing the annotations between the "new" and the "old" version of the Service isn't strictly speaking the thing this controller cares about.

The controller wants to compare the annotations, the LoadBalancer.Ingress values, and the actual IPAM allocation database to determine whether we need to allocate or release IP addresses.

Comparing the annotations is a proxy for that, and probably catches most cases but isn't guaranteed to catch all of the edge cases we care about.

For example, what happens if another controller modifies the Service and overwrites the status.LoadBalancer values that were previously written by this controller? We could try to write special logic to catch that here, but we may not be able to foresee every scenario that requires an update on the channel.

[caseydavenport]

Suggested change

	annotationIpv4Pools = "projectcalico.org/ipv4pools"
	annotationIPv4Pools = "projectcalico.org/ipv4pools"

[caseydavenport]

Suggested change

	annotationIpv6Pools = "projectcalico.org/ipv6pools"
	annotationIPv6Pools = "projectcalico.org/ipv6pools"

[caseydavenport]

Suggested change

	annotationLoadBalancerIp = "projectcalico.org/loadBalancerIPs"
	annotationLoadBalancerIP = "projectcalico.org/loadBalancerIPs"

[caseydavenport]

@MichalFupso About to go into meetings, but wanted to get another round in - only reviewed the libcalico-go changes in this one and didn't get to the controller yet.

[caseydavenport]

We probably want to augment these logs to include the affinityCfg type as well.

[caseydavenport]

Need to uncomment this bit?

[caseydavenport]

I'd probably suggest putting this in the interfaces file since it's used on the "user facing" interfaces.

[caseydavenport]

Given the number of places we're using it, might be worth using the constants for these to avoid potential for typos

[caseydavenport]

Should include the type in this context (and any other contexts where we're using an affinityConfig)

[caseydavenport]

I think we want to actually pass down the AffinityConfig to this function rather than base the check off of block's affinity.

Say for example a block is affine to host:load-balancer and we attempt to assign from that block for virtual:load-balancer - this function will return that the affinity matches even though it doesn't. It's a niche case, but not impossible I don't think.

I'd expect that most cases we want to replace the host string function with and AffinityConfig instead.

[caseydavenport]

I think this function needs to be adjusted to return an AffinityConfig object instead, so that the callers can properly distinguish the type of affinity.

[caseydavenport]

We should definitely add some tests that verify the correct behavior when using two affinities with the same hostname but different affinity types.

e.g.,

• Assigning IPs, Releasing IPs (both from the same block and different blocks)
• Releasing affinities in the various ways
• Claiming affinities in the various ways