I believe this is race-y... many apply fns for different nodes can run concurrently by default, and this set_status operation doesn't include Kube's resourceVersion to perform optimistic locking

as a result, you could have:

1. Node A has the EIP and is marked Unknown
2. Node B spins up and the reconciler runs set_status_should_attach to attach it to B
3. The reconciler for Node A runs set_status_detached and removes it from B
4. Both reconcilers finish and the EIP is not marked as attached to either node 😱

a Kube replace_status would add in some optimistic locking so the two reconcilers cannot overwrite each other, though I haven't thought much about how hard the error cases would be to reason about

This is now in place per use replace_status on set_status_detached

do we not need to do anything for the other (true, true, "Unknown") | (true, false, "Unknown") | (false, true, "Unknown") cases?

Worked with Justin on the cases and refactoring of the node controller. I think this is simplified / covered now.

if for any reason the eip-operator crashed between executing disassociate_eip and set_status_detached, would we be able to reconcile and clear the status correctly?

@pH14 Good thought! We should probably remove the resource-id label first! This would allow the EIP to be reclaimed by another node (or potentially the same node).

We might also want to swap the order in the node controller.
In the node controller, if the node is ready, it should see if it has an EIP already claimed and ensure it's attached to that eip. If no eip it's not attached to an EIP it should attempt to find one, and claim it, then it should attempt to associate and update the other status fields. (this can probably be done in a second PR, but if we do it this way it may remove where we can't fix the resource ID of the eip if it got removed, but the EIP is still associated.

I like this idea! Leaving for a separate PR as discussed.

hm I'd think we'd want to watch Eip resources rather than Node, since we set the Eip's status each time the Eip is associated or disassociated. it's not clear to me that this fires if we associate an Eip right now

separately, this watcher is also self-triggering, where setting the egress gateway status will trigger another reconciliation. not a correctness issue if it converges, but could create some read/write amplification or hard-to-debug issues if it does anything unexpected

Good find! The watcher is now correctly configured on Eip resources.

probably enough to say that it will soon be archived or will soon be archived and is no longer under active development.

Cleaned up the wording per node improvements. I left in the warning portion as I found that in another MZ public archive as a practice.

Why is this changing here?

After updating Rust I ran in to a clippy error. This change fixes:

assigning the result of Clone::clone() may be inefficient

I don't think this agress with

    // We immediately disassociate EIPs from egress nodes that are in an
    // unresponsive state in the eip node controller.

If the EIP has been disassociated from a node it should not be serving traffic, we shouldn't wait to remove the status.

I'm not saying we want to do this, but if this is the behavior we're looking for I think we'd have to do something like adding a label to the EIP that says it can be reclaimed (or removing the eip resource id), but not actually detach it when a node becomes unresponsive.

Discussed over slack and covered by the egress labeling and node controller refactors. We agreed to set the status of the EIP to detached to free the claim. Egress will continue to attempt to go out the unresponsive node on the EIP as it will still be attached to the instance.

We probably don't want to get all egress nodes, just the nodes that would match the EIP being reconciled.

I think the following should work.

let egress_nodes = node_api.list(&eip.get_resource_list_params()).await?.items;

This will break if the the eip is a pod filtering eip, we could return early if we see that.

I didn't realize this function existed - much cleaner!. Covered in egress improvements

If we want to return early if there isn't an attachment that's ready we can return early if there isn't an attachment here, then I think we can just check if the attachment for the current eip is ready, if so we ensure it's marked as egress_ready, and everything else is marked as egress_unready. If it's not ready we do nothing.

https://github.com/MaterializeInc/k8s-eip-operator/pull/474/files#diff-d5b1eb5e62a747acb5112f073726318730e004f6ce190d0e2f1c11b3868cf8ffR108-R116

This is covered by the refactoring of the egress labeler.

https://github.com/MaterializeInc/k8s-eip-operator/pull/474/files#diff-d5b1eb5e62a747acb5112f073726318730e004f6ce190d0e2f1c11b3868cf8ffR50

Makes sense. Covered in egress improvements

you already have a for each here, you may as well just

            for other_node in egress_nodes {
                // skip the node we just set to ready
                if other_node.name_unchecked() != node.name_unchecked()) {
                    add_gateway_status_label(node_api, other_node.name_unchecked().as_str(), "false")
                        .await?;
                } 
            }

I see now I already have the current node name. Adjusted as part of egress improvements

We probably don't need this if we're using the node selector on the eip.

Much cleaner and removed the need for some CONST labels in egress improvements

This comment is confusing..

If an EIP has a resource id label pointing to this node, remove that label releasing this nodes claim to the EIP

I agree. I changed the wording as part of node improvements

If we moved this return out of the if and into the match block (with an appropriate comment/debug message) we could could avoid having to later check if the node is ready in line 134.

https://github.com/MaterializeInc/k8s-eip-operator/pull/474/files#diff-48a05fa05e5fac935d49f8d16c17290587389f1821d5e5d237c624224763fc7fR134

Much cleaner. I was glad to be able to remove the ready_status check from further on in the code. I simplified it in node improvements

should this be debug!

You're right! Just pushed up a fix.