Resource exporter/importer and unit test

[luolanzone]

This PR is mainly for resource exporter/importer:

1. exporter
   serviceexport_controller is responsible to reconcile ServiceExport resource in member cluster and write
   wrapped ResourceExport into leader cluster, meanwhile it will watch Service and Endpoints change via
   event mapping and update ResourceExport when exported Service/Endpoints are updated.

resourceexport_controller is responsible to reconcile ResourceExport resources and computes all ResourceExports
from different member clusters into one ResourceExport in leader cluster if the resources are exported
with the same namespaced name and the same kind, for this moment, we only support Service, Endpoints kind.

2. importer
   remote_resourceimport_controller watches leader cluster's ResourceImport events and create corresponding
   ServiceImport, Service and Endpoints with AntreaMCServiceAnnotation in member cluster. ServiceImport name will
   be the same as exported Service, new created Service and Endpoints will have an antrea multicluster prefix.

3. stale controller
   stale controller is mainly for special cases when resource is deleted during controller restarting
   in leader or member cluster, it will be triggered once only when controller starts.

Notes: serviceexport_controller, stale_controller and
resourceimport_controller will run only in member cluster,
resourceexport_controller will run only in leader cluster.

4. add unit test codes.

This PR is based on #3111, please kindly review top commit.
Signed-off-by: Lan Luo [email protected]

[jianjuns]

A general question - why we need to label the exported service? Could not we just identify the Services based on ServiceExport?

[jianjuns]

Please add comments to indicate this is for unit tests.

[luolanzone]

done

[jianjuns]

Nit: we -> We

only have -> have only

[jianjuns]

Why we have "demo" in the comments? If it is a temporary status, say "temporarily" or "at this moment", etc.

[luolanzone]

done

[jianjuns]

I feel not necessary to add a separate file for this func. Can we move it to service_controller.go?

[luolanzone]

sure, both service_controller.go and serviceexport_controller.go will call it, so I move it into utils.go. let me it move back.

[luolanzone]

done

[jianjuns]

If we follow our convention to use upper cases for abbrs, then "Mcs" should be "MCS".

[jianjuns]

Why we use label but not annotation?

[luolanzone]

the main reason is there is no annotation selector, so I use label.

[jianjuns]

Sorry, how we use label selectors?

[luolanzone]

we use labelselector to filter resource export in resourceexport_controller.go, eg https://github.com/antrea-io/antrea/pull/3024/files#diff-4a5af6131176d9b4bd232b0185161872343c0f501be3f061e07a555cc3b2dcb8R168
and
https://github.com/antrea-io/antrea/pull/3024/files#diff-4a5af6131176d9b4bd232b0185161872343c0f501be3f061e07a555cc3b2dcb8R318 etc. I feel in some cases we can use annotation, and some other cases we need label so we can use label selector. for service controller part, I will check if possible to use annotation instead.

[jianjuns]

I feel ideally we should not add labels in user created resources. It is redundant data, and more importantly we cannot prevent users from removing the labels. If example, they can just apply a yaml to update an existing Services and that will remove labels added by us.

[luolanzone]

indeed, that make sense, thanks to point out, I will check how to achieve the same feature in a different way.

[luolanzone]

hi @jianjuns I updated it with an annotation instead of a label, the main purpose of this info is to reduce the service/endpoint update events and watch those exported resource event only https://github.com/antrea-io/antrea/pull/3024/files#diff-1e1d6e2558b5bb86a952c580e877a8a072c499a0c278194afb4d0948ae459d10R407-R443, we can skip adding any annotation and watch all services/endpoints, but I feel it will be a big effort to handle unnecessary services/endpoints change in ServiceExport reconciler. let me know what's your thought. thanks.

[jianjuns]

But annotation is the same as label that can be removed by users (sorry if my previous comments are not clear). I feel watching all Services and Endpoints is ok, as it is just by one controller in the cluster. AntreaProxy watches all Services and Endpoints in all hosts.

[jianjuns]

. eg -> , e.g.

[luolanzone]

done

[jianjuns]

Do we need a func for this?

[luolanzone]

yes, it help us to build up a new types.NamespacedName with given strings, not from K8s object directly, so we construct it by ourself, mainly purpose is to avoid duplicate codes, only remote_resourceimport_controller.go use it for now, let me move it from helper to remote_resourceimport_controller.go

[jianjuns]

But types.NamespacedName{namespace, name} is very simple and just one line.

[luolanzone]

yeah, we can use types.NamespacedName{namespace, name} but it will give us a warning about k8s.io/apimachinery/pkg/types.NamespacedName composite literal uses unkeyed fieldscomposites, so I feel it's a little bit long to have both key and name.

[luolanzone]

let me change it back to struct directly, so we have less function

[luolanzone]

done

[jianjuns]

Why we need a func?

[luolanzone]

there are a few fields requires string pointer,https://github.com/antrea-io/antrea/pull/3024/files#diff-1e1d6e2558b5bb86a952c580e877a8a072c499a0c278194afb4d0948ae459d10R362-R371, I added this to avoid define a string and get its pointer repeatedly, but looks like only serviceexporter_controller.go use this function, I will move it and name it as getPointer

[luolanzone]

done

[codecov-commenter]

Codecov Report

Merging #3024 (faafaf9) into feature/multi-cluster (d36c406) will increase coverage by 1.15%.
The diff coverage is 65.93%.

@@                    Coverage Diff                    @@
##           feature/multi-cluster    #3024      +/-   ##
=========================================================
+ Coverage                  39.76%   40.92%   +1.15%     
=========================================================
  Files                        189      188       -1     
  Lines                      21880    22568     +688     
=========================================================
+ Hits                        8701     9236     +535     
- Misses                     12324    12392      +68     
- Partials                     855      940      +85     

Flag	Coverage Δ
unit-tests	40.92% <65.93%> (+1.15%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...icluster/cmd/multicluster-controller/controller.go	4.68% <ø> (ø)
multicluster/cmd/multicluster-controller/member.go	0.00% <0.00%> (ø)
...ulticluster/cmd/multicluster-controller/options.go	8.33% <0.00%> (ø)
...llers/multicluster/member_clusterset_controller.go	0.00% <0.00%> (ø)
...s/multicluster/memberclusterannounce_controller.go	66.96% <ø> (ø)
...uster/controllers/multicluster/stale_controller.go	47.19% <47.19%> (ø)
...llers/multicluster/core/fake_remote_common_area.go	61.53% <61.53%> (ø)
...ntrollers/multicluster/serviceexport_controller.go	67.61% <68.15%> (+67.61%)	⬆️
...ers/multicluster/core/resourceimport_controller.go	68.39% <68.39%> (ø)
...trollers/multicluster/resourceexport_controller.go	70.16% <70.61%> (+70.16%)	⬆️
... and 11 more

[luolanzone]

Hi @jianjuns , I am wondering if it's OK to copy serviceexports CRD definition from mcs api repo? or we should move it as own one API group? if we move it to our own group, I think we need to define ServiceExport and ServiceImport objects.

[jianjuns]

I feel ok to copy the yaml. Let us see if @tnqn has an opinion.

[jianjuns]

Is it possible to put these copied yamls in a separate directory?

[jianjuns]

Reminder for the question.

Is it possible to put these copied yamls in a separate directory?

[luolanzone]

yes, I was thinking to move it in a separate PR when we rename the core package.

[jianjuns]

What you think about "multicluster.antrea.io/imported-service" and "multicluster.antrea.io/resource-import-name"?

[luolanzone]

ok, will do.

[jianjuns]

Have you done the change to switch from label to annotation, and remove the "multi-cluster" label on exported Services?

[luolanzone]

yes, @jianjuns , this is a multi-cluster service created by our own codes, so I suppose it should be ok to add a label?

[jianjuns]

That is ok, but I think you plan to change from label to annotation?

[jianjuns]

Maybe you like to use label selector for imported services? But you changed the constant name to AntreaMCSAutoGenAnnotation

[luolanzone]

yeah, my mistake, I think both label or annotation should work, I will check and move it as annotation if it can filter event based on annotation.

[jianjuns]

Do you watch with filters? I remember watch can have the apiserver side filter the updates with labels. Not sure about annotation.

[luolanzone]

yes, there is a standalone service_controller.go to do clean up job in case ResourceImport in leader have been removed but member cluster fail to watch the event eg: mcs controller is down accidentally.
controller-runtime provides a predicate to do the filter. I used it like below in service_controller.go, I think annotation should also work with custom predicate funcs, I will try locally first.

func (r *ServiceReconciler) SetupWithManager(mgr ctrl.Manager) error {
	instance, _ := predicate.LabelSelectorPredicate(metav1.LabelSelector{
		MatchLabels: map[string]string{
			common.AntreaMCSAutoGenAnnotation: "true",
		},
	})
	return ctrl.NewControllerManagedBy(mgr).
		For(&corev1.Service{}).WithEventFilter(instance).
		WithOptions(controller.Options{
			MaxConcurrentReconciles: common.DefaultWorkerCount,
		}).
		Complete(r)
}

[jianjuns]

In commit message:

remote_resourceimport_controller watches leader cluster's ResourceImport events and create corresponding

create -> creates

[jianjuns]

namesapce -> Namespace

[luolanzone]

sure, there are some codes from Aravinda's common area, I will leave it to her to address, then I will do a rebase after that. cc @aravindakidambi

[aravindakidambi]

Sure, Ill address this

[jianjuns]

Question - what will happen if a cluster is both leader and member?

[luolanzone]

we will provide Namespace based manifests for leader and member, which mean a cluster can run MCS controller both as leader and member at the same time in different Namespace.

[jianjuns]

@tnqn once asked about using klog. What is the conclusion for that?

[luolanzone]

sure,we will remove this one @aravindakidambi

[aravindakidambi]

Ok, done.

[jianjuns]

We typically do not long if we return the error (which will be logged by the caller too). Could you check if the error logs are necessary?

[aravindakidambi]

Sure, will remove them

[jianjuns]

I feel it might be better not to call env.GetPodNamespace() everywhere, and so wonder can we call it once in run(), and pass it as a parameter to getCAConfig() and getValidationWebhooks() rather than passing isLeader. No strong opinion. Just for you to consider.

[aravindakidambi]

Sure, done.

[jianjuns]

If Service is created in this func, but ServiceImport was created earlier, we should return here too, and not check changes?

[luolanzone]

fixed

[jianjuns]

This is when users manually created a Service with MCS prefix, or they removed the annotation on an imported Service? Should we return an error and retry for either case?

[luolanzone]

sure, I will check this.

[luolanzone]

I add a step to check conflicts and skip creation if there is the same Service with MCS prefix, are you suggesting that we should always return error if this is a service with MCS prefix but no annotation, so admin can correct it manually?

[jianjuns]

How MCSAPI handles this?

[luolanzone]

they didn't handle this case, MCSAPI repo only create a sample for Service creation.

[jianjuns]

What you think we return an error and let controller retry (until conflict is resolved)?

[luolanzone]

I think this kind conflict can only be handled manually, do you mean this kind of situation should be corrected by admin when they do service export, so we can let controller retry after admin resolve conflict?

[luolanzone]

done, I leave the logic to update ResourceImport when there is only one ResourceExport and for other cases, it will return error. let me know if it's suitable or not.

[jianjuns]

Today we support exporting only the Endpoints directly, but not externalIP of LB type Services? When later we use externalIP or ClusterIP as the Endpoints, ResourceExportReconciler in the leader cluster should create EndpointImport based on the exported Service spec, or ResourceImportReconciler of member clusters should handle that?

[luolanzone]

I think ResourceExportReconciler should do this part, I will revisit this later how to minimize the change. thanks.

[jianjuns]

Nit - what you think about "name.kind" or even "nk".

[luolanzone]

done, rename indexer as name.kind

[jianjuns]

Humm - how long it takes for the retry? Thinking whether we should optimize by watching Services to get the IP faster but I know it is much complexer.

[luolanzone]

I checked the codes, it seems using the default rate limit here https://github.com/kubernetes/client-go/blob/master/util/workqueue/default_rate_limiters.go#L39, interval should be from 5ms to 10s. if multiple failures happened, the interval will be like baseDelay*2^<num-failures>, baseDelay is 5ms, not sure if this kind of interval is enough or not, I will check if I can add more logic in service_controller to watch Service change, then update the IP

[jianjuns]

I am still trying to understand if we need a Service controller or not. If not, could we think about a simpler solution to handle this, like some way to requeue the event after a short interval?

[luolanzone]

service controller only watch those service with mcs annotation, so I suppose it should be OK to have one? I haven't found a valid new way to handle the case when ResourceImport is deleted but event is not handled because of crashed controller in member cluster. I will check if reconciler can run like RunOnce().

[luolanzone]

@jianjuns about requeue for ClusterSetIP setting, when we return empty result with error, the event will actually be requeued, do you mean the interval controlled by default rate limit is not short enough?

[jianjuns]

If it is always ms to seconds, that should be good enough.

[luolanzone]

@jianjuns I removed service_controller and add a standard controller named stale_controller without using kuberbuilder manager framework, it will run only once if no error happens during stale Service/ServiceImport clean up. no unit test code yet, let me know if you have more comments. thanks.

[jianjuns]

I think better to get @tnqn 's suggestion here. Could you check with him?

[luolanzone]

sure, I have pinged him directly, let's see if there is comment from @tnqn

[jianjuns]

Should we just check svc.Spec.ClusterIP?

[luolanzone]

done

[jianjuns]

Should we check both, or just svcImpCreated? At least for r.installedResImports.Add(*resImp) we should not care about svcCreated?

[luolanzone]

fix via check svcImpNotFound only

[jianjuns]

Is it to check if the Service exists or not? If so should we just check IsNotFound, or add a bool variable for that (which can replace svcCreated, svcImpCreated).

[luolanzone]

done via using svcImpNotFound

[jianjuns]

Just check the Endpoints exists or not?

[luolanzone]

yes, reuse epNotFound now

[jianjuns]

How about "assuming users can fix the conflicts"?

[luolanzone]

done

[jianjuns]

In the commit message of "More stale cleanup and remove unnecessary subset info"

1. add ResourceExport clean up in stale_controller which handle the case
   add -> Add, handle -> handles

when controller in member crashed and ServiceExport is deleted during
crash.

crached -> restarts?

[jianjuns]

But we should do clean up before other controllers start to run, no?

[luolanzone]

we only clean up those stale resources, eg, remove MC Service and ServiceImport when corresponding ResourceImport does not existing in leader cluster anymore, so it should be fine to no run before other controllers because other controllers will do nothing for a deleted resource which is already gone before reconciling and no delete event at all.

[jianjuns]

I am thinking about any possible race condition here, e.g. stalecontroller (as it is not atomic to get imports, services, and delete) deletes new Services?

[luolanzone]

stale controller will get ServiceList from local first, then ResourceImportList from leader, so it means if new derived Service being created but not in ServiceList, we either have new ResourceImport in ResourceImportList or not have it, in first case Service won't be deleted because there is corresponding ResourceImport, in second case, nothing will be done.

[jianjuns]

Mostly on formatting.

[jianjuns]

I feel we should rename this yml to antrea-multicluster-member.yml. Not necessarily in this PR though.

[luolanzone]

Sure, I think we can do this rename and move copied yaml to different directory in a new PR.

[jianjuns]

Is it possible to put these copied yamls in a separate directory?

[jianjuns]

is already exists -> already exists but is not

[luolanzone]

done

[jianjuns]

Reminder for the question.

Is it possible to put these copied yamls in a separate directory?

[jianjuns]

cleanupServiceImport

[luolanzone]

done

[jianjuns]

I feel common_area.go in commonarea pkg is not a problem. But would let you decide the appropriate naming here. "core" might be too general and not accurate here.

[jianjuns]

Ah, probably we can move the comment here, like "ResourceExportReconciler reconciles ResourceExports in leader cluster"?

[jianjuns]

Ok, thought we can just remove endpoints from the ResourceImport. Not sure that is a better strategy or not.

But could you add some comments?

[jianjuns]

Minor suggestion - might be simpler if getResourceImportName() returns a NamespacedName.

[luolanzone]

good point, refined it.

[jianjuns]

I do not mean we must create a new struct to hold these variables, but meant for OO better not to use global variables. I saw you change to pass clusterConfig as func arguments, but originally I was thinking can they be members of ServiceExportReconciler.

[jianjuns]

namespace -> Namespace

[luolanzone]

done

[jianjuns]

Sorry, this one is my mistake. It should be "namespace" indeed.

[luolanzone]

Hi @jianjuns @aravindakidambi I have created a separate PR #3153 to rename core package and move
ServiceExport and ServiceImport CRD manifest to a new forlder. please help to take a look. thanks

[jianjuns]

LGTM.

[jianjuns]

Sorry, this one is my mistake. It should be "namespace" indeed.

[luolanzone]

done

[luolanzone]

Hi @jianjuns I fixed the last comment in this PR, Could you help to approve this if it looks good to you? I will rebase the PR#3153 and address your comments on it.