Fix issue 6294 - "All pods simultaneously restart during worker scaling"

[holmesb]

If no_proxy_exclude_workers is true, workers will be excluded from the no_proxy variable.  This prevents docker engine restarting when scaling workers.

/kind bug

What this PR does / why we need it:
See issue #6294

Which issue(s) this PR fixes:
Fixes #6294

Does this PR introduce a user-facing change?:

NONE

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please log a ticket with the Linux Foundation Helpdesk: https://support.linuxfoundation.org/
• Should you encounter any issues with the Linux Foundation Helpdesk, send a message to the backup e-mail support address at: [email protected]

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[k8s-ci-robot]

Hi @holmesb. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[hafe]

Can you use a wildcard.domain in the no_proxy config? That won't change when scaling thus no restart

[holmesb]

Can you use a wildcard.domain in the no_proxy config? That won't change when scaling thus no restart

no_proxy contains nodes' single-label name ({{ hostvars[item]['ansible_hostname'] }}) and FQDN ({{ hostvars[item]['ansible_hostname'] }}.{{ dns_domain }}). Adding wildcard domain will fix this without disrupting FQDN traffic, but you'd still have a list of node single-label names, unless you are willing to make the assumption they are not used and can be removed? A risky breaking change if you're not sure.

Regardless, the wildcard domain should be in no_proxy, but I think this is a seperate issue.

[hafe]

I was thinking you override the no_proxy var with a wildcard value and that's it. Just reconfig and no code changes. But I might be completely erong...

[holmesb]

In addition to the single-label names assumption, the generated no_proxy contains IPs too:
{{ hostvars[item]['access_ip'] | default(hostvars[item]['ip'] | default(fallback_ips[item])) }}

So you'd have to hope connections aren't established to these as well. If they are, they'll go via the proxy and fail. In which case, your suggestion would mean proxy users end-up micro-managing their no_proxy var to keep single-label name and IP connections working. This PR is non-breaking and changes nothing unless the user opts-in (changes no_proxy_exclude_workers to true).

We've scaled our production cluster without downtime with this fix.

[EppO]

hi @holmesb, can you sign the CLA please?
/ok-to-test

[EppO]

some markdown issues have been flagged by the CI:

docs/proxy.md:20:115 MD009/no-trailing-spaces Trailing spaces [Expected: 0 or 2; Actual: 1]
docs/proxy.md:21:118 MD009/no-trailing-spaces Trailing spaces [Expected: 0 or 2; Actual: 1]

[hafe]

You don't add a commit to fix an unmerged commit. Amend and force push instead

[holmesb]

No markdown erros now @EppO, but is there any option now to correct the author of the first commit? Or should I create a fresh PR?

[EppO]

you can rebase your branch on top of master and change the commit message/author. In your branch, run these commands:

git fetch origin/master
git rebase -i master

this will show you the list of commits, select reword for the first commit at the top and then squash or fixup for the second one.

[EppO]

author info is still messed up:

brendan authored and holmesb committed

you can now just do git commit --amend --author="your name " now and git push force again

[holmesb]

Thanks @EppO, hopefully fixed the author\committer now. CI failed because
"Failed to download metadata for repo 'updates-modular". Is this a glitch with the CI rather than this PR?

[floryut]

Thanks @EppO, hopefully fixed the author\committer now. CI failed because
"Failed to download metadata for repo 'updates-modular". Is this a glitch with the CI rather than this PR?

CI issue indeed, I've retried the job.

[EppO]

/lgtm

[floryut]

Fine with the change, but can't we have something simpler ?
I mean the code is the same except groups['k8s-cluster']/groups['kube-master']

[holmesb]

I've removed the second for loop @floryut

[holmesb]

Do we need to give the CI another kick @floryut ?

[holmesb]

CI looks good now @floryut, be great to get this merged.
/assign @Atoms

[Atoms]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Atoms, holmesb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Atoms]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[floryut]

/lgtm
🎉

[hafe]

Looks like you add a file with weird line (windows?) Line endings. Can you please fix that?