Harden against disruptive loss of apiserver

[sanchezl]

This fixes the flaky e2e tests. Loss of the apiserver at inopportune moments left the combined StorageState and StorageVersionMigration resources out of sync with regards to the migration trigger.

[k8s-ci-robot]

Hi @sanchezl. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[deads2k]

/ok-to-test

[sanchezl]

/test pull-kube-storage-version-migrator-fully-automated-e2e

[caesarxuchao]

@sanchezl can you say more on how did the storageState and the storageVersionMigration ended to be inconsistent?

[caesarxuchao]

The storage-version-migration-migrator gives the migrator the ability to get, list, update all resources, is that not enough?

[deads2k]

The storage-version-migration-migrator gives the migrator the ability to get, list, update all resources, is that not enough?

@sanchezl fix

[sanchezl]

From https://storage.googleapis.com/kubernetes-jenkins/pr-logs/pull/kubernetes-sigs_kube-storage-version-migrator/47/pull-kube-storage-version-migrator-manually-launched-e2e/1222290262227685376/build-log.txt

I0128 23:00:56.303078       1 round_trippers.go:443] PUT https://10.0.0.1:443/apis/rbac.authorization.k8s.io/v1/clusterroles/edit 403 Forbidden in 39 milliseconds
I0128 23:00:56.303160       1 round_trippers.go:449] Response Headers:
I0128 23:00:56.303170       1 round_trippers.go:452]     Audit-Id: aed0307a-49ed-4e0b-9514-92ed370669b7
I0128 23:00:56.303176       1 round_trippers.go:452]     Content-Type: application/json
I0128 23:00:56.303182       1 round_trippers.go:452]     Date: Tue, 28 Jan 2020 23:00:56 GMT
I0128 23:00:56.303455       1 request.go:1017] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"clusterroles.rbac.authorization.k8s.io \"edit\" is forbidden: user \"system:serviceaccount:kube-system:default\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:kube-system\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:

[caesarxuchao]

Can you remove the storage-version-migration-migrator role and fix the storage-version-migration-migrator role binding?

I agree that the migrator does need the cluster-admin power. Otherwise it can hit the pasted error when migrating roles/clusterroles due to priviledge escalation.

[caesarxuchao]

nit: Can you move this log line to before line 127? I feel that's easier to read.

[sanchezl]

Done

[caesarxuchao]

This should happen only if the resource is deleted, e.g., the CRD is deleted when the migrator is migrating the CR. This should not be counted as a migration failure. I suggest that we log the error, but return nil.

(The current code isn't handling this correctly either.)

[sanchezl]

If someone creates a StorageVersionMigration for a CRD that does not exist, the migrator will be stuck here (unable to proceed due to its serial nature) unless we fail the migration.

[caesarxuchao]

Got it. Can put this in a comment?

[caesarxuchao]

if storageVersionChanged is false, why do we need to relaunch the migration?

[sanchezl]

@caesarxuchao StorageState created, but migration creation failed due to disruption.

[caesarxuchao]

Got it. I think #58 (comment) is more readable.

[caesarxuchao]

Can you describe what leads to this situation? The kubemigrator does not give up easily.

[sanchezl]

See https://storage.googleapis.com/kubernetes-jenkins/pr-logs/pull/kubernetes-sigs_kube-storage-version-migrator/47/pull-kube-storage-version-migrator-disruptive/1224770718261055490/build-log.txt

Feb  4 19:44:47.629: INFO: resource {migration.k8s.io storagestates} has persisted hashes [Unknown], and current hash 7abAo0yHdNM=
Feb  4 19:44:47.629: INFO: timed out waiting for the condition

- apiVersion: migration.k8s.io/v1alpha1
  kind: StorageVersionMigration
  metadata:
    creationTimestamp: "2020-02-04T19:26:54Z"
    generateName: storagestates.migration.k8s.io-
    generation: 1
    name: storagestates.migration.k8s.io-kk589
    resourceVersion: "3574"
    selfLink: /apis/migration.k8s.io/v1alpha1/storageversionmigrations/storagestates.migration.k8s.io-kk589
    uid: 7dc9f088-aeac-49f8-bbf7-a31a25b55fdb
  spec:
    resource:
      group: migration.k8s.io
      resource: storagestates
      version: v1alpha1
  status:
    conditions:
    - lastUpdateTime: "2020-02-04T19:30:49Z"
      message: '[Put https://10.0.0.1:443/apis/migration.k8s.io/v1alpha1/storagestates/jobs.batch:
        unexpected EOF, Put https://10.0.0.1:443/apis/migration.k8s.io/v1alpha1/storagestates/statefulsets.apps:
        unexpected EOF]'
      status: "True"
      type: Failed

- apiVersion: migration.k8s.io/v1alpha1
  kind: StorageState
  metadata:
    creationTimestamp: "2020-02-04T19:26:54Z"
    generation: 1
    name: storagestates.migration.k8s.io
    resourceVersion: "5683"
    selfLink: /apis/migration.k8s.io/v1alpha1/storagestates/storagestates.migration.k8s.io
    uid: 4301aff1-bb56-4a9f-8562-cac09ce5031a
  spec:
    resource:
      group: migration.k8s.io
      resource: storagestates
  status:
    currentStorageVersionHash: 7abAo0yHdNM=
    lastHeartbeatTime: "2020-02-04T19:44:11Z"
    persistedStorageVersionHashes:
    - Unknown

[caesarxuchao]

Got it. I think the "Put https://10.0.0.1:443/apis/migration.k8s.io/v1alpha1/storagestates/jobs.batch: unexpected EOF" message means that the apiserver restarts in the middle of handling the PUT request from the migrator/core. We should let the migrator/core retry in that case, to avoid re-migrating the entire list of Batches.

Apart from that, I agree that we should launch a migration if ss.Status.PersistedSotrageVersionHashes!=ss.Status.CurrentStoragteVersionHash && (there is no pending or running storageMigration). Instead of a switch block nested in the else clause, I would make another variable to capture this state, something like this:

func (mt *MigrationTrigger) processDiscoveryResource(r metav1.APIResource) {
        ...
	stale := (getErr == nil && mt.staleStorageState(ss))
        notFound := (getErr != nil && errors.IsNotFound(getErr))
        // migrated checks if currentStorageVersionHash==persistedStorageVersionHashes, 
        needMigration := !migrated(ss) && !pendingOrRuningMigrations(ss)
        // If storage version has changed, we need to restart any running storageMigration.
	storageVersionChanged := (getErr == nil && ss.Status.CurrentStorageVersionHash != r.StorageVersionHash)
	if stale {
            ....
        }
        if stale || needMigration || storageVersionChanged || notFound {
             relaunch...
        }
}
        

[sanchezl]

@caesarxuchao Done. PTAL.

[deads2k]

return err

[deads2k]

if this is non-nil, utilruntime.HandleError

[sanchezl]

/test pull-kube-storage-version-migrator-disruptive

[caesarxuchao]

Some nits, otherwise lgtm.

[caesarxuchao]

Can you remove the "|| !errors.IsNotFound(getErr)"? That case is handled by the return above and it's weird to call this condition "found" if it contains error.

[sanchezl]

@caesarxuchao Done

[caesarxuchao]

This test doesn't launch the initializer, right?

[sanchezl]

@caesarxuchao Done

[caesarxuchao]

remove the empty line.

[sanchezl]

@caesarxuchao Done

[caesarxuchao]

/approve

LGTM. Please fix one more nit and squash. Feel free to get others to lgtm if I don't get to it soon.

[caesarxuchao]

nits:
s/fail/Fail
s/)/.

[sanchezl]

@caesarxuchao done

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: caesarxuchao, sanchezl

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [caesarxuchao]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[deads2k]

/lgtm

[caesarxuchao]

Great fix! Thanks.