feat: gracefully handle lack of connectivity with Konnect API (#3184)

Co-authored-by: Jintao Zhang <zhangjintao9020@gmail.com>

Author: pmalek

CHANGELOG.md

@@ -59,6 +59,11 @@
   For this reference to be allowed, a `KongReferenceGrant` resource must be created
   in the namespace of the `KongService`, allowing access for the `KongRoute`.
   [#3125](https://github.com/Kong/kong-operator/pull/3125)
+- Gracefully handle network errors when communicating with Konnect API.
+  When a network error occurs during Konnect API operations, the operator
+  will patch the resource status conditions to indicate the failure and
+  requeue the reconciliation for a later retry.
+  [#3184](https://github.com/Kong/kong-operator/pull/3184)
 
 ### Fixes
 

controller/konnect/konnectextension_controller.go

@@ -371,6 +371,14 @@ func (r *KonnectExtensionReconciler) Reconcile(ctx context.Context, req ctrl.Req
 				return res, err
 			}
 
+			if !cleanup {
+				// ControlPlane not found and we're not in cleanup mode.
+				// The controlPlaneRefValid condition has already been set to false in getGatewayKonnectControlPlane.
+				// We've done the necessary cleanup above, now wait for the CP to be created or the reference to be corrected.
+				log.Debug(logger, "ControlPlane not found, waiting for it to be available")
+				return res, nil
+			}
+
 		default:
 			log.Debug(logger, "ControlPlane not ready yet")
 			return res, nil

controller/konnect/reconciler_generic.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net/url"
 	"time"
 
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
@@ -450,6 +451,14 @@ func (r *KonnectEntityReconciler[T, TEnt]) Reconcile(
 
 		if controllerutil.RemoveFinalizer(ent, KonnectCleanupFinalizer) {
 			if err := ops.Delete(ctx, sdk, r.Client, r.MetricRecorder, ent); err != nil {
+				// If the error was a network error, handle it here, there's no need to proceed,
+				// as no state has changed.
+				// Status conditions are updated in handleOpsErr.
+				var errUrl *url.Error
+				if errors.As(err, &errUrl) {
+					return r.handleOpsErr(ctx, ent, errUrl)
+				}
+
 				// If the error is a rate limit error, requeue after the retry-after duration
 				// instead of returning an error.
 				if retryAfter, isRateLimited := ops.GetRetryAfterFromRateLimitError(err); isRateLimited {
@@ -485,7 +494,16 @@ func (r *KonnectEntityReconciler[T, TEnt]) Reconcile(
 	// Handle type specific operations and stop reconciliation if needed.
 	// This can happen for instance when KongConsumer references credentials Secrets
 	// that do not exist or populate some Status fields based on Konnect API.
-	if stop, res, err := handleTypeSpecific(ctx, sdk, r.Client, ent); err != nil || !res.IsZero() || stop {
+	if stop, res, err := handleTypeSpecific(ctx, sdk, r.Client, ent); err != nil {
+		// If the error was a network error, handle it here, there's no need to proceed,
+		// as no state has changed.
+		// Status conditions are updated in handleOpsErr.
+		var errUrl *url.Error
+		if errors.As(err, &errUrl) {
+			return r.handleOpsErr(ctx, ent, errUrl)
+		}
+		return ctrl.Result{}, err
+	} else if !res.IsZero() || stop {
 		return res, err
 	}
 
@@ -530,22 +548,31 @@ func (r *KonnectEntityReconciler[T, TEnt]) Reconcile(
 		// Regardless of the error, patch the status as it can contain the Konnect ID,
 		// Org ID, Server URL and status conditions.
 		// Konnect ID will be needed for the finalizer to work.
-		if res, err := patch.ApplyStatusPatchIfNotEmpty(ctx, r.Client, logger, any(ent).(client.Object), obj); err != nil {
+		if _, err := patch.ApplyStatusPatchIfNotEmpty(ctx, r.Client, logger, any(ent).(client.Object), obj); err != nil {
 			if k8serrors.IsConflict(err) {
 				return ctrl.Result{Requeue: true}, nil
 			}
 			return ctrl.Result{}, fmt.Errorf("failed to update status after creating object: %w", err)
-		} else if res != op.Noop {
-			return ctrl.Result{}, nil
 		}
 
 		if err != nil {
+			var (
+				errUrl       *url.Error
+				rateLimitErr ops.RateLimitError
+			)
+			switch {
+			// If the error was a network error, handle it here, there's no need to proceed,
+			// as no state has changed.
+			// Status conditions are updated in handleOpsErr.
+			case errors.As(err, &errUrl):
+				return r.handleOpsErr(ctx, ent, errUrl)
+
 			// If the error is a rate limit error, requeue after the retry-after duration
 			// instead of returning an error.
-			var rateLimitErr ops.RateLimitError
-			if errors.As(err, &rateLimitErr) {
+			case errors.As(err, &rateLimitErr):
 				return ctrl.Result{RequeueAfter: rateLimitErr.RetryAfter}, nil
 			}
+
 			return ctrl.Result{}, ops.FailedKonnectOpError[T]{
 				Op:  ops.CreateOp,
 				Err: err,
@@ -557,6 +584,7 @@ func (r *KonnectEntityReconciler[T, TEnt]) Reconcile(
 	}
 
 	res, err = ops.Update(ctx, sdk, r.SyncPeriod, r.Client, r.MetricRecorder, ent)
+
 	// Set the server URL and org ID regardless of the error.
 	setStatusServerURLAndOrgID(ent, server, apiAuth.Status.OrganizationID)
 	// Update the status of the object regardless of the error.
@@ -567,13 +595,25 @@ func (r *KonnectEntityReconciler[T, TEnt]) Reconcile(
 		return ctrl.Result{}, fmt.Errorf("failed to update in cluster resource after Konnect update: %w %w", errUpd, err)
 	}
 	if err != nil {
+		logger.Error(err, "failed to update")
+
+		var (
+			errUrl       *url.Error
+			rateLimitErr ops.RateLimitError
+		)
+		switch {
+		// If the error was a network error, handle it here, there's no need to proceed,
+		// as no state has changed.
+		// Status conditions are updated in handleOpsErr.
+		case errors.As(err, &errUrl):
+			return r.handleOpsErr(ctx, ent, errUrl)
+
 		// If the error is a rate limit error, requeue after the retry-after duration
 		// instead of returning an error.
-		var rateLimitErr ops.RateLimitError
-		if errors.As(err, &rateLimitErr) {
+		case errors.As(err, &rateLimitErr):
 			return ctrl.Result{RequeueAfter: rateLimitErr.RetryAfter}, nil
 		}
-		logger.Error(err, "failed to update")
+
 	} else if !res.IsZero() {
 		return res, nil
 	}

controller/konnect/reconciler_generic_error_handling.go

@@ -0,0 +1,36 @@
+package konnect
+
+import (
+	"context"
+	"net/url"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	ctrl "sigs.k8s.io/controller-runtime"
+
+	konnectv1alpha1 "github.com/kong/kong-operator/api/konnect/v1alpha1"
+	"github.com/kong/kong-operator/controller/consts"
+	"github.com/kong/kong-operator/controller/pkg/patch"
+)
+
+// handleOpsErr handles network errors.
+// If the error is a network error, it patches the status condition
+// of the Konnect entity to reflect the failure to communicate with the Konnect API.
+func (r *KonnectEntityReconciler[T, TEnt]) handleOpsErr(
+	ctx context.Context, ent TEnt, errUrl *url.Error,
+) (ctrl.Result, error) {
+	if errUrl == nil {
+		return ctrl.Result{}, nil
+	}
+
+	if res, err := patch.StatusWithCondition(ctx, r.Client, ent,
+		konnectv1alpha1.KonnectEntityProgrammedConditionType,
+		metav1.ConditionFalse,
+		konnectv1alpha1.KonnectEntityProgrammedReasonKonnectAPIOpFailed,
+		errUrl.Error(),
+	); err != nil || !res.IsZero() {
+		return res, err
+	}
+
+	// After patching the condition, requeue without backoff to retry the network operation.
+	return ctrl.Result{RequeueAfter: consts.RequeueWithoutBackoff}, nil
+}

controller/konnect/reconciler_generic_error_handling_test.go

@@ -0,0 +1,148 @@
+package konnect
+
+import (
+	"context"
+	"errors"
+	"net/url"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/client/interceptor"
+
+	configurationv1alpha1 "github.com/kong/kong-operator/api/configuration/v1alpha1"
+	konnectv1alpha1 "github.com/kong/kong-operator/api/konnect/v1alpha1"
+	"github.com/kong/kong-operator/controller/consts"
+	"github.com/kong/kong-operator/modules/manager/scheme"
+	k8sutils "github.com/kong/kong-operator/pkg/utils/kubernetes"
+)
+
+func TestHandleOpsErr(t *testing.T) {
+	tests := []struct {
+		name                   string
+		inputErr               *url.Error
+		expectedResult         ctrl.Result
+		expectedErr            bool
+		expectedErrMsg         string
+		expectConditionPatched bool
+		interceptorFunc        interceptor.Funcs
+	}{
+		{
+			name:           "nil error returns empty result",
+			inputErr:       nil,
+			expectedResult: ctrl.Result{},
+			expectedErr:    false,
+		},
+		{
+			name: "url.Error patches status condition and returns nil error",
+			inputErr: &url.Error{
+				Op:  "Get",
+				URL: "https://api.konghq.com",
+				Err: errors.New("connection refused"),
+			},
+			expectedResult:         ctrl.Result{RequeueAfter: consts.RequeueWithoutBackoff},
+			expectedErr:            false,
+			expectConditionPatched: true,
+		},
+		{
+			name: "url.Error with patch conflict returns requeue",
+			inputErr: &url.Error{
+				Op:  "Post",
+				URL: "https://api.konghq.com",
+				Err: errors.New("timeout"),
+			},
+			expectedResult: ctrl.Result{Requeue: true},
+			expectedErr:    false,
+			interceptorFunc: interceptor.Funcs{
+				SubResourcePatch: func(
+					ctx context.Context,
+					client client.Client,
+					subResourceName string,
+					obj client.Object,
+					patch client.Patch,
+					opts ...client.SubResourcePatchOption,
+				) error {
+					return &k8serrors.StatusError{
+						ErrStatus: metav1.Status{
+							Status: metav1.StatusFailure,
+							Reason: metav1.StatusReasonConflict,
+						},
+					}
+				},
+			},
+		},
+		{
+			name: "wrapped url.Error is handled correctly",
+			inputErr: &url.Error{
+				Op:  "Get",
+				URL: "https://api.konghq.com",
+				Err: errors.New("no such host"),
+			},
+			expectedResult:         ctrl.Result{RequeueAfter: consts.RequeueWithoutBackoff},
+			expectedErr:            false,
+			expectConditionPatched: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := context.Background()
+
+			ent := &configurationv1alpha1.KongService{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:       "test-service",
+					Namespace:  "default",
+					Generation: 1,
+				},
+			}
+
+			clientBuilder := fake.NewClientBuilder().
+				WithObjects(ent).
+				WithStatusSubresource(ent).
+				WithScheme(scheme.Get())
+
+			if tt.interceptorFunc.SubResourcePatch != nil {
+				clientBuilder = clientBuilder.WithInterceptorFuncs(tt.interceptorFunc)
+			}
+
+			cl := clientBuilder.Build()
+
+			r := &KonnectEntityReconciler[
+				configurationv1alpha1.KongService, *configurationv1alpha1.KongService,
+			]{
+				Client: cl,
+			}
+
+			result, err := r.handleOpsErr(ctx, ent, tt.inputErr)
+
+			assert.Equal(t, tt.expectedResult, result)
+
+			if tt.expectedErr {
+				require.Error(t, err)
+				if tt.expectedErrMsg != "" {
+					assert.Contains(t, err.Error(), tt.expectedErrMsg)
+				}
+				return
+			}
+
+			require.NoError(t, err)
+
+			if tt.expectConditionPatched {
+				cond, ok := k8sutils.GetCondition(
+					konnectv1alpha1.KonnectEntityProgrammedConditionType, ent,
+				)
+				require.True(t, ok, "expected condition to be set")
+				assert.Equal(t, metav1.ConditionFalse, cond.Status)
+				assert.Equal(t,
+					string(konnectv1alpha1.KonnectEntityProgrammedReasonKonnectAPIOpFailed),
+					cond.Reason,
+				)
+			}
+		})
+	}
+}

controller/pkg/patch/patch.go

@@ -66,6 +66,13 @@ func ApplyStatusPatchIfNotEmpty[
 ) (res op.Result, err error) {
 	// Check if the patch to be applied is empty.
 	patch := client.MergeFrom(oldExisting)
+
+	// NOTE: Code below is not 100% correct as it generates a diff for whole object,
+	// not only for status subresource. However, controller-runtime does not provide
+	// an easy way to do that, so for now we rely on the fact that only status is
+	// being modified before calling this function.
+	// In future we might want to implement a custom patcher that would only
+	// consider status field.
 	b, err := patch.Data(existing)
 	if err != nil {
 		return op.Noop, fmt.Errorf("failed to generate patch for %T %s: %w",