[release-1.27] multicluster collection cleanup (#57692)

* Cleanup resources when remote clusters are removed (#57361)

* Use cluster stop instead of global stop for multicluster ambient index

Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

* Fix build and add release note

Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

* Fixup

Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

* Stash

Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

* reduce diff

Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

* Add tests and comments for the goroutine leaks

Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

* Fix typo

Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

* Fixup

Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

* Address PR comments

Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

---------

Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

* Fix flaky ambient multicluster leak test (#57670)

* Add some more flexibility in checks but disable the test while it's flaky

Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

* Uncomment and use t.Skip

Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

---------

Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

---------

Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

Author: keithmattix

pilot/pkg/serviceregistry/kube/controller/ambient/ambientindex.go

@@ -179,11 +179,10 @@ func New(options Options) Index {
 
 	// TODO: Should this go ahead and transform the full ns into some intermediary with just the details we care about?
 	Namespaces := krt.NewInformer[*corev1.Namespace](options.Client, opts.With(
-		append(opts.WithName("informer/Namespaces"),
-			krt.WithMetadata(krt.Metadata{
-				multicluster.ClusterKRTMetadataKey: options.ClusterID,
-			}),
-		)...,
+		krt.WithName("informer/Namespaces"),
+		krt.WithMetadata(krt.Metadata{
+			multicluster.ClusterKRTMetadataKey: options.ClusterID,
+		}),
 	)...)
 	authzPolicies := kclient.NewDelayedInformer[*securityclient.AuthorizationPolicy](options.Client,
 		gvr.AuthorizationPolicy, kubetypes.StandardInformer, configFilter)
@@ -195,11 +194,10 @@ func New(options Options) Index {
 
 	gatewayClient := kclient.NewDelayedInformer[*v1beta1.Gateway](options.Client, gvr.KubernetesGateway, kubetypes.StandardInformer, filter)
 	Gateways := krt.WrapClient[*v1beta1.Gateway](gatewayClient, opts.With(
-		append(opts.WithName("informer/Gateways"),
-			krt.WithMetadata(krt.Metadata{
-				multicluster.ClusterKRTMetadataKey: options.ClusterID,
-			}),
-		)...,
+		krt.WithName("informer/Gateways"),
+		krt.WithMetadata(krt.Metadata{
+			multicluster.ClusterKRTMetadataKey: options.ClusterID,
+		}),
 	)...)
 
 	gatewayClassClient := kclient.NewDelayedInformer[*v1beta1.GatewayClass](options.Client, gvr.GatewayClass, kubetypes.StandardInformer, filter)
@@ -208,11 +206,10 @@ func New(options Options) Index {
 		ObjectFilter:    options.Client.ObjectFilter(),
 		ObjectTransform: kubeclient.StripPodUnusedFields,
 	}, opts.With(
-		append(opts.WithName("informer/Pods"),
-			krt.WithMetadata(krt.Metadata{
-				multicluster.ClusterKRTMetadataKey: options.ClusterID,
-			}),
-		)...,
+		krt.WithName("informer/Pods"),
+		krt.WithMetadata(krt.Metadata{
+			multicluster.ClusterKRTMetadataKey: options.ClusterID,
+		}),
 	)...)
 
 	serviceEntries := kclient.NewDelayedInformer[*networkingclient.ServiceEntry](options.Client,
@@ -225,31 +222,28 @@ func New(options Options) Index {
 
 	servicesClient := kclient.NewFiltered[*corev1.Service](options.Client, filter)
 	Services := krt.WrapClient[*corev1.Service](servicesClient, opts.With(
-		append(opts.WithName("informer/Services"),
-			krt.WithMetadata(krt.Metadata{
-				multicluster.ClusterKRTMetadataKey: options.ClusterID,
-			}),
-		)...,
+		krt.WithName("informer/Services"),
+		krt.WithMetadata(krt.Metadata{
+			multicluster.ClusterKRTMetadataKey: options.ClusterID,
+		}),
 	)...)
 	Nodes := krt.NewInformerFiltered[*corev1.Node](options.Client, kclient.Filter{
 		ObjectFilter:    options.Client.ObjectFilter(),
 		ObjectTransform: kubeclient.StripNodeUnusedFields,
 	}, opts.With(
-		append(opts.WithName("informer/Nodes"),
-			krt.WithMetadata(krt.Metadata{
-				multicluster.ClusterKRTMetadataKey: options.ClusterID,
-			}),
-		)...,
+		krt.WithName("informer/Nodes"),
+		krt.WithMetadata(krt.Metadata{
+			multicluster.ClusterKRTMetadataKey: options.ClusterID,
+		}),
 	)...)
 
 	EndpointSlices := krt.NewInformerFiltered[*discovery.EndpointSlice](options.Client, kclient.Filter{
 		ObjectFilter: options.Client.ObjectFilter(),
 	}, opts.With(
-		append(opts.WithName("informer/EndpointSlices"),
-			krt.WithMetadata(krt.Metadata{
-				multicluster.ClusterKRTMetadataKey: options.ClusterID,
-			}),
-		)...,
+		krt.WithName("informer/EndpointSlices"),
+		krt.WithMetadata(krt.Metadata{
+			multicluster.ClusterKRTMetadataKey: options.ClusterID,
+		}),
 	)...)
 
 	// In the multicluster use-case, we populate the collections with global, dynamically changing data.

pilot/pkg/serviceregistry/kube/controller/ambient/multicluster.go

@@ -107,12 +107,21 @@ func (a *index) buildGlobalCollections(
 				log.Warnf("Failed to sync gateways informer for cluster %s", c.ID)
 				return nil
 			}
+
+			// N.B we're not using the opts.WithXXX pattern here since we want to be very obvious about which
+			// stop is being used to shutdown the collection (it should always be the cluster stop, NEVER
+			// the top-level stop associated with the ambient controller)
+			opts := []krt.CollectionOption{
+				krt.WithName(fmt.Sprintf("ambient/GatewaysWithCluster[%s]", c.ID)),
+				krt.WithDebugging(opts.Debugger()),
+				krt.WithStop(c.GetStop()),
+			}
 			return ptr.Of(krt.MapCollection(c.Gateways(), func(obj *v1beta1.Gateway) krt.ObjectWithCluster[*v1beta1.Gateway] {
 				return krt.ObjectWithCluster[*v1beta1.Gateway]{
 					ClusterID: c.ID,
 					Object:    &obj,
 				}
-			}, opts.WithName(fmt.Sprintf("GatewaysWithCluster[%s]", c.ID))...))
+			}, opts...))
 		}, "GatewaysWithCluster", opts)
 
 	globalGatewaysByCluster := nestedCollectionIndexByCluster(GlobalGatewaysWithCluster)
@@ -142,12 +151,17 @@ func (a *index) buildGlobalCollections(
 				log.Warnf("Failed to sync nodes informer for cluster %s", c.ID)
 				return nil
 			}
+			opts := []krt.CollectionOption{
+				krt.WithName(fmt.Sprintf("ambient/NodesWithCluster[%s]", c.ID)),
+				krt.WithDebugging(opts.Debugger()),
+				krt.WithStop(c.GetStop()),
+			}
 			return ptr.Of(krt.MapCollection(c.Nodes(), func(obj *v1.Node) krt.ObjectWithCluster[*v1.Node] {
 				return krt.ObjectWithCluster[*v1.Node]{
 					ClusterID: c.ID,
 					Object:    &obj,
 				}
-			}, opts.WithName(fmt.Sprintf("NodesWithCluster[%s]", c.ID))...))
+			}, opts...))
 		}, "NodesWithCluster", opts)
 	// Set up collections for remote clusters
 	GlobalNetworks := buildGlobalNetworkCollections(
@@ -699,7 +713,10 @@ func mergeServiceInfosWithCluster(
 				return nil
 			}
 			// otherwise, skip merging
-			return &base
+			return &krt.ObjectWithCluster[model.ServiceInfo]{
+				ClusterID: base.ClusterID,
+				Object:    precomputeServicePtr(base.Object),
+			}
 		}
 
 		vips := sets.NewWithLength[simpleNetworkAddress](svcInfosLen)

pilot/pkg/serviceregistry/kube/controller/ambient/multicluster/cluster.go

@@ -162,6 +162,10 @@ func (c *Cluster) ResourceName() string {
 	return c.ID.String()
 }
 
+func (c *Cluster) GetStop() <-chan struct{} {
+	return c.stop
+}
+
 func (c *Cluster) Run(localMeshConfig meshwatcher.WatcherCollection, debugger *krt.DebugHandler) {
 	// Check and see if this is a local cluster or not
 	if c.RemoteClusterCollections != nil {
@@ -207,59 +211,53 @@ func (c *Cluster) Run(localMeshConfig meshwatcher.WatcherCollection, debugger *k
 	}
 
 	Namespaces := krt.WrapClient(namespaces, opts.With(
-		append(opts.WithName("informer/Namespaces"),
-			krt.WithMetadata(krt.Metadata{
-				ClusterKRTMetadataKey: c.ID,
-			}),
-		)...,
+		krt.WithName("informer/Namespaces"),
+		krt.WithMetadata(krt.Metadata{
+			ClusterKRTMetadataKey: c.ID,
+		}),
 	)...)
 	Pods := krt.NewInformerFiltered[*corev1.Pod](c.Client, kclient.Filter{
 		ObjectFilter:    c.Client.ObjectFilter(),
 		ObjectTransform: kube.StripPodUnusedFields,
 	}, opts.With(
-		append(opts.WithName("informer/Pods"),
-			krt.WithMetadata(krt.Metadata{
-				ClusterKRTMetadataKey: c.ID,
-			}),
-		)...,
+		krt.WithName("informer/Pods"),
+		krt.WithMetadata(krt.Metadata{
+			ClusterKRTMetadataKey: c.ID,
+		}),
 	)...)
 
 	gatewayClient := kclient.NewDelayedInformer[*v1beta1.Gateway](c.Client, gvr.KubernetesGateway, kubetypes.StandardInformer, defaultFilter)
 	Gateways := krt.WrapClient[*v1beta1.Gateway](gatewayClient, opts.With(
-		append(opts.WithName("informer/Gateways"),
-			krt.WithMetadata(krt.Metadata{
-				ClusterKRTMetadataKey: c.ID,
-			}),
-		)...,
+		krt.WithName("informer/Gateways"),
+		krt.WithMetadata(krt.Metadata{
+			ClusterKRTMetadataKey: c.ID,
+		}),
 	)...)
 	servicesClient := kclient.NewFiltered[*corev1.Service](c.Client, defaultFilter)
 	Services := krt.WrapClient[*corev1.Service](servicesClient, opts.With(
-		append(opts.WithName("informer/Services"),
-			krt.WithMetadata(krt.Metadata{
-				ClusterKRTMetadataKey: c.ID,
-			}),
-		)...,
+		krt.WithName("informer/Services"),
+		krt.WithMetadata(krt.Metadata{
+			ClusterKRTMetadataKey: c.ID,
+		}),
 	)...)
 
 	Nodes := krt.NewInformerFiltered[*corev1.Node](c.Client, kclient.Filter{
 		ObjectFilter:    c.Client.ObjectFilter(),
 		ObjectTransform: kube.StripNodeUnusedFields,
 	}, opts.With(
-		append(opts.WithName("informer/Nodes"),
-			krt.WithMetadata(krt.Metadata{
-				ClusterKRTMetadataKey: c.ID,
-			}),
-		)...,
+		krt.WithName("informer/Nodes"),
+		krt.WithMetadata(krt.Metadata{
+			ClusterKRTMetadataKey: c.ID,
+		}),
 	)...)
 
 	EndpointSlices := krt.NewInformerFiltered[*discovery.EndpointSlice](c.Client, kclient.Filter{
 		ObjectFilter: c.Client.ObjectFilter(),
 	}, opts.With(
-		append(opts.WithName("informer/EndpointSlices"),
-			krt.WithMetadata(krt.Metadata{
-				ClusterKRTMetadataKey: c.ID,
-			}),
-		)...,
+		krt.WithName("informer/EndpointSlices"),
+		krt.WithMetadata(krt.Metadata{
+			ClusterKRTMetadataKey: c.ID,
+		}),
 	)...)
 
 	c.RemoteClusterCollections = &RemoteClusterCollections{

pilot/pkg/serviceregistry/kube/controller/ambient/networks.go

@@ -129,6 +129,14 @@ func buildGlobalNetworkCollections(
 		localNetworkGateways,
 		clusters,
 		func(ctx krt.HandlerContext, c *multicluster.Cluster) *krt.Collection[krt.ObjectWithCluster[NetworkGateway]] {
+			opts := []krt.CollectionOption{
+				krt.WithName(fmt.Sprintf("NetworkGateways[%s]", c.ID)),
+				krt.WithDebugging(opts.Debugger()),
+				krt.WithStop(c.GetStop()),
+				krt.WithMetadata(krt.Metadata{
+					multicluster.ClusterKRTMetadataKey: c.ID,
+				}),
+			}
 			gatewaysPtr := krt.FetchOne(ctx, gateways, krt.FilterIndex(gatewaysByCluster, c.ID))
 			if gatewaysPtr == nil {
 				log.Warnf("No gateways found for cluster %s", c.ID)
@@ -146,12 +154,7 @@ func buildGlobalNetworkCollections(
 					}
 					return k8sGatewayToNetworkGatewaysWithCluster(c.ID, innerGw, options.ClusterID)
 				},
-				append(
-					opts.WithName(fmt.Sprintf("NetworkGateways[%s]", c.ID)),
-					krt.WithMetadata(krt.Metadata{
-						multicluster.ClusterKRTMetadataKey: c.ID,
-					}),
-				)...,
+				opts...,
 			)
 
 			return ptr.Of(nwGateways)

pilot/pkg/serviceregistry/kube/controller/ambient/remotesecrets.go

@@ -164,8 +164,7 @@ func (a *index) deleteCluster(secretKey string, cluster *multicluster.Cluster) {
 	cluster.Stop()
 	// The delete event will be processed within the ClusterStore
 	a.cs.Delete(secretKey, cluster.ID)
-
-	log.Infof("Number of remote clusters: %d", a.cs.Len())
+	cluster.Client.Shutdown() // Shutdown all of the informers so that the goroutines won't leak
 }
 
 func (a *index) processSecretEvent(key types.NamespacedName) error {

pilot/pkg/serviceregistry/kube/controller/ambient/remotesecrets_test.go

@@ -48,6 +48,7 @@ import (
 	"istio.io/istio/pkg/test/util/assert"
 	"istio.io/istio/pkg/test/util/retry"
 	"istio.io/istio/pkg/util/sets"
+	"istio.io/istio/tests/util/leak"
 )
 
 const secretNamespace string = "istio-system"
@@ -743,6 +744,61 @@ func TestSecretController(t *testing.T) {
 	}
 }
 
+func TestRemoteClusterCollectionCleanup(t *testing.T) {
+	t.Skip("https://github.com/istio/istio/issues/57269")
+	test.SetForTest(t, &features.EnableAmbientMultiNetwork, true)
+	fakeRestConfig := &rest.Config{}
+	client := kube.NewFakeClient()
+	opts := krt.NewOptionsBuilder(test.NewStop(t), "test", krt.GlobalDebugHandler)
+	builder := func(kubeConfig []byte, clusterId cluster.ID, configOverrides ...func(*rest.Config)) (kube.Client, error) {
+		for _, override := range configOverrides {
+			override(fakeRestConfig)
+		}
+		return kube.NewFakeClient(), nil
+	}
+	options := Options{
+		Client:        client,
+		ClusterID:     "local-cluster",
+		ClientBuilder: builder,
+	}
+
+	a := newAmbientTestServerFromOptions(t, testNW, options, true)
+	a.clientBuilder = builder
+	clusters := a.remoteClusters
+
+	assert.Equal(t, clusters.WaitUntilSynced(opts.Stop()), true)
+	secret0 := makeSecret(secretNamespace, "s0", clusterCredential{"c0", []byte("kubeconfig0-0")})
+	secrets := a.sec
+	assert.Equal(t, a.workloads.WaitUntilSynced(opts.Stop()), true)
+	assert.Equal(t, a.services.WaitUntilSynced(opts.Stop()), true)
+	assert.Equal(t, a.waypoints.WaitUntilSynced(opts.Stop()), true)
+	t.Run("test remote cluster cleanup", func(t *testing.T) {
+		// Verify that we only leak the expected number of goroutines.
+		// Currently for ambient, we leak several goroutines per cluster
+		// (see https://github.com/istio/istio/issues/57269#issuecomment-3203115068
+		// for more details). Most of the leaks we can't control at this point (e.g. Fetches)
+		// come from the processorListener so exclude those. We also allow 6 additional leaks
+		// for buffer since we see it occurring often.
+		// TODO: Figure out if we can minimize this.
+
+		// Filter all goroutines that existed before the test started
+		leak.Check(t, leak.WithExcludedLeaks([]string{
+			"krt.(*processorListener[...]).run",
+			"krt.(*processorListener[...]).pop",
+		}), leak.WithAllowedLeaks(6))
+		secrets.Create(secret0)
+		assert.EventuallyEqual(t, func() int {
+			return len(a.remoteClusters.List())
+		}, 1)
+		// Now remove the secret
+		secrets.Delete(secret0.Name, secret0.Namespace)
+		assert.EventuallyEqual(t, func() int {
+			return len(a.remoteClusters.List())
+		}, 0)
+		// There shouldn't be any goroutines left from that cluster
+	})
+}
+
 type testHandler struct {
 	ID     cluster.ID
 	Iter   int

pilot/pkg/serviceregistry/kube/controller/ambient/services.go

@@ -111,6 +111,10 @@ func GlobalMergedWorkloadServicesCollection(
 		LocalServiceInfosWithCluster,
 		clusters,
 		func(ctx krt.HandlerContext, cluster *multicluster.Cluster) *krt.Collection[krt.ObjectWithCluster[model.ServiceInfo]] {
+			opts := []krt.CollectionOption{
+				krt.WithDebugging(opts.Debugger()),
+				krt.WithStop(cluster.GetStop()),
+			}
 			services := cluster.Services()
 			waypointsPtr := krt.FetchOne(ctx, globalWaypoints, krt.FilterIndex(waypointsByCluster, cluster.ID))
 			if waypointsPtr == nil {
@@ -136,21 +140,24 @@ func GlobalMergedWorkloadServicesCollection(
 						return ""
 					}
 					return nw.Network
-				}), opts.With(
+				}),
 				append(
-					opts.WithName(fmt.Sprintf("ServiceServiceInfos[%s]", cluster.ID)),
+					opts,
+					krt.WithName(fmt.Sprintf("ambient/ServiceServiceInfos[%s]", cluster.ID)),
 					krt.WithMetadata(krt.Metadata{
 						multicluster.ClusterKRTMetadataKey: cluster.ID,
 					}),
-				)...,
-			)...)
+				)...)
 
 			servicesInfoWithCluster := krt.MapCollection(
 				servicesInfo,
 				func(o model.ServiceInfo) krt.ObjectWithCluster[model.ServiceInfo] {
 					return krt.ObjectWithCluster[model.ServiceInfo]{ClusterID: cluster.ID, Object: &o}
 				},
-				opts.WithName(fmt.Sprintf("ServiceServiceInfosWithCluster[%s]", cluster.ID))...,
+				append(
+					opts,
+					krt.WithName(fmt.Sprintf("ServiceServiceInfosWithCluster[%s]", cluster.ID)),
+				)...,
 			)
 			return ptr.Of(servicesInfoWithCluster)
 		},