report warning events for ingress and ingressclass reconciliation failures

Author: piyush-tiwari

go.mod

@@ -35,6 +35,7 @@ require (
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gofrs/flock v0.8.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/go-cmp v0.6.0 // indirect

go.sum

@@ -38,6 +38,7 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=

helm/oci-native-ingress-controller/templates/deployment.yaml

@@ -69,6 +69,7 @@ spec:
           - --metrics-port={{.Values.metrics.port}}
           - --v=4
           - --use-lb-compartment-for-certificates={{ .Values.useLbCompartmentForCertificates }}
+          - --emit-events={{ .Values.emitEvents }}
           env:
             - name: OCI_RESOURCE_PRINCIPAL_VERSION
               value: "2.2"

helm/oci-native-ingress-controller/templates/rbac.yaml

@@ -12,9 +12,9 @@ metadata:
   labels:
     {{- include "oci-native-ingress-controller.labels" . | nindent 4 }}
 rules:
-- apiGroups: [""]
+- apiGroups: ["", "events.k8s.io"]
   resources: [events]
-  verbs: [create, patch]
+  verbs: [create, patch, update]
 - apiGroups: [""]
   resources: [pods]
   verbs: [get, list, watch]

helm/oci-native-ingress-controller/values.yaml

@@ -124,5 +124,9 @@ metrics:
   backend: prometheus
   port: 2223
 
-# Use the compartment supplied in IngressClassParam.spec.compartmentId for certificate management
+# Use the compartment supplied in IngressClassParameters.spec.compartmentId for certificate management.
+# If set to false, the default compartment_id specified in this file is used for this purpose instead.
 useLbCompartmentForCertificates: false
+
+# Emit kubernetes events for Ingress/IngressClass errors observed during reconciliation
+emitEvents: false

main.go

@@ -34,6 +34,7 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/tools/cache"
+	events "k8s.io/client-go/tools/events"
 	"k8s.io/client-go/tools/leaderelection"
 	"k8s.io/client-go/tools/leaderelection/resourcelock"
 
@@ -61,6 +62,7 @@ func main() {
 	flag.IntVar(&opts.MetricsPort, "metrics-port", 2223, "Metrics port for metrics backend")
 	flag.BoolVar(&opts.UseLbCompartmentForCertificates, "use-lb-compartment-for-certificates", false,
 		"use the compartment supplied in IngressClassParam.spec.compartmentId for certificate management")
+	flag.BoolVar(&opts.EmitEvents, "emit-events", false, "emit kubernetes events for Ingress/IngressClass errors observed during reconciliation")
 
 	var logFile string
 	flag.StringVar(&logFile, "log-file", "", "absolute path to the file where application logs will be stored")
@@ -171,11 +173,19 @@ func main() {
 
 	ingressClassInformer, ingressInformer, serviceInformer, secretInformer, endpointInformer, podInformer, nodeInformer, serviceAccountInformer := setupInformers(informerFactory, ctx, classParamInformer)
 
+	var eventRecorder events.EventRecorder
+	if opts.EmitEvents {
+		eventBroadcaster := events.NewBroadcaster(&events.EventSinkImpl{Interface: client.EventsV1()})
+		eventBroadcaster.StartStructuredLogging(5)
+		eventBroadcaster.StartRecordingToSink(make(chan struct{}))
+		eventRecorder = eventBroadcaster.NewRecorder(scheme.Scheme, opts.ControllerClass)
+	}
+
 	server.SetupWebhookServer(ingressInformer, serviceInformer, client, ctx)
 	mux := http.NewServeMux()
 	reg, err := server.SetupMetricsServer(opts.MetricsBackend, opts.MetricsPort, mux, ctx)
 
-	run := server.SetUpControllers(opts, ingressClassInformer, ingressInformer, client, serviceInformer, secretInformer, endpointInformer, podInformer, nodeInformer, serviceAccountInformer, c, reg)
+	run := server.SetUpControllers(opts, ingressClassInformer, ingressInformer, client, serviceInformer, secretInformer, endpointInformer, podInformer, nodeInformer, serviceAccountInformer, c, reg, eventRecorder)
 
 	metric.ServeMetrics(opts.MetricsPort, mux)
 	// we use the Lease lock type since edits to Leases are less common

pkg/certificate/certificate.go

@@ -122,12 +122,14 @@ func (certificatesClient *CertificatesClient) ListCertificates(ctx context.Conte
 func (certificatesClient *CertificatesClient) UpdateCertificate(ctx context.Context,
 	req certificatesmanagement.UpdateCertificateRequest) (*certificatesmanagement.Certificate, string, error) {
 	_, err := certificatesClient.ManagementClient.UpdateCertificate(ctx, req)
+
 	if err != nil {
-		if !util.IsServiceError(err, 409) {
-			klog.Errorf("Error updating certificate %s: %s", *req.CertificateId, err)
-		} else {
+		if util.IsServiceError(err, 409) {
 			klog.Errorf("Error updating certificate %s due to 409-Conflict", *req.CertificateId)
+		} else {
+			klog.Errorf("Error updating certificate %s: %s", *req.CertificateId, err)
 		}
+
 		return nil, "", err
 	}
 
@@ -223,12 +225,14 @@ func (certificatesClient *CertificatesClient) ListCaBundles(ctx context.Context,
 func (certificatesClient *CertificatesClient) UpdateCaBundle(ctx context.Context,
 	req certificatesmanagement.UpdateCaBundleRequest) (*certificatesmanagement.CaBundle, string, error) {
 	_, err := certificatesClient.ManagementClient.UpdateCaBundle(ctx, req)
+
 	if err != nil {
-		if !util.IsServiceError(err, 409) {
-			klog.Errorf("Error updating ca bundle %s: %s", *req.CaBundleId, err)
-		} else {
+		if util.IsServiceError(err, 409) {
 			klog.Errorf("Error updating ca bundle %s due to 409-Conflict", *req.CaBundleId)
+		} else {
+			klog.Errorf("Error updating ca bundle %s: %s", *req.CaBundleId, err)
 		}
+
 		return nil, "", err
 	}
 

pkg/controllers/backend/backend.go

@@ -14,6 +14,7 @@ import (
 	"encoding/json"
 	"fmt"
 	coreinformers "k8s.io/client-go/informers/core/v1"
+	"k8s.io/client-go/tools/events"
 	"time"
 
 	"github.com/oracle/oci-native-ingress-controller/pkg/client"
@@ -47,6 +48,7 @@ type Controller struct {
 	podLister          corelisters.PodLister
 	endpointLister     corelisters.EndpointsLister
 	saLister           corelisters.ServiceAccountLister
+	eventRecorder      events.EventRecorder
 
 	queue  workqueue.RateLimitingInterface
 	client *client.ClientProvider
@@ -61,6 +63,7 @@ func NewController(
 	endpointLister corelisters.EndpointsLister,
 	podLister corelisters.PodLister,
 	client *client.ClientProvider,
+	eventRecorder events.EventRecorder,
 ) *Controller {
 
 	c := &Controller{
@@ -72,6 +75,7 @@ func NewController(
 		podLister:          podLister,
 		saLister:           saInformer.Lister(),
 		client:             client,
+		eventRecorder:      eventRecorder,
 		queue:              workqueue.NewRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(10*time.Second, 5*time.Minute)),
 	}
 
@@ -93,7 +97,7 @@ func (c *Controller) processNextItem() bool {
 	err := c.sync(key.(string))
 
 	// Handle the error if something went wrong during the execution of the business logic
-	util.HandleErr(c.queue, err, "Error syncing backends for ingress class", key)
+	util.HandleErrForBackendController(c.eventRecorder, c.ingressClassLister, c.queue, err, "Error syncing backends for ingress class", key)
 	return true
 }
 
@@ -157,50 +161,69 @@ func (c *Controller) ensureBackends(ctx context.Context, ingressClass *networkin
 	}
 
 	for _, ingress := range ingresses {
-		for _, rule := range ingress.Spec.Rules {
-			for _, path := range rule.HTTP.Paths {
-				pSvc, svc, err := util.ExtractServices(path, c.serviceLister, ingress)
-				if err != nil {
-					return err
-				}
-				svcName, svcPort, targetPort, err := util.PathToServiceAndTargetPort(c.endpointLister, svc, pSvc, ingress.Namespace, false)
-				if err != nil {
-					return err
-				}
-				epAddrs, err := util.GetEndpoints(c.endpointLister, ingress.Namespace, svcName)
-				if err != nil {
-					return fmt.Errorf("unable to fetch endpoints for %s/%s/%d: %w", ingress.Namespace, svcName, targetPort, err)
-				}
-				backends := []ociloadbalancer.BackendDetails{}
-				for _, epAddr := range epAddrs {
-					backends = append(backends, util.NewBackend(epAddr.IP, targetPort))
-				}
-				backendSetName := util.GenerateBackendSetName(ingress.Namespace, svcName, svcPort)
-				err = wrapperClient.GetLbClient().UpdateBackends(context.TODO(), lbID, backendSetName, backends)
+		err := c.ensureBackendsForIngress(ctx, ingress, ingressClass, lbID, wrapperClient)
+		if err != nil {
+			return fmt.Errorf("for ingress %s, encountered error: %w", klog.KObj(ingress), err)
+		}
+	}
+
+	// Sync default backends
+	c.syncDefaultBackend(ctx, lbID, ingresses)
+	return nil
+}
+
+func (c *Controller) ensureBackendsForIngress(ctx context.Context, ingress *networkingv1.Ingress, ingressClass *networkingv1.IngressClass,
+	lbID string, wrapperClient *client.WrapperClient) error {
+
+	for _, rule := range ingress.Spec.Rules {
+		for _, path := range rule.HTTP.Paths {
+			pSvc, svc, err := util.ExtractServices(path, c.serviceLister, ingress)
+			if err != nil {
+				return err
+			}
+			svcName, svcPort, targetPort, err := util.PathToServiceAndTargetPort(c.endpointLister, svc, pSvc, ingress.Namespace, false)
+			if err != nil {
+				return err
+			}
+
+			epAddrs, err := util.GetEndpoints(c.endpointLister, ingress.Namespace, svcName)
+			if err != nil {
+				return fmt.Errorf("unable to fetch endpoints for %s/%s/%d: %w", ingress.Namespace, svcName, targetPort, err)
+			}
+
+			backends := []ociloadbalancer.BackendDetails{}
+			for _, epAddr := range epAddrs {
+				backends = append(backends, util.NewBackend(epAddr.IP, targetPort))
+			}
+
+			backendSetName := util.GenerateBackendSetName(ingress.Namespace, svcName, svcPort)
+			err = wrapperClient.GetLbClient().UpdateBackends(context.TODO(), lbID, backendSetName, backends)
+			if err != nil {
+				return fmt.Errorf("unable to update backends for %s/%s: %w", ingressClass.Name, backendSetName, err)
+			}
+
+			backendSetHealth, err := wrapperClient.GetLbClient().GetBackendSetHealth(context.TODO(), lbID, backendSetName)
+			if err != nil {
+				return fmt.Errorf("unable to fetch backendset health: %w", err)
+			}
+
+			for _, epAddr := range epAddrs {
+				pod, err := c.podLister.Pods(ingress.Namespace).Get(epAddr.TargetRef.Name)
 				if err != nil {
-					return fmt.Errorf("unable to update backends for %s/%s: %w", ingressClass.Name, backendSetName, err)
+					return fmt.Errorf("failed to fetch pod %s/%s: %w", ingress.Namespace, epAddr.TargetRef.Name, err)
 				}
-				backendSetHealth, err := wrapperClient.GetLbClient().GetBackendSetHealth(context.TODO(), lbID, backendSetName)
+
+				backendName := fmt.Sprintf("%s:%d", epAddr.IP, targetPort)
+				readinessCondition := util.GetPodReadinessCondition(ingress.Name, rule.Host, path)
+
+				err = c.ensurePodReadinessCondition(ctx, pod, readinessCondition, backendSetHealth, backendName)
 				if err != nil {
-					return fmt.Errorf("unable to fetch backendset health: %w", err)
-				}
-				for _, epAddr := range epAddrs {
-					pod, err := c.podLister.Pods(ingress.Namespace).Get(epAddr.TargetRef.Name)
-					if err != nil {
-						return fmt.Errorf("failed to fetch pod %s/%s: %w", ingress.Namespace, epAddr.TargetRef.Name, err)
-					}
-					backendName := fmt.Sprintf("%s:%d", epAddr.IP, targetPort)
-					readinessCondition := util.GetPodReadinessCondition(ingress.Name, rule.Host, path)
-					err = c.ensurePodReadinessCondition(ctx, pod, readinessCondition, backendSetHealth, backendName)
-					if err != nil {
-						return fmt.Errorf("%w", err)
-					}
+					return fmt.Errorf("%w", err)
 				}
 			}
 		}
 	}
-	// Sync default backends
-	c.syncDefaultBackend(ctx, lbID, ingresses)
+
 	return nil
 }
 

pkg/controllers/backend/backend_test.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	coreinformers "k8s.io/client-go/informers/core/v1"
+	"k8s.io/client-go/tools/events"
 	"sync"
 	"testing"
 	"time"
@@ -223,7 +224,8 @@ func inits(ctx context.Context, ingressClassList *networkingv1.IngressClassList,
 		DefaultConfigGetter: &MockConfigGetter{},
 		Cache:               NewMockCacheStore(wrapperClient),
 	}
-	c := NewController("oci.oraclecloud.com/native-ingress-controller", ingressClassInformer, ingressInformer, saInformer, serviceLister, endpointLister, podLister, client)
+	fakeRecorder := events.NewFakeRecorder(10)
+	c := NewController("oci.oraclecloud.com/native-ingress-controller", ingressClassInformer, ingressInformer, saInformer, serviceLister, endpointLister, podLister, client, fakeRecorder)
 	return c
 }
 

pkg/controllers/ingress/certificate_util.go

@@ -15,6 +15,7 @@ import (
 	"github.com/oracle/oci-go-sdk/v65/certificatesmanagement"
 	"github.com/oracle/oci-go-sdk/v65/common"
 	"github.com/oracle/oci-native-ingress-controller/pkg/certificate"
+	"github.com/oracle/oci-native-ingress-controller/pkg/exception"
 	"github.com/oracle/oci-native-ingress-controller/pkg/util"
 	"k8s.io/klog/v2"
 	"time"
@@ -152,7 +153,7 @@ func UpdateImportedTypeCertificate(certificateId *string, tlsSecretData *TLSSecr
 	if util.IsServiceError(err, 409) {
 		klog.Infof("Update certificate returned code %d for certificate %s. Refreshing cache.", 409, *certificateId)
 		getCertificateBustCache(*certificateId, certificatesClient)
-		return nil, fmt.Errorf("unable to update certificate %s due to conflict, controller will retry later", *certificateId)
+		return nil, exception.NewTransientError(fmt.Errorf("unable to update certificate %s due to conflict, controller will retry later", *certificateId))
 	}
 
 	if err != nil {
@@ -353,7 +354,7 @@ func UpdateCaBundle(caBundleId string, certificatesClient *certificate.Certifica
 	if util.IsServiceError(err, 409) {
 		klog.Infof("Update ca bundle returned code %d for ca bundle %s. Refreshing cache.", 409, caBundleId)
 		getCaBundleBustCache(caBundleId, certificatesClient)
-		return nil, fmt.Errorf("unable to update ca bundle %s due to conflict, controller will retry later", caBundleId)
+		return nil, exception.NewTransientError(fmt.Errorf("unable to update ca bundle %s due to conflict, controller will retry later", caBundleId))
 	}
 
 	if err != nil {