Merge pull request #285 from snyk/fix/k8s-api-requests

Amir Moualem · web-flow · commit f27f17249845 · 2020-01-08T17:14:59.000+02:00
fix: retry and throttle requests to k8s-api
diff --git a/package.json b/package.json
@@ -5,15 +5,15 @@
   "scripts": {
     "pretest": "./scripts/build-image.sh",
     "test": "npm run lint && npm run build && npm run test:unit && npm run test:integration",
-    "test:unit": "NODE_ENV=test tap test/unit -R spec",
-    "test:integration": "TEST_PLATFORM=kind CREATE_CLUSTER=true tap test/integration/kubernetes.test.ts -R spec --timeout=1200",
-    "test:integration:kind": "TEST_PLATFORM=kind CREATE_CLUSTER=true tap test/integration/kubernetes.test.ts -R spec --timeout=1200",
-    "test:integration:eks": "TEST_PLATFORM=eks CREATE_CLUSTER=false tap test/integration/kubernetes.test.ts -R spec --timeout=1200",
+    "test:unit": "NODE_ENV=test tap test/unit",
+    "test:integration": "TEST_PLATFORM=kind CREATE_CLUSTER=true tap test/integration/kubernetes.test.ts --timeout=1200",
+    "test:integration:kind": "TEST_PLATFORM=kind CREATE_CLUSTER=true tap test/integration/kubernetes.test.ts --timeout=1200",
+    "test:integration:eks": "TEST_PLATFORM=eks CREATE_CLUSTER=false tap test/integration/kubernetes.test.ts --timeout=1200",
     "test:coverage": "npm run test:unit -- --coverage",
     "test:watch": "tsc-watch --onSuccess 'npm run test:unit'",
-    "test:apk": "TEST_PLATFORM=kind CREATE_CLUSTER=true PACKAGE_MANAGER=apk tap test/integration/package-manager.test.ts -R spec --timeout=7200",
-    "test:apt": "TEST_PLATFORM=kind CREATE_CLUSTER=true PACKAGE_MANAGER=apt tap test/integration/package-manager.test.ts -R spec --timeout=7200",
-    "test:rpm": "TEST_PLATFORM=kind CREATE_CLUSTER=true PACKAGE_MANAGER=rpm tap test/integration/package-manager.test.ts -R spec --timeout=7200",
+    "test:apk": "TEST_PLATFORM=kind CREATE_CLUSTER=true PACKAGE_MANAGER=apk tap test/integration/package-manager.test.ts --timeout=7200",
+    "test:apt": "TEST_PLATFORM=kind CREATE_CLUSTER=true PACKAGE_MANAGER=apt tap test/integration/package-manager.test.ts --timeout=7200",
+    "test:rpm": "TEST_PLATFORM=kind CREATE_CLUSTER=true PACKAGE_MANAGER=rpm tap test/integration/package-manager.test.ts --timeout=7200",
     "start": "bin/start",
     "prepare": "npm run build",
     "build": "tsc",
diff --git a/src/supervisor/kuberenetes-api-wrappers.ts b/src/supervisor/kuberenetes-api-wrappers.ts
@@ -0,0 +1,43 @@
+import * as http from 'http';
+import * as sleep from 'sleep-promise';
+
+export const ATTEMPTS_MAX = 3;
+export const DEFAULT_SLEEP_SEC = 1;
+export const MAX_SLEEP_SEC = 5;
+type IKubernetesApiFunction = () => Promise<any>;
+
+export async function retryKubernetesApiRequest(func: IKubernetesApiFunction) {
+
+  for (let attempt = 1; attempt <= ATTEMPTS_MAX; attempt++) {
+    try {
+      return await func();
+    } catch (err) {
+      const response = err.response;
+      if (response.statusCode !== 429) {
+        throw err;
+      }
+
+      if (attempt === ATTEMPTS_MAX) {
+        throw err;
+      }
+
+      const sleepSeconds = calculateSleepSeconds(response);
+      await sleep(sleepSeconds * 1000);
+    }
+  }
+}
+
+export function calculateSleepSeconds(httpResponse: http.IncomingMessage): number {
+  let sleepSeconds = DEFAULT_SLEEP_SEC;
+  if (httpResponse && httpResponse.headers && httpResponse.headers['Retry-After']) {
+    try {
+      sleepSeconds = Number(httpResponse.headers['Retry-After']);
+      if (isNaN(sleepSeconds) || sleepSeconds <= 0) {
+        sleepSeconds = DEFAULT_SLEEP_SEC;
+      }
+    } catch (err) {
+      sleepSeconds = DEFAULT_SLEEP_SEC;
+    }
+  }
+  return Math.min(sleepSeconds, MAX_SLEEP_SEC);
+}
diff --git a/src/supervisor/workload-reader.ts b/src/supervisor/workload-reader.ts
@@ -1,4 +1,6 @@
 import { V1OwnerReference } from '@kubernetes/client-node';
+
+import * as kubernetesApiWrappers from './kuberenetes-api-wrappers';
 import { k8sApi } from './cluster';
 import { IKubeObjectMetadata, WorkloadKind } from './types';
 
@@ -8,8 +10,8 @@ type IWorkloadReaderFunc = (
 ) => Promise<IKubeObjectMetadata | undefined>;
 
 const deploymentReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
-  const deploymentResult = await k8sApi.appsClient.readNamespacedDeployment(
-    workloadName, namespace);
+  const deploymentResult = await kubernetesApiWrappers.retryKubernetesApiRequest(
+    () => k8sApi.appsClient.readNamespacedDeployment(workloadName, namespace));
   const deployment = deploymentResult.body;
 
   if (!deployment.metadata || !deployment.spec || !deployment.spec.template.metadata ||
@@ -29,8 +31,8 @@ const deploymentReader: IWorkloadReaderFunc = async (workloadName, namespace) =>
 };
 
 const replicaSetReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
-  const replicaSetResult = await k8sApi.appsClient.readNamespacedReplicaSet(
-    workloadName, namespace);
+  const replicaSetResult = await kubernetesApiWrappers.retryKubernetesApiRequest(
+    () => k8sApi.appsClient.readNamespacedReplicaSet(workloadName, namespace));
   const replicaSet = replicaSetResult.body;
 
   if (!replicaSet.metadata || !replicaSet.spec || !replicaSet.spec.template ||
@@ -50,8 +52,8 @@ const replicaSetReader: IWorkloadReaderFunc = async (workloadName, namespace) =>
 };
 
 const statefulSetReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
-  const statefulSetResult = await k8sApi.appsClient.readNamespacedStatefulSet(
-    workloadName, namespace);
+  const statefulSetResult = await kubernetesApiWrappers.retryKubernetesApiRequest(
+    () => k8sApi.appsClient.readNamespacedStatefulSet(workloadName, namespace));
   const statefulSet = statefulSetResult.body;
 
   if (!statefulSet.metadata || !statefulSet.spec || !statefulSet.spec.template.metadata ||
@@ -71,8 +73,8 @@ const statefulSetReader: IWorkloadReaderFunc = async (workloadName, namespace) =
 };
 
 const daemonSetReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
-  const daemonSetResult = await k8sApi.appsClient.readNamespacedDaemonSet(
-    workloadName, namespace);
+  const daemonSetResult = await kubernetesApiWrappers.retryKubernetesApiRequest(
+    () => k8sApi.appsClient.readNamespacedDaemonSet(workloadName, namespace));
   const daemonSet = daemonSetResult.body;
 
   if (!daemonSet.metadata || !daemonSet.spec || !daemonSet.spec.template.spec ||
@@ -92,8 +94,8 @@ const daemonSetReader: IWorkloadReaderFunc = async (workloadName, namespace) =>
 };
 
 const jobReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
-  const jobResult = await k8sApi.batchClient.readNamespacedJob(
-    workloadName, namespace);
+  const jobResult = await kubernetesApiWrappers.retryKubernetesApiRequest(
+    () => k8sApi.batchClient.readNamespacedJob(workloadName, namespace));
   const job = jobResult.body;
 
   if (!job.metadata || !job.spec || !job.spec.template.spec || !job.spec.template.metadata) {
@@ -114,8 +116,8 @@ const jobReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
 // https://kubernetes.io/docs/concepts/overview/kubernetes-api/#api-versioning
 // CronJobs will appear in v2 API, but for now there' only v2alpha1, so it's a bad idea to use it.
 const cronJobReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
-  const cronJobResult = await k8sApi.batchUnstableClient.readNamespacedCronJob(
-    workloadName, namespace);
+  const cronJobResult = await kubernetesApiWrappers.retryKubernetesApiRequest(
+    () => k8sApi.batchUnstableClient.readNamespacedCronJob(workloadName, namespace));
   const cronJob = cronJobResult.body;
 
   if (!cronJob.metadata || !cronJob.spec || !cronJob.spec.jobTemplate.metadata ||
@@ -134,8 +136,8 @@ const cronJobReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
 };
 
 const replicationControllerReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
-  const replicationControllerResult = await k8sApi.coreClient.readNamespacedReplicationController(
-    workloadName, namespace);
+  const replicationControllerResult = await kubernetesApiWrappers.retryKubernetesApiRequest(
+    () => k8sApi.coreClient.readNamespacedReplicationController(workloadName, namespace));
   const replicationController = replicationControllerResult.body;
 
   if (!replicationController.metadata || !replicationController.spec || !replicationController.spec.template ||
diff --git a/test/unit/supervisor/kubernetes-api-wrappers.test.ts b/test/unit/supervisor/kubernetes-api-wrappers.test.ts
@@ -0,0 +1,102 @@
+import * as tap from 'tap';
+import * as http from 'http';
+import * as kubernetesApiWrappers from '../../../src/supervisor/kuberenetes-api-wrappers';
+
+tap.test('calculateSleepSeconds', async (t) => {
+  const responseWithoutHeaders = {};
+  t.equals(
+    kubernetesApiWrappers.calculateSleepSeconds(responseWithoutHeaders as http.IncomingMessage),
+    kubernetesApiWrappers.DEFAULT_SLEEP_SEC,
+    'returns the default value for a response without headers',
+  );
+
+  const responseWithNegativeSeconds = {headers: {'Retry-After': -3}};
+  t.equals(
+    kubernetesApiWrappers.calculateSleepSeconds(responseWithNegativeSeconds as unknown as http.IncomingMessage),
+    kubernetesApiWrappers.DEFAULT_SLEEP_SEC,
+    'returns the default value for a response with negative retry',
+  );
+
+  const responseWithZeroSeconds = {headers: {'Retry-After': 0}};
+  t.equals(
+    kubernetesApiWrappers.calculateSleepSeconds(responseWithZeroSeconds as unknown as http.IncomingMessage),
+    kubernetesApiWrappers.DEFAULT_SLEEP_SEC,
+    'returns the default value for a response with zero retry',
+  );
+
+  const responseWithDate = {headers: {'Retry-After': 'Fri, 31 Dec 1999 23:59:59 GMT'}};
+  t.equals(
+    kubernetesApiWrappers.calculateSleepSeconds(responseWithDate as unknown as http.IncomingMessage),
+    kubernetesApiWrappers.DEFAULT_SLEEP_SEC,
+    'returns the default value for a response with a date',
+  );
+
+  const responseWithHighSecondsMock = {headers: {'Retry-After': 55}};
+  t.equals(
+    kubernetesApiWrappers.calculateSleepSeconds(responseWithHighSecondsMock as unknown as http.IncomingMessage),
+    kubernetesApiWrappers.MAX_SLEEP_SEC,
+    'returns a value limited for high retry values',
+  );
+
+  const responseWithSecondsMock = {headers: {'Retry-After': 4}};
+  t.equals(
+    kubernetesApiWrappers.calculateSleepSeconds(responseWithSecondsMock as unknown as http.IncomingMessage),
+    4,
+    'returns the retry-after value if numeric, positive and not too high',
+  );
+});
+
+tap.test('retryKubernetesApiRequest for retryable errors', async (t) => {
+  const retryableErrorResponse = {response: {statusCode: 429}};
+
+  t.rejects(
+    () => kubernetesApiWrappers.retryKubernetesApiRequest(() => Promise.reject(retryableErrorResponse)),
+    'eventually throws on repeated retryable error responses',
+  );
+
+  let failures = 0;
+  const functionThatFailsJustEnoughTimes = () => {
+    if (failures < kubernetesApiWrappers.ATTEMPTS_MAX - 1) {
+      failures +=1;
+      return Promise.reject(retryableErrorResponse);
+    }
+    return Promise.resolve('egg');
+  };
+
+  const successfulResponse = await kubernetesApiWrappers.retryKubernetesApiRequest(functionThatFailsJustEnoughTimes);
+  t.equals(
+    successfulResponse,
+    'egg',
+    'keeps retrying on 429 as long as we don\'t cross max attempts',
+  );
+
+  failures = 0;
+  const functionThatFailsOneTooManyTimes = () => {
+    if (failures < kubernetesApiWrappers.ATTEMPTS_MAX) {
+      failures +=1;
+      return Promise.reject(retryableErrorResponse);
+    }
+    return Promise.resolve('egg');
+  };
+
+  t.rejects(
+    () => kubernetesApiWrappers.retryKubernetesApiRequest(functionThatFailsOneTooManyTimes),
+    'failure more than the maximum, rejects, even for a retryable error response',
+  );
+});
+
+tap.test('retryKubernetesApiRequest for non-retryable errors', async (t) => {
+  const nonRetryableErrorResponse = {response: {statusCode: 500}};
+
+  let failures = 0;
+  const functionThatFails = () => {
+    failures +=1;
+    return Promise.reject(nonRetryableErrorResponse);
+  };
+
+  t.rejects(
+    () => kubernetesApiWrappers.retryKubernetesApiRequest(functionThatFails),
+    'failure more than the maximum, rejects, even for a retryable error response',
+  );
+  t.equals(failures, 1, 'did not retry even once for non-retryable error code');
+});
diff --git a/test/unit/supervisor/metadata-extractor.test.ts b/test/unit/supervisor/metadata-extractor.test.ts
@@ -3,9 +3,9 @@ import * as fs from 'fs';
 import * as YAML from 'yaml';
 
 import { V1OwnerReference, V1Pod, V1Deployment } from '@kubernetes/client-node';
-import * as supervisorTypes from '../../src/supervisor/types';
+import * as supervisorTypes from '../../../src/supervisor/types';
 
-import * as metadataExtractor from '../../src/supervisor/metadata-extractor';
+import * as metadataExtractor from '../../../src/supervisor/metadata-extractor';
 
 tap.test('isPodAssociatedWithParent', async (t) => {
   const mockPodWithoutMetadata = {};
diff --git a/test/unit/supervisor/pod-watch-handler-caches.test.ts b/test/unit/supervisor/pod-watch-handler-caches.test.ts
@@ -6,13 +6,13 @@ import * as YAML from 'yaml';
 import async = require('async');
 
 import { V1PodSpec, V1Pod } from '@kubernetes/client-node';
-import transmitterTypes = require('../../src/transmitter/types');
-import * as metadataExtractor from '../../src/supervisor/metadata-extractor';
+import transmitterTypes = require('../../../src/transmitter/types');
+import * as metadataExtractor from '../../../src/supervisor/metadata-extractor';
 
 let pushCallCount = 0;
 sinon.stub(async, 'queue').returns({ error: () => { }, push: () => pushCallCount++ } as any);
 
-import * as pod from '../../src/supervisor/watchers/handlers/pod';
+import * as pod from '../../../src/supervisor/watchers/handlers/pod';
 
 tap.test('image and workload image cache', async (t) => {
   const podSpecFixture = fs.readFileSync('./test/fixtures/pod-spec.json', 'utf8');
diff --git a/test/unit/supervisor/watchers.test.ts b/test/unit/supervisor/watchers.test.ts
@@ -1,7 +1,7 @@
 import * as tap from 'tap';
 import { V1Namespace } from '@kubernetes/client-node';
 
-import watchers = require('../../src/supervisor/watchers');
+import watchers = require('../../../src/supervisor/watchers');
 
 tap.test('extractNamespaceName', async (t) => {
   const namespaceEmpty = {} as V1Namespace;
diff --git a/test/unit/supervisor/workload-reader.test.ts b/test/unit/supervisor/workload-reader.test.ts
@@ -1,6 +1,6 @@
 import * as tap from 'tap';
 
-import { SupportedWorkloadTypes, getSupportedWorkload } from '../../src/supervisor/workload-reader';
+import { SupportedWorkloadTypes, getSupportedWorkload } from '../../../src/supervisor/workload-reader';
 import { V1OwnerReference } from '@kubernetes/client-node';
 
 tap.test('SupportedWorkloadTypes', async (t) => {
