[backport-v1.13] ipcache: don't short-circuit InjectLabels if source differs

[squeed]

Backporting

• ipcache don't short-circuit InjectLabels if source differs #24875

InjectLabels is one of the functions responsible for synchronizing the ipcache metadata store and ip store. As such, it shouldn't shortcut when the numeric identity is the same, but the source is different; this means that an update to the ipcache isn't complete.

This can happen, for example, when there are two identities for the same IP, which can happen on daemon restart whenever a CIDR is referenced.

Signed-off-by: Casey Callendrello cdc@isovalent.com

Once this PR is merged, you can update the PR labels via:

for pr in 24875; do contrib/backporting/set-labels.py $pr done 1.13; done

[squeed]

This code has been tested by a few end-users via a hotfix branch, and they reported that it fixed the bug in question.

[michi-covalent]

/test-backport-1.13

Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed:

Click to show.

Test Name

K8sDatapathConfig Etcd Check connectivity

Failure Output

FAIL: Found 15 k8s-app=cilium logs matching list of errors that must be investigated:

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.24-kernel-5.4/1837/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.24-kernel-5.4 so I can create one.

Job 'Cilium-PR-K8s-1.25-kernel-4.19' failed:

Click to show.

Test Name

K8sDatapathConfig Etcd Check connectivity

Failure Output

FAIL: Found 14 k8s-app=cilium logs matching list of errors that must be investigated:

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.25-kernel-4.19/1851/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.25-kernel-4.19 so I can create one.

Job 'Cilium-PR-K8s-1.16-kernel-4.19' failed:

Click to show.

Test Name

K8sDatapathConfig Etcd Check connectivity

Failure Output

FAIL: Found 14 k8s-app=cilium logs matching list of errors that must be investigated:

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.16-kernel-4.19/1087/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.16-kernel-4.19 so I can create one.

Job 'Cilium-PR-K8s-1.21-kernel-4.19' failed:

Click to show.

Test Name

K8sDatapathConfig Etcd Check connectivity

Failure Output

FAIL: Found 10 k8s-app=cilium logs matching list of errors that must be investigated:

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.21-kernel-4.19/13/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.21-kernel-4.19 so I can create one.

Job 'Cilium-PR-K8s-1.23-kernel-4.19' failed:

Click to show.

Test Name

K8sDatapathConfig Etcd Check connectivity

Failure Output

FAIL: Found 13 k8s-app=cilium logs matching list of errors that must be investigated:

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.23-kernel-4.19/737/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.23-kernel-4.19 so I can create one.

Job 'Cilium-PR-K8s-1.22-kernel-4.19' failed:

Click to show.

Test Name

K8sDatapathConfig Etcd Check connectivity

Failure Output

FAIL: Found 14 k8s-app=cilium logs matching list of errors that must be investigated:

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.22-kernel-4.19/1632/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.22-kernel-4.19 so I can create one.

Job 'Cilium-PR-K8s-1.18-kernel-4.19' failed:

Click to show.

Test Name

K8sDatapathConfig Etcd Check connectivity

Failure Output

FAIL: Found 18 k8s-app=cilium logs matching list of errors that must be investigated:

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.18-kernel-4.19/13/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.18-kernel-4.19 so I can create one.

Job 'Cilium-PR-K8s-1.20-kernel-4.19' failed:

Click to show.

Test Name

K8sDatapathConfig Etcd Check connectivity

Failure Output

FAIL: Found 14 k8s-app=cilium logs matching list of errors that must be investigated:

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.20-kernel-4.19/1906/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.20-kernel-4.19 so I can create one.

Job 'Cilium-PR-K8s-1.19-kernel-4.19' failed:

Click to show.

Test Name

K8sDatapathConfig Etcd Check connectivity

Failure Output

FAIL: Found 14 k8s-app=cilium logs matching list of errors that must be investigated:

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.19-kernel-4.19/12/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.19-kernel-4.19 so I can create one.

Job 'Cilium-PR-K8s-1.24-kernel-4.19' has 1 failure but they might be new flake since it also hit 1 known flake: #20723 (87.00% similarity)

Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed:

Click to show.

Test Name

K8sDatapathConfig Etcd Check connectivity

Failure Output

FAIL: Found 7 k8s-app=cilium logs matching list of errors that must be investigated:

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/1914/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.26-kernel-net-next so I can create one.

[joestringer]

Please use the standard scripts for backporting. The PR description is missing the ```upstream-prs ... ``` section which is used for tracking backports for PRs in main and for generating the release notes.

[joestringer]

Backport commits look identical to upstream which is good, but CI is failing in etcd cases due to this concerning log message:

⚠️  Found "2023-04-24T15:54:51.485343980Z level=error msg=\"Failed to replace ipcache entry with new identity after label removal. Traffic may be disrupted.\" error=\"unable to overwrite source \\\"kvstore\\\" with source \\\"custom-resource\\\"\" identity=\"{remote-node custom-resource false}\" ipAddr=10.0.1.49/32 subsys=ipcache" in logs 1 times

It looks like there was some other internal change between v1.13 and main that prevents main CI from bubbling this error up.

[squeed]

Please use the standard scripts for backporting. The PR description is missing the ```upstream-prs ... ``` section which is used for tracking backports for PRs in main and for generating the release notes.

I mostly did, except for forgetting to do start-backport. Shall I close this PR?

[squeed]

This is outputting warning messages in the etcd check, I'm investigating.

We had this issue in main, and I added a conditional to prevent this error message. Clearly that is not working here.

[squeed]

Aha, found the issue - the semantics of previouslyAllocatedIdentities changed between v1.13 and main. I can't use it to reliably silence the error message. I have a (slightly) ugly fix:

--- a/pkg/ipcache/metadata.go
+++ b/pkg/ipcache/metadata.go
@@ -176,6 +176,9 @@ func (ipc *IPCache) InjectLabels(ctx context.Context, modifiedPrefixes []netip.P
                entriesToReplace   = make(map[netip.Prefix]Identity)
                entriesToDelete    = make(map[netip.Prefix]Identity)
                forceIPCacheUpdate = make(map[netip.Prefix]bool) // prefix => force
+
+               // Just used to silence a warning where it is safe
+               oldIDs = make(map[netip.Prefix]Identity)
        )
 
        ipc.metadata.RLock()
@@ -189,6 +192,7 @@ func (ipc *IPCache) InjectLabels(ctx context.Context, modifiedPrefixes []netip.P
                                continue
                        } // else continue below to remove the old entry
                } else {
+                       oldIDs[prefix] = id
                        var newID *identity.Identity
 
                        lbls := prefixInfo.ToLabels()
@@ -283,7 +287,7 @@ func (ipc *IPCache) InjectLabels(ctx context.Context, modifiedPrefixes []netip.P
                        // upsert was rejected due to source precedence, but the
                        // identity is unchanged, then we can safely ignore the
                        // error message.
-                       oldID, ok := previouslyAllocatedIdentities[p]
+                       oldID, ok := oldIDs[p]
                        if !(ok && oldID.ID == id.ID && errors.Is(err2, &ErrOverwrite{
                                ExistingSrc: oldID.Source,
                                NewSrc:      id.Source,

[joestringer]

Shall I close this PR?

It should be enough to just update the PR description as per the guide here.

[joestringer]

Latest diff LGTM.

[joestringer]

/test-backport-1.13

Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed:

Click to show.

Test Name

K8sDatapathServicesTest Checks N/S loadbalancing with L7 policy Tests NodePort with L7 Policy from outside

Failure Output

FAIL: Can not connect to service "http://192.168.56.11:31049" from outside cluster (2/10)

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/1921/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.26-kernel-net-next so I can create one.

Then please upload the Jenkins artifacts to that issue.

[squeed]

PR description fixed, sorry for the oversight.

[michi-covalent]

• ci-multicluster-1.13: unrelated to this change: [v1.13] datapath: Remove 2005 route table for IPv4 #25086 (comment)

• test-1.17-4.19: vm provisioning error similar to CI: Cilium-PR-K8s-1.26-kernel-net-next Build K8s vm provisioning fail #24964.

• test-1.26-net-next: i haven't see this failure before. not sure what to make of it 🤔 i'll defer to @squeed and @joestringer to decide whether the failure could be related to this change.

  Stacktrace
  
  /home/jenkins/workspace/Cilium-PR-K8s-1.26-kernel-net-next/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:453
  Failed waiting for egress policy map entries
  Expected
      <*errors.errorString | 0xc000621600>: {
          s: "could not ensure egress policy entries count is equal to 6: 4m0s timeout expired",
      }
  to be nil
  /home/jenkins/workspace/Cilium-PR-K8s-1.26-kernel-net-next/src/github.com/cilium/cilium/test/k8s/egress.go:329
  

[michi-covalent]

/test-1.17-4.19

[squeed]

This code doesn't directly touch egress gateways, though I make no promises that they're unrelated. I'm investigating.

[squeed]

marking as do-not-merge and triggering test again, I want to run the test again and get some more signal

[squeed]

/test-1.26-net-next

Result: vagrant failure to boot.

[squeed]

/test-1.26-net-next

Result: Failed: K8sDatapathServicesTest Checks N/S loadbalancing with L7 policy Tests NodePort with L7 Policy from outside

[squeed]

/test-only --focus="K8sDatapathEgressGatewayTest" --kernel_version=net-next --k8s_version=1.26

Result: Passed. That's a good sign.

[squeed]

Dug in to the failed sysdump with @jibi, and we found that, for some unknown reason, a pod was missing from the set of pods to which egress policy applied:

Source IP   Destination CIDR   Egress IP        Gateway IP
10.0.0.25   192.168.56.13/32   192.168.56.100   192.168.56.12
10.0.0.25   0.0.0.0/0          192.0.2.13       192.168.56.12
10.0.0.93   0.0.0.0/0          192.168.56.100   192.168.56.12
10.0.1.2    0.0.0.0/0          192.168.56.100   192.168.56.12

should have 6 lines, including two for 10.0.1.140. It doesn't. There are no error messages, and the datapath is directly from k8s -> egressgateway/manager.go; no detours through the ipcache or identity allocator.

At this point, I'm fairly convinced my PR didn't cause this:

1. It passed a retest
2. My PR doesn't touch the flow from CRD watcher -> egress gateway manager.
3. What my PR does touch, namely, the ipcache, is correct on the nodes.

[squeed]

Doing a quick scan of the Jenkins logs, it seems like this test has been failing somewhat frequently. I don't see a flake issue, but I we can safely say this is a flake.

[squeed]

At this point, I think this PR is OK to merge.

The failing tests:

• test-1.19-4.19: passed, somehow PR wasn't updated
• ci-multicluster: this job is broken, some kind configs are missing, CI: conformance-clustermesh-v1.13 broken #25118
• Focused-Test-Run: not needed, vagrant box failed to boot
• 1.26-net-next: failed K8sDatapathServicesTest Checks N/S loadbalancing with L7 policy Tests NodePort with L7 Policy from outside, which is also failing for another PR. CI: 1.13 flake: K8sDatapathServicesTest Checks N/S loadbalancing with L7 policy Tests NodePort with L7 Policy from outside #25119