Compare annotations before discarding CiliumNode updates. #25465
Conversation
|
Commit 0fc487f01be34f75bf5ae6ad24e2f4b8d6753821 does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
maintainer-s-little-helper
bot
added
dont-merge/needs-sign-off
github-actions
bot
added
the
kind/community-contribution
|
Hi @aojea, this is the fix for Wiregurad tunnel drop issue. The wireguard tunnel is broken when any node restart happens. After restart, the restarted node's public key got refreshed but not propagated to other nodes. The issue is caused by cilium dropping CiliumNode update events when the spec, status and labels between the old and new nodes are the same. Wireguard public key updates are transmitted through annotations. We want to confirm if this is a known issue since it can be reproduced by restarting any node easily. Thanks! |
| @@ -69,7 +69,8 @@ func (k *K8sWatcher) ciliumNodeInit(ciliumNPClient client.Clientset, asyncContro | |||
| valid = true | |||
| isLocal := k8s.IsLocalCiliumNode(ciliumNode) | |||
| if oldCN.DeepEqual(ciliumNode) && | |||
| comparator.MapStringEquals(oldCN.ObjectMeta.Labels, ciliumNode.ObjectMeta.Labels) { | |||
| comparator.MapStringEquals(oldCN.ObjectMeta.Labels, ciliumNode.ObjectMeta.Labels) && | |||
| comparator.MapStringEquals(oldCN.ObjectMeta.Annotations, ciliumNode.ObjectMeta.Annotations) { | |||
There was a problem hiding this comment.
This causes issue in case the wireguard key changes but the rest of the node object not
cilium/pkg/nodediscovery/nodediscovery.go
Lines 460 to 465 in e52fe1d
since, we don't compare Annotations the event is dropped and not processed
LynneD
force-pushed
the
pr/wireguard-publickey-propagation
branch
from
0fc487f
to
d7db202
Compare
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-sign-off
LynneD
force-pushed
the
pr/wireguard-publickey-propagation
branch
from
d7db202
to
b495ea8
Compare
|
Thanks for the PR 😄 I wonder if instead of checking all annotation changes, it might make more sense to target the specific wireguard key annotation and just see if that's changed. It seems like the intention is to avoid unnecessary node updates. |
in the long term my experience is that new annotations got added but you never remember to update this comparison, it is also coherent with existing comparison with labels |
LynneD
force-pushed
the
pr/wireguard-publickey-propagation
branch
from
b495ea8
to
52942f6
Compare
Hi @tommyp1ckles, I agree with @aojea's point here. Is there a specific concern about checking all annotation changes? |
|
/test |
aanm
added
sig/k8s
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
aanm
added
dont-merge/needs-release-note-label
|
/test Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/2380/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. |
Thanks @christarazi |
There was a problem hiding this comment.
I agree with @aojea's point here. Is there a specific concern about checking all annotation changes?
Nothing specific - mostly just wondering if it would lead to unnecessary updates. This seems reasonable to me.
Hi @brb, I've updated the commit message, can you please take another look? |
|
/mlh new-flake Cilium-PR-K8s-1.26-kernel-net-next |
|
Thanks @christarazi @brb @tommyp1ckles @aojea, I've got enough approvals, and the "k8s-1.26-kernel-net-next" test seems not related to this PR. Can you please take another look and see how I can unblock the merging? |
LynneD
force-pushed
the
pr/wireguard-publickey-propagation
branch
from
1d614f3
to
d38b6b6
Compare
Currently we discard CiliumNode updates based on DeepEqual and labels. However DeepEqual is set to ignore Annotations, and the wg-pub-key annotation is used to exchange rotated Wireguard keys. The wireguard tunnel is broken when any node restart happens. After restart, the restarted node's public key got refreshed but not propagated to other nodes. The issue is caused by cilium dropping CiliumNode update events when the spec, status and labels between the old and new nodes are the same. Wireguard public key updates are transmitted through annotations. Signed-off-by: Lin Dong <lindongchn@gmail.com>
christarazi
force-pushed
the
pr/wireguard-publickey-propagation
branch
from
d38b6b6
to
975a0d4
Compare
|
/test |
|
I've rebased to re-run the tests. Please don't push unless the CI points out a failure and you need to push to address it. |
Got it. Thanks @christarazi! |
maintainer-s-little-helper
bot
added
the
ready-to-merge
|
Thanks for the PR and your patience! |
|
Thanks so much @christarazi! |
tklauser
added
backport-pending/1.13
maintainer-s-little-helper
bot
moved this from Needs backport from main
to Backport pending to v1.13
in 1.13.3
tklauser
added
backport-done/1.13
maintainer-s-little-helper
bot
moved this from Backport pending to v1.13
to Backport done to v1.13
in 1.13.3
Currently we discard CiliumNode updates based on DeepEqual and labels. However DeepEqual is set to ignore Annotations, and the wg-pub-key annotation is used to exchange rotated Wireguard keys.