Speeding up inspection loop

Author: ewoutp

pkg/deployment/access_package.go

@@ -108,15 +108,15 @@ func (d *Deployment) ensureAccessPackage(apSecretName string) error {
 
 	// Fetch client authentication CA
 	clientAuthSecretName := spec.Sync.Authentication.GetClientCASecretName()
-	clientAuthCert, clientAuthKey, _, err := k8sutil.GetCASecret(d.deps.KubeCli.CoreV1(), clientAuthSecretName, ns, nil)
+	clientAuthCert, clientAuthKey, _, err := k8sutil.GetCASecret(secrets, clientAuthSecretName, nil)
 	if err != nil {
 		log.Debug().Err(err).Msg("Failed to get client-auth CA secret")
 		return maskAny(err)
 	}
 
 	// Fetch TLS CA public key
 	tlsCASecretName := spec.Sync.TLS.GetCASecretName()
-	tlsCACert, err := k8sutil.GetCACertficateSecret(d.deps.KubeCli.CoreV1(), tlsCASecretName, ns)
+	tlsCACert, err := k8sutil.GetCACertficateSecret(secrets, tlsCASecretName)
 	if err != nil {
 		log.Debug().Err(err).Msg("Failed to get TLS CA secret")
 		return maskAny(err)

pkg/deployment/context_impl.go

@@ -171,8 +171,9 @@ func (d *Deployment) GetSyncServerClient(ctx context.Context, group api.ServerGr
 	log := d.deps.Log
 	kubecli := d.deps.KubeCli
 	ns := d.apiObject.GetNamespace()
+	secrets := kubecli.CoreV1().Secrets(ns)
 	secretName := d.apiObject.Spec.Sync.Monitoring.GetTokenSecretName()
-	monitoringToken, err := k8sutil.GetTokenSecret(kubecli.CoreV1(), secretName, ns)
+	monitoringToken, err := k8sutil.GetTokenSecret(secrets, secretName)
 	if err != nil {
 		log.Debug().Err(err).Str("secret-name", secretName).Msg("Failed to get sync monitoring secret")
 		return nil, maskAny(err)
@@ -331,7 +332,8 @@ func (d *Deployment) GetPvc(pvcName string) (*v1.PersistentVolumeClaim, error) {
 func (d *Deployment) GetTLSKeyfile(group api.ServerGroup, member api.MemberStatus) (string, error) {
 	secretName := k8sutil.CreateTLSKeyfileSecretName(d.apiObject.GetName(), group.AsRole(), member.ID)
 	ns := d.apiObject.GetNamespace()
-	result, err := k8sutil.GetTLSKeyfileSecret(d.deps.KubeCli.CoreV1(), secretName, ns)
+	secrets := d.deps.KubeCli.CoreV1().Secrets(ns)
+	result, err := k8sutil.GetTLSKeyfileSecret(secrets, secretName)
 	if err != nil {
 		return "", maskAny(err)
 	}
@@ -353,8 +355,9 @@ func (d *Deployment) DeleteTLSKeyfile(group api.ServerGroup, member api.MemberSt
 // Returns: publicKey, privateKey, ownerByDeployment, error
 func (d *Deployment) GetTLSCA(secretName string) (string, string, bool, error) {
 	ns := d.apiObject.GetNamespace()
+	secrets := d.deps.KubeCli.CoreV1().Secrets(ns)
 	owner := d.apiObject.AsOwner()
-	cert, priv, isOwned, err := k8sutil.GetCASecret(d.deps.KubeCli.CoreV1(), secretName, ns, &owner)
+	cert, priv, isOwned, err := k8sutil.GetCASecret(secrets, secretName, &owner)
 	if err != nil {
 		return "", "", false, maskAny(err)
 	}

pkg/deployment/deployment.go

@@ -42,6 +42,7 @@ import (
 	"github.com/arangodb/kube-arangodb/pkg/deployment/resilience"
 	"github.com/arangodb/kube-arangodb/pkg/deployment/resources"
 	"github.com/arangodb/kube-arangodb/pkg/generated/clientset/versioned"
+	"github.com/arangodb/kube-arangodb/pkg/util"
 	"github.com/arangodb/kube-arangodb/pkg/util/k8sutil"
 	"github.com/arangodb/kube-arangodb/pkg/util/retry"
 	"github.com/arangodb/kube-arangodb/pkg/util/trigger"
@@ -78,8 +79,8 @@ type deploymentEvent struct {
 
 const (
 	deploymentEventQueueSize = 256
-	minInspectionInterval    = time.Second // Ensure we inspect the generated resources no less than with this interval
-	maxInspectionInterval    = time.Minute // Ensure we inspect the generated resources no less than with this interval
+	minInspectionInterval    = util.Interval(time.Second) // Ensure we inspect the generated resources no less than with this interval
+	maxInspectionInterval    = util.Interval(time.Minute) // Ensure we inspect the generated resources no less than with this interval
 )
 
 // Deployment is the in process state of an ArangoDeployment.
@@ -247,21 +248,21 @@ func (d *Deployment) run() {
 			}
 
 		case <-d.inspectTrigger.Done():
+			log.Debug().Msg("Inspect deployment...")
 			inspectionInterval = d.inspectDeployment(inspectionInterval)
+			log.Debug().Str("interval", inspectionInterval.String()).Msg("...inspected deployment")
 
 		case <-d.updateDeploymentTrigger.Done():
+			inspectionInterval = minInspectionInterval
 			if err := d.handleArangoDeploymentUpdatedEvent(); err != nil {
 				d.CreateEvent(k8sutil.NewErrorEvent("Failed to handle deployment update", err, d.GetAPIObject()))
 			}
 
-		case <-time.After(inspectionInterval):
+		case <-inspectionInterval.After():
 			// Trigger inspection
 			d.inspectTrigger.Trigger()
 			// Backoff with next interval
-			inspectionInterval = time.Duration(float64(inspectionInterval) * 1.5)
-			if inspectionInterval > maxInspectionInterval {
-				inspectionInterval = maxInspectionInterval
-			}
+			inspectionInterval = inspectionInterval.Backoff(1.5, maxInspectionInterval)
 		}
 	}
 }

pkg/deployment/deployment_inspector.go

@@ -29,6 +29,7 @@ import (
 	api "github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1alpha"
 	"github.com/arangodb/kube-arangodb/pkg/util"
 	"github.com/arangodb/kube-arangodb/pkg/util/k8sutil"
+	"github.com/arangodb/kube-arangodb/pkg/util/profiler"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -39,7 +40,7 @@ import (
 // - any of the underlying resources has changed
 // - once in a while
 // Returns the delay until this function should be called again.
-func (d *Deployment) inspectDeployment(lastInterval time.Duration) time.Duration {
+func (d *Deployment) inspectDeployment(lastInterval util.Interval) util.Interval {
 	log := d.deps.Log
 
 	nextInterval := lastInterval
@@ -92,13 +93,13 @@ func (d *Deployment) inspectDeployment(lastInterval time.Duration) time.Duration
 			hasError = true
 			d.CreateEvent(k8sutil.NewErrorEvent("Pod inspection failed", err, d.apiObject))
 		} else {
-			nextInterval = util.MinDuration(nextInterval, x)
+			nextInterval = nextInterval.ReduceTo(x)
 		}
 		if x, err := d.resources.InspectPVCs(ctx); err != nil {
 			hasError = true
 			d.CreateEvent(k8sutil.NewErrorEvent("PVC inspection failed", err, d.apiObject))
 		} else {
-			nextInterval = util.MinDuration(nextInterval, x)
+			nextInterval = nextInterval.ReduceTo(x)
 		}
 
 		// Check members for resilience
@@ -108,43 +109,67 @@ func (d *Deployment) inspectDeployment(lastInterval time.Duration) time.Duration
 		}
 
 		// Create scale/update plan
-		if err := d.reconciler.CreatePlan(); err != nil {
-			hasError = true
-			d.CreateEvent(k8sutil.NewErrorEvent("Plan creation failed", err, d.apiObject))
-		}
-
-		// Execute current step of scale/update plan
-		retrySoon, err := d.reconciler.ExecutePlan(ctx)
-		if err != nil {
-			hasError = true
-			d.CreateEvent(k8sutil.NewErrorEvent("Plan execution failed", err, d.apiObject))
-		}
-		if retrySoon {
-			nextInterval = minInspectionInterval
+		{
+			ps := profiler.Start()
+			if err := d.reconciler.CreatePlan(); err != nil {
+				hasError = true
+				d.CreateEvent(k8sutil.NewErrorEvent("Plan creation failed", err, d.apiObject))
+			}
+
+			// Execute current step of scale/update plan
+			retrySoon, err := d.reconciler.ExecutePlan(ctx)
+			if err != nil {
+				hasError = true
+				d.CreateEvent(k8sutil.NewErrorEvent("Plan execution failed", err, d.apiObject))
+			}
+			if retrySoon {
+				nextInterval = minInspectionInterval
+			}
+			ps.Done(log, "plan")
 		}
 
 		// Ensure all resources are created
-		if err := d.resources.EnsureSecrets(); err != nil {
-			hasError = true
-			d.CreateEvent(k8sutil.NewErrorEvent("Secret creation failed", err, d.apiObject))
-		}
-		if err := d.resources.EnsureServices(); err != nil {
-			hasError = true
-			d.CreateEvent(k8sutil.NewErrorEvent("Service creation failed", err, d.apiObject))
-		}
-		if err := d.resources.EnsurePVCs(); err != nil {
-			hasError = true
-			d.CreateEvent(k8sutil.NewErrorEvent("PVC creation failed", err, d.apiObject))
-		}
-		if err := d.resources.EnsurePods(); err != nil {
-			hasError = true
-			d.CreateEvent(k8sutil.NewErrorEvent("Pod creation failed", err, d.apiObject))
+		{
+			ps := profiler.Start()
+			{
+				ps := profiler.Start()
+				if err := d.resources.EnsureSecrets(); err != nil {
+					hasError = true
+					d.CreateEvent(k8sutil.NewErrorEvent("Secret creation failed", err, d.apiObject))
+				}
+				ps.LogIf(log, time.Millisecond*10, "EnsureSecrets")
+			}
+			{
+				ps := profiler.Start()
+				if err := d.resources.EnsureServices(); err != nil {
+					hasError = true
+					d.CreateEvent(k8sutil.NewErrorEvent("Service creation failed", err, d.apiObject))
+				}
+				ps.LogIf(log, time.Millisecond*10, "EnsureServices")
+			}
+			if err := d.resources.EnsurePVCs(); err != nil {
+				hasError = true
+				d.CreateEvent(k8sutil.NewErrorEvent("PVC creation failed", err, d.apiObject))
+			}
+			{
+				ps := profiler.Start()
+				if err := d.resources.EnsurePods(); err != nil {
+					hasError = true
+					d.CreateEvent(k8sutil.NewErrorEvent("Pod creation failed", err, d.apiObject))
+				}
+				ps.LogIf(log, time.Millisecond*10, "EnsurePods")
+			}
+			ps.Done(log, "ensure resources")
 		}
 
 		// Create access packages
-		if err := d.createAccessPackages(); err != nil {
-			hasError = true
-			d.CreateEvent(k8sutil.NewErrorEvent("AccessPackage creation failed", err, d.apiObject))
+		{
+			ps := profiler.Start()
+			if err := d.createAccessPackages(); err != nil {
+				hasError = true
+				d.CreateEvent(k8sutil.NewErrorEvent("AccessPackage creation failed", err, d.apiObject))
+			}
+			ps.Done(log, "createAccessPackages")
 		}
 
 		// Inspect deployment for obsolete members
@@ -154,9 +179,11 @@ func (d *Deployment) inspectDeployment(lastInterval time.Duration) time.Duration
 		}
 
 		// At the end of the inspect, we cleanup terminated pods.
-		if err := d.resources.CleanupTerminatedPods(); err != nil {
+		if x, err := d.resources.CleanupTerminatedPods(); err != nil {
 			hasError = true
 			d.CreateEvent(k8sutil.NewErrorEvent("Pod cleanup failed", err, d.apiObject))
+		} else {
+			nextInterval = nextInterval.ReduceTo(x)
 		}
 	}
 
@@ -169,10 +196,7 @@ func (d *Deployment) inspectDeployment(lastInterval time.Duration) time.Duration
 	} else {
 		d.recentInspectionErrors = 0
 	}
-	if nextInterval > maxInspectionInterval {
-		nextInterval = maxInspectionInterval
-	}
-	return nextInterval
+	return nextInterval.ReduceTo(maxInspectionInterval)
 }
 
 // triggerInspection ensures that an inspection is run soon.

pkg/deployment/resources/certificates_client_auth.go

@@ -42,7 +42,7 @@ const (
 
 // createClientAuthCACertificate creates a client authentication CA certificate and stores it in a secret with name
 // specified in the given spec.
-func createClientAuthCACertificate(log zerolog.Logger, cli v1.CoreV1Interface, spec api.SyncAuthenticationSpec, deploymentName, namespace string, ownerRef *metav1.OwnerReference) error {
+func createClientAuthCACertificate(log zerolog.Logger, secrets k8sutil.SecretInterface, spec api.SyncAuthenticationSpec, deploymentName string, ownerRef *metav1.OwnerReference) error {
 	log = log.With().Str("secret", spec.GetClientCASecretName()).Logger()
 	options := certificates.CreateCertificateOptions{
 		CommonName:   fmt.Sprintf("%s Client Authentication Root Certificate", deploymentName),
@@ -57,7 +57,7 @@ func createClientAuthCACertificate(log zerolog.Logger, cli v1.CoreV1Interface, s
 		log.Debug().Err(err).Msg("Failed to create CA certificate")
 		return maskAny(err)
 	}
-	if err := k8sutil.CreateCASecret(cli, spec.GetClientCASecretName(), namespace, cert, priv, ownerRef); err != nil {
+	if err := k8sutil.CreateCASecret(secrets, spec.GetClientCASecretName(), cert, priv, ownerRef); err != nil {
 		if k8sutil.IsAlreadyExists(err) {
 			log.Debug().Msg("CA Secret already exists")
 		} else {
@@ -71,10 +71,10 @@ func createClientAuthCACertificate(log zerolog.Logger, cli v1.CoreV1Interface, s
 
 // createClientAuthCertificateKeyfile creates a client authentication certificate for a specific user and stores
 // it in a secret with the given name.
-func createClientAuthCertificateKeyfile(log zerolog.Logger, cli v1.CoreV1Interface, commonName string, ttl time.Duration, spec api.SyncAuthenticationSpec, secretName, namespace string, ownerRef *metav1.OwnerReference) error {
+func createClientAuthCertificateKeyfile(log zerolog.Logger, secrets v1.SecretInterface, commonName string, ttl time.Duration, spec api.SyncAuthenticationSpec, secretName string, ownerRef *metav1.OwnerReference) error {
 	log = log.With().Str("secret", secretName).Logger()
 	// Load CA certificate
-	caCert, caKey, _, err := k8sutil.GetCASecret(cli, spec.GetClientCASecretName(), namespace, nil)
+	caCert, caKey, _, err := k8sutil.GetCASecret(secrets, spec.GetClientCASecretName(), nil)
 	if err != nil {
 		log.Debug().Err(err).Msg("Failed to load CA certificate")
 		return maskAny(err)
@@ -100,7 +100,7 @@ func createClientAuthCertificateKeyfile(log zerolog.Logger, cli v1.CoreV1Interfa
 	}
 	keyfile := strings.TrimSpace(cert) + "\n" +
 		strings.TrimSpace(priv)
-	if err := k8sutil.CreateTLSKeyfileSecret(cli, secretName, namespace, keyfile, ownerRef); err != nil {
+	if err := k8sutil.CreateTLSKeyfileSecret(secrets, secretName, keyfile, ownerRef); err != nil {
 		if k8sutil.IsAlreadyExists(err) {
 			log.Debug().Msg("Server Secret already exists")
 		} else {

pkg/deployment/resources/certificates_tls.go

@@ -43,7 +43,7 @@ const (
 
 // createTLSCACertificate creates a CA certificate and stores it in a secret with name
 // specified in the given spec.
-func createTLSCACertificate(log zerolog.Logger, cli v1.CoreV1Interface, spec api.TLSSpec, deploymentName, namespace string, ownerRef *metav1.OwnerReference) error {
+func createTLSCACertificate(log zerolog.Logger, secrets k8sutil.SecretInterface, spec api.TLSSpec, deploymentName string, ownerRef *metav1.OwnerReference) error {
 	log = log.With().Str("secret", spec.GetCASecretName()).Logger()
 
 	options := certificates.CreateCertificateOptions{
@@ -58,7 +58,7 @@ func createTLSCACertificate(log zerolog.Logger, cli v1.CoreV1Interface, spec api
 		log.Debug().Err(err).Msg("Failed to create CA certificate")
 		return maskAny(err)
 	}
-	if err := k8sutil.CreateCASecret(cli, spec.GetCASecretName(), namespace, cert, priv, ownerRef); err != nil {
+	if err := k8sutil.CreateCASecret(secrets, spec.GetCASecretName(), cert, priv, ownerRef); err != nil {
 		if k8sutil.IsAlreadyExists(err) {
 			log.Debug().Msg("CA Secret already exists")
 		} else {
@@ -72,7 +72,7 @@ func createTLSCACertificate(log zerolog.Logger, cli v1.CoreV1Interface, spec api
 
 // createTLSServerCertificate creates a TLS certificate for a specific server and stores
 // it in a secret with the given name.
-func createTLSServerCertificate(log zerolog.Logger, cli v1.CoreV1Interface, serverNames []string, spec api.TLSSpec, secretName, namespace string, ownerRef *metav1.OwnerReference) error {
+func createTLSServerCertificate(log zerolog.Logger, secrets v1.SecretInterface, serverNames []string, spec api.TLSSpec, secretName string, ownerRef *metav1.OwnerReference) error {
 	log = log.With().Str("secret", secretName).Logger()
 	// Load alt names
 	dnsNames, ipAddresses, emailAddress, err := spec.GetParsedAltNames()
@@ -82,7 +82,7 @@ func createTLSServerCertificate(log zerolog.Logger, cli v1.CoreV1Interface, serv
 	}
 
 	// Load CA certificate
-	caCert, caKey, _, err := k8sutil.GetCASecret(cli, spec.GetCASecretName(), namespace, nil)
+	caCert, caKey, _, err := k8sutil.GetCASecret(secrets, spec.GetCASecretName(), nil)
 	if err != nil {
 		log.Debug().Err(err).Msg("Failed to load CA certificate")
 		return maskAny(err)
@@ -109,7 +109,7 @@ func createTLSServerCertificate(log zerolog.Logger, cli v1.CoreV1Interface, serv
 	}
 	keyfile := strings.TrimSpace(cert) + "\n" +
 		strings.TrimSpace(priv)
-	if err := k8sutil.CreateTLSKeyfileSecret(cli, secretName, namespace, keyfile, ownerRef); err != nil {
+	if err := k8sutil.CreateTLSKeyfileSecret(secrets, secretName, keyfile, ownerRef); err != nil {
 		if k8sutil.IsAlreadyExists(err) {
 			log.Debug().Msg("Server Secret already exists")
 		} else {

pkg/deployment/resources/pod_cleanup.go

@@ -25,23 +25,27 @@ package resources
 import (
 	"time"
 
+	"github.com/arangodb/kube-arangodb/pkg/util"
 	"github.com/arangodb/kube-arangodb/pkg/util/k8sutil"
 
 	api "github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1alpha"
 )
 
 const (
-	statelessTerminationPeriod = time.Minute // We wait this long for a stateless server to terminate on it's own. Afterwards we kill it.
+	statelessTerminationPeriod         = time.Minute                    // We wait this long for a stateless server to terminate on it's own. Afterwards we kill it.
+	recheckStatefullPodCleanupInterval = util.Interval(time.Second * 2) // Interval used when Pod finalizers need to be rechecked soon
 )
 
 // CleanupTerminatedPods removes all pods in Terminated state that belong to a member in Created state.
-func (r *Resources) CleanupTerminatedPods() error {
+// Returns: Interval_till_next_inspection, error
+func (r *Resources) CleanupTerminatedPods() (util.Interval, error) {
 	log := r.log
+	nextInterval := maxPodInspectorInterval // Large by default, will be made smaller if needed in the rest of the function
 
 	pods, err := r.context.GetOwnedPods()
 	if err != nil {
 		log.Debug().Err(err).Msg("Failed to get owned pods")
-		return maskAny(err)
+		return 0, maskAny(err)
 	}
 
 	// Update member status from all pods found
@@ -66,12 +70,15 @@ func (r *Resources) CleanupTerminatedPods() error {
 			if !memberStatus.Conditions.IsTrue(api.ConditionTypeTerminated) {
 				if !group.IsStateless() {
 					// For statefull members, we have to wait for confirmed termination
+					log.Debug().Str("pod", p.GetName()).Msg("Cannot cleanup pod yet, waiting for it to reach terminated state")
+					nextInterval = nextInterval.ReduceTo(recheckStatefullPodCleanupInterval)
 					continue
 				} else {
 					// If a stateless server does not terminate within a reasonable amount or time, we kill it.
 					t := p.GetDeletionTimestamp()
 					if t == nil || t.Add(statelessTerminationPeriod).After(time.Now()) {
 						// Either delete timestamp is not set, or not yet waiting long enough
+						nextInterval = nextInterval.ReduceTo(util.Interval(statelessTerminationPeriod))
 						continue
 					}
 				}
@@ -84,5 +91,5 @@ func (r *Resources) CleanupTerminatedPods() error {
 			log.Warn().Err(err).Str("pod-name", p.GetName()).Msg("Failed to cleanup pod")
 		}
 	}
-	return nil
+	return nextInterval, nil
 }