Add validation to only start updaters if they're configured properly.

[bmoyles0117]

No description provided.

[supriyagarg]

Minor comments.

[supriyagarg]

It would be useful to minimize output by using fieldSelector (or limit=0 if that works)

https://v1-8.docs.kubernetes.io/docs/api-reference/v1.8/#list-474

[bmoyles0117]

I've limited it to just the node we're running on.

[supriyagarg]

It would be useful to minimize output by using limit / filter options:
https://docs.docker.com/engine/api/v1.24/#31-containers

[igorpeshansky]

There's a DockerContainerFilter config option — you should probably be checking that...

[bmoyles0117]

Updated.

[igorpeshansky]

Do we need to verify the InstanceUpdater as well?

[igorpeshansky]

There's a DockerContainerFilter config option — you should probably be checking that...

[igorpeshansky]

const bool is redundant. Just use bool.

[igorpeshansky]

I'd call this ValidateConfiguration.

[bmoyles0117]

Updated.

[igorpeshansky]

Let's define a virtual VerifyConfiguration function in PollingMetadataUpdater, make it return true by default, call it from start in the superclass, and override it here. We might also have to give each updater object a name, so we can identify it in the logs.

[bmoyles0117]

Updated.

[igorpeshansky]

config()

[igorpeshansky]

There's no reason to have a superclass for all readers, actually. I would keep this independently in KubernetesReader and DockerReader. Let's just revert 89d6cf8.

[bmoyles0117]

The reader is the thing that's actually interacting with the endpoints. I'll talk with you offline about this to build additional context together with you, but when I tried implementing the validation in the updater it just resulted in transferred responsibility down to the reader.

[igorpeshansky]

It's ok for each updater to pass the responsibility down to individual readers — that's why I suggested having a ValidateConfiguration function in each reader that needs it. I'm simply saying that it's not necessary to have the validation in the reader, and we should abstract that away. However, the polling updater needs to perform the validation before starting the polling threads, so let's document that in a virtual function.
Happy to discuss offline.

[bmoyles0117]

Discussed and addressed offline.

[igorpeshansky]

How about just:

// Validates the relevant configuration and returns true if it's correct.

? Also in other files.

[bmoyles0117]

Updated.

[igorpeshansky]

Careful -- config_.DockerContainerFilter() may already include a limit. Should investigate which one takes precedence -- you may have to move your &limit=1 to the end.

[bmoyles0117]

Great catch, I did some local testing and it appears that the docker server discards the second value, when two limits are sent in the URL. We'll leave it as-is for now.

[igorpeshansky]

Let's add a comment here...

[bmoyles0117]

Done.

[igorpeshansky]

Should also validate config_.KubernetesPodLabelSelector().

[bmoyles0117]

This interaction is just validating that we can communicate with the master, adding a secondary request for pods is redundant, and would be more symptomatic of a failure inside of kubernetes, or a transient failure between requests.

[igorpeshansky]

If so, then this is redundant, since CurrentNode issues two QueryMaster calls. So just calling CurrentNode is more than enough. Or you can call QueryMaster with a filter for one (random) node...

[bmoyles0117]

I think we should continue to query for something like nodes, as the node name can be overridden by configuration, which would prevent the master interaction at all.

[igorpeshansky]

Right, as discussed, it makes sense to issue a QueryMaster on something that doesn't depend on the CurrentNode value, and keep CurrentNode as a secondary check.

[bmoyles0117]

Done.

[igorpeshansky]

CurrentNode() may be empty if, e.g., the API token is invalid (so you'd get 403s). Should we check that as well?

[bmoyles0117]

Great point, done.

[igorpeshansky]

Let's just make ValidateConfiguration a virtual method in PollingMetadataUpdater.

[bmoyles0117]

Will address as a part of the conversation for the reader above.

[igorpeshansky]

Why bool? If the configuration is invalid, a start is a no-op, isn't it?

[bmoyles0117]

I needed a signal for the KubernetesUpdater to know that the parent updater had started successfully, before firing off the watch threads. The two options I thought of were return a bool or raise an exception in the PollingMetadataUpdater start. Thoughts?

[igorpeshansky]

If it weren't for the desire to share a reader object, and the possible need to validate the watch and polling options together, I would have been considering splitting the watch and the poller into separate updaters.
I've already suggested using composition over inheritance here. But we could also have a StartThreads virtual function that actually starts the poller thread and is called from the (non-virtual) start after validation succeeds.
Thoughts?

[bmoyles0117]

Discussed and addressed offline.

[igorpeshansky]

You can put all of these on one line.

[bmoyles0117]

Done.

[igorpeshansky]

const std::string& name.

[bmoyles0117]

Done.

[igorpeshansky]

const std::string& name

[bmoyles0117]

Done.

[bmoyles0117]

Thanks for the feedback, PTAL.

[bmoyles0117]

Done.

[bmoyles0117]

I think it makes sense to choose one or the other, but then I'm not sure if the contract of the KubernetesUpdater gets a little blurred, as it extends a PolliingMetadataUpdater, but only acts on that functionality conditionally. It's almost as though there should be a KubernetesPollingUpdater, and a KubernetesWatchUpdater which is controlled by configuration when the updaters are all started. WDYT?

[bmoyles0117]

Updated.

[bmoyles0117]

Done.

[bmoyles0117]

Will address as a part of the conversation for the reader above.

[bmoyles0117]

Done.

[bmoyles0117]

Done.

[bmoyles0117]

Great point, done.

[bmoyles0117]

Great catch, I did some local testing and it appears that the docker server discards the second value, when two limits are sent in the URL. We'll leave it as-is for now.

[igorpeshansky]

FWIW, I'm happy to do the proposed refactoring in a separate PR if you're willing to deal with merge conflicts.

[igorpeshansky]

It's ok for each updater to pass the responsibility down to individual readers — that's why I suggested having a ValidateConfiguration function in each reader that needs it. I'm simply saying that it's not necessary to have the validation in the reader, and we should abstract that away. However, the polling updater needs to perform the validation before starting the polling threads, so let's document that in a virtual function.
Happy to discuss offline.

[igorpeshansky]

If it weren't for the desire to share a reader object, and the possible need to validate the watch and polling options together, I would have been considering splitting the watch and the poller into separate updaters.
I've already suggested using composition over inheritance here. But we could also have a StartThreads virtual function that actually starts the poller thread and is called from the (non-virtual) start after validation succeeds.
Thoughts?

[igorpeshansky]

If so, then this is redundant, since CurrentNode issues two QueryMaster calls. So just calling CurrentNode is more than enough. Or you can call QueryMaster with a filter for one (random) node...

[igorpeshansky]

I've considered it, but there's an advantage of sharing a reader.
Perhaps the right approach is to factor out a poller that takes a callback, rather than embedding the contract into the hierarchy (i.e., composition over inheritance).

[igorpeshansky]

Let's add a comment here...

[igorpeshansky]

Right, as discussed, it makes sense to issue a QueryMaster on something that doesn't depend on the CurrentNode value, and keep CurrentNode as a secondary check.

[igorpeshansky]

Of course.

[igorpeshansky]

Let's add a comment that polling and watch are mutually exclusive (with watch taking precedence).

[bmoyles0117]

Done.

[igorpeshansky]

[Optional] How about putting it right above this line? Just say something like // Only try to poll if watch is disabled..

[bmoyles0117]

Done.

[igorpeshansky]

We might also fail if both KubernetesUseWatch and KubernetesUpdaterIntervalSeconds are enabled.

[bmoyles0117]

I agree and disagree with this. Being that the other polling updaters are not considered valid / invalid based on the polling interval, I think we should consolidate this to whether or not the pollers are able to communicate with endpoints, not whether or not you have a poll interval > 0.

[igorpeshansky]

I think this depends on whether you want to get an error message when poll interval < 0 or just silently avoid polling. Personally, I prefer the former (and reserve poll interval == 0 for "do not poll").

Perhaps we should implement ValidateConfiguration in PollingMetadataUpdater to verify the polling interval for all polling updaters, and invoke PollingMetadataUpdater::ValidateConfiguraiton here before doing updater-specific validation?..

[bmoyles0117]

Totally on board with this, updated.

[igorpeshansky]

This implicitly validates the KubernetesEndpointHost configuration option. We could also make it use KubernetesPodLabelSelector.

[bmoyles0117]

I'm concerned about using the pod selector, as we do this same "just check for a single thing" for nodes. I don't think this function should turn into a unit test, strictly validating that we're able to get "any" pods and nodes should suffice as a sanity check that this updater is configured properly.

[igorpeshansky]

I was proposing doing the same thing as for Docker, namely adding the pod selector here to have the API check the syntax, but also overriding the limit to 1. Otherwise a user misconfiguration (a bad pod selector) could result in failing queries on every poll, which is exactly what we want to avoid.

[bmoyles0117]

Good point, if we're doing this for docker we might as well do it here. It's not completely the same as how we actually invoke this later, as it's combined with the node name later on, but at least we can validate the label selector itself. Done.

[igorpeshansky]

[Optional] You can put this on the previous line.

[bmoyles0117]

Done.

[igorpeshansky]

[Optional] You can put this on the previous line.

[bmoyles0117]

Done.

[igorpeshansky]

Comments?

[bmoyles0117]

Removed these helpers.

[igorpeshansky]

[Optional] I feel like making those into separate functions is overkill - we don't intend to reuse them. Can we not just have blocks within ValidateConfiguration that do this?

[bmoyles0117]

Done. I personally prefer smaller easily testable functions, but being that I'm not doing the relevant unit testing that goes with that statement, I'll streamline it.

[igorpeshansky]

Why make this protected?

[bmoyles0117]

Converted to private.

[igorpeshansky]

This should be lined up with std::string (after the opening parenthesis).

[bmoyles0117]

Done.

[igorpeshansky]

Fits on the previous line.

[bmoyles0117]

Column count hits 81 on previous line.

[igorpeshansky]

I'm confused -- I count 80:

    (void) QueryMaster(std::string(kKubernetesEndpointPath) + "/nodes?limit=1");

[igorpeshansky]

This will cause an early return, so the rest of the function is dead code. :-)

[bmoyles0117]

Done. Overly ambitious copy / paste :P

[igorpeshansky]

Ditto here, though this one is less of an issue. But since we return true at the end anyway, let's just get rid of this one (and the blank line) to avoid confusion.

[bmoyles0117]

Done.

[igorpeshansky]

Can we just call CurrentNode().empty() and avoid the node_name local?

[bmoyles0117]

Done.

[igorpeshansky]

We should try to use KubernetesPodLabelSelector to see if it gets rejected (bad syntax, etc).

[bmoyles0117]

I'm really not completely comfortable with this, as technically they could pass in garbage for a node name as well. I strongly feel the intention of this code should not be a unit test, but rather a confirmation that the endpoint is available under normal scenarios. What we have so far is better than nothing, and I would argue we're going too far down a path with too many assumptions by incorporating user-defined values as a part of this logic.

[igorpeshansky]

We should validate all user-supplied configuration. That said, I'm ok with this being done in a later PR.

[igorpeshansky]

[Optional] How about putting it right above this line? Just say something like // Only try to poll if watch is disabled..

[igorpeshansky]

We should validate all user-supplied configuration. That said, I'm ok with this being done in a later PR.

[igorpeshansky]

I'm confused -- I count 80:

    (void) QueryMaster(std::string(kKubernetesEndpointPath) + "/nodes?limit=1");

[igorpeshansky]

LGTM

[igorpeshansky]

For the future: by now this check is probably redundant, as CurrentNode() invokes this endpoint too. But we can fix that later.

[igorpeshansky]

On second thought, since you're waiting for a response from @supriyagarg anyway, can you just move this above the CurrentNode() check?

[bmoyles0117]

Done.

[igorpeshansky]

I'm only requesting that the CurrentNode change be done now. The other two (pod label selector and poll interval) can be done later, though if they're easy to make, I'd recommend doing them anyway while you're waiting for approval.

[igorpeshansky]

On second thought, since you're waiting for a response from @supriyagarg anyway, can you just move this above the CurrentNode() check?

[igorpeshansky]

I think this depends on whether you want to get an error message when poll interval < 0 or just silently avoid polling. Personally, I prefer the former (and reserve poll interval == 0 for "do not poll").

Perhaps we should implement ValidateConfiguration in PollingMetadataUpdater to verify the polling interval for all polling updaters, and invoke PollingMetadataUpdater::ValidateConfiguraiton here before doing updater-specific validation?..

[igorpeshansky]

I was proposing doing the same thing as for Docker, namely adding the pod selector here to have the API check the syntax, but also overriding the limit to 1. Otherwise a user misconfiguration (a bad pod selector) could result in failing queries on every poll, which is exactly what we want to avoid.

[supriyagarg]

LGTM!

[igorpeshansky]

Some issues with the newly added code.

[igorpeshansky]

Same question as for Docker -- can we confirm that the first limit=1 will take precedence over whatever is in the selector?

[bmoyles0117]

pod_label_selector does not imply passing a limit, it implies passing labels, if a user is passing a limit there, that's a hack, and should be validated elsewhere.

[igorpeshansky]

I agree that it's a hack, but a limit=500000 in the (user-specified) selector should not cause us to suddenly grab all the pods in the cluster. Hence I was just asking whether this limit=1 will override it where it is now, or whether it should be at the end.

That said, I've just verified that the first occurrence of limit takes precedence, so we're good.

[igorpeshansky]

Should this not also be in DockerUpdater and InstanceUpdater?

[bmoyles0117]

Forgot about DockerUpdater, InstanceUpdater does not override this method.

[igorpeshansky]

This should be >= -- 0 is a perfectly valid value (it means "don't poll")

[bmoyles0117]

I think in the future when we use composition, this statement isn't true, but for what you're saying makes sense, updated.

[igorpeshansky]

Depends on what you mean by "use composition". If it's in the context of "instead of inheritance", then that's orthogonal. If in the context of "composition of options", then you're probably right.
In any case, this looks good now.

[igorpeshansky]

Still need this, because we want 0 to turn off polling without an error.

[bmoyles0117]

Done.

[igorpeshansky]

LGTM

[igorpeshansky]

I agree that it's a hack, but a limit=500000 in the (user-specified) selector should not cause us to suddenly grab all the pods in the cluster. Hence I was just asking whether this limit=1 will override it where it is now, or whether it should be at the end.

That said, I've just verified that the first occurrence of limit takes precedence, so we're good.

[igorpeshansky]

Depends on what you mean by "use composition". If it's in the context of "instead of inheritance", then that's orthogonal. If in the context of "composition of options", then you're probably right.
In any case, this looks good now.