[SHIPA-2066] ketch to monitor deployment better

[stinkyfingers]

Description

A lot of this was borrowed from: https://github.com/shipa-corp/shipa/blob/master/provision/kubernetes/app_manager.go#L404, as the ticket 2066 indicates. Essentially, this change creates an event watcher and repeatedly checks deployments for updates. It then records new app events with relevant info.

Fixes # 2066

Permits Shipa to generate output shown below during an App Deployment using Ketch provisioner. Corresponding shipa PR - we may want to remove the AppReconcileOutcome in the Shipa PR.

To use, make docker-build and docker-push this branch, run shipa specifying this new docker image for ketch in the shipa.yaml, and create & deploy a ketch-provisioned App.

johnshenk@Johns-MacBook-Pro shipa % shipa app create test -k test -t shipa-admin-team
shipa app deploy -a test -i gcr.io/kubernetes-312803/sample-go-app:latest
App "test" has been created!
Use app-info to check the status of the app and its units.
 ok
 ---> Security scan is disabled
 ----> Step 1:
 -----> Set target:
 -----> Update deployment 1:
          web => 1 units
AppReconcileOutcome: app test 0 reconcile success
AppReconcileOutcome: app test 0 reconcile fail: [Operation cannot be fulfilled on apps.shipa.io "test": the object has been modified; please apply your changes to the latest version and try again]

---- Updating units [web] ----
  ---> 1 of 1 new units created
  ---> test-web-1-585577fd6b-z8wd5 - Successfully assigned shipa-test/test-web-1-585577fd6b-z8wd5 to minikube []
  ---> 0 of 1 new units ready
  ---> waiting healthcheck on 1 created units
  ---> 1 of 1 new units ready
  ----> app test 1 reconcile success
Rollout successful

OK

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Chore (documentation addition or typo, file relocation)

Testing

• New tests were added with this PR that prove my fix is effective or that my feature works (describe below this bullet)
• This change requires no testing (i.e. documentation update)

Documentation

• All added public packages, funcs, and types have been documented with doc comments
• I have commented my code, particularly in hard-to-understand areas

Final Checklist:

• I followed standard GitHub flow guidelines
• I have performed a self-review of my own code
• My changes generate no new warnings

[aleksej-paschenko]

I think the loop in watchDeployEvents looks like a good solution.
Yesterday @DavisFrench merged a PR to send events with annotations, maybe we can annotate events in this PR too? so it'll be easier to consume events in shipa

[aleksej-paschenko]

it's already imported as v1

[aleksej-paschenko]

should it be fmt.Sprintf("%s-%s-%d", app.GetName(), process.Name, latestDeployment.Version)?
because ketch generates a k8s Deployment name using <app-name>-<process-name>-<deploymentVersion> template.

Do we need this check?

if dep.Status.ObservedGeneration >= dep.Generation {
	continue
}

Inside watchDeployEvents we wait when dep.Status.ObservedGeneration < dep.Generation condition becomes true, and then start monitoring things.

[stinkyfingers]

Generation check removed.

[aleksej-paschenko]

running this function in the app reconciler's goroutine blocks all other deployments.
We can either run it in a dedicated goroutine or set MaxConcurrentReconciles to something more suitable.

func (r *AppReconciler) SetupWithManager(mgr ctrl.Manager) error {
	return ctrl.NewControllerManagedBy(mgr).
		For(&ketchv1.App{}).
	        WithOptions(controller.Options{MaxConcurrentReconciles: 10}).
		Complete(r)
}

Moreover, ketch doesn't use ObservedGeneration and Generation.
A nice write-up about it https://alenkacz.medium.com/kubernetes-operator-best-practices-implementing-observedgeneration-250728868792
When ketch starts up, it goes thru all apps and updates their states, meaning it'll run this function for all apps.

[stinkyfingers]

I modified the MaxConcurrentReconciles

[aleksej-paschenko]

I think we can use opts.ResourceVersion here

	opts := listOptsForPodEvent(app)
	opts.Watch = true
	opts.ResourceVersion = app.ResourceVersion

https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions

[aleksej-paschenko]

Not sure I get it
why we can't go with

watch, err := cli.CoreV1().Events(namespace).Watch(ctx, opts)
if err != nil {
	return err
}
defer watch.Stop()

for {

	select {
	case <-time.After(100 * time.Millisecond):
	case msg, isOpen := <-watch.ResultChan():
		if !isOpen {
			break
		}
	}
}

[stinkyfingers]

Me neither. I added the deferred watch.Stop().

[aleksej-paschenko]

When we update a k8s Deployment, k8s controller creates a new ReplicaSet.
The previous ReplicaSet starts removing pods, the new one starts creating pods.
We are interested in new pods, right?

idk, maybe there is another way to get them, but here's a working solution:

1. get the k8s deployment's deployment.kubernetes.io/revision annotation
2. find a ReplicaSet that has the same annotation with the same value
3. find all pods that have a link in their ownerReference list pointing to the ReplicaSet from step 2.

[aleksej-paschenko]

more about ownerReference
https://kubernetes.io/docs/concepts/overview/working-with-objects/owners-dependents/

[stinkyfingers]

I removed this func and used the existing checkPodStatus.

[aleksej-paschenko]

it looks like we get all pods here even ones not related to the app.

[stinkyfingers]

Good catch. I added a LabelSelector to limit by AppName.

[aleksej-paschenko]

and it might be that we need to check the pods of the current deployment's revision.
A use-case: as a user I deployed an application and it is failing now, several of the app's pods are not ready. I have built a new image and am deploying it right now.

[stinkyfingers]

I updated label selector to LabelSelector: fmt.Sprintf("%s/app-name=%s,%s/app-deployment-version=%d", group, app.Name, group, deploymentVersion), to add limiting by deployment version. Is this what you're thinking?

[aleksej-paschenko]

should we use the passed in ctx?

[stinkyfingers]

Good call. Changed.

[aleksej-paschenko]

so we can deploy only 10 apps simultaneously?

[stinkyfingers]

I removed this and opted to run all of the watch in a goroutine to prevent blocking.

[koncar]

how about creating a new field in AppReconclier and using that instea of incluster config get

type AppReconciler struct {
...
	Config *restclient.Config
}

and instantiate it in main with

AppReconclier{

  Config: ctrl.GetConfigOrDie
}

[koncar]

there is also a way given here
https://github.com/shipa-corp/ketch/blob/master/cmd/ketch/configuration/configuration.go#L93-L96

this would introduce 3rd way to initialize config, do we want it?

[stinkyfingers]

Good call. I utilized the existing function in the config and initialized in main as you suggest.

[koncar]

is this line blocking?

meaning should we watch processes in parallel?
or with this we wait for first process, then monitor second and so on?

i belive it should be parallel, what do you guys think?

[stinkyfingers]

Good call. I put all of the Event watch code in a goroutine. I was struggling a lot with an issue where the reconciler would complete before creating all events, but realized it was fixable with a requeue parameter rather than blocking everything.

[koncar]

should it be for the given app?

[stinkyfingers]

I'm not sure there is a way to filter Pod events by App since events don't have labels. isDeploymentEvent filters them by app name prefix before emitting them as App Events.

[koncar]

this is always -1?

should we read old status instead?

[stinkyfingers]

It gets set to pendingTermination each cycle here: https://github.com/theketchio/ketch/pull/177/files#diff-01570fd749623ed07d5f2e0b7097495a4ef86b6f3419378180bc43fc73c9223eR443. I'm okay with changing it, but was trying to keep output similar to Shipa's: https://github.com/shipa-corp/shipa/blob/master/provision/kubernetes/app_manager.go#L445

[koncar]

will it always break?

do we always either get and error or the following condition is always met?

readyUnits == specReplicas &&
dep.Status.Replicas == specReplicas

should we have timeout?

[stinkyfingers]

Good call. I re-added the bit that checks for timeouts.

[koncar]

maybe using annotations, similar to CanaryEvents is better solution, what do you think?

[stinkyfingers]

That sounds good. I removed this and added an AppDeploymentEvent type that includes annotations and String(), similar to the Canary work. Hoping it's close to what you are expecting.

[aleksej-paschenko]

and it might be that we need to check the pods of the current deployment's revision.
A use-case: as a user I deployed an application and it is failing now, several of the app's pods are not ready. I have built a new image and am deploying it right now.

[aleksej-paschenko]

there is a nice ctrl.GetConfigOrDie() function

[stinkyfingers]

Yep. I removed this whole file as it's not used anymore.

[koncar]

if you loaded config from ctrl, we don't need this file anymore right?

[stinkyfingers]

Yep. Removed this dead code.

[koncar]

do processes share watcher?

we instantiate watcher for each process, but i would say from code that we would get same events for each process, we just print them differently Updating units [%s]", process.Name

how do we know that some events belong to certain process?

[stinkyfingers]

Each process has it's own watcher (is that a good idea 🤷 ). The watcher does 2 things: 1) watch Pod Events and 2) keep checking the appsv1.Deployment for updates.

1. The Pod Events are filtered by process here because the appsv1.Deployment name includes the process name. An appsv1.Deployment is 1-to-1 with a Ketch Process (which confuses because Ketch has Deployments too).
2. The appsv1.Deployments that we keep checking are also filtered by appsv1.Deployment.Name e.g. here which is the Ketch Process Name.

At least, I think that's what's going on. I'm new here.

[koncar]

can we remove this line

[koncar]

do we need this function if we use annotations?

[stinkyfingers]

Good idea. I removed this func and moved the string presentation logic into the corresponding shipa PR: https://github.com/shipa-corp/shipa/pull/1028

[koncar]

awesome job

[stinkyfingers]

This test was panicking without a client.

[stinkyfingers]

Watch asynchronously.

[aleksej-paschenko]

looks good!