Make leader election a top level pilot component, use it for singleton components

[howardjohn]

This PR does a few things, which I attempted to decompose into different commits

1. Add a new leaderelection component. This is largely a copy of the ingress leader election (which in turn is directly copied from some other implementation)
2. Switch ingress status to use the new component
3. Make validation and namespace controller use the new leader election

[nmittler]

was there previous leader election code in Istio? I was expecting to see moves/deletes

[howardjohn]

Yes, you can see it moved in ingress/status.go. The code is just calling a k8s library, so its not complex/long code or anything.

[ayj]

Is there any chance of losing the lock without shutting down? Is this what line 100 below is referring to?

[howardjohn]

There is - at the very least if someone took away our rbac permission for config map, api server went down, etc we would. In this case, the context will be canceled, so the functions will stop (the library does this, not us).

I was confused looking at this original since I thought we just did nothing when we lose the lock, but its already handled. Probably warrants a comment.

The L100 comment is just for if WE explicitly cancel the context, we also drop the lock immediately. This allows another instance to take over immediately when we exit

[nmittler]

looks good overall ... took a first pass.

[nmittler]

I assume this will only be called before it's Run? If so, maybe we should just have a separate builder. Then we could do something like:

le := leaderelection.NewBuilder().
  Namespace(ns).
  Name(name).
  Client(client).
  WithRun(runFn1).
  WithRun(runFn2).
  Build()
...
le.Run(...)

[nmittler]

@howardjohn there are a few options here:

1. lock access to the runFns array wherever it's used
2. Use a separate builder so that the API makes it clear that runFns can not be mutated after start.
3. Use a separate Config object that you pass to New... and this is the thing that you build up before you create the elector.

Personally, I think my preference is 3, it's probably the simplest since you could just have a simple struct with no additional methods, like a builder would require. It also makes the New method clean.

Also, this method should probably be renamed to something like RunWhenLeader.

[nmittler]

Any reason to use a stop channel as opposed to context.Context? Seems like it would simplify the cancel code below.

[howardjohn]

All of pilot is doing the stop channel passing. So at some point, we will need to convert stop channel into context? So I think its reasonable to do here rather than outside this function?

I feel like there should be a simpler way though..

[nmittler]

Make this a constant at the top?

Also, does this name need to be different for each component (e.g. webhook vs ingress)?

[howardjohn]

No, we will have a single leader election for all components. Technically we could split it up, but I see no reason to have 4+ locks when we can have one?

[howardjohn]

also I moved to a constant

[howardjohn]

/retest

[hzxuzhonghu]

Mostly i am concerned when leader lost, will it renew?

[hzxuzhonghu]

by default hostname equals podname.

[nmittler]

@howardjohn looks like you're just using pod name for Identity in the election config? What are the requirements for this identity? Does it have to be a pod name?

[howardjohn]

I think it will renew but I will check the library

[howardjohn]

Neither Istio's current implementation nor nginx-ingress do anything special to handle leader being lost: https://github.com/nginxinc/kubernetes-ingress/blob/5d4c5ddc70c2a40e78c803d0000908bfb2e6b63f/internal/k8s/controller.go#L310. So based on this I assume we have nothing to worry about here?

[howardjohn]

also looked at the code, it basically does

for {
  renew()
}

so if we lose it we can get it back again

[hzxuzhonghu]

I remember in kube-controller-manager, the OnStoppedLeading is set to panic and exit.

// Run starts the leader election loop
func (le *LeaderElector) Run(ctx context.Context) {
	defer func() {
		runtime.HandleCrash()
		le.config.Callbacks.OnStoppedLeading()
	}()
	if !le.acquire(ctx) {
		return // ctx signalled done
	}
	ctx, cancel := context.WithCancel(ctx)
	defer cancel()
	go le.config.Callbacks.OnStartedLeading(ctx)
	le.renew(ctx)
}

[howardjohn]

But for us we do nothing for OnStoppedLeading, so I don't think there is an issue?

[hzxuzhonghu]

We do nothing just print a log. But this goroutine will exit. There is no way to re-acquire the lock.

[howardjohn]

@hzxuzhonghu thanks for pushing back on this, i misunderstood the code. I simulated loosing the lock (by removing RBAC permission) and found

• With ReleaseOnCancel, a panic from kubernetes (seems like a bug): leaderelection panic when failing to renew lease kubernetes/kubernetes#87800
• Without release on cancel, no panic, but we don't ever renew

So I think you are right, we need some looping to acquire leadership again

[howardjohn]

/hold

I added a test that fails due to the k8s crashing bug

[hzxuzhonghu]

defer

[nmittler]

@howardjohn looks like you're just using pod name for Identity in the election config? What are the requirements for this identity? Does it have to be a pod name?

[nmittler]

@howardjohn there are a few options here:

1. lock access to the runFns array wherever it's used
2. Use a separate builder so that the API makes it clear that runFns can not be mutated after start.
3. Use a separate Config object that you pass to New... and this is the thing that you build up before you create the elector.

Personally, I think my preference is 3, it's probably the simplest since you could just have a simple struct with no additional methods, like a builder would require. It also makes the New method clean.

Also, this method should probably be renamed to something like RunWhenLeader.

[nmittler]

nit: the name creates a stutter with the package name leaderelection.LeaderElection. Also, I think Elector is a little better than Election. Perhaps the package could be leader and the type could be Elector, so that callsites would see leader.Elector? WDYT?

[istio-testing]

In response to a cherrypick label: new pull request created: #20939