Use node addresses from informer in kubelet certificate manager

[aojea]

The kubelet certificate manager was using a closure to get the node addresses, but this closure depended on a static field that was only updated during the node status update. This created a twisted dependency between the node.status reconcile loops and the certificate manager.

This commit fixes this issue by using the node informer to get the node addresses directly. This ensures that the kubelet always requests a certificate with the latest node addresses.

/kind bug
/kind cleanup

Fixes #130001

NONE

/sig node
/sig network

[aojea]

/assign @liggitt @dims
/cc @lentzi90 @mengqiy

[dims]

cc @cartermckinnon @mmerkes @tzneal

[lentzi90]

This is such a nice improvement! Thanks!
LGTM from my side

[cartermckinnon]

So kubelet will no longer request a cert until the taint is removed? I think that makes sense, given the external cloud provider "owns" the address list, but this will lengthen the period when kubelet is ready/accepting pods without having any serving cert. Can you add a log line here for visibility?

Somewhat related to the discussion in: #73047

[aojea]

yeah, related to this #125813

The node addresses are updated just after the taint is removed when the node is initialized by the cloud controller manager

kubernetes/staging/src/k8s.io/cloud-provider/controllers/node/node_controller.go

Lines 463 to 472 in 8cca6d9

	_, err = cnc.kubeClient.CoreV1().Nodes().Update(ctx, newNode, metav1.UpdateOptions{})
	if err != nil {
	return err
	}
	removeCloudProviderTaintDelay.Observe(time.Since(newNode.ObjectMeta.CreationTimestamp.Time).Seconds())
	// After adding, call UpdateNodeAddress to set the CloudProvider provided IPAddresses
	// So that users do not see any significant delay in IP addresses being filled into the node
	cnc.updateNodeAddress(ctx, newNode, instanceMetadata)

Bear in mind that the CSR requires to have at least one IP , that mean there should be one IP in node.Status.Addresses

kubernetes/pkg/kubelet/certificate/kubelet.go

Lines 50 to 51 in 8cca6d9

	// by default, require at least one IP before requesting a serving certificate
	hasRequiredAddresses := len(ips) > 0

But I'm not sure of what path we want to follow:

• no external cloud provider, everything is the same
• external cloud provider
  • no --node-ip specified, effectively the behavior should be the same, as there will be no IPs on node.status.addresses
  • node-ip specified, this is the tricky part per kubelet: cloud-provider external addresses #121028
    • ip matches cloud-provider addresses, only one CSR is sent and we'll regress on node startup
    • ip partially matches, two CSR are sent, but it may regress or not
    • ip does not match, two CSR are sent but only the last one will be the one matching the actual addresses.

We have been so many times back and forth with node.status.address that now I think we should remove this check, and keep the existing behavior, if someone is specifies the --node-ip with the flag, then it may want to send the CSR with that IP ...

[aojea]

Pushed last version based on discussion with @cartermckinnon in #130362 (comment), this keeps the same behavior, just removes the dependency on the node status loops by using the local informer. Based on the last year experience better the devil you know than the devil you don't

[aojea]

@cartermckinnon this will also improve the latency on cloud providers, since it will not have to wait for the patch of the kubelet,

[bart0sh]

/triage accepted

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[enj]

/lgtm cancel

To stop CI spam.

[cartermckinnon]

/retest

Code freeze is over, still want to get this one in @aojea ?

[cartermckinnon]

Might need a rebase to fix the tests?

[aojea]

Might need a rebase to fix the tests?

it shouldn't but it will retrigger the jobs, @cartermckinnon can you lgtm again?

[aojea]

/retest

streamtranslator_test.go:249: # HELP apiserver_stream_translator_requests_total [ALPHA] Total number of requests that were handled by the StreamTranslatorProxy, which processes streaming RemoteCommand/V5
# TYPE apiserver_stream_translator_requests_total counter
apiserver_stream_translator_requests_total{code="200"} 1
-apiserver_stream_translator_requests_total{code="400"} 1

the window unit test are panicing and look very unstable https://prow.k8s.io/job-history/gs/kubernetes-ci-logs/pr-logs/directory/pull-kubernetes-unit-windows-master , they should not be informing in current state since create confusion

[k8s-ci-robot]

@aojea: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-kubernetes-unit-windows-master	1214dc2	link	false	/test pull-kubernetes-unit-windows-master

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[aojea]

/lgtm cancel

To stop CI spam.

someone can lgtm again, the windows job does not seem related and is also not very stable

[BenTheElder]

/skip

[BenTheElder]

/lgtm
re-applying

[k8s-ci-robot]

LGTM label has been added.

Details

Git tree hash: 32408a9c0c81fb45bf0a57f10d517c88e77a6521