USHIFT-6401, USHIFT-6788: Add fail-fast RBAC bootstrap hook deadlock detection#6471
USHIFT-6401, USHIFT-6788: Add fail-fast RBAC bootstrap hook deadlock detection#6471copejon wants to merge 4 commits intoopenshift:mainfrom
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@copejon: This pull request references USHIFT-6401 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
Bot
added
the
do-not-merge/work-in-progress
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
WalkthroughAdds a concurrent RBAC bootstrap-hook deadlock detector to kube-apiserver.Run that probes the poststarthook readiness endpoint and etcd health, signals confirmed deadlocks, attempts recovery by stopping Changes
Sequence DiagramsequenceDiagram
participant Run as Run Method
participant Poll as Readiness Polling
participant Detector as RBAC Detector
participant Hook as /readyz/poststarthook/rbac/bootstrap-roles
participant Etcd as Etcd (v3)
participant Systemctl as systemctl
Run->>Poll: start kube-apiserver readiness polling
Run->>Detector: start RBAC deadlock detector goroutine
Detector->>Detector: wait initial delay
loop periodic checks (bounded by confirmation count & max wait)
Detector->>Hook: GET /readyz/poststarthook/rbac/bootstrap-roles
Detector->>Etcd: short-timeout Status probe (TLS)
Etcd-->>Detector: healthy/unhealthy
alt Etcd healthy & Hook not-ready confirmed
Detector->>Systemctl: run "systemctl stop microshift-etcd.scope"
Systemctl-->>Detector: result
Detector-->>Run: close deadlock channel (signal)
Run->>Run: log, attempt restart scope, return deadlock error
else Hook ready or Etcd unhealthy or threshold not reached
Detector->>Detector: continue polling or reset confirmation
end
end
Estimated Code Review Effort🎯 4 (Complex) | ⏱️ ~40 minutes 🚥 Pre-merge checks | ✅ 11 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (11 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Skipping CI for Draft Pull Request. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: copejon The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
Bot
added
the
approved
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
pkg/controllers/kube-apiserver.go (1)
542-557: Function name is misleading.
restartMicroshiftEtcdScopeonly stops the scope; the restart occurs when MicroShift itself restarts afterRun()returns an error. Consider renaming tostopMicroshiftEtcdScopefor clarity.♻️ Suggested rename
-// restartMicroshiftEtcdScope restarts the microshift-etcd.scope to recover from deadlock. -// This forces a clean restart of etcd which can help break the circular dependency. -func restartMicroshiftEtcdScope() error { +// stopMicroshiftEtcdScope stops the microshift-etcd.scope to recover from deadlock. +// MicroShift will restart both etcd and kube-apiserver after Run() returns an error. +func stopMicroshiftEtcdScope() error { klog.Info("Stopping microshift-etcd.scope for recovery")Also update the call site at line 438.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@pkg/controllers/kube-apiserver.go` around lines 542 - 557, The function restartMicroshiftEtcdScope is misnamed because it only stops the scope; rename the function to stopMicroshiftEtcdScope (and update its comment and klog messages accordingly) and update every call site that invokes restartMicroshiftEtcdScope to call stopMicroshiftEtcdScope instead; ensure exported/internal visibility remains unchanged and run tests/build to verify no references remain to the old name.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@pkg/controllers/kube-apiserver.go`:
- Around line 488-496: The current RBAC bootstrap loop resets checkCount to 0
when etcd is unhealthy which allows flapping to prevent ever reaching maxChecks;
modify the logic in the kube-apiserver.go RBAC detection loop (around variables
checkCount, maxChecks, and etcdHealthy) to track a wall-clock deadline (e.g.,
startTime or deadline) when the check begins and do not reset that deadline on
etcd state changes—always compare time.Since(startTime) (or
time.Now().After(deadline)) against a configured maxWaitDuration and fail/exit
the loop if exceeded; keep the existing checkCount logic for deadlock detection
but add this independent timeout check so flapping cannot extend detection
indefinitely.
---
Nitpick comments:
In `@pkg/controllers/kube-apiserver.go`:
- Around line 542-557: The function restartMicroshiftEtcdScope is misnamed
because it only stops the scope; rename the function to stopMicroshiftEtcdScope
(and update its comment and klog messages accordingly) and update every call
site that invokes restartMicroshiftEtcdScope to call stopMicroshiftEtcdScope
instead; ensure exported/internal visibility remains unchanged and run
tests/build to verify no references remain to the old name.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: 8e1dd33d-45f9-439d-91af-e5c44c9150fc
📒 Files selected for processing (1)
pkg/controllers/kube-apiserver.go
|
@coderabbitai help |
ChatThere are 3 ways to chat with CodeRabbit:
CodeRabbit commands
Other keywords and placeholders
Status, support, documentation and community
|
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@pkg/controllers/kube-apiserver.go`:
- Around line 469-472: The loop that decides to signal deadlock is incrementing
checkCount and falling through to close(deadlockDetected) on
rbacHookMaxWaitDuration expiry even when isEtcdHealthy() or the RBAC probe
errored; modify the loop (the block around checkCount, isEtcdHealthy,
rbacHookMaxWaitDuration, maxChecks, and close(deadlockDetected)) so that
checkCount is only incremented when the "healthy-etcd stall" predicate is
actually observed (i.e., when both the RBAC probe is unfinished AND
isEtcdHealthy() returns true), ignore/skip increments when probes or health
checks error, and on hitting rbacHookMaxWaitDuration return early unless
checkCount has already reached maxChecks; ensure close(deadlockDetected) is only
called after the predicate has been confirmed maxChecks times.
- Around line 483-486: The RBAC readiness probe call using
restClient.Get().AbsPath("/readyz/poststarthook/rbac/bootstrap-roles").Do(ctx)...
uses the long-lived controller ctx and can hang; wrap that request in a short
per-probe context with timeout (e.g., context.WithTimeout(ctx, 2*time.Second)),
use the derived probeCtx in Do(probeCtx), and defer cancel() so the goroutine
unblocks and the 2s interval / 30s max-wait logic can re-evaluate; update the
call that sets status and err (StatusCode(&status).Error()) to use the probe
context.
- Around line 558-563: The call to stopCmd.CombinedOutput() in
restartMicroshiftEtcdScope is unbounded and can hang; wrap the systemctl
invocation with a context deadline (e.g., create a context.WithTimeout and use
exec.CommandContext) and use that context when constructing stopCmd, then read
CombinedOutput (or CombinedOutput on the context-backed command) and return a
timeout-aware error if the context expires; reference
restartMicroshiftEtcdScope, stopCmd and CombinedOutput and ensure you cancel the
context and propagate/annotate context timeout errors in the returned fmt.Errorf
message.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: 6d409d90-afaf-448d-81e1-02888bc827c6
📒 Files selected for processing (1)
pkg/controllers/kube-apiserver.go
copejon
changed the title
|
@copejon: This pull request references USHIFT-6401 which is a valid jira issue. This pull request references USHIFT-6788 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.22.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
Bot
removed
the
do-not-merge/work-in-progress
|
@copejon: This pull request references USHIFT-6401 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target either version "5.0." or "openshift-5.0.", but it targets "openshift-4.22" instead. This pull request references USHIFT-6788 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
There was a problem hiding this comment.
♻️ Duplicate comments (1)
pkg/controllers/kube-apiserver.go (1)
468-515:⚠️ Potential issue | 🟠 MajorWall-clock deadline break still triggers false deadlock signal.
When
rbacHookMaxWaitDurationexpires at line 472, the loop breaks and falls through toclose(deadlockDetected)at line 515—even if etcd was never confirmed healthy. The "etcd healthy + hook stuck" predicate may never have been observed.Additionally,
checkCount++at line 481 executes before conditions are verified. IfisEtcdHealthyerrors, the count advances without observing the deadlock predicate.Proposed fix
+ deadlockPredicateObserved := false + for checkCount < maxChecks { // Check absolute deadline first - this cannot be reset by etcd state changes if time.Since(startTime) >= rbacHookMaxWaitDuration { klog.Errorf("RBAC bootstrap hook exceeded maximum wait duration of %v", rbacHookMaxWaitDuration) - break + if !deadlockPredicateObserved { + klog.Warning("Wall-clock deadline reached but deadlock predicate never confirmed - not signaling deadlock") + return + } + break // predicate was observed, signal deadlock } select { case <-ctx.Done(): return case <-time.After(rbacHookCheckInterval * time.Second): } - checkCount++ - // Check RBAC hook status var status int err := restClient.Get().AbsPath("/readyz/poststarthook/rbac/bootstrap-roles").Do(ctx).StatusCode(&status).Error() // If hook is ready, no deadlock if err == nil && status == 200 { klog.V(4).Info("RBAC bootstrap hook completed successfully") return } // Hook not ready - check if etcd is healthy etcdHealthy, etcdErr := isEtcdHealthy(ctx) if etcdErr != nil { klog.V(4).Infof("Could not check etcd health: %v", etcdErr) continue } if etcdHealthy { + checkCount++ + deadlockPredicateObserved = true klog.Warningf("RBAC bootstrap hook not ready (check %d/%d, elapsed %v), but etcd is healthy - potential deadlock", checkCount, maxChecks, time.Since(startTime).Round(time.Second)) } else { // etcd not healthy - not a deadlock, just waiting for etcd klog.V(4).Infof("RBAC hook waiting, etcd not yet healthy (check %d/%d)", checkCount, maxChecks) - // Reset counter since this isn't a deadlock condition - // Note: wall-clock deadline (startTime) is NOT reset - flapping cannot extend indefinitely checkCount = 0 } }🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@pkg/controllers/kube-apiserver.go` around lines 468 - 515, The loop currently can fall through to close(deadlockDetected) on wall-clock timeout even if etcd was never observed healthy and also increments checkCount before confirming etcd health; fix by tracking whether etcd has ever been observed healthy (e.g., add sawEtcdHealthy bool set to true when isEtcdHealthy(ctx) returns (true, nil)), only increment checkCount when etcdHealthy==true and etcdErr==nil (move the checkCount++ after the etcd health success path), and after the loop only signal deadlock (close(deadlockDetected)) if sawEtcdHealthy is true and the RBAC hook still isn’t ready; leave the wall-clock timeout to break the loop but not unconditionally declare a deadlock. Ensure references: restClient.Get().AbsPath("/readyz/poststarthook/rbac/bootstrap-roles").Do(...).StatusCode(&status).Error(), isEtcdHealthy(ctx), checkCount, sawEtcdHealthy, and deadlockDetected.
🧹 Nitpick comments (1)
pkg/controllers/kube-apiserver.go (1)
566-568: Consider context-aware wait.The 1s
time.Sleepisn't interruptible. Low impact but aselectwithctx.Done()would be cleaner for graceful shutdown.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@pkg/controllers/kube-apiserver.go` around lines 566 - 568, Replace the uninterruptible time.Sleep(1 * time.Second) with a context-aware wait so shutdown can be cancelled: where the sleep occurs (the time.Sleep call in kube-apiserver.go cleanup/wait block), use a select that waits on time.After(1 * time.Second) and also listens on ctx.Done(), returning early if ctx is cancelled; ensure you reference the existing ctx variable and keep the same timeout duration.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In `@pkg/controllers/kube-apiserver.go`:
- Around line 468-515: The loop currently can fall through to
close(deadlockDetected) on wall-clock timeout even if etcd was never observed
healthy and also increments checkCount before confirming etcd health; fix by
tracking whether etcd has ever been observed healthy (e.g., add sawEtcdHealthy
bool set to true when isEtcdHealthy(ctx) returns (true, nil)), only increment
checkCount when etcdHealthy==true and etcdErr==nil (move the checkCount++ after
the etcd health success path), and after the loop only signal deadlock
(close(deadlockDetected)) if sawEtcdHealthy is true and the RBAC hook still
isn’t ready; leave the wall-clock timeout to break the loop but not
unconditionally declare a deadlock. Ensure references:
restClient.Get().AbsPath("/readyz/poststarthook/rbac/bootstrap-roles").Do(...).StatusCode(&status).Error(),
isEtcdHealthy(ctx), checkCount, sawEtcdHealthy, and deadlockDetected.
---
Nitpick comments:
In `@pkg/controllers/kube-apiserver.go`:
- Around line 566-568: Replace the uninterruptible time.Sleep(1 * time.Second)
with a context-aware wait so shutdown can be cancelled: where the sleep occurs
(the time.Sleep call in kube-apiserver.go cleanup/wait block), use a select that
waits on time.After(1 * time.Second) and also listens on ctx.Done(), returning
early if ctx is cancelled; ensure you reference the existing ctx variable and
keep the same timeout duration.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Pro Plus
Run ID: 8aa2f8a5-61b0-40e5-a4e9-2c35b99a9835
📒 Files selected for processing (1)
pkg/controllers/kube-apiserver.go
|
/retest |
|
@copejon: This pull request references USHIFT-6401 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target either version "5.0." or "openshift-5.0.", but it targets "openshift-4.22" instead. This pull request references USHIFT-6788 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
copejon
force-pushed
the
fix-USHIFT-6401
branch
from
7daee5d to
184e1cb
Compare
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@pkg/controllers/kube-apiserver.go`:
- Around line 59-69: rbac timing constants rbacHookDeadlockTimeout and
rbacHookCheckInterval are plain integers but used as time.Duration; change them
to durations by multiplying by time.Second (rbacHookDeadlockTimeout = 15 *
time.Second and rbacHookCheckInterval = 2 * time.Second), then update the
log/format that prints the timeout to use %s (duration) instead of “%d seconds”,
and remove any places that multiply rbacHookCheckInterval by time.Second (e.g.
the spot that computes maxChecks / or multiplies the interval) so all arithmetic
uses time.Duration consistently.
- Around line 496-515: The current RBAC probe logic treats any non-nil err from
restClient.Get() as a transport error and skips deadlock counting; change the
condition so only requests with no HTTP status code (transport/timeout errors)
are skipped — i.e., update the check around restClient.Get()/probeCtx to
skip/continue only when err != nil AND status == 0 (use the existing status
integer and err from the Do(...).StatusCode(&status).Error() call), while
allowing HTTP responses (even 5xx where status != 0) to be counted toward the
deadlock check and preserve the existing klog message for the skipped case.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Pro Plus
Run ID: 7ca5fc05-cf7b-4e48-970f-e7400f1307ef
📒 Files selected for processing (1)
pkg/controllers/kube-apiserver.go
…tion On MicroShift restart, the RBAC bootstrap hook can deadlock when etcd contains existing data. The hook uses context.TODO() for API calls, which has no timeout. When the loopback client hangs, this creates a circular dependency where the hook waits for the API server while the API server waits for the hook to complete. This change adds a parallel deadlock detector that: - Monitors /readyz/poststarthook/rbac/bootstrap-roles specifically - Checks if etcd is healthy while the hook is stuck - Detects deadlock in ~15 seconds instead of waiting 60 seconds - Restarts microshift-etcd.scope to recover from the deadlock This breaks the crash loop by detecting the condition early and taking recovery action at the MicroShift level, without requiring changes to vendored upstream Kubernetes code. Related upstream issues: kubernetes/kubernetes#86715, #97119 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add rbacHookMaxWaitDuration (30s) as an absolute deadline that cannot be reset by etcd health state changes. This prevents a flapping etcd from extending the deadlock detection indefinitely. The existing checkCount logic is preserved for detecting deadlock when etcd is consistently healthy, but the wall-clock deadline provides a hard upper bound regardless of etcd state transitions. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…itives - Only increment checkCount when deadlock predicate confirmed (RBAC not ready AND etcd healthy) - Skip counting when RBAC probe or etcd health check errors - On wall-clock timeout, only trigger recovery if checkCount >= maxChecks - Add 1s timeout to RBAC probe to prevent hanging on unresponsive API - Add 5s timeout to systemctl stop to prevent recovery path from stalling - Extract rbacHookPollDelayStart constant for clarity Prevents false positive deadlock detection when etcd flaps or probes error, ensuring close(deadlockDetected) only fires after confirming the deadlock condition the required number of times. Related: kubernetes/kubernetes#86715, #97119 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
copejon
force-pushed
the
fix-USHIFT-6401
branch
2 times, most recently
from
b64ecdb to
097404a
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
♻️ Duplicate comments (2)
pkg/controllers/kube-apiserver.go (2)
371-371:⚠️ Potential issue | 🔴 CriticalUse duration constants directly.
Line 371 now overflows because
kubeAPIStartupTimeoutis already atime.Duration. Line 493 also turns the 2s detector interval into a multi-decade sleep. Use the constants directly and format durations with%s.Proposed fix
- err := wait.PollUntilContextTimeout(ctx, time.Second, kubeAPIStartupTimeout*time.Second, true, func(ctx context.Context) (bool, error) { + err := wait.PollUntilContextTimeout(ctx, time.Second, kubeAPIStartupTimeout, true, func(ctx context.Context) (bool, error) { ... - return fmt.Errorf("RBAC bootstrap hook deadlock detected after %d seconds", rbacHookDeadlockTimeout) + return fmt.Errorf("RBAC bootstrap hook deadlock detected after %s", rbacHookDeadlockTimeout) ... - case <-time.After(rbacHookCheckInterval * time.Second): + case <-time.After(rbacHookCheckInterval):Verify the stale multipliers are gone:
#!/bin/bash rg -n 'kubeAPIStartupTimeout\s*\*\s*time\.Second|rbacHookCheckInterval\s*\*\s*time\.Second|after %d seconds' pkg/controllers/kube-apiserver.goAlso applies to: 446-446, 490-494
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@pkg/controllers/kube-apiserver.go` at line 371, The code is multiplying existing time.Duration constants (e.g. kubeAPIStartupTimeout, rbacHookCheckInterval) by time.Second which causes overflow and wrong intervals; update calls like wait.PollUntilContextTimeout(ctx, time.Second, kubeAPIStartupTimeout*time.Second, ...) and any other occurrences (rbacHookCheckInterval*time.Second) to pass the durations directly (use kubeAPIStartupTimeout and rbacHookCheckInterval as the timeout/interval arguments) and change any formatted log strings that use "after %d seconds" to use "%s" with the duration value; search for usages in functions referencing kubeAPIStartupTimeout and rbacHookCheckInterval and replace the multipliers and integer %d format with the direct duration and %s respectively.
496-515:⚠️ Potential issue | 🟠 MajorDon’t skip HTTP not-ready responses.
client-go can return both
status != 0anderr != nilfor HTTP error responses, so Line 513 skips the RBAC “not ready” signal the detector needs. Only skip transport/timeout failures where no HTTP status was received.Proposed fix
- if err != nil { + if err != nil && status == 0 { klog.V(4).Infof("RBAC probe error (not counting toward deadlock): %v", err) continue }Verify client-go
Resultstatus/error behavior in the vendored source:#!/bin/bash sed -n '496,515p' pkg/controllers/kube-apiserver.go rg -n -A8 -B4 'func \(r .*Result\) StatusCode|func \(r .*Result\) Error|func \(r \*Request\) transformResponse' ./deps/github.com/openshift/kubernetes/staging/src/k8s.io/client-go/rest/request.go🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@pkg/controllers/kube-apiserver.go` around lines 496 - 515, The code currently treats any err from restClient.Get().Do(...).Error() as a transport/timeout failure and skips counting toward deadlock; change that logic so only transport-level failures (err != nil AND status == 0) are skipped. In other words, keep the probe request creation (probeCtx, cancel, restClient.Get... StatusCode(&status).Error()), then replace the "if err != nil { ... continue }" check with a conditional that logs and continues only when err != nil && status == 0; if err != nil but status != 0, treat it as an HTTP error response (do not continue) so the RBAC “not ready” HTTP status is observed by the detector (referencing probeCtx, status, and err).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@pkg/controllers/kube-apiserver.go`:
- Line 70: The const block in kube-apiserver.go contains a stray character "1"
immediately before its closing parenthesis which breaks Go syntax; remove that
stray "1" so the const (...) block ends with just the closing ')' and nothing
else, ensuring the const declaration (the const block surrounding the
kube-apiserver constants) compiles cleanly.
---
Duplicate comments:
In `@pkg/controllers/kube-apiserver.go`:
- Line 371: The code is multiplying existing time.Duration constants (e.g.
kubeAPIStartupTimeout, rbacHookCheckInterval) by time.Second which causes
overflow and wrong intervals; update calls like
wait.PollUntilContextTimeout(ctx, time.Second,
kubeAPIStartupTimeout*time.Second, ...) and any other occurrences
(rbacHookCheckInterval*time.Second) to pass the durations directly (use
kubeAPIStartupTimeout and rbacHookCheckInterval as the timeout/interval
arguments) and change any formatted log strings that use "after %d seconds" to
use "%s" with the duration value; search for usages in functions referencing
kubeAPIStartupTimeout and rbacHookCheckInterval and replace the multipliers and
integer %d format with the direct duration and %s respectively.
- Around line 496-515: The code currently treats any err from
restClient.Get().Do(...).Error() as a transport/timeout failure and skips
counting toward deadlock; change that logic so only transport-level failures
(err != nil AND status == 0) are skipped. In other words, keep the probe request
creation (probeCtx, cancel, restClient.Get... StatusCode(&status).Error()), then
replace the "if err != nil { ... continue }" check with a conditional that logs
and continues only when err != nil && status == 0; if err != nil but status !=
0, treat it as an HTTP error response (do not continue) so the RBAC “not ready”
HTTP status is observed by the detector (referencing probeCtx, status, and err).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Pro Plus
Run ID: 16493598-1abd-4ebf-8630-0d3b8ae52d52
📒 Files selected for processing (1)
pkg/controllers/kube-apiserver.go
copejon
force-pushed
the
fix-USHIFT-6401
branch
from
097404a to
266c5aa
Compare
copejon
force-pushed
the
fix-USHIFT-6401
branch
from
266c5aa to
2449af6
Compare
|
@copejon: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/verified by ci |
openshift-ci-robot
added
the
verified
|
@copejon: This PR has been marked as verified by DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
2 participants
Summary
rbacHookMaxWaitDuration = 30s) to prevent etcd health flapping from extending detection indefinitelyProblem
MicroShift enters a permanent crash loop after first restart due to the RBAC bootstrap hook deadlocking when etcd contains existing data. The
rbac/bootstrap-rolesPostStartHook usescontext.TODO()for API calls with no timeout, causing a circular dependency where the hook waits for API server readiness while the API server waits for the hook to complete.Related upstream issues: kubernetes/kubernetes#86715, kubernetes/kubernetes#97119
Solution
Add a fail-fast deadlock detector that:
/readyz/poststarthook/rbac/bootstrap-rolesspecificallymicroshift-etcd.scopeto force clean recoveryTest plan
make verify-gopassesmake test-unitpasses🤖 Generated with Claude Code via
/jira:solve USHIFT-6401, [USHIFT-6788](https://redhat.atlassian.net/browse/USHIFT-6788)Summary by CodeRabbit