apiserver: better-log handling routines when changes occur to extensi… #9719

Open
wants to merge 3 commits into
base: master

aaaaaaaalex
Contributor

…on-apiserver-authentication ConfigMap

Description

Related issues/PRs

Todos

  • Tests
  • Documentation
  • Release note

Release Note

Increase logging in Calico API-server when changes are detected in Extension-Auth ConfigMap

Reminder for the reviewer

Make sure that this PR has the correct labels and milestone set.

Every PR needs one docs-* label.

  • docs-pr-required: This change requires a change to the documentation that has not been completed yet.
  • docs-completed: This change has all necessary documentation completed.
  • docs-not-required: This change has no user-facing impact and requires no docs.

Every PR needs one release-note-* label.

  • release-note-required: This PR has user-facing changes. Most PRs should have this label.
  • release-note-not-required: This PR has no user-facing changes.

Other optional labels:

  • cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
  • needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.

@aaaaaaaalex aaaaaaaalex added release-note-required Change has user-facing impact (no matter how small) docs-not-required Docs not required for this change labels Jan 15, 2025
@aaaaaaaalex aaaaaaaalex requested a review from a team as a code owner January 15, 2025 10:34
@marvin-tigera marvin-tigera added this to the Calico v3.30.0 milestone Jan 15, 2025
@aaaaaaaalex aaaaaaaalex force-pushed the apiserver-configmap-restart-log-level branch from 6d40be5 to 5542d83 Compare January 15, 2025 10:39
@@ -81,6 +84,7 @@ func WatchExtensionAuth(ctx context.Context) (bool, error) {
n := new.(*corev1.ConfigMap)
// Only detect as changed if the version has changed
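Review bot: the identifier `new` in `n := new.(*corev1.ConfigMap)` shadows Go's builtin `new`, and the single-value type assertion panics if the handler is ever handed an object that is not a ConfigMap. Rename it (for example `newObj`) and use the two-value form `n, ok := newObj.(*corev1.ConfigMap)`, returning early when `ok` is false.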
Member

@fasaxc fasaxc Jan 15, 2025

Do we definitely care about every revision change here? Seems like we could easily check the data for changes instead:

if len(n.Data) != len(o.Data) { changed = true ... }
for k, v := range n.Data {
  if ov, ok := o.Data[k]; !ok || ov != v {
    logrus.WithField("key", k).Info("Config map key changed/added") // Guessing we don't want to log the value (might be sensitive?)
    changed = true ... }
}
// Same for n.BinaryData ...

(It's common for an operator to tweak annotations on the object every few seconds, but we should look at the data we care about and ignore anything else.)

Contributor Author

The intention of this change is to see if our cache is stale and re-iterating over the same revisions post-restart, rather than investigating the change itself. Though, I suppose if we confirm that our cache is not stale, inspecting the changes themselves is the next step, so I'll put both in, thanks!

Contributor Author

This is done now

@aaaaaaaalex aaaaaaaalex force-pushed the apiserver-configmap-restart-log-level branch from 387f3e7 to 4b34d5f Compare January 15, 2025 11:39
@aaaaaaaalex aaaaaaaalex requested a review from fasaxc January 15, 2025 11:40
@aaaaaaaalex aaaaaaaalex force-pushed the apiserver-configmap-restart-log-level branch from 4b34d5f to 2c93a61 Compare January 15, 2025 11:45
"newResourceVersion": n.ResourceVersion,
"changedDataKey": changedKey,
"oldKeyValue": oldVal,
"newKeyValue": newVal,
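Review bot: the `oldKeyValue` and `newKeyValue` fields write the ConfigMap's data values into the log, where anyone with log access can read them. Keep `newResourceVersion` and `changedDataKey`, which are enough to tell which key changed and at which revision, and drop the two value fields.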
Member

We mustn't log sensitive values, and I think these come from a secret which by default makes them sensitive (unless carefully reasoned otherwise).

Contributor Author

Sorted now, thanks
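
The two review points above (compare the data rather than the revision, and keep values out of the log) can be combined in one helper. This is an added example, not code from this PR or from Calico: the `configMap` struct is a constructed stand-in for `corev1.ConfigMap`, `diffKeys` and `changedDataKeys` are hypothetical names, and the sample values are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
)

// configMap is a constructed stand-in for the corev1.ConfigMap fields that
// matter here, so the example runs without the Kubernetes libraries.
type configMap struct {
	ResourceVersion string
	Annotations     map[string]string
	Data            map[string]string
	BinaryData      map[string][]byte
}

// diffKeys returns the keys added, removed or modified between two maps.
func diffKeys[V any](o, n map[string]V, equal func(a, b V) bool) []string {
	var keys []string
	for k, nv := range n {
		if ov, ok := o[k]; !ok || !equal(ov, nv) {
			keys = append(keys, k) // added or modified
		}
	}
	for k := range o {
		if _, ok := n[k]; !ok {
			keys = append(keys, k) // removed
		}
	}
	return keys
}

// changedDataKeys (hypothetical helper) reports which Data/BinaryData keys
// differ. It ignores ResourceVersion and Annotations, and it returns key
// names only, so the values cannot end up in a log line.
func changedDataKeys(o, n *configMap) []string {
	keys := diffKeys(o.Data, n.Data, func(a, b string) bool { return a == b })
	keys = append(keys, diffKeys(o.BinaryData, n.BinaryData, bytes.Equal)...)
	sort.Strings(keys)
	return keys
}

func main() {
	// Constructed sample objects, not taken from a real cluster.
	o := &configMap{ResourceVersion: "100", Data: map[string]string{"client-ca-file": "old-pem"}}
	n := &configMap{ResourceVersion: "101", Data: map[string]string{"client-ca-file": "new-pem"}}
	fmt.Println("changed keys:", changedDataKeys(o, n)) // key names only
}
```

An update that only touches annotations or the resource version yields an empty slice, so a watcher built on this helper would not treat it as a change.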
