Merge pull request #829 from enj/enj/i/wait_shutdown

Ensure concierge and supervisor gracefully exit

internal/concierge/apiserver/apiserver.go

@@ -6,6 +6,7 @@ package apiserver
 import (
  "context"
  "fmt"
+ "sync"
 
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  "k8s.io/apimachinery/pkg/runtime"
@@ -15,6 +16,7 @@ import (
  genericapiserver "k8s.io/apiserver/pkg/server"
  "k8s.io/client-go/pkg/version"
 
+ "go.pinniped.dev/internal/controllerinit"
  "go.pinniped.dev/internal/issuer"
  "go.pinniped.dev/internal/plog"
  "go.pinniped.dev/internal/registry/credentialrequest"
@@ -29,7 +31,7 @@ type Config struct {
 type ExtraConfig struct {
  Authenticator credentialrequest.TokenCredentialRequestAuthenticator
  Issuer issuer.ClientCertIssuer
- StartControllersPostStartHook func(ctx context.Context)
+ BuildControllersPostStartHook controllerinit.RunnerBuilder
  Scheme *runtime.Scheme
  NegotiatedSerializer runtime.NegotiatedSerializer
  LoginConciergeGroupVersion schema.GroupVersion
@@ -105,16 +107,39 @@ func (c completedConfig) New() (*PinnipedServer, error) {
  return nil, fmt.Errorf("could not install API groups: %w", err)
  }
 
+ shutdown := &sync.WaitGroup{}
  s.GenericAPIServer.AddPostStartHookOrDie("start-controllers",
  func(postStartContext genericapiserver.PostStartHookContext) error {
  plog.Debug("start-controllers post start hook starting")
 
  ctx, cancel := context.WithCancel(context.Background())
  go func() {
+ defer cancel()
+
  <-postStartContext.StopCh
- cancel()
  }()
- c.ExtraConfig.StartControllersPostStartHook(ctx)
+
+ runControllers, err := c.ExtraConfig.BuildControllersPostStartHook(ctx)
+ if err != nil {
+ return fmt.Errorf("cannot create run controller func: %w", err)
+ }
+
+ shutdown.Add(1)
+ go func() {
+ defer shutdown.Done()
+
+ runControllers(ctx)
+ }()
+
+ return nil
+ },
+ )
+ s.GenericAPIServer.AddPreShutdownHookOrDie("stop-controllers",
+ func() error {
+ plog.Debug("stop-controllers pre shutdown hook starting")
+ defer plog.Debug("stop-controllers pre shutdown hook completed")
+
+ shutdown.Wait()
 
  return nil
  },

internal/concierge/server/server.go

@@ -27,6 +27,7 @@ import (
  conciergescheme "go.pinniped.dev/internal/concierge/scheme"
  "go.pinniped.dev/internal/config/concierge"
  "go.pinniped.dev/internal/controller/authenticator/authncache"
+ "go.pinniped.dev/internal/controllerinit"
  "go.pinniped.dev/internal/controllermanager"
  "go.pinniped.dev/internal/downward"
  "go.pinniped.dev/internal/dynamiccert"
@@ -135,7 +136,7 @@ func (a *App) runServer(ctx context.Context) error {
 
  // Prepare to start the controllers, but defer actually starting them until the
  // post start hook of the aggregated API server.
- startControllersFunc, err := controllermanager.PrepareControllers(
+ buildControllers, err := controllermanager.PrepareControllers(
  &controllermanager.Config{
  ServerInstallationInfo: podInfo,
  APIGroupSuffix: *cfg.APIGroupSuffix,
@@ -165,7 +166,7 @@ func (a *App) runServer(ctx context.Context) error {
  dynamicServingCertProvider,
  authenticators,
  certIssuer,
- startControllersFunc,
+ buildControllers,
  *cfg.APIGroupSuffix,
  scheme,
  loginGV,
@@ -190,7 +191,7 @@ func getAggregatedAPIServerConfig(
  dynamicCertProvider dynamiccert.Private,
  authenticator credentialrequest.TokenCredentialRequestAuthenticator,
  issuer issuer.ClientCertIssuer,
- startControllersPostStartHook func(context.Context),
+ buildControllers controllerinit.RunnerBuilder,
  apiGroupSuffix string,
  scheme *runtime.Scheme,
  loginConciergeGroupVersion, identityConciergeGroupVersion schema.GroupVersion,
@@ -227,7 +228,7 @@ func getAggregatedAPIServerConfig(
  ExtraConfig: apiserver.ExtraConfig{
  Authenticator: authenticator,
  Issuer: issuer,
- StartControllersPostStartHook: startControllersPostStartHook,
+ BuildControllersPostStartHook: buildControllers,
  Scheme: scheme,
  NegotiatedSerializer: codecs,
  LoginConciergeGroupVersion: loginConciergeGroupVersion,
@@ -237,7 +238,7 @@ func getAggregatedAPIServerConfig(
  return apiServerConfig, nil
 }
 
-func Main() {
+func main() error { // return an error instead of klog.Fatal to allow defer statements to run
  logs.InitLogs()
  defer logs.FlushLogs()
 
@@ -250,7 +251,11 @@ func Main() {
 
  ctx := genericapiserver.SetupSignalContext()
 
- if err := New(ctx, os.Args[1:], os.Stdout, os.Stderr).Run(); err != nil {
+ return New(ctx, os.Args[1:], os.Stdout, os.Stderr).Run()
+}
+
+func Main() {
+ if err := main(); err != nil {
  klog.Fatal(err)
  }
 }

internal/controllerinit/controllerinit.go

@@ -0,0 +1,87 @@
+// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package controllerinit
+
+import (
+ "context"
+ "fmt"
+ "reflect"
+ "sort"
+ "time"
+)
+
+// Runner is something that can be run such as a series of controllers. Blocks until context is canceled.
+type Runner func(context.Context)
+
+// RunnerWrapper takes a Runner and wraps its execution with other logic. Blocks until context is canceled.
+// RunnerWrapper is responsible for the lifetime of the passed in Runner.
+type RunnerWrapper func(context.Context, Runner)
+
+// RunnerBuilder is a function that can be used to construct a Runner.
+// It is expected to be called in the main go routine since the construction can fail.
+type RunnerBuilder func(context.Context) (Runner, error)
+
+// informer is the subset of SharedInformerFactory needed for starting an informer cache and waiting for it to sync.
+type informer interface {
+ Start(stopCh <-chan struct{})
+ WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool
+}
+
+// Prepare returns RunnerBuilder that, when called:
+// 1. Starts all provided informers and waits for them sync (and fails if they hang)
+// 2. Returns a Runner that combines the Runner and RunnerWrapper passed into Prepare
+func Prepare(controllers Runner, controllersWrapper RunnerWrapper, informers ...informer) RunnerBuilder {
+ return func(ctx context.Context) (Runner, error) {
+ for _, informer := range informers {
+ informer := informer
+
+ informer.Start(ctx.Done())
+
+ // prevent us from blocking forever due to a broken informer
+ waitCtx, waitCancel := context.WithTimeout(ctx, time.Minute)
+ defer waitCancel()
+
+ // wait until the caches are synced before returning
+ status := informer.WaitForCacheSync(waitCtx.Done())
+
+ if unsynced := unsyncedInformers(status); len(unsynced) > 0 {
+ return nil, fmt.Errorf("failed to sync informers of %s: %v", anyToFullname(informer), unsynced)
+ }
+ }
+
+ return func(controllerCtx context.Context) {
+ controllersWrapper(controllerCtx, controllers)
+ }, nil
+ }
+}
+
+func unsyncedInformers(status map[reflect.Type]bool) []string {
+ if len(status) == 0 {
+ return []string{"all:empty"}
+ }
+
+ var names []string
+
+ for typ, synced := range status {
+ if !synced {
+ names = append(names, typeToFullname(typ))
+ }
+ }
+
+ sort.Strings(names)
+
+ return names
+}
+
+func anyToFullname(any interface{}) string {
+ typ := reflect.TypeOf(any)
+ return typeToFullname(typ)
+}
+
+func typeToFullname(typ reflect.Type) string {
+ if typ.Kind() == reflect.Ptr {
+ typ = typ.Elem()
+ }
+ return typ.PkgPath() + "." + typ.Name()
+}

internal/controllermanager/prepare_controllers.go

@@ -6,7 +6,6 @@
 package controllermanager
 
 import (
- "context"
  "fmt"
  "time"
 
@@ -27,6 +26,7 @@ import (
  "go.pinniped.dev/internal/controller/authenticator/webhookcachefiller"
  "go.pinniped.dev/internal/controller/impersonatorconfig"
  "go.pinniped.dev/internal/controller/kubecertagent"
+ "go.pinniped.dev/internal/controllerinit"
  "go.pinniped.dev/internal/controllerlib"
  "go.pinniped.dev/internal/deploymentref"
  "go.pinniped.dev/internal/downward"
@@ -95,7 +95,7 @@ type Config struct {
 
 // Prepare the controllers and their informers and return a function that will start them when called.
 //nolint:funlen // Eh, fair, it is a really long function...but it is wiring the world...so...
-func PrepareControllers(c *Config) (func(ctx context.Context), error) {
+func PrepareControllers(c *Config) (controllerinit.RunnerBuilder, error) {
  loginConciergeGroupData, identityConciergeGroupData := groupsuffix.ConciergeAggregatedGroups(c.APIGroupSuffix)
 
  dref, deployment, err := deploymentref.New(c.ServerInstallationInfo)
@@ -303,11 +303,12 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
  singletonWorker,
  )
 
- // Return a function which starts the informers and controllers.
- return func(ctx context.Context) {
- informers.startAndWaitForSync(ctx)
- go leaderElector(ctx, controllerManager.Start)
- }, nil
+ return controllerinit.Prepare(controllerManager.Start, leaderElector,
+ informers.kubePublicNamespaceK8s,
+ informers.kubeSystemNamespaceK8s,
+ informers.installationNamespaceK8s,
+ informers.pinniped,
+ ), nil
 }
 
 type informers struct {
@@ -345,15 +346,3 @@ func createInformers(
  ),
  }
 }
-
-func (i *informers) startAndWaitForSync(ctx context.Context) {
- i.kubePublicNamespaceK8s.Start(ctx.Done())
- i.kubeSystemNamespaceK8s.Start(ctx.Done())
- i.installationNamespaceK8s.Start(ctx.Done())
- i.pinniped.Start(ctx.Done())
-
- i.kubePublicNamespaceK8s.WaitForCacheSync(ctx.Done())
- i.kubeSystemNamespaceK8s.WaitForCacheSync(ctx.Done())
- i.installationNamespaceK8s.WaitForCacheSync(ctx.Done())
- i.pinniped.WaitForCacheSync(ctx.Done())
-}

internal/leaderelection/leaderelection.go

@@ -16,6 +16,7 @@ import (
  "k8s.io/client-go/tools/leaderelection/resourcelock"
 
  "go.pinniped.dev/internal/constable"
+ "go.pinniped.dev/internal/controllerinit"
  "go.pinniped.dev/internal/downward"
  "go.pinniped.dev/internal/kubeclient"
  "go.pinniped.dev/internal/plog"
@@ -36,7 +37,7 @@ const ErrNotLeader constable.Error = "write attempt rejected as client is not le
 // logic and will coordinate lease release with the input controller starter function.
 func New(podInfo *downward.PodInfo, deployment *appsv1.Deployment, opts ...kubeclient.Option) (
  *kubeclient.Client,
- func(context.Context, func(context.Context)),
+ controllerinit.RunnerWrapper,
  error,
 ) {
  internalClient, err := kubeclient.New(opts...)
@@ -89,7 +90,10 @@ func New(podInfo *downward.PodInfo, deployment *appsv1.Deployment, opts ...kubec
  return nil, nil, fmt.Errorf("could not create leader election client: %w", err)
  }
 
- controllersWithLeaderElector := func(ctx context.Context, controllers func(context.Context)) {
+ controllersWithLeaderElector := func(ctx context.Context, controllers controllerinit.Runner) {
+ plog.Debug("leader election loop start", "identity", identity)
+ defer plog.Debug("leader election loop shutdown", "identity", identity)
+
  leaderElectorCtx, leaderElectorCancel := context.WithCancel(context.Background()) // purposefully detached context
 
  go func() {