[CONTP-521] use a hybrid health check for wlm kubeapiserver collector

[adel121]

What does this PR do?

Replaces Startup health check of workloadmeta's kubeapiserver collector by a hybrid check between readiness and startup:

• if the check didn't pass yet, the DCA pod should be removed from the DCA service
• if the check didn't pass for some time, the DCA should not be killed and restarted.

Motivation

Reduce CrashLoopbackOff issues faced in the DCA on large clusters due to the time it takes for the kubeapiserver workloadmeta collector to sync kubernetes resources and mark the check as ready.

Full context:

The main problem with using the Readiness probe is that it stays active for the entire lifecycle of the pod. This means that it will keep checking the Readiness probe even though the probe on `workloadmeta-kubeapiserver` was intended as a startup one. This could lead to the Cluster Agent being removed from the Kubernetes Service and therefor unreachable.

The Startup probe will pass once and after validation, be disabled by Kubernetes, fitting the use-case that we have for the `workloadmeta-kubeapiserver`.

The problem with this probe is that the impact is not the same. Instead of removing the pod for Kubernetes Services, the startup probe will, like the liveness one, try to restart the pod.

In specific cases like on large cluster, the `workloadmeta-kubeapiserver` can take more than the allocated time to be validated as the synchronization of the reflector is depends on the Kubernetes API Server. If that happens, then the Cluster Agent gets restarted.

Even worse, this could lead to CrashLoopBackOff as the Cluster Agent never has enough time to sync the reflectors before the probe fails.

Describe how you validated your changes

Unit tests are updated to test the new change.
We also already have E2E tests in place.

As an extra validation, you can deploy the cluster agent on a kubernetes cluster and ensure that you have the correct components healthy in liveness, readiness and startup endpoints:

# startup probe:
curl http://localhost:5556/start

{
  "Healthy":
    [
      "healthcheck",
      "tagger-store",
      "clusterchecks-leadership",
      "ad-config-provider-kubernetes-endpoints",
      "ad-config-provider-kubernetes-services",
      "clusterchecks-dispatch",
      "workloadmeta-puller",
      "ad-servicelistening",
      "workloadmeta-store",
      "tagger-workloadmeta",
      "collector-queue-15s",
      "aggregator",
    ],
  "Unhealthy": null,
}


# liveness probe:
curl http://localhost:5556/live

{
  "Healthy":
    [
      "healthcheck",
      "clusterchecks-leadership",
      "ad-config-provider-kubernetes-endpoints",
      "ad-config-provider-kubernetes-services",
      "clusterchecks-dispatch",
      "workloadmeta-puller",
      "tagger-store",
      "workloadmeta-store",
      "tagger-workloadmeta",
      "collector-queue-15s",
      "aggregator",
      "ad-servicelistening",
    ],
  "Unhealthy": null,
}

# readiness probe:
curl http://localhost:5556/ready

{
  "Healthy":
    [
      "healthcheck",
      "collector-queue-15s",
      "aggregator",
      "ad-servicelistening",
      "workloadmeta-store",
      "tagger-workloadmeta",
      "ad-config-provider-kubernetes-services",
      "clusterchecks-dispatch",
      "workloadmeta-puller",
      "tagger-store",
      "clusterchecks-leadership",
      "ad-config-provider-kubernetes-endpoints",
      "healthcheck",
      "workloadmeta-kubeapiserver",
    ],
  "Unhealthy": null,
}

Possible Drawbacks / Trade-offs

Additional Notes

[agent-platform-auto-pr]

Test changes on VM

Use this command from test-infra-definitions to manually test this PR changes on a VM:

inv aws.create-vm --pipeline-id=50585312 --os-family=ubuntu

Note: This applies to commit 5a562f8

[cit-pr-commenter]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: f141bd4c-6af5-46bb-b4c3-6a987a15a00d

Baseline: 2491564
Comparison: 5a562f8
Diff

Optimization Goals: ✅ No significant changes detected

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	file_to_blackhole_1000ms_latency	egress throughput	+0.35	[-0.43, +1.14]	1	Logs
➖	uds_dogstatsd_to_api_cpu	% cpu utilization	+0.31	[-0.43, +1.04]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	+0.16	[+0.05, +0.27]	1	Logs bounds checks dashboard
➖	file_to_blackhole_1000ms_latency_linear_load	egress throughput	+0.14	[-0.33, +0.60]	1	Logs
➖	quality_gate_idle	memory utilization	+0.03	[-0.01, +0.08]	1	Logs bounds checks dashboard
➖	file_to_blackhole_100ms_latency	egress throughput	+0.03	[-0.68, +0.74]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	-0.00	[-0.01, +0.01]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	-0.01	[-0.11, +0.10]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	-0.04	[-0.92, +0.84]	1	Logs
➖	file_to_blackhole_300ms_latency	egress throughput	-0.07	[-0.70, +0.57]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	-0.13	[-0.91, +0.65]	1	Logs
➖	otel_to_otel_logs	ingress throughput	-0.25	[-0.90, +0.41]	1	Logs
➖	tcp_syslog_to_blackhole	ingress throughput	-0.78	[-0.86, -0.71]	1	Logs
➖	file_tree	memory utilization	-1.05	[-1.18, -0.92]	1	Logs
➖	quality_gate_logs	% cpu utilization	-2.29	[-5.20, +0.63]	1	Logs

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	links
✅	file_to_blackhole_0ms_latency	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency_linear_load	memory_usage	10/10
✅	file_to_blackhole_100ms_latency	lost_bytes	10/10
✅	file_to_blackhole_100ms_latency	memory_usage	10/10
✅	file_to_blackhole_300ms_latency	lost_bytes	10/10
✅	file_to_blackhole_300ms_latency	memory_usage	10/10
✅	file_to_blackhole_500ms_latency	lost_bytes	10/10
✅	file_to_blackhole_500ms_latency	memory_usage	10/10
✅	quality_gate_idle	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_logs	lost_bytes	10/10
✅	quality_gate_logs	memory_usage	10/10

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.

[vickenty]

Rather than having to update a lot of code, consider using functional options to pass additional flags. In addition to fewer places to update, RegisterLiveness(..., health.RunOnce) is more explicit than RegisterLiveness(..., true) and will easier to extend later.

[adel121]

Thanks for the suggestion

I wanted to do this at first but I thought it would make the code a bit harder to understand (I mean when reading the health package, while it will definitely be more understandable for external components).

I updated the code with your suggestion, I agree it is cleaner this way

[adel121]

/merge

[dd-devflow]

Devflow running: /merge

View all feedbacks in Devflow UI.

---

2024-12-09 18:27:37 UTC ℹ️ MergeQueue: pull request added to the queue

The median merge time in main is 24m.