Reroll deployment when agent config is updated

Author: sjberman

internal/framework/controller/labels.go

@@ -7,3 +7,6 @@ const (
 	AppInstanceLabel  = "app.kubernetes.io/instance"
 	AppManagedByLabel = "app.kubernetes.io/managed-by"
 )
+
+// RestartedAnnotation is added to a Deployment or DaemonSet's PodSpec to trigger a rolling restart.
+const RestartedAnnotation = "kubectl.kubernetes.io/restartedAt"

internal/framework/controller/predicate/annotation.go

@@ -1,8 +1,11 @@
 package predicate
 
 import (
+	appsv1 "k8s.io/api/apps/v1"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
+
+	"github.com/nginx/nginx-gateway-fabric/internal/framework/controller"
 )
 
 // AnnotationPredicate implements a predicate function based on the Annotation.
@@ -37,3 +40,39 @@ func (cp AnnotationPredicate) Update(e event.UpdateEvent) bool {
 
 	return oldAnnotationVal != newAnnotationVal
 }
+
+// RestartDeploymentAnnotationPredicate skips update events if they are due to a rolling restart.
+// This type of event is triggered by adding an annotation to the deployment's PodSpec.
+// This is used by the provisioner to ensure it allows for rolling restarts of the nginx deployment
+// without reverting the annotation and deleting the new pod(s).
+type RestartDeploymentAnnotationPredicate struct {
+	predicate.Funcs
+}
+
+// Update filters UpdateEvents based on if the annotation is present or changed.
+func (cp RestartDeploymentAnnotationPredicate) Update(e event.UpdateEvent) bool {
+	if e.ObjectOld == nil || e.ObjectNew == nil {
+		// this case should not happen
+		return false
+	}
+
+	depOld, ok := e.ObjectOld.(*appsv1.Deployment)
+	if !ok {
+		return false
+	}
+
+	depNew, ok := e.ObjectNew.(*appsv1.Deployment)
+	if !ok {
+		return false
+	}
+
+	oldVal, oldExists := depOld.Spec.Template.Annotations[controller.RestartedAnnotation]
+
+	if newVal, ok := depNew.Spec.Template.Annotations[controller.RestartedAnnotation]; ok {
+		if !oldExists || newVal != oldVal {
+			return false
+		}
+	}
+
+	return true
+}

internal/framework/controller/predicate/annotation_test.go

@@ -4,9 +4,13 @@ import (
 	"testing"
 
 	. "github.com/onsi/gomega"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
 	apiext "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/event"
+
+	"github.com/nginx/nginx-gateway-fabric/internal/framework/controller"
 )
 
 func TestAnnotationPredicate_Create(t *testing.T) {
@@ -222,3 +226,177 @@ func TestAnnotationPredicate_Update(t *testing.T) {
 		})
 	}
 }
+
+func TestRestartDeploymentAnnotationPredicate_Update(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		event     event.UpdateEvent
+		name      string
+		expUpdate bool
+	}{
+		{
+			name: "annotation added",
+			event: event.UpdateEvent{
+				ObjectOld: &appsv1.Deployment{
+					Spec: appsv1.DeploymentSpec{
+						Template: corev1.PodTemplateSpec{
+							ObjectMeta: metav1.ObjectMeta{
+								Annotations: map[string]string{},
+							},
+						},
+					},
+				},
+				ObjectNew: &appsv1.Deployment{
+					Spec: appsv1.DeploymentSpec{
+						Template: corev1.PodTemplateSpec{
+							ObjectMeta: metav1.ObjectMeta{
+								Annotations: map[string]string{
+									controller.RestartedAnnotation: "true",
+								},
+							},
+						},
+					},
+				},
+			},
+			expUpdate: false,
+		},
+		{
+			name: "annotation changed",
+			event: event.UpdateEvent{
+				ObjectOld: &appsv1.Deployment{
+					Spec: appsv1.DeploymentSpec{
+						Template: corev1.PodTemplateSpec{
+							ObjectMeta: metav1.ObjectMeta{
+								Annotations: map[string]string{
+									controller.RestartedAnnotation: "false",
+								},
+							},
+						},
+					},
+				},
+				ObjectNew: &appsv1.Deployment{
+					Spec: appsv1.DeploymentSpec{
+						Template: corev1.PodTemplateSpec{
+							ObjectMeta: metav1.ObjectMeta{
+								Annotations: map[string]string{
+									controller.RestartedAnnotation: "true",
+								},
+							},
+						},
+					},
+				},
+			},
+			expUpdate: false,
+		},
+		{
+			name: "annotation removed",
+			event: event.UpdateEvent{
+				ObjectOld: &appsv1.Deployment{
+					Spec: appsv1.DeploymentSpec{
+						Template: corev1.PodTemplateSpec{
+							ObjectMeta: metav1.ObjectMeta{
+								Annotations: map[string]string{
+									controller.RestartedAnnotation: "true",
+								},
+							},
+						},
+					},
+				},
+				ObjectNew: &appsv1.Deployment{
+					Spec: appsv1.DeploymentSpec{
+						Template: corev1.PodTemplateSpec{
+							ObjectMeta: metav1.ObjectMeta{
+								Annotations: map[string]string{},
+							},
+						},
+					},
+				},
+			},
+			expUpdate: true,
+		},
+		{
+			name: "annotation unchanged",
+			event: event.UpdateEvent{
+				ObjectOld: &appsv1.Deployment{
+					Spec: appsv1.DeploymentSpec{
+						Template: corev1.PodTemplateSpec{
+							ObjectMeta: metav1.ObjectMeta{
+								Annotations: map[string]string{
+									controller.RestartedAnnotation: "true",
+								},
+							},
+						},
+					},
+				},
+				ObjectNew: &appsv1.Deployment{
+					Spec: appsv1.DeploymentSpec{
+						Template: corev1.PodTemplateSpec{
+							ObjectMeta: metav1.ObjectMeta{
+								Annotations: map[string]string{
+									controller.RestartedAnnotation: "true",
+								},
+							},
+						},
+					},
+				},
+			},
+			expUpdate: true,
+		},
+		{
+			name: "old object is nil",
+			event: event.UpdateEvent{
+				ObjectOld: nil,
+				ObjectNew: &appsv1.Deployment{
+					Spec: appsv1.DeploymentSpec{
+						Template: corev1.PodTemplateSpec{
+							ObjectMeta: metav1.ObjectMeta{
+								Annotations: map[string]string{
+									controller.RestartedAnnotation: "true",
+								},
+							},
+						},
+					},
+				},
+			},
+			expUpdate: false,
+		},
+		{
+			name: "new object is nil",
+			event: event.UpdateEvent{
+				ObjectOld: &appsv1.Deployment{
+					Spec: appsv1.DeploymentSpec{
+						Template: corev1.PodTemplateSpec{
+							ObjectMeta: metav1.ObjectMeta{
+								Annotations: map[string]string{
+									controller.RestartedAnnotation: "true",
+								},
+							},
+						},
+					},
+				},
+				ObjectNew: nil,
+			},
+			expUpdate: false,
+		},
+		{
+			name: "both objects are nil",
+			event: event.UpdateEvent{
+				ObjectOld: nil,
+				ObjectNew: nil,
+			},
+			expUpdate: false,
+		},
+	}
+
+	p := RestartDeploymentAnnotationPredicate{}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			g := NewWithT(t)
+			update := p.Update(test.event)
+			g.Expect(update).To(Equal(test.expUpdate))
+		})
+	}
+}

internal/mode/static/handler.go

@@ -270,21 +270,21 @@ func (h *eventHandlerImpl) waitForStatusUpdates(ctx context.Context) {
 			return
 		}
 
+		// TODO(sberman): once we support multiple Gateways, we'll have to get
+		// the correct Graph for the Deployment contained in the update message
+		gr := h.cfg.processor.GetLatestGraph()
+		if gr == nil {
+			continue
+		}
+
 		var nginxReloadRes graph.NginxReloadResult
 		switch {
 		case item.Error != nil:
 			h.cfg.logger.Error(item.Error, "Failed to update NGINX configuration")
 			nginxReloadRes.Error = item.Error
-		default:
+		case gr.Gateway != nil:
 			h.cfg.logger.Info("NGINX configuration was successfully updated")
 		}
-
-		// TODO(sberman): once we support multiple Gateways, we'll have to get
-		// the correct Graph for the Deployment contained in the update message
-		gr := h.cfg.processor.GetLatestGraph()
-		if gr == nil {
-			continue
-		}
 		gr.LatestReloadResult = nginxReloadRes
 
 		switch item.UpdateType {

internal/mode/static/provisioner/eventloop.go

@@ -43,6 +43,7 @@ func newEventLoop(
 					k8spredicate.And(
 						k8spredicate.GenerationChangedPredicate{},
 						nginxResourceLabelPredicate,
+						predicate.RestartDeploymentAnnotationPredicate{},
 					),
 				),
 			},

internal/mode/static/provisioner/handler.go

@@ -57,7 +57,6 @@ func (h *eventHandler) HandleEventBatch(ctx context.Context, logger logr.Logger,
 			case *gatewayv1.Gateway:
 				h.store.updateGateway(obj)
 			case *appsv1.Deployment, *corev1.ServiceAccount, *corev1.ConfigMap:
-				// TODO(sberman): if ConfigMap was updated, we need to reroll Deployment
 				objLabels := labels.Set(obj.GetLabels())
 				if h.labelSelector.Matches(objLabels) {
 					gatewayName := objLabels.Get(controller.GatewayLabel)

internal/mode/static/provisioner/provisioner.go

@@ -3,11 +3,13 @@ package provisioner
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"
 
 	"github.com/go-logr/logr"
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
+	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -93,6 +95,7 @@ func NewNginxProvisioner(
 	return provisioner, eventLoop, nil
 }
 
+//nolint:gocyclo // will refactor at some point
 func (p *NginxProvisioner) provisionNginx(
 	ctx context.Context,
 	resourceName string,
@@ -107,6 +110,8 @@ func (p *NginxProvisioner) provisionNginx(
 		"name", resourceName,
 	)
 
+	var agentConfigMapUpdated, deploymentCreated bool
+	var deploymentObj *appsv1.Deployment
 	for _, obj := range objects {
 		createCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
 
@@ -145,6 +150,19 @@ func (p *NginxProvisioner) provisionNginx(
 			continue
 		}
 
+		switch o := obj.(type) {
+		case *appsv1.Deployment:
+			deploymentObj = o
+			if res == controllerutil.OperationResultCreated {
+				deploymentCreated = true
+			}
+		case *corev1.ConfigMap:
+			if res == controllerutil.OperationResultUpdated &&
+				strings.Contains(obj.GetName(), nginxAgentConfigMapNameSuffix) {
+				agentConfigMapUpdated = true
+			}
+		}
+
 		result := cases.Title(language.English, cases.Compact).String(string(res))
 		p.cfg.Logger.V(1).Info(
 			fmt.Sprintf("%s nginx %s", result, obj.GetObjectKind().GroupVersionKind().Kind),
@@ -153,6 +171,34 @@ func (p *NginxProvisioner) provisionNginx(
 		)
 	}
 
+	// if agent configmap was updated, then we'll need to restart the deployment
+	if agentConfigMapUpdated && !deploymentCreated {
+		updateCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
+		defer cancel()
+
+		p.cfg.Logger.V(1).Info(
+			"Restarting nginx deployment after agent configmap update",
+			"name", deploymentObj.GetName(),
+			"namespace", deploymentObj.GetNamespace(),
+		)
+
+		if deploymentObj.Spec.Template.Annotations == nil {
+			deploymentObj.Annotations = make(map[string]string)
+		}
+		deploymentObj.Spec.Template.Annotations[controller.RestartedAnnotation] = time.Now().Format(time.RFC3339)
+
+		if err := p.k8sClient.Update(updateCtx, deploymentObj); err != nil && !apierrors.IsConflict(err) {
+			p.cfg.EventRecorder.Eventf(
+				deploymentObj,
+				corev1.EventTypeWarning,
+				"RestartFailed",
+				"Failed to restart nginx deployment after agent config update: %s",
+				err.Error(),
+			)
+			return err
+		}
+	}
+
 	return nil
 }