🐛 server: revert non-standalone VW URL

[hardys]

Summary

Partially reverts logic introduced in #2407 so we don't unconditionally use the external URL - when non-standalone VW mode is used we still need the old behavior, or the loopback client can't access the non-standalone VW server.

This breaks shard bootstrapping (evidently not in our e2e scenarios, but in a real deployment where probes mean the proxy isn't ready until the shard bootstrap is complete)

I suspect further work will be required to make standalone VW mode work when deployed on a real cluster, since the ExternalAddress will go via the proxy, which depends on proxy bootstrapping (when the shard is deployed via a Service)

[nrb]

/lgtm

[sttts]

/retest

[sttts]

/approve

[hardys]

/hold

e2e-sharded failure does look related e.g

W0124 10:26:12.676402     712 reflector.go:324] k8s.io/client-go@v0.0.0-20230113194502-8f8fb5fa4eea/tools/cache/reflector.go:167: failed to list *v1alpha1.LogicalCluster: Get "https://10.129.28.8:7445/services/initializingworkspaces/system:apibindings/clusters/%2A/apis/core.kcp.io/v1alpha1/logicalclusters?limit=500&resourceVersion=0": x509: certificate is valid for localhost, 10.129.28.8, not apiserver-loopback-client

#2407 passed so I need to figure out what changed and reproduce locally, currently I'm not clear why this previously worked given that AFAICS the controllers always use the loopback client...

[hardys]

Ok the failure in the previous revision was my mistake, I used ShardVirtualWorkspaceURL which is for shard->vw traffic, we still need to use ExternalAddress in the standalone VW case, so the initializingworkspaces requests hit the proxy.

This should now be ready to land as a first step (enables the integrated-VW case to work again when the shard is deployed behind a Service)

However @ncdc FYI I think we'll have to do further work to enable the standalone-vw case on real clusters - currently the shard bootstrap dependency on ExternalAddress presents a chicken/egg problem given that the proxy isn't available until the shard is ready.

[ncdc]

@hardys let's chat tomorrow?

[hardys]

@hardys let's chat tomorrow?

Sure, but we could also consider landing this as an interim measure (to unblock the unstable test environment)

[hardys]

/hold cancel

This could land now to unblock things, but I'll follow-up with @ncdc to discuss the plan for standalone vw - we could also look at reworking sharded-test-server so e2e better replicates the serialized bootstrapping behavior implied by using services and probes in a "real" deployment.

[hardys]

we could also look at reworking sharded-test-server so e2e better replicates the serialized bootstrapping behavior implied by using services and probes in a "real" deployment.

Turns out the proxy startup is already serialized (we wait until the shard is ready before starting the proxy), so the main difference is --external-hostname isn't pointing to the proxy in CI, pushed #2672 so we have a reproducer

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ncdc, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ncdc,sttts]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ncdc]

Flake #2589
/retest