fix getting updated user namespaces #2770
Thank you for the excellent explanation of the problem!
Thanks for taking a look!
Good point, we might have to rethink the locking methodology in this part; it seems that there might be too much. In the case of
This would indeed be a problem. Is there another unique identifier that we can use for users?
There might be a .toString() kind of thing on the Principal. But it might strip out the token, which would make it not great for this. It can be potentially sensitive so we don't want it in logs etc., maybe we add
@alichaddad @foot Is this still in progress?
Closes
What changed?
When attempting to get the namespaces of a user, we lock the flow of getting the namespaces from the cache and updating it when necessary. We also only add a cluster's namespaces to a user's namespaces when the cluster is actually found in the cluster namespaces cache.
Why was this change made?
This change was made to fix an issue where requests for resources like Kustomizations or Helm releases would sometimes return an empty result.
The issue happens when another request checks on the user namespaces in the cache while a previous request is still building the cache, resulting in a response with partial or empty results. This becomes more apparent when a cluster has an issue (unreachable or has no namespaces for whatever reason), making empty responses a common occurrence. This is due to how the implementation was written:
The proposed fix is to lock each user request by the user ID. So if a request comes from the same user while another is in process, it will only check on the status of the cache after the in-flight request is finished.
If a cluster has issues retrieving namespaces or the cluster itself is not reachable, it would not be set in the cluster namespaces cache, but it will still be set in the user namespaces cache with an empty namespaces list. The PR changes this behavior and only adds a cluster's namespaces to the user cache when it already exists in the cluster namespaces cache.
How was this change implemented?
By adding a lock when retrieving the user namespaces. Since there is a lock per user ID we had to store the locks in a map. Currently this is not being cleaned up, which might be something that we need to handle down the line.
How did you validate the change?
By adding a non-valid cluster to my instance, which caused the results of certain APIs to return empty responses consistently before my changes, and redoing the same scenario after my changes.
Release notes
Documentation Changes
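The per-user locking and the "only add clusters found in the cluster namespaces cache" rule from the PR description above, as an added Go example that is not the project's own code. The type `UserNamespaces`, its fields and the `Get` signature are hypothetical, and `sync.Map` is used here to hold the per-user locks.

```go
package main

import (
	"fmt"
	"sync"
)

// UserNamespaces is a hypothetical cache: user ID -> cluster -> namespaces.
type UserNamespaces struct {
	locks sync.Map                       // user ID -> *sync.Mutex, never cleaned up
	mu    sync.Mutex                     // guards cache and Fills
	cache map[string]map[string][]string // completed entries only
	Fills int                            // how many times an entry was built
}

func NewUserNamespaces() *UserNamespaces {
	return &UserNamespaces{cache: map[string]map[string][]string{}}
}

// Get serializes requests per user ID, so a second request for the same user
// waits for the in-flight build instead of reading a partial or empty entry.
func (u *UserNamespaces) Get(userID string, clusters []string, clusterNS map[string][]string) map[string][]string {
	l, _ := u.locks.LoadOrStore(userID, &sync.Mutex{})
	l.(*sync.Mutex).Lock()
	defer l.(*sync.Mutex).Unlock()
	u.mu.Lock()
	entry, cached := u.cache[userID]
	u.mu.Unlock()
	if cached {
		return entry
	}
	entry = map[string][]string{}
	for _, c := range clusters {
		if ns, found := clusterNS[c]; found { // cluster absent from the cluster cache: add nothing
			entry[c] = ns
		}
	}
	u.mu.Lock()
	u.cache[userID] = entry
	u.Fills++
	u.mu.Unlock()
	return entry
}

func main() {
	// Constructed sample data: "broken" is not in the cluster namespaces cache.
	u := NewUserNamespaces()
	fmt.Println(u.Get("alice", []string{"prod", "broken"}, map[string][]string{"prod": {"default"}}))
}
```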