validate subcommand: various changes (#1088)

Craig Furman · web-flow · commit 3ce717fe9ce3 · 2024-05-21T17:03:16.000+01:00
Remove "connections" validation. This checked that various services were TCP-reachable (and resolvable by kube-dns), from various pods. For example, it checked that pgsql was reachable from frontend. This particular validation wouldn't always be useful, e.g. when external postgres clusters were used. It was also failing due to the removal of `nc` from base images. This upstream health-checking _could_ be replaced by doing this check in the readiness probe handler. For example: frontend pods could check the availability of a pgsql connection, and fail their readiness probe if that is unavailable. This is a contentious topic however and should be approached with caution: mean-time-to-recovery can actually substantially increase under some configurations due to cascading failing readiness probes. This commit conservatively aims to restore utility of src-validate by removing the always-failing connections check, and there are no immediate plans to add upstream readiness probing. This commit also changes src-validate to exit with non-zero status when there are no pods and/or services. This white-box check does have some utility, as a sanity check that we've deployed anything at all. The "no PVCs" case is left as a warning, in case the user is using external DBs everywhere, and might legitimately have no PVCs in their namespace. This closes https://linear.app/sourcegraph/issue/REL-42/src-validate-should-not-exit-with-zero-when-no-pods-are-available-at and https://linear.app/sourcegraph/issue/REL-40/fix-src-validate-now-that-nc-is-not-available, assuming we agree with https://linear.app/sourcegraph/issue/REL-40/fix-src-validate-now-that-nc-is-not-available#comment-7b40beee. It will be followed-up with an implementation of https://linear.app/sourcegraph/issue/REL-43/src-validate-should-perform-black-box-validations-of-core-flows.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,10 @@ All notable changes to `src-cli` are documented in this file.
 
 ### Fixed
 
+- validate kube: connections check removed.
+- validate kube: exits non-zero when there are no pods or services in the target
+  namespace.
+
 ### Removed
 
 ## 5.4.0
diff --git a/internal/validate/kube/kube.go b/internal/validate/kube/kube.go
@@ -1,25 +1,21 @@
 package kube
 
 import (
-	"bytes"
 	"context"
 	"fmt"
 	"io"
 	"log"
 	"os"
 	"path/filepath"
 	"reflect"
-	"regexp"
 	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 
-	"k8s.io/client-go/tools/remotecommand"
 	"k8s.io/client-go/util/homedir"
 
 	"github.com/aws/aws-sdk-go-v2/service/ec2"
@@ -30,12 +26,6 @@ import (
 	"github.com/sourcegraph/sourcegraph/lib/errors"
 )
 
-var (
-	sourcegraphFrontend    = regexp.MustCompile(`^sourcegraph-frontend-.*`)
-	sourcegraphRepoUpdater = regexp.MustCompile(`^repo-updater-.*`)
-	sourcegraphWorker      = regexp.MustCompile(`^worker-.*`)
-)
-
 type Option = func(config *Config)
 
 type Config struct {
@@ -95,7 +85,6 @@ func Validate(ctx context.Context, clientSet *kubernetes.Clientset, restConfig *
 		{Pods, "validating pods", "pods validated", "validating pods failed"},
 		{Services, "validating services", "services validated", "validating services failed"},
 		{PVCs, "validating pvcs", "pvcs validated", "validating pvcs failed"},
-		{Connections, "validating connections", "connections validated", "validating connections failed"},
 	}
 
 	if cfg.eks {
@@ -213,9 +202,9 @@ func Pods(ctx context.Context, config *Config) ([]validate.Result, error) {
 
 	if len(pods.Items) == 0 {
 		results = append(results, validate.Result{
-			Status: validate.Warning,
+			Status: validate.Failure,
 			Message: fmt.Sprintf(
-				"No pods exist on namespace '%s'. check namespace/cluster",
+				"no pods exist in namespace '%s'. check namespace/cluster",
 				config.namespace,
 			),
 		})
@@ -305,9 +294,9 @@ func Services(ctx context.Context, config *Config) ([]validate.Result, error) {
 
 	if len(services.Items) <= 1 {
 		results = append(results, validate.Result{
-			Status: validate.Warning,
+			Status: validate.Failure,
 			Message: fmt.Sprintf(
-				"unexpected number of services on namespace '%s'; check namespace/cluster",
+				"no services in namespace '%s'; check namespace/cluster",
 				config.namespace,
 			),
 		})
@@ -384,128 +373,6 @@ func validatePVC(pvc *corev1.PersistentVolumeClaim) []validate.Result {
 	return results
 }
 
-type connection struct {
-	src  corev1.Pod
-	dest []dest
-}
-
-type dest struct {
-	addr string
-	port string
-}
-
-// Connections will validate that Sourcegraph services can reach each other over the network.
-func Connections(ctx context.Context, config *Config) ([]validate.Result, error) {
-	var results []validate.Result
-	var connections []connection
-
-	pods, err := config.clientSet.CoreV1().Pods(config.namespace).List(ctx, metav1.ListOptions{})
-	if err != nil {
-		return nil, err
-	}
-
-	if len(pods.Items) == 0 {
-		results = append(results, validate.Result{
-			Status: validate.Warning,
-			Message: fmt.Sprintf(
-				"cannot check connections: zero pods exist in namespace '%s'",
-				config.namespace,
-			),
-		})
-
-		return results, nil
-	}
-
-	// iterate through pods looking for specific pod name prefixes, then construct
-	// a relationship map between pods that should have connectivity with each other
-	for _, pod := range pods.Items {
-		switch name := pod.Name; {
-		case sourcegraphFrontend.MatchString(name): // pod is one of the sourcegraph front-end pods
-			connections = append(connections, connection{
-				src: pod,
-				dest: []dest{
-					{
-						addr: "pgsql",
-						port: "5432",
-					},
-					{
-						addr: "indexed-search",
-						port: "6070",
-					},
-					{
-						addr: "repo-updater",
-						port: "3182",
-					},
-					{
-						addr: "syntect-server",
-						port: "9238",
-					},
-				},
-			})
-		case sourcegraphWorker.MatchString(name): // pod is a worker pod
-			connections = append(connections, connection{
-				src: pod,
-				dest: []dest{
-					{
-						addr: "pgsql",
-						port: "5432",
-					},
-				},
-			})
-		case sourcegraphRepoUpdater.MatchString(name):
-			connections = append(connections, connection{
-				src: pod,
-				dest: []dest{
-					{
-						addr: "pgsql",
-						port: "5432",
-					},
-				},
-			})
-		}
-	}
-
-	// use network relationships constructed above to test network connection for each relationship
-	for _, c := range connections {
-		for _, d := range c.dest {
-			req := config.clientSet.CoreV1().RESTClient().Post().
-				Resource("pods").
-				Name(c.src.Name).
-				Namespace(c.src.Namespace).
-				SubResource("exec")
-
-			req.VersionedParams(&corev1.PodExecOptions{
-				Command: []string{"/usr/bin/nc", "-z", d.addr, d.port},
-				Stdin:   false,
-				Stdout:  true,
-				Stderr:  true,
-				TTY:     false,
-			}, scheme.ParameterCodec)
-
-			exec, err := remotecommand.NewSPDYExecutor(config.restConfig, "POST", req.URL())
-			if err != nil {
-				return nil, err
-			}
-
-			var stdout, stderr bytes.Buffer
-
-			err = exec.StreamWithContext(ctx, remotecommand.StreamOptions{
-				Stdout: &stdout,
-				Stderr: &stderr,
-			})
-			if err != nil {
-				return nil, errors.Wrapf(err, "connecting to %s", c.src.Name)
-			}
-
-			if stderr.String() != "" {
-				results = append(results, validate.Result{Status: validate.Failure, Message: stderr.String()})
-			}
-		}
-	}
-
-	return results, nil
-}
-
 func CurrentContextSetTo(clusterService string) error {
 	currentContext, err := GetCurrentContext()
 	if err != nil {
