Rewrite clean-nginx-conf.sh in Go to speed up admission webhook #7076

cgorbit · 2021-04-25T15:21:29Z

What this PR does / why we need it:

Current implementation of validating web hook may be too slow in some
circumstances because it use Shell-script to tidy generated full nginx config.
On my dev-cluster with lots of namespaces/ingresses this sometimes lead too (in apiserver):

Error: Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": Post https://nginx-internal-grpc-ingress-nginx-controller-admission.ingress-nginx.svc:443/networking/v1beta1/ingresses?timeout=30s: context deadline exceeded

web hook:

ingress-nginx/internal/admission/controller/main.go

Line 57 in f5cfd57

    
           func (ia *IngressAdmission) HandleAdmission(obj runtime.Object) (runtime.Object, error) {

call to shell-script:

ingress-nginx/internal/ingress/controller/template/template.go

Line 113 in f5cfd57

cmd := exec.Command("/ingress-controller/clean-nginx-conf.sh")

shell-script: https://github.com/kubernetes/ingress-nginx/blob/f5cfd5730c4b296c87fbc531c83a6e4f33483b75/rootfs/ingress-controller/clean-nginx-conf.sh

I rewrite tidy-code in Golang in this PR to speed it up.

My kubernetes in AWS:

bash-5.0$ time /ingress-controller/clean-nginx-conf.sh < nginx-big.conf > result.old
real	0m3.696s
user	0m4.519s
sys	0m0.868s

bash-5.0$ time ./indent < nginx-big.conf > result.new

real	0m0.127s
user	0m0.120s
sys	0m0.008s

bash-5.0$ diff -u result.old result.new
--- result.old	2021-04-25 14:46:57.549149609 +0000
+++ result.new	2021-04-25 14:47:21.885195144 +0000
@@ -44,7 +44,7 @@
 			use_proxy_protocol = false,
 			is_ssl_passthrough_enabled = false,
 			http_redirect_code = 308,
-		listen_ports = { ssl_proxy = "442", https = "443" },
+			listen_ports = { ssl_proxy = "442", https = "443" },

 			hsts = true,
 			hsts_max_age = 15724800,
@@ -89,7 +89,7 @@
 		plugins = res
 		end
 		-- load all plugins that'll be used here
-	plugins.init({  })
+		plugins.init({  })
 	}

 	init_worker_by_lua_block {

bash-5.0$

On localhost (not so impressive):

17:57:23 cgorbit@cgorbit:[0]~/go/src/k8s.io/ingress-nginx$ time rootfs/ingress-controller/clean-nginx-conf.sh < ~/nginx-big.conf > result.old

real	0m0,328s
user	0m0,730s
sys	0m0,074s
17:57:29 cgorbit@cgorbit:[0]~/go/src/k8s.io/ingress-nginx$ time ./indent < ~/nginx-big.conf > result.new

real	0m0,132s
user	0m0,116s
sys	0m0,017s
17:57:31 cgorbit@cgorbit:[0]~/go/src/k8s.io/ingress-nginx$ diff -u result.old result.new
--- result.old	2021-04-25 17:57:24.120927547 +0300
+++ result.new	2021-04-25 17:57:31.020945713 +0300
@@ -44,7 +44,7 @@
 			use_proxy_protocol = false,
 			is_ssl_passthrough_enabled = false,
 			http_redirect_code = 308,
-		listen_ports = { ssl_proxy = "442", https = "443" },
+			listen_ports = { ssl_proxy = "442", https = "443" },

 			hsts = true,
 			hsts_max_age = 15724800,
@@ -89,7 +89,7 @@
 		plugins = res
 		end
 		-- load all plugins that'll be used here
-	plugins.init({  })
+		plugins.init({  })
 	}

 	init_worker_by_lua_block {

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to change)

This is performance improvement.

Which issue/s this PR fixes

No related issues

How Has This Been Tested?

I compare result of original clean-nginx-conf.sh and my new code on 11MB nginx.conf
The only diff is: https://gist.github.com/cgorbit/c0c9d6442dc18d44113d685e2e6bce27
Which is improvement, I think.
make test: https://gist.github.com/cgorbit/bd302d9fdd55a93d509427981f9ee490
make lua-test

$ make lua-test
nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
163 successes / 0 failures / 0 errors / 0 pending : 0.088464 seconds

make kind-e2e-test
https://gist.github.com/cgorbit/b6f2db83275c8c996f5bb5b4de668820

Checklist:

My change requires a change to the documentation.
I have updated the documentation accordingly.
I've read the CONTRIBUTION guide
I have added tests to cover my changes.
All new and existing tests passed.

k8s-ci-robot · 2021-04-25T15:21:37Z

Welcome @cgorbit!

It looks like this is your first PR to kubernetes/ingress-nginx 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/ingress-nginx has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

k8s-ci-robot · 2021-04-25T15:21:37Z

Hi @cgorbit. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

cgorbit · 2021-04-27T16:18:31Z

ping @bowei ?

cgorbit · 2021-04-27T16:18:44Z

/assign @bowei

cgorbit · 2021-04-27T16:19:27Z

Sorry if I misunderstood instruction and make early assign

rikatz · 2021-05-12T22:20:51Z

/ok-to-test

Thanks for the PR. Will review during this week/end :)

paalkr · 2021-06-02T21:36:56Z

@andersosthus compiled a custom build, for internal testing, with this fix on top of 0.46. In a K8s 1.18 cluster with approx 900 complex ingress objects (several hundred hosts, snippets, regex, certs etc) validation using the bash based code did not succeed within the 30 seconds limit. Now with this Go based implementation, validation takes around 4-7 seconds. So I would say this is a huge improvement. The previous implementation did not work for us due to the timeout.

paalkr · 2021-06-15T22:10:29Z

Any news on when this fix will be merged? We have been running with this in production for two weeks as of now, it really is a game changes for clusters with many ingress objects and complex configurations.

rikatz · 2021-06-15T23:28:13Z

Hi there,

I've been a bit busy with #7156 and this is why I'm taking some time to answer.

As soon as I finish that one I'm really willing to look at this PR, sounds really promising.

Thanks

rikatz · 2021-06-20T15:38:14Z

/priority important-soon
/kind cleanup

rikatz

@cgorbit Thanks for your PR!

I must confess I'm a bit confuse by the logic inside the byte reader, so I would like to ask:

Not ignoring or panic'ng errors, but instead returning them as part of the function and dealing with them in the caller.
Add some comments with examples of what each switch case is doing and when it may happen
As we are moving to Go, some unit test as well with known cases.

Thanks!

rikatz · 2021-06-20T15:47:46Z