* make minimum tls version configurable
* change default min TLS version to 1.3
* change opencensus tls min version to 1.3
* Update env var name
Co-authored-by: Dave Protasowski <dprotaso@gmail.com>
* use webhook options to configure min tls version
* add unit tests for webhook tlsMinVersion option
* Update webhook/env.go
Co-authored-by: Dave Protasowski <dprotaso@gmail.com>
* address feedback
---------
Co-authored-by: Dave Protasowski <dprotaso@gmail.com>
* allow drainer to be reset
* ensure Reset can be called multiple times
* add comment explaining the use of the channel
* bump tolerance as it flaked in actions
* update godoc
* fix linting and comments
* Making TestDialWithBackoff work without special environment
* Use listen to force a connection timeout (#1)
* Don't parallelize tests to avoid free port conflicts
Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com>
Go 1.17 introduced a new handy API for setting env vars scoped for
a single test so we can avoid the hard to read set and reset env
loops.
Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
Go's http client helpfully adds an "Accept-Encoding: gzip" header if not
already present, and unzips the response if it did so. While this is
often the right thing to do, it is not the right thing to do if we're
reverse proxying since (a) it means we add a header to the request the
client didn't actually ask for (b) it means we end up uncompressing
things in the proxy, which e.g. for activator/QP is not what we want.
* Use http.Transport.Clone in preference to copy-pasting defaults
Since go 1.13 http.Transport has a Clone method which means we can
inherit and override the defaults rather than re-stating them. This also
makes it clear that we're overriding the http.DefaultTransport default
for ForceAttemptHTTP2, which we are.
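The two transport changes described above, as an added example (not code from knative/pkg). It assumes the reverse-proxy fix is to set DisableCompression on a transport cloned from http.DefaultTransport; newProxyTransport and observedAcceptEncoding are hypothetical names, and the backend is a constructed local test server.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newProxyTransport is a hypothetical helper (an assumption, not knative/pkg
// code). It inherits http.DefaultTransport's settings via Clone and overrides
// only what a reverse proxy needs.
func newProxyTransport() *http.Transport {
	t := http.DefaultTransport.(*http.Transport).Clone()
	// Stop the client from injecting "Accept-Encoding: gzip" and from
	// transparently decompressing the backend's response inside the proxy.
	t.DisableCompression = true
	return t
}

// observedAcceptEncoding sends one GET through rt to a constructed local
// backend and returns the Accept-Encoding value the backend received.
// clientValue, if non-empty, is the header the original client set itself.
func observedAcceptEncoding(rt http.RoundTripper, clientValue string) (string, error) {
	seen := make(chan string, 1)
	backend := httptest.NewServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Get("Accept-Encoding")
	}))
	defer backend.Close()

	req, err := http.NewRequest(http.MethodGet, backend.URL, nil)
	if err != nil {
		return "", err
	}
	if clientValue != "" {
		req.Header.Set("Accept-Encoding", clientValue)
	}
	resp, err := (&http.Client{Transport: rt}).Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return <-seen, nil
}

func main() {
	def, _ := observedAcceptEncoding(http.DefaultTransport.(*http.Transport).Clone(), "")
	proxy, _ := observedAcceptEncoding(newProxyTransport(), "")
	fmt.Printf("default=%q proxy=%q\n", def, proxy)
}
```

With the default settings the backend sees a header the client never sent; with the proxy transport the request arrives as the client wrote it, and a client-supplied Accept-Encoding is forwarded unchanged.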
* Enable disableKeepAlives
This method is not used anywhere outside pkg right now, so it's a safe change.
This will permit activator to set desired maxidle params and cache more connections for better performance
* Harden the drain tests more
- introduce synthetic timer that gives us the capability to actually trigger events in the drain itself
- unfortunately we still need time.After calls in the test due to the timing for go routines to finish (they race the default: case and lose).
* comment
* more things
* pfpf
* dudud
* Implement a new shared "Drainer" handler.
This implements a new `http.Handler` called `Drainer`, which is intended to wrap some inner `http.Handler` business logic with a new outer handler that can respond to Kubelet probes (successfully until told to "Drain()").
This takes over the webhook's relatively new probe handling and lame duck logic with one key difference. Previously the webhook waited for a fixed period after SIGTERM before exiting, but the new logic waits for this same grace period AFTER THE LAST REQUEST. So if the handler keeps getting (non-probe) requests, the timer will continually reset, and once it stops receiving requests for the configured grace period, "Drain()" will return and the webhook will exit.
The goal of this work is to try to better cope with what we believe to be high tail latencies of the API server seeing that a webhook replica is shutting down.
Related: https://github.com/knative/pkg/issues/1509
* Switch to RWLock
* Implement the K8s lifecycle in webhook.
The webhook never properly implemented the Kubernetes SIGTERM/SIGKILL
lifecycle, and doesn't even really support readiness probes today. This
change enables folks to use a block like this on their webhook container:
```yaml
readinessProbe: &probe
  periodSeconds: 1
  httpGet:
    scheme: HTTPS
    port: 8443
    httpHeaders:
    - name: k-kubelet-probe
      value: "webhook"
livenessProbe: *probe
```
With this, the webhook won't report as `Ready` until a probe has succeeded,
and when the SIGTERM is received, we will start failing probes for a grace
period (so our Endpoint drops) before shutting down the webhook's HTTP Server.
This was uncovered by running the webhook across 10 replicas in Serving with
the "Goose" (https://github.com/knative/pkg/pull/1316) enabled for the e2e
tests. The failure mode I saw was conversion webhook requests failing across
random tests.
This also moves the Serving probe-detection function into PKG.
* Increase the log level when we start to fail probes
* Wait for go routines to terminate on all paths.
* Move generic packages from serving to pkg.
I was asked to move this to do some re-use in Eventing.
/cc @chizh
/assign mattmoor @tcnghia
* fix the compile error