2026-04-24 23:11:47 -05:00
|
|
|
package agent
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"fmt"
|
|
|
|
|
"log/slog"
|
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
|
"k8s.io/apimachinery/pkg/types"
|
|
|
|
|
"k8s.io/client-go/kubernetes"
|
|
|
|
|
"k8s.io/client-go/rest"
|
|
|
|
|
)
|
|
|
|
|
|
2026-04-26 08:55:03 -05:00
|
|
|
// fieldManager identifies flock-agent in apiserver field-manager bookkeeping.
|
|
|
|
|
// Server-Side Apply only takes ownership of the fields we send, so other
|
|
|
|
|
// managers (kubelet, kcm) keep their conditions untouched between our writes.
|
|
|
|
|
const nodeStatusFieldManager = "flock-agent"
|
|
|
|
|
|
2026-04-24 23:11:47 -05:00
|
|
|
// keepNetworkAvailable maintains a NetworkUnavailable=False condition on
|
|
|
|
|
// the node's status. Calico-node sets this False while it owns CNI; on
|
|
|
|
|
// shutdown it sets it to True with reason CalicoIsDown, which adds the
|
|
|
|
|
// node.kubernetes.io/network-unavailable taint and blocks new scheduling.
|
2026-04-26 08:55:03 -05:00
|
|
|
// Once flock-agent is in charge, we own that single condition.
|
|
|
|
|
//
|
|
|
|
|
// Uses Server-Side Apply against the status subresource. NodeStatus.Conditions
|
|
|
|
|
// is a listType=map keyed by `type`, so SSA merges by type — our partial body
|
|
|
|
|
// declares ownership of just the NetworkUnavailable entry and leaves the
|
|
|
|
|
// kubelet-managed conditions (Ready, MemoryPressure, DiskPressure, PIDPressure)
|
|
|
|
|
// alone. A prior implementation used JSON merge-patch with a one-element
|
|
|
|
|
// conditions array, which the apiserver REPLACES (merge-patch on arrays is
|
|
|
|
|
// whole-array semantics) — that race-stripped the kubelet conditions every
|
|
|
|
|
// 60s and produced ~5s flickers in `kubectl get nodes`.
|
2026-04-24 23:11:47 -05:00
|
|
|
//
|
2026-04-26 08:55:03 -05:00
|
|
|
// Re-applies every minute (heartbeat-style) so a stale condition from a
|
2026-04-24 23:11:47 -05:00
|
|
|
// previous CNI is overwritten without an explicit transition.
|
|
|
|
|
func keepNetworkAvailable(ctx context.Context, cfg *rest.Config, node string, logger *slog.Logger) {
|
|
|
|
|
cs, err := kubernetes.NewForConfig(cfg)
|
|
|
|
|
if err != nil {
|
|
|
|
|
logger.Warn("network-condition: kubernetes client", "err", err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
apply := func() {
|
2026-04-26 08:55:03 -05:00
|
|
|
now := metav1.Now().UTC().Format(time.RFC3339)
|
|
|
|
|
// Hand-build the SSA body so we only declare the fields we own.
|
|
|
|
|
// Force=true lets us reclaim the condition if a previous CNI's
|
|
|
|
|
// finalizer/cleanup left it owned by a different manager.
|
|
|
|
|
body := []byte(fmt.Sprintf(`{
|
|
|
|
|
"apiVersion": "v1",
|
|
|
|
|
"kind": "Node",
|
|
|
|
|
"metadata": {"name": %q},
|
|
|
|
|
"status": {"conditions": [{
|
|
|
|
|
"type": "NetworkUnavailable",
|
|
|
|
|
"status": "False",
|
|
|
|
|
"reason": "FlockReady",
|
|
|
|
|
"message": "flock-agent owns CNI on this node",
|
|
|
|
|
"lastHeartbeatTime": %q,
|
|
|
|
|
"lastTransitionTime": %q
|
|
|
|
|
}]}
|
|
|
|
|
}`, node, now, now))
|
|
|
|
|
force := true
|
|
|
|
|
_, err := cs.CoreV1().Nodes().Patch(ctx, node, types.ApplyPatchType, body,
|
|
|
|
|
metav1.PatchOptions{FieldManager: nodeStatusFieldManager, Force: &force},
|
|
|
|
|
"status")
|
2026-04-24 23:11:47 -05:00
|
|
|
if err != nil {
|
2026-04-26 08:55:03 -05:00
|
|
|
logger.Warn("network-condition: ssa apply failed", "err", err)
|
2026-04-24 23:11:47 -05:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
apply()
|
|
|
|
|
t := time.NewTicker(60 * time.Second)
|
|
|
|
|
defer t.Stop()
|
|
|
|
|
for {
|
|
|
|
|
select {
|
|
|
|
|
case <-ctx.Done():
|
|
|
|
|
return
|
|
|
|
|
case <-t.C:
|
|
|
|
|
apply()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
