fix: capi CI flakes and reconcilation bugs (#172)

berkayoz · web-flow · commit 37658bcd0361 · 2025-08-01T10:50:54.000+03:00
* fix: use namespace from reference for external.Get

* fix: requeue instead of returning when ControlPlaneEndpoint is not set

This change to requeue instead of returning is to ensure intermittent reconcile skips do not happen such as the one that happens in `Workload cluster scaling` tests when scaling up

* fix: add custom haproxy config for docker

The default haproxy config of CAPD does not have a hard timeout, meaning
abrupt config changes or apiservers disappearing can sometimes leave
hanging connections. This recovers capi-manager from being stuck in a loop with `Client.Timeout exceeded while awaiting headers` when performing a node cordon operation etc.
diff --git a/controlplane/controllers/ck8scontrolplane_controller.go b/controlplane/controllers/ck8scontrolplane_controller.go
@@ -443,7 +443,7 @@ func (r *CK8sControlPlaneReconciler) reconcile(ctx context.Context, cluster *clu
 	logger.Info("Reconcile CK8sControlPlane")
 
 	// Make sure to reconcile the external infrastructure reference.
-	if err := r.reconcileExternalReference(ctx, cluster, kcp.Spec.MachineTemplate.InfrastructureRef); err != nil {
+	if err := r.reconcileExternalReference(ctx, cluster, &kcp.Spec.MachineTemplate.InfrastructureRef); err != nil {
 		return reconcile.Result{}, err
 	}
 
@@ -462,10 +462,12 @@ func (r *CK8sControlPlaneReconciler) reconcile(ctx context.Context, cluster *clu
 	}
 	conditions.MarkTrue(kcp, controlplanev1.TokenAvailableCondition)
 
-	// If ControlPlaneEndpoint is not set, return early
+	// If ControlPlaneEndpoint is not set, requeue to wait for it to be set.
+	// (berkayoz): This change to requeue instead of returning is to ensure
+	// intermittent reconcile skips such as the one that happens in `Workload cluster scaling` tests
 	if !cluster.Spec.ControlPlaneEndpoint.IsValid() {
 		logger.Info("Cluster does not yet have a ControlPlaneEndpoint defined")
-		return reconcile.Result{}, nil
+		return reconcile.Result{RequeueAfter: 3 * time.Second}, nil
 	}
 
 	// Generate Cluster Kubeconfig if needed
@@ -561,12 +563,22 @@ func (r *CK8sControlPlaneReconciler) reconcile(ctx context.Context, cluster *clu
 	return reconcile.Result{}, nil
 }
 
-func (r *CK8sControlPlaneReconciler) reconcileExternalReference(ctx context.Context, cluster *clusterv1.Cluster, ref corev1.ObjectReference) error {
+func (r *CK8sControlPlaneReconciler) reconcileExternalReference(ctx context.Context, cluster *clusterv1.Cluster, ref *corev1.ObjectReference) error {
 	if !strings.HasSuffix(ref.Kind, clusterv1.TemplateSuffix) {
 		return nil
 	}
 
-	obj, err := external.Get(ctx, r.Client, &ref)
+	logger := r.Log.WithValues("namespace", ref.Namespace, "CK8sControlPlane", ref.Name, "cluster", cluster.Name)
+	logger.Info("Reconciling external template reference", "ref", ref)
+
+	// Ensure the ref namespace is populated for objects not yet defaulted by webhook
+	// https://github.com/kubernetes-sigs/cluster-api/pull/11361
+	if ref.Namespace == "" {
+		ref = ref.DeepCopy()
+		ref.Namespace = cluster.Namespace
+	}
+
+	obj, err := external.Get(ctx, r.Client, ref)
 	if err != nil {
 		return err
 	}
diff --git a/controlplane/controllers/scale.go b/controlplane/controllers/scale.go
@@ -245,6 +245,12 @@ func (r *CK8sControlPlaneReconciler) cloneConfigsAndGenerateMachine(ctx context.
 		UID:        kcp.UID,
 	}
 
+	// Ensure the ref namespace is populated for objects not yet defaulted by webhook
+	if kcp.Spec.MachineTemplate.InfrastructureRef.Namespace == "" {
+		kcp.Spec.MachineTemplate.InfrastructureRef = *kcp.Spec.MachineTemplate.InfrastructureRef.DeepCopy()
+		kcp.Spec.MachineTemplate.InfrastructureRef.Namespace = cluster.Namespace
+	}
+
 	// Clone the infrastructure template
 	infraRef, err := external.CreateFromTemplate(ctx, &external.CreateFromTemplateInput{
 		Client:      r.Client,
diff --git a/test/e2e/data/infrastructure-docker/cluster-template-kcp-remediation.yaml b/test/e2e/data/infrastructure-docker/cluster-template-kcp-remediation.yaml
@@ -21,11 +21,69 @@ spec:
     kind: DockerCluster
     name: ${CLUSTER_NAME}
 ---
+# Derived from https://github.com/kubernetes-sigs/cluster-api/blob/3a4074421425869d65bf040a3f4730f2d4492cf9/test/infrastructure/docker/internal/loadbalancer/config.go#L42-L85 
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: haproxy-config
+data:
+  value: |
+    # generated by kind
+    global
+      log /dev/log local0
+      log /dev/log local1 notice
+      daemon
+      # limit memory usage to approximately 18 MB
+      # (see https://github.com/kubernetes-sigs/kind/pull/3115)
+      maxconn 100000
+      # (berkayoz): Below is our addition to the original file
+      # This is to ensure that connections do not hang open when a control plane is removed or configuration is changed abruptly
+      # This fixes the errors from capi itself like "Client.Timeout exceeded while awaiting headers"
+      hard-stop-after 5000
+
+    resolvers docker
+      nameserver dns 127.0.0.11:53
+
+    defaults
+      log global
+      mode tcp
+      option dontlognull
+      # TODO: tune these
+      timeout connect 5000
+      timeout client 50000
+      timeout server 50000
+      # allow to boot despite dns don't resolve backends
+      default-server init-addr none
+
+    frontend stats
+      mode http
+      bind *:8404
+      stats enable
+      stats uri /stats
+      stats refresh 1s
+      stats admin if TRUE
+
+    frontend control-plane
+      bind *:{{ .FrontendControlPlanePort }}
+      {{ if .IPv6 -}}
+      bind :::{{ .FrontendControlPlanePort }};
+      {{- end }}
+      default_backend kube-apiservers
+
+    backend kube-apiservers
+      option httpchk GET /healthz
+      {{range $server, $backend := .BackendServers}}
+      server {{ $server }} {{ JoinHostPort $backend.Address $.BackendControlPlanePort }} weight {{ $backend.Weight }} check check-ssl verify none resolvers docker resolve-prefer {{ if $.IPv6 -}} ipv6 {{- else -}} ipv4 {{- end }}
+      {{- end}}
+---
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
 kind: DockerCluster
 metadata:
   name: ${CLUSTER_NAME}
-spec: {}
+spec:
+  loadBalancer:
+    customHAProxyConfigTemplateRef:
+      name: haproxy-config
 ---
 apiVersion: controlplane.cluster.x-k8s.io/v1beta2
 kind: CK8sControlPlane
diff --git a/test/e2e/data/infrastructure-docker/cluster-template-md-remediation.yaml b/test/e2e/data/infrastructure-docker/cluster-template-md-remediation.yaml
@@ -24,11 +24,69 @@ spec:
     kind: DockerCluster
     name: ${CLUSTER_NAME}
 ---
+# Derived from https://github.com/kubernetes-sigs/cluster-api/blob/3a4074421425869d65bf040a3f4730f2d4492cf9/test/infrastructure/docker/internal/loadbalancer/config.go#L42-L85 
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: haproxy-config
+data:
+  value: |
+    # generated by kind
+    global
+      log /dev/log local0
+      log /dev/log local1 notice
+      daemon
+      # limit memory usage to approximately 18 MB
+      # (see https://github.com/kubernetes-sigs/kind/pull/3115)
+      maxconn 100000
+      # (berkayoz): Below is our addition to the original file
+      # This is to ensure that connections do not hang open when a control plane is removed or configuration is changed abruptly
+      # This fixes the errors from capi itself like "Client.Timeout exceeded while awaiting headers"
+      hard-stop-after 5000
+
+    resolvers docker
+      nameserver dns 127.0.0.11:53
+
+    defaults
+      log global
+      mode tcp
+      option dontlognull
+      # TODO: tune these
+      timeout connect 5000
+      timeout client 50000
+      timeout server 50000
+      # allow to boot despite dns don't resolve backends
+      default-server init-addr none
+
+    frontend stats
+      mode http
+      bind *:8404
+      stats enable
+      stats uri /stats
+      stats refresh 1s
+      stats admin if TRUE
+
+    frontend control-plane
+      bind *:{{ .FrontendControlPlanePort }}
+      {{ if .IPv6 -}}
+      bind :::{{ .FrontendControlPlanePort }};
+      {{- end }}
+      default_backend kube-apiservers
+
+    backend kube-apiservers
+      option httpchk GET /healthz
+      {{range $server, $backend := .BackendServers}}
+      server {{ $server }} {{ JoinHostPort $backend.Address $.BackendControlPlanePort }} weight {{ $backend.Weight }} check check-ssl verify none resolvers docker resolve-prefer {{ if $.IPv6 -}} ipv6 {{- else -}} ipv4 {{- end }}
+      {{- end}}
+---
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
 kind: DockerCluster
 metadata:
   name: ${CLUSTER_NAME}
-spec: {}
+spec:
+  loadBalancer:
+    customHAProxyConfigTemplateRef:
+      name: haproxy-config
 ---
 apiVersion: controlplane.cluster.x-k8s.io/v1beta2
 kind: CK8sControlPlane
diff --git a/test/e2e/data/infrastructure-docker/cluster-template-upgrades-max-surge-0.yaml b/test/e2e/data/infrastructure-docker/cluster-template-upgrades-max-surge-0.yaml
@@ -24,11 +24,69 @@ spec:
     kind: DockerCluster
     name: ${CLUSTER_NAME}
 ---
+# Derived from https://github.com/kubernetes-sigs/cluster-api/blob/3a4074421425869d65bf040a3f4730f2d4492cf9/test/infrastructure/docker/internal/loadbalancer/config.go#L42-L85 
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: haproxy-config
+data:
+  value: |
+    # generated by kind
+    global
+      log /dev/log local0
+      log /dev/log local1 notice
+      daemon
+      # limit memory usage to approximately 18 MB
+      # (see https://github.com/kubernetes-sigs/kind/pull/3115)
+      maxconn 100000
+      # (berkayoz): Below is our addition to the original file
+      # This is to ensure that connections do not hang open when a control plane is removed or configuration is changed abruptly
+      # This fixes the errors from capi itself like "Client.Timeout exceeded while awaiting headers"
+      hard-stop-after 5000
+
+    resolvers docker
+      nameserver dns 127.0.0.11:53
+
+    defaults
+      log global
+      mode tcp
+      option dontlognull
+      # TODO: tune these
+      timeout connect 5000
+      timeout client 50000
+      timeout server 50000
+      # allow to boot despite dns don't resolve backends
+      default-server init-addr none
+
+    frontend stats
+      mode http
+      bind *:8404
+      stats enable
+      stats uri /stats
+      stats refresh 1s
+      stats admin if TRUE
+
+    frontend control-plane
+      bind *:{{ .FrontendControlPlanePort }}
+      {{ if .IPv6 -}}
+      bind :::{{ .FrontendControlPlanePort }};
+      {{- end }}
+      default_backend kube-apiservers
+
+    backend kube-apiservers
+      option httpchk GET /healthz
+      {{range $server, $backend := .BackendServers}}
+      server {{ $server }} {{ JoinHostPort $backend.Address $.BackendControlPlanePort }} weight {{ $backend.Weight }} check check-ssl verify none resolvers docker resolve-prefer {{ if $.IPv6 -}} ipv6 {{- else -}} ipv4 {{- end }}
+      {{- end}}
+---
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
 kind: DockerCluster
 metadata:
   name: ${CLUSTER_NAME}
-spec: {}
+spec:
+  loadBalancer:
+    customHAProxyConfigTemplateRef:
+      name: haproxy-config
 ---
 apiVersion: controlplane.cluster.x-k8s.io/v1beta2
 kind: CK8sControlPlane
diff --git a/test/e2e/data/infrastructure-docker/cluster-template-upgrades.yaml b/test/e2e/data/infrastructure-docker/cluster-template-upgrades.yaml
@@ -24,11 +24,69 @@ spec:
     kind: DockerCluster
     name: ${CLUSTER_NAME}
 ---
+# Derived from https://github.com/kubernetes-sigs/cluster-api/blob/3a4074421425869d65bf040a3f4730f2d4492cf9/test/infrastructure/docker/internal/loadbalancer/config.go#L42-L85 
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: haproxy-config
+data:
+  value: |
+    # generated by kind
+    global
+      log /dev/log local0
+      log /dev/log local1 notice
+      daemon
+      # limit memory usage to approximately 18 MB
+      # (see https://github.com/kubernetes-sigs/kind/pull/3115)
+      maxconn 100000
+      # (berkayoz): Below is our addition to the original file
+      # This is to ensure that connections do not hang open when a control plane is removed or configuration is changed abruptly
+      # This fixes the errors from capi itself like "Client.Timeout exceeded while awaiting headers"
+      hard-stop-after 5000
+
+    resolvers docker
+      nameserver dns 127.0.0.11:53
+
+    defaults
+      log global
+      mode tcp
+      option dontlognull
+      # TODO: tune these
+      timeout connect 5000
+      timeout client 50000
+      timeout server 50000
+      # allow to boot despite dns don't resolve backends
+      default-server init-addr none
+
+    frontend stats
+      mode http
+      bind *:8404
+      stats enable
+      stats uri /stats
+      stats refresh 1s
+      stats admin if TRUE
+
+    frontend control-plane
+      bind *:{{ .FrontendControlPlanePort }}
+      {{ if .IPv6 -}}
+      bind :::{{ .FrontendControlPlanePort }};
+      {{- end }}
+      default_backend kube-apiservers
+
+    backend kube-apiservers
+      option httpchk GET /healthz
+      {{range $server, $backend := .BackendServers}}
+      server {{ $server }} {{ JoinHostPort $backend.Address $.BackendControlPlanePort }} weight {{ $backend.Weight }} check check-ssl verify none resolvers docker resolve-prefer {{ if $.IPv6 -}} ipv6 {{- else -}} ipv4 {{- end }}
+      {{- end}}
+---
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
 kind: DockerCluster
 metadata:
   name: ${CLUSTER_NAME}
-spec: {}
+spec:
+  loadBalancer:
+    customHAProxyConfigTemplateRef:
+      name: haproxy-config
 ---
 apiVersion: controlplane.cluster.x-k8s.io/v1beta2
 kind: CK8sControlPlane
diff --git a/test/e2e/data/infrastructure-docker/cluster-template.yaml b/test/e2e/data/infrastructure-docker/cluster-template.yaml
