[LP#2068597] Metallb deployments can get stuck in a config-changed busy loop

[addyess]

LP#2068597

Overview

When metallb doesn't have permissions because of lack of trust, the charm can get stuck trying to apply a configuration that will never finish causing the config-change hook to perpetually run.

Changes

• use tenacity stop to quick retrying after a certain number of times
• use a context_manager to block the charm when 403 error codes are returned from the API indicating a lack of permission
• Don't let the update_status hook wipe out the blocked status
• Only go to ActiveStatus when the update_status handler declares everything is ready
• Use MaintenanceStatus to indicate the charm is working on something
• Include tests to confirm the charm is blocked when not deployed with trust

[eaudetcobello]

Or test .+/\d{1,2}$ ?

[addyess]

nothing scarier here than using regex for ip address matching. I'll let python check it. See if you like my change here.

i want to make sure it's a ip_network and NOT an ip_address. The python library accepts a bare address to be processed as a "network" even when it's not in CIDR notation

assert ipaddress.ip_network("1.2.3.4") == ipaddress.ip_network("1.2.3.4/32")

HOWEVER, using ip_address totally raises a ValueError

>>> ipaddress.ip_address("1.2.3.4/32")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/ubuntu/.pyenv/versions/3.12.3/lib/python3.12/ipaddress.py", line 54, in ip_address
    raise ValueError(f'{address!r} does not appear to be an IPv4 or IPv6 address')
ValueError: '1.2.3.4/32' does not appear to be an IPv4 or IPv6 address
```

[eaudetcobello]

Cool pattern, had not seen before.

[eaudetcobello]

Unchanged on missing? Is that the best wording?

[addyess]

i just tried to make this more clear. I just wanted some text that clearly indicates the charm code isn't changing the blocked message