fix: Detect pod configuration errors early instead of timeout

[vdemeester]

Changes

• Fail fast on missing ConfigMaps/Secrets used in env variables, using valueFrom, within seconds of detection
• Show actionable error messages instead of generic timeout failures
• Add early detection for CreateContainerConfigError and related failures

/kind bug

Fixes #9144

/cc @afrittoli @aThorp96 @arewm

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

• Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
• Has Tests included if any functionality added or changed
• pre-commit Passed
• Follows the commit message standard
• Meets the Tekton contributor standards (including functionality, content, code)
• Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
• Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings). See some examples of good release notes.
• Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

Fixed TaskRuns to fail immediately when pod containers have configuration errors (missing ConfigMap/Secret) instead of silently timing out.

[tekton-robot]

@vdemeester: GitHub didn't allow me to request PR reviews from the following users: arewm.

Note that only tektoncd members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

Changes

• Fail fast on missing ConfigMaps/Secrets within seconds of detection
• Show actionable error messages instead of generic timeout failures
• Add early detection for CreateContainerConfigError and related failures

/kind bug

Fixes #9144

/cc @afrittoli @aThorp96 @arewm

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

• Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
• Has Tests included if any functionality added or changed
• pre-commit Passed
• Follows the commit message standard
• Meets the Tekton contributor standards (including functionality, content, code)
• Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
• Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings). See some examples of good release notes.
• Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

Fixed TaskRuns to fail immediately when pod containers have configuration errors (missing ConfigMap/Secret) instead of silently timing out.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[vdemeester]

/retest

[vdemeester]

/retest

[vdemeester]

/retest

[afrittoli]

• Fail fast on missing ConfigMaps/Secrets within seconds of detection

WRT to this, users may be relying on the current behaviour in cases where a config map or secret is provisioned roughly at the same as the TaskRun or PipelineRun and may not yet be on the cluster during the first reconcile. Would it make sense to have a configurable timeout for this or at least a configurable on/off switch for the feature?

[vdemeester]

• Fail fast on missing ConfigMaps/Secrets within seconds of detection

WRT to this, users may be relying on the current behaviour in cases where a config map or secret is provisioned roughly at the same as the TaskRun or PipelineRun and may not yet be on the cluster during the first reconcile. Would it make sense to have a configurable timeout for this or at least a configurable on/off switch for the feature?

Ah I should have written a better description. Essentially, if they use Volumes/VolumeMounts for configmaps or secrets, the behavior doesn't change at all, as it is a recoverable issue (from the Pod and thus TaskRun stand-point). But if they use the EnvSource (aka loading an environment variable value from a ConfigMap or a Secret), this is where it will fail-fast as it won't ever be recovered. See #9144 (comment).

So users who were relying on current behavior will either see a failure early instead of a timeout (always), or it won't change a thing. If there was a failure before, there is a failure now, just quicker ; if there was no failure before, there is no failure now either (from the user point of view).

I'll update the description.

[aThorp96]

Overall seems good to me! Couple questions and a few optional suggestions/nits (mostly regarding patterns which were already in the code)

[aThorp96]

Love this helper

[aThorp96]

optional nit: no need to alloc

Suggested change

	image := step.ImageID
	message := fmt.Sprintf(`the step %q in TaskRun %q failed to pull the image %q. The pod errored with the message: "%s."`, step.Name, tr.Name, image, step.Waiting.Message)
	message := fmt.Sprintf(`the step %q in TaskRun %q failed to pull the image %q. The pod errored with the message: "%s."`, step.Name, tr.Name, step.ImageID, step.Waiting.Message)

[aThorp96]

optional nit: no need to alloc

Suggested change

	image := step.ImageID
	message := fmt.Sprintf(`the step %q in TaskRun %q failed to pull the image %q. The pod errored with the message: "%s."`, step.Name, tr.Name, image, step.Waiting.Message)
	message := fmt.Sprintf(`the step %q in TaskRun %q failed to pull the image %q. The pod errored with the message: "%s."`, step.Name, tr.Name, step.ImageID, step.Waiting.Message)

[aThorp96]

Optional nit: no need to alloc

Suggested change

	image := sidecar.ImageID
	message := fmt.Sprintf(`the sidecar %q in TaskRun %q failed to pull the image %q. The pod errored with the message: "%s."`, sidecar.Name, tr.Name, image, sidecar.Waiting.Message)
	message := fmt.Sprintf(`the sidecar %q in TaskRun %q failed to pull the image %q. The pod errored with the message: "%s."`, sidecar.Name, tr.Name, sidecar.ImageID, sidecar.Waiting.Message)

[aThorp96]

Optional nit: no need to alloc

Suggested change

	image := sidecar.ImageID
	message := fmt.Sprintf(`the sidecar %q in TaskRun %q failed to pull the image %q. The pod errored with the message: "%s."`, sidecar.Name, tr.Name, image, sidecar.Waiting.Message)
	message := fmt.Sprintf(`the sidecar %q in TaskRun %q failed to pull the image %q. The pod errored with the message: "%s."`, sidecar.Name, tr.Name, sidecar.ImageID, sidecar.Waiting.Message)

[aThorp96]

Optional suggestion:

Better to be explicit IMO. WDYT?

Suggested change

	default: // Image pull errors
	case "InvalidImageName", "ImagePullBackOff":

[aThorp96]

Potential bug:
IIUC ErrImagePull can happen transiently and is automatically retried before the ImagePullBackoff. If that's the case, would this logic cause TaskRuns to fail instead of the image pull being retried? If I am reading this right, if we include step.Waiting.Reason == "ErrImagePull" then we'll fast fail before we ever allow the retry to get to ErrImagePullBackoff. Is that right? Maybe that's the point of the PR, but I do worry that it could make Tekton seem "flakier" to users if TaskRuns are more prone to fast-fail on transient issues.

[vdemeester]

Ah you are right, I'll remove that one.

[aThorp96]

/lgtm

Two minor suggestions to utilize the new constants

[aThorp96]

Suggested change

	if step.Waiting.Reason == "CreateContainerConfigError" {
	if step.Waiting.Reason == CreateContainerConfigError {

[aThorp96]

Suggested change

	if step.Waiting.Reason == "InvalidImageName" {
	if step.Waiting.Reason == InvalidImageName {

[aThorp96]

Suggested change

	if sidecar.Waiting.Reason == "CreateContainerConfigError" {
	if sidecar.Waiting.Reason == CreateContainerConfigError {

[aThorp96]

Suggested change

	if sidecar.Waiting.Reason == "InvalidImageName" {
	if sidecar.Waiting.Reason == InvalidImageName {

[aThorp96]

🙏🏼

[twoGiants]

Great stuff! Thank you for this 🥇

See my comments below. I would cleanup a bit, add more tests and decompose the big test function to have the container failures tested in its own more concise test functions.

[twoGiants]

Great opportunity to clean this up a bit. You could use the guard pattern twice here (and below for the sidecars) and reduce the nesting of the ifs by 2 and then extract the duplicated checks into a helper 😸 =>

		if step.Waiting == nil {
			continue
		}

		if _, found := podFailureReasons[step.Waiting.Reason]; !found {
			continue
		}

		c.checkContainerFailure(
			ctx,
			tr,
			step.Waiting,
			step.Name,
			step.ImageID,
			"step",
		)

And the waiting reason checks can go into a helper and reused below for the sidecars as well:

func (c *Reconciler) checkContainerFailure(
	ctx context.Context,
	tr *v1.TaskRun,
	waiting *corev1.ContainerStateWaiting,
	name,
	imageID,
	containerType string,
) (bool, v1.TaskRunReason, string) {
	if waiting.Reason == ImagePullBackOff {
		imagePullBackOffTimeOut := config.FromContextOrDefaults(ctx).Defaults.DefaultImagePullBackOffTimeout
		// only attempt to recover from the imagePullBackOff if specified
		if imagePullBackOffTimeOut.Seconds() != 0 {
			p, err := c.KubeClientSet.CoreV1().Pods(tr.Namespace).Get(ctx, tr.Status.PodName, metav1.GetOptions{})
			if err != nil {
				message := fmt.Sprintf(`the %s %q in TaskRun %q failed to pull the image %q. Failed to get pod with error: "%s."`, containerType, name, tr.Name, imageID, err)
				return true, v1.TaskRunReasonImagePullFailed, message
			}
			for _, condition := range p.Status.Conditions {
				// check the pod condition to get the time when the pod was ready to start containers / initialized.
				// keep trying until the pod schedule time has exceeded the specified imagePullBackOff timeout duration
				if slices.Contains(imagePullBackOffTimeoutPodConditions, string(condition.Type)) {
					if c.Clock.Since(condition.LastTransitionTime.Time) < imagePullBackOffTimeOut {
						return false, "", ""
					}
				}
			}
		}
		// ImagePullBackOff timeout exceeded or not configured
		message := fmt.Sprintf(`the %s %q in TaskRun %q failed to pull the image %q. The pod errored with the message: "%s."`, containerType, name, tr.Name, imageID, waiting.Message)
		return true, v1.TaskRunReasonImagePullFailed, message
	}

	// Handle CreateContainerConfigError (missing ConfigMap/Secret, invalid env vars, etc.)
	if waiting.Reason == CreateContainerConfigError {
		message := fmt.Sprintf(`the %s %q in TaskRun %q failed to start. The pod errored with the message: "%s."`, containerType, name, tr.Name, waiting.Message)
		return true, v1.TaskRunReasonCreateContainerConfigError, message
	}

	// Handle InvalidImageName (unrecoverable error)
	// Note: ErrImagePull is not handled here as it's a transient state that Kubernetes
	// will automatically retry before transitioning to ImagePullBackOff
	if waiting.Reason == InvalidImageName {
		message := fmt.Sprintf(`the %s %q in TaskRun %q failed to pull the image %q. The pod errored with the message: "%s."`, containerType, name, tr.Name, imageID, waiting.Message)
		return true, v1.TaskRunReasonImagePullFailed, message
	}

	// Handle CreateContainerError and other generic failures
	message := fmt.Sprintf(`the %s %q in TaskRun %q failed to start. The pod errored with the message: "%s."`, containerType, name, tr.Name, waiting.Message)
	return true, v1.TaskRunReasonPodCreationFailed, message
}

I also changed this message in the ImagePullBackOff error => the step %q in TaskRun %q failed to pull the image %q and the pod with error, the last part sounds wrong. I used: the %s %q in TaskRun %q failed to pull the image %q. Failed to get pod with error: "%s.

[twoGiants]

But when ErrImagePull is the reason the method returns true in line 304 and the reconciler fails the TaskRun. It looks like we either should not check for this transient state or if we do then return false with a message like retrying pulling image.

[twoGiants]

The same test case for sidecar is missing.

[twoGiants]

If the ErrImagePull case is added in the implementation it must be added here too for both.

[twoGiants]

It took me a while to get this 🥲. But I got it! 🤣

This test is quite complex already with all its conditions down below. The additional switch makes it a even more difficult to understand.

What do you think about extracting the tests for the new container failure logic into it's own table driven test function with a simpler setup, execution and assertions instead of extending this one?

[aThorp96]

+1
Enumerating the almost-entirely-identical message and event strings inside the test cases would certainly be verbose and tedious, but the switch statement and various string formatting does add a lot of mental complexity. I think I'd even prefer setting/updating expectedStatus and wantEvents directly in the switch. It would be a lot more straightforward and clear though to either enumerate the events and strings in the cases or add an entirely different test function for the new behavior

[vdemeester]

It's already in TestReconcileContainerFailures, I forgot to remove that part...

[twoGiants]

Thanks for the rework! Makes the logic easier to follow 😸 👍

/approve
/lgtm
/meow

[tekton-robot]

@twoGiants:

Details

In response to this:

Thanks for the rework! Makes the logic easier to follow 😸 👍

/approve
/lgtm
/meow

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aThorp96, twoGiants

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [twoGiants]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment