fix(status-reconciler): fail closed on config load errors and add operational metrics

[miltalex]

What this PR changes

• Makes status-reconciler fail closed on bad config/state loads:

  • corrupted saved status now fails Load()
  • config-agent load failures are propagated via error handlers
  • on load failure, controller is marked unhealthy and stops reconciling

• Adds status-reconciler metrics:

  • status_reconciler_loaded_presubmit_count (Gauge)
  • status_reconciler_contexts_retired_total{org,repo} (Counter)

• Refactors config-agent wiring for simplicity:

  • ConfigOptions.ConfigAgent(...) now uses options:
    • WithErrorHandler(...)
    • WithAdditionals(...)
    • WithReuseAgent(...)
  • migrates call sites in status-reconciler and deck

• Keeps health wiring explicit with ServeLive(...):

  • status-reconciler uses ServeLive(c.Healthy) for liveness checks
  • other binaries keep the existing explicit ServeLive() approach

• Keeps status-reconciler liveness/readiness probes in starter manifests.

Outcome

• Status-reconciler no longer reconciles from failed/corrupted loads.
• On load failures, liveness/metrics clearly signal degraded state and reconciliation is stopped.

Fixes #540

[netlify]

✅ Deploy Preview for k8s-prow ready!

Name	Link
🔨 Latest commit	642b6eb
🔍 Latest deploy log	https://app.netlify.com/projects/k8s-prow/deploys/69b18af0e4bee50008349f91
😎 Deploy Preview	https://deploy-preview-628--k8s-prow.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[k8s-ci-robot]

Hi @miltalex. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[petr-muller]

/ok-to-test

[Prucek]

I think this is only one part of the story. Try to add the other recomendations from: #540

Status reconciler should be fixed so never actuate unless it has a provably good config loaded. If its dynamic config loading is failing (like it was in the example above), it should cease reconciling, and strongly signal, through metrics at least, that it is not actuating right now. We may consider flipping its liveness probe endpoint to false, to signal kubernetes that the pod is not healthy and cause it to restart.

[miltalex]

I pushed one commit to setup liveness/readiness for status-reconciler, and flipping it to false when the config Agent is failing. I am looking into pushing another commit to add metrics, since currently there are no metrics will try to cover only metrics related to this functionality. Happy to adjust/rework based on your feedback.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: miltalex
Once this PR has been reviewed and has the lgtm label, please assign smg247 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[petr-muller]

@Prucek I'm leaving this one on you, feel free to ping me when this needs approved

[Prucek]

It is going in the right direction, but we need to improve:

• the healthiness handling- I don't think the config agent should handle it. This is a tricky one: the error comes from the configAgent (,"msg":"Error loading config."), but it comes from a goroutine, so we can't handle it directly in the code. I think we could add a callback onError func(error) to the func (ca *Agent) Start and then a func (o *ConfigOptions) ConfigAgentWithErrorHandling(onError func(error), reuse ...*config.Agent) and have a onError method in the controller, that will flip the healthiness to false. WDYT?
• unit tests
• the metrics - still missing
  Also, could you please update the description to reflect what was done in this PR?

[Prucek]

I think 600s is too long for a health check

[Prucek]

This is not needed

[Prucek]

I wouldn't make changes here

[Prucek]

This is correct, but I would reregister the /healthz endpoint in a single ServeLive method and add the same logic as ServeReady, but with the LivenessCheck
Then this can be called like:

 // in a controller
  var healthy atomic.Bool
  healthy.Store(true)

  health := pjutil.NewHealth()
  health.ServeReady()
  health.ServeLive(healthy.Load)   // passes the method as the check func

  // anywhere in your code:
  healthy.Store(false)  // liveness probe now returns 503
  healthy.Store(true)   // recovers

[miltalex]

Thank you very much for the tip, Indeed this is much cleaner

[Prucek]

I think tests are not needed here.

[Prucek]

These tests are also not needed

[Prucek]

Check other tests in this file, and look at how we write unit tests. Usually, you don't want to write just a single test

[Prucek]

This does not belong here. If you change the code according to the comment in pkg/pjutil/health.go, everything will be simplified.

[stevekuznetsov]

This seems like the wrong place - we should not transmit if we cannot load, or if the load is corrupted. You would risk not catching real deletes with this logic. The go-unavailable-on-failed-load logic mentioned below is a good idea, as well as root-causing why corrupted loads are sending deltas.

[miltalex]

Thank you very much @stevekuznetsov . I moved the logic to the Load instead

[Prucek]

Is the change to StartWatch needed? It is not used anywhere

[Prucek]

I don't understand the purpose of this variable; mostly, it is set to the same as healthy. Could you explain?

[miltalex]

Removed it, was trying to measure when the app was indeed not healthy. Initially when I started was trying to calculate the actuation of each config.

[Prucek]

If other components would like to add live health checks, they can do that on a follow-up PR. I wouldn't put it here.

[miltalex]

As discussed in slack, this is due to the changes in the NewHealthOnPort func

[Prucek]

I think we are adding too many methods here. Also, the name gets pretty long 😄
I'd suggest something like:

type ConfigAgentOption func(*configAgentOptions)

type configAgentOptions struct {
    onError     func(error)
    additionals []func(*config.Config) error
    reuse       *config.Agent
}

func WithErrorHandler(fn func(error)) ConfigAgentOption {
    return func(o *configAgentOptions) {
        o.onError = fn
    }
}

func WithAdditionals(a ...func(*config.Config) error) ConfigAgentOption {
    return func(o *configAgentOptions) {
        o.additionals = a
    }
}

func WithReuseAgent(a *config.Agent) ConfigAgentOption {
    return func(o *configAgentOptions) {
        o.reuse = a
    }
}

Then we could just do:

agent, err := opts.ConfigAgent()

agent, err := opts.ConfigAgent(
    WithErrorHandler(handleErr),
)

agent, err := opts.ConfigAgent(
    WithReuseAgent(existing),
    WithAdditionals(extraFn),
)

[miltalex]

Thank you very much I find this indeed much cleaner

[Prucek]

I think it does not make sense to store healthyness to metrics. With the metrics, we want to measure some value over time. This could be:

1. status_reconciler_loaded_presubmit_count — Gauge
   Set to len(config.PresubmitsStatic) each time a Delta is received.
2. status_reconciler_contexts_retired_total{org, repo} — Counter
   Incremented in retireRemovedContexts() for each context actually retired

[miltalex]

Thanks tbh I wasnt sure what kind of metrics we needed to expose

[Prucek]

/test pull-prow-integration
/lgtm
/label tide/merge-method-squash

@miltalex could you update the PR title and description? Otherwise, it looks OK.

[miltalex]

@Prucek thank you very much for the review. I have updated the title and description, I kept the convo fix(status-reconciler) since the changes are mostly targeted to that package.