fix(substrate): degrade gracefully when ate.dev CRDs are absent#2023
Open
QuentinBisson wants to merge 7 commits into
Open
fix(substrate): degrade gracefully when ate.dev CRDs are absent#2023QuentinBisson wants to merge 7 commits into
QuentinBisson wants to merge 7 commits into
Conversation
QuentinBisson
force-pushed
the
fix/substrate-status-no-match-error
branch
from
c88349b to
a96374e
Compare
GET /api/substrate/status returned 500 on clusters without the ate.dev CRDs installed because listSubstrateCRs listed WorkerPool/ActorTemplate unconditionally, propagating the REST mapper NoKindMatchError as a server error. Gate the CRD listing loop on AteClient != nil. When substrate is not configured (the common case), there is nothing to list and no CRD calls are made. When substrate is configured, a missing CRD is a legitimate misconfiguration and the error is surfaced as before. Reported in giantswarm/giantswarm#36845. Signed-off-by: QuentinBisson <quentin@giantswarm.io>
QuentinBisson
force-pushed
the
fix/substrate-status-no-match-error
branch
from
a96374e to
d32223c
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR updates the substrate status endpoint to avoid listing Kubernetes substrate CRs when the substrate isn’t configured (i.e., AteClient is nil), and adds a regression test for that behavior.
Changes:
- Guard Kubernetes CR listing behind
h.AteClient != nilinHandleGetSubstrateStatus. - Add a new test asserting the “substrate not configured” response shape.
- Introduce a minimal
client.Clientstub intended to simulate missing CRDs.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| go/core/internal/httpserver/handlers/substrate.go | Skips listing substrate CRs unless AteClient is configured. |
| go/core/internal/httpserver/handlers/substrate_test.go | Adds a “not configured” test and a kube client stub for simulating missing CRDs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+28
to
+49
| // noMatchKubeClient is a minimal client.Client stub whose List always returns | ||
| // a *meta.NoKindMatchError, simulating a cluster where the ate.dev CRDs are absent. | ||
| type noMatchKubeClient struct { | ||
| client.Client | ||
| } | ||
|
|
||
| func (noMatchKubeClient) List(_ context.Context, _ client.ObjectList, _ ...client.ListOption) error { | ||
| return &apimeta.NoKindMatchError{} | ||
| } | ||
|
|
||
| // TestHandleGetSubstrateStatus_SubstrateNotConfigured verifies that when AteClient is nil | ||
| // (substrate not configured), the endpoint returns 200 with Enabled:false and empty slices | ||
| // without making any CRD List calls. | ||
| func TestHandleGetSubstrateStatus_SubstrateNotConfigured(t *testing.T) { | ||
| t.Parallel() | ||
|
|
||
| scheme := runtime.NewScheme() | ||
| utilruntime.Must(clientgoscheme.AddToScheme(scheme)) | ||
| fakeClient := fake.NewClientBuilder().WithScheme(scheme).Build() | ||
|
|
||
| base := &handlers.Base{KubeClient: fakeClient, Authorizer: &auth.NoopAuthorizer{}} | ||
| h := handlers.NewSubstrateHandler(base, nil) |
Comment on lines
65
to
78
| if h.AteClient != nil { | ||
| for _, ns := range namespaces { | ||
| wpEntries, tmplEntries, err := h.listSubstrateCRs(r.Context(), ns) | ||
| if err != nil { | ||
| log.Error(err, "list substrate CRs", "namespace", ns) | ||
| w.RespondWithError(errors.NewInternalServerError("Failed to list substrate resources from Kubernetes", err)) | ||
| return | ||
| } | ||
| resp.WorkerPools = append(resp.WorkerPools, wpEntries...) | ||
| resp.ActorTemplates = append(resp.ActorTemplates, tmplEntries...) | ||
| } | ||
| resp.WorkerPools = append(resp.WorkerPools, wpEntries...) | ||
| resp.ActorTemplates = append(resp.ActorTemplates, tmplEntries...) | ||
| } | ||
|
|
||
| if h.AteClient != nil { |
Comment on lines
+65
to
68
| } | ||
|
|
||
|
|
||
| type stubAteControl struct { |
- Merge the two consecutive AteClient != nil blocks into one - Use noMatchKubeClient in the not-configured test so the test would fail if the gate were removed (the error would propagate as 500 rather than the guarded nil path) - Remove extra blank line before stubAteControl Signed-off-by: QuentinBisson <quentin@giantswarm.io>
EItanya
previously approved these changes
Jun 17, 2026
Contributor
|
We can merge this as is, but I think we should probably come up with a better long-term solution here. If a user doesn't have substrate installed, why is this even being called at all? |
Contributor
Author
|
Sure but then kagent either needs to detect it or have a flag to disable substrate :) |
Contributor
Maybe we could do a discovery client check at the beginning for the CRDs and use that as the marker? |
Contributor
Author
|
You're right. We can use the dynamic RESTMapper instead as that reloads on NoMatch. so if I just guard the List with meta.IsNoMatchError the endpoint picks up substrate installed after |
Contributor
Author
|
I updated the PR to:
Three additional test cases cover the matrix: no CRDs+no client, no CRDs+client set, CRDs present+no client. |
… NoMatchError CRD presence (WorkerPool/ActorTemplate) and gRPC client availability (AteClient) are independent axes. Gating listSubstrateCRs on AteClient != nil caused two bugs: - CRDs present but ate-api not deployed: WorkerPools/ActorTemplates silently omitted even though the CRs exist, Enabled reported false. - CRDs absent but AteClient set: List calls reached the API server and 500'd instead of degrading gracefully. Guard each KubeClient.List with meta.IsNoMatchError: on NoMatch return empty + found=false with no error. controller-runtime's dynamic RESTMapper reloads on NoMatch automatically, so substrate installed after kagent boots is picked up on the next request without a restart. Compute Enabled from observed reality: crdsPresent || AteClient != nil. Three new cases covered by tests: - NoCRDs + no gRPC client -> 200, Enabled:false - NoCRDs + gRPC client set -> 200, Enabled:true, actors populated - CRDs present + no gRPC -> 200, Enabled:true, WorkerPools populated Signed-off-by: QuentinBisson <quentin@giantswarm.io>
QuentinBisson
force-pushed
the
fix/substrate-status-no-match-error
branch
from
690b3a4 to
149a2d7
Compare
Contributor
|
Sorry, I should've been more clear. I actually liked your first implementation. What I meant was to have a check on startup, I think this is a bit overcomplicated for the situation. Let's start with the original path and then we can improve later |
Revert 149a2d7. The IsNoMatchError guard is overcomplicated for this use case. Keeping the original approach (gate CRD listing on AteClient != nil) and will improve with a startup CRD discovery check separately. Signed-off-by: QuentinBisson <quentin@giantswarm.io>
Contributor
Author
|
I reverted the new commit :) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
GET /api/substrate/statusreturns 500 on clusters that don't have theagent-substrateCRDs installed (ate.dev/v1alpha1WorkerPool / ActorTemplate).listSubstrateCRscallsKubeClient.Liston both types unconditionally. When theCRDs are absent the REST mapper returns
*meta.NoKindMatchError, which propagates asHTTP 500. Since substrate is optional and
Enabledis already gated onAteClient != nil, the correct behaviour is to return an empty list.Fix
Guard both
Listcalls withmeta.IsNoMatchErrorand returnnil, nil, nil(emptyresult, no error) so the handler responds 200 with
Enabled: falseand empty slices.A regression test (
TestHandleGetSubstrateStatus_NoCRDs) covers the no-CRD path usinga stub client that returns
*meta.NoKindMatchError, asserting HTTP 200 withEnabled: falseand empty resource slices.Reported in giantswarm/giantswarm#36845.