Patch kube-vip to retry exponentially on transient 403/401 errors during service watcher initializtion. (#5256)

rahulbabu95 · web-flow · commit 71a94c002305 · 2026-03-21T00:58:45.000+05:30
Signed-off-by: Rahul &lt;rahulgab@amazon.com&gt;
diff --git a/projects/kube-vip/kube-vip/CHECKSUMS b/projects/kube-vip/kube-vip/CHECKSUMS
@@ -1,2 +1,2 @@
-5d0779b8bfffe0a71bbac9b9e4f2a06a7fbce225b7c8bb06d85292f5f1fcbfe5  _output/bin/kube-vip/linux-amd64/kube-vip
-1d49ff52c9589cce99673743a121ed99d9040847c6490426bc16899e5af30892  _output/bin/kube-vip/linux-arm64/kube-vip
+5f784e3a1abd274437359e49fb858df1cb78a90b4ca14f5e78b9f5f92a7784ab  _output/bin/kube-vip/linux-amd64/kube-vip
+1738d010ac96fdca0d0610151eef84b63965595c2a57cc5fcf7fad9782d2660b  _output/bin/kube-vip/linux-arm64/kube-vip
diff --git a/projects/kube-vip/kube-vip/patches/0001-use-hostname-instead-of-kubernetes-to-contact-apiser.patch b/projects/kube-vip/kube-vip/patches/0001-use-hostname-instead-of-kubernetes-to-contact-apiser.patch
@@ -1,7 +1,7 @@
 From 40bf11fd0b44f39ad39de8f65eb664a2172ed983 Mon Sep 17 00:00:00 2001
 From: Abhinav Pandey <abhinavmpandey08@gmail.com>
 Date: Wed, 2 Mar 2022 16:40:11 -0800
-Subject: [PATCH] use hostname instead of "kubernetes" to contact apiserver
+Subject: [PATCH 1/2] use hostname instead of "kubernetes" to contact apiserver
 
 ---
  pkg/kubevip/config_generator.go | 7 -------
diff --git a/projects/kube-vip/kube-vip/patches/0002-retry-on-403-401-in-ServicesWatcher-with-exponential.patch b/projects/kube-vip/kube-vip/patches/0002-retry-on-403-401-in-ServicesWatcher-with-exponential.patch
@@ -0,0 +1,87 @@
+From a39f3f7e30dc36812881e8f43d50b73abb5d2aba Mon Sep 17 00:00:00 2001
+From: Rahul Ganesh <rahulgab@amazon.com>
+Date: Fri, 20 Mar 2026 11:51:16 -0700
+Subject: [PATCH 2/2] retry on 403/401 in ServicesWatcher with exponential backoff
+
+Retry WatchFn with exponential backoff when service watcher starts against
+transient 403 and 401 errors. On joining CP nodes with K8s 1.34+, the local
+etcd may still be a learner when kube-vip starts, causing RBAC data
+to be unavailable through the learner until it graduates.
+
+Signed-off-by: Rahul Ganesh <rahulgab@amazon.com>
+---
+ pkg/services/watch_services.go | 39 +++++++++++++++++++++++++++++++++-
+ 1 file changed, 38 insertions(+), 1 deletion(-)
+
+diff --git a/pkg/services/watch_services.go b/pkg/services/watch_services.go
+index 8c27ec6..58631ba 100644
+--- a/pkg/services/watch_services.go
++++ b/pkg/services/watch_services.go
+@@ -3,6 +3,7 @@ package services
+ import (
+ 	"context"
+ 	"fmt"
++	"time"
+ 
+ 	log "log/slog"
+ 
+@@ -14,11 +15,45 @@ import (
+ 	v1 "k8s.io/api/core/v1"
+ 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+ 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
++	"k8s.io/apimachinery/pkg/util/wait"
+ 	"k8s.io/apimachinery/pkg/watch"
+ 	"k8s.io/client-go/tools/cache"
+ 	watchtools "k8s.io/client-go/tools/watch"
+ )
+ 
++// watchWithAuthRetry retries watchFn with exponential backoff on transient 403 Forbidden
++// and 401 Unauthorized errors. On joining control plane nodes with K8s 1.34+, the local
++// etcd may still be a learner when kube-vip starts, causing RBAC data to be unavailable.
++// These auth errors resolve once etcd is promoted to a full member (typically within seconds).
++// Non-auth errors are returned immediately. Context cancellation stops the retry loop.
++func watchWithAuthRetry(ctx context.Context, watchFn func(context.Context) (watch.Interface, error)) (watch.Interface, error) {
++	var w watch.Interface
++	var lastErr error
++	err := wait.ExponentialBackoffWithContext(ctx, wait.Backoff{
++		Duration: 2 * time.Second,
++		Factor:   2.0,
++		Jitter:   0.1,
++		Steps:    10,
++		Cap:      30 * time.Second,
++	}, func(ctx context.Context) (bool, error) {
++		var watchErr error
++		w, watchErr = watchFn(ctx)
++		if watchErr == nil {
++			return true, nil
++		}
++		if !apierrors.IsForbidden(watchErr) && !apierrors.IsUnauthorized(watchErr) {
++			return false, watchErr
++		}
++		lastErr = watchErr
++		log.Warn("(svcs) services watch auth error, retrying", "err", watchErr)
++		return false, nil
++	})
++	if err != nil {
++		return nil, fmt.Errorf("(svcs) services watch failed after retries: %w (last: %v)", err, lastErr)
++	}
++	return w, nil
++}
++
+ // This function handles the watching of a services endpoints and updates a load balancers endpoint configurations accordingly
+ func (p *Processor) ServicesWatcher(ctx context.Context, serviceFunc func(*servicecontext.Context, *v1.Service) error) error {
+ 	// first start port mirroring if enabled
+@@ -44,7 +79,9 @@ func (p *Processor) ServicesWatcher(ctx context.Context, serviceFunc func(*servi
+ 	// Use a restartable watcher, as this should help in the event of etcd or timeout issues
+ 	rw, err := watchtools.NewRetryWatcherWithContext(ctx, "1", &cache.ListWatch{
+ 		WatchFunc: func(_ metav1.ListOptions) (watch.Interface, error) {
+-			return p.rwClientSet.CoreV1().Services(p.config.ServiceNamespace).Watch(ctx, metav1.ListOptions{})
++			return watchWithAuthRetry(ctx, func(ctx context.Context) (watch.Interface, error) {
++				return p.rwClientSet.CoreV1().Services(p.config.ServiceNamespace).Watch(ctx, metav1.ListOptions{})
++			})
+ 		},
+ 	})
+ 	if err != nil {
+-- 
+2.46.0
+
