✨ Add support for a secondary control plane load balancer #4733
Conversation
Skipping CI for Draft Pull Request.
/test pull-cluster-api-provider-aws-test
/retest-required
0e71456 to b08fe0c
Confirming that nodes within the cluster can reach the load balancer:
api/v1beta2/awscluster_webhook.go
// TODO(nrb): The validate-on-update default test was failing when newlb was nil | ||
// Upon investigation, both values were nil, which is unlikely in a real world scenario | ||
if oldlb == nil && newlb == nil { | ||
return nil | ||
} |
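Review bot: the guard covers only the both-nil case; if exactly one of oldlb/newlb is nil, whatever comparison follows this return still needs its own nil check, or the normalization to an empty AWSLoadBalancerSpec that the earlier code used (`newLoadBalancer := &AWSLoadBalancerSpec{}` then overwrite when the spec is non-nil), which removes the special case entirely. Suggest restoring that normalization rather than the early return, and rewording the TODO once it is understood that both sides being nil is simply "no load balancer configured" on either side.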
newLoadBalancer := &AWSLoadBalancerSpec{}
existingLoadBalancer := &AWSLoadBalancerSpec{}
if r.Spec.ControlPlaneLoadBalancer != nil {
newLoadBalancer = r.Spec.ControlPlaneLoadBalancer.DeepCopy()
}
if oldC.Spec.ControlPlaneLoadBalancer != nil {
existingLoadBalancer = oldC.Spec.ControlPlaneLoadBalancer.DeepCopy()
}
This was previously handled this way
Which, to be honest, may be better to restructure, given that it was a bit confusing.
/milestone v2.4.0
* A secondary control plane load balancer can be added.
* It will be a network load balancer.
* Its scheme must not match that of the ControlPlaneLoadBalancer.

Previously, NLBs could not have security groups attached. This has now changed, and an NLB can have a security group attached at creation. If a security group is _not_ present at creation, then the NLB can never have security groups added.
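The three rules in the commit message above (the secondary load balancer is an NLB, its scheme must differ from the primary's, and security groups can only be attached at creation) together with the nil-handling discussed on the webhook thread, as an added Go example. This is not the PR's or CAPA's code: the types are stand-ins named after CAPA's but with assumed fields, the internet-facing default for an unset primary scheme is an assumption, and scheme immutability on update is an assumed policy used only to show the normalized-nil pattern.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the CAPA types discussed in the PR. Field and
// constant names are assumptions for this example, not the project's API.
type LoadBalancerType string
type LoadBalancerScheme string

const (
	LoadBalancerTypeClassic LoadBalancerType   = "classic"
	LoadBalancerTypeNLB     LoadBalancerType   = "nlb"
	SchemeInternetFacing    LoadBalancerScheme = "internet-facing"
	SchemeInternal          LoadBalancerScheme = "internal"
)

type AWSLoadBalancerSpec struct {
	LoadBalancerType           LoadBalancerType
	Scheme                     LoadBalancerScheme
	AdditionalSecurityGroupIDs []string
}

type AWSClusterSpec struct {
	ControlPlaneLoadBalancer          *AWSLoadBalancerSpec
	SecondaryControlPlaneLoadBalancer *AWSLoadBalancerSpec
}

// ValidateSecondaryLB checks the create-time rules from the PR: the secondary
// LB is an NLB, its scheme differs from the primary's, and it carries at least
// one security group (an NLB created without any can never get one later).
// All violations are collected so the user sees them in one rejection.
func ValidateSecondaryLB(spec AWSClusterSpec) error {
	sec := spec.SecondaryControlPlaneLoadBalancer
	if sec == nil {
		return nil // opt-in feature; nothing to validate
	}
	var errs []error
	if sec.LoadBalancerType != LoadBalancerTypeNLB {
		errs = append(errs, fmt.Errorf("secondary load balancer must be %q, got %q", LoadBalancerTypeNLB, sec.LoadBalancerType))
	}
	// Assumption: an unset primary scheme means internet-facing.
	primaryScheme := SchemeInternetFacing
	if spec.ControlPlaneLoadBalancer != nil && spec.ControlPlaneLoadBalancer.Scheme != "" {
		primaryScheme = spec.ControlPlaneLoadBalancer.Scheme
	}
	if sec.Scheme == primaryScheme {
		errs = append(errs, fmt.Errorf("secondary load balancer scheme %q must differ from the primary's", sec.Scheme))
	}
	if len(sec.AdditionalSecurityGroupIDs) == 0 {
		errs = append(errs, errors.New("secondary NLB needs at least one security group at creation; AWS does not allow attaching one afterwards"))
	}
	return errors.Join(errs...) // nil when errs is empty
}

// ValidateSecondaryLBUpdate normalizes nil to an empty spec, as the earlier
// webhook code did, so neither the both-nil nor the one-side-nil case needs
// a special branch. Scheme immutability is an assumption for this example.
func ValidateSecondaryLBUpdate(oldSpec, newSpec AWSClusterSpec) error {
	oldLB, newLB := &AWSLoadBalancerSpec{}, &AWSLoadBalancerSpec{}
	if oldSpec.SecondaryControlPlaneLoadBalancer != nil {
		oldLB = oldSpec.SecondaryControlPlaneLoadBalancer
	}
	if newSpec.SecondaryControlPlaneLoadBalancer != nil {
		newLB = newSpec.SecondaryControlPlaneLoadBalancer
	}
	if oldLB.Scheme != "" && newLB.Scheme != "" && oldLB.Scheme != newLB.Scheme {
		return fmt.Errorf("secondary load balancer scheme is immutable (%q -> %q)", oldLB.Scheme, newLB.Scheme)
	}
	if oldSpec.SecondaryControlPlaneLoadBalancer == nil && newSpec.SecondaryControlPlaneLoadBalancer != nil {
		return ValidateSecondaryLB(newSpec) // added on update: apply the create rules
	}
	return nil
}

func main() {
	spec := AWSClusterSpec{
		ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{LoadBalancerType: LoadBalancerTypeClassic, Scheme: SchemeInternetFacing},
		SecondaryControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
			LoadBalancerType:           LoadBalancerTypeNLB,
			Scheme:                     SchemeInternal,
			AdditionalSecurityGroupIDs: []string{"sg-0123456789abcdef0"}, // constructed id
		},
	}
	fmt.Println("valid:", ValidateSecondaryLB(spec))
	spec.SecondaryControlPlaneLoadBalancer.Scheme = SchemeInternetFacing
	fmt.Println("same scheme as primary:", ValidateSecondaryLB(spec))
}
```

Collecting every violation with errors.Join rather than returning on the first one matters for a webhook: a user who submits a classic, internet-facing secondary LB without security groups gets all three problems in one rejection instead of discovering them one apply at a time.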
/test pull-cluster-api-provider-aws-e2e
/test ?
@vincepri: The following commands are available to trigger required jobs:
The following commands are available to trigger optional jobs:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/test pull-cluster-api-provider-aws-apidiff-main
Looks like some sort of account lookup issue with Boskos; it fails here with a 404.
/test pull-cluster-api-provider-aws-e2e-blocking
/retest
/lgtm
/assign @Ankitasw @richardcase
cc @JoelSpeed
Great work @nrb. We should try to get this covered via e2e in the future.
@@ -37,6 +37,9 @@ type NetworkStatus struct { | |||
// APIServerELB is the Kubernetes api server load balancer. | |||
APIServerELB LoadBalancer `json:"apiServerElb,omitempty"` | |||
|
|||
// SecondaryAPIServerELB is the secondary Kubernetes api server load balancer. | |||
SecondaryAPIServerELB LoadBalancer `json:"secondaryAPIServerELB,omitempty"` |
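Review bot: the new SecondaryAPIServerELB field has an `omitempty` json tag but no `// +optional` marker, so the generated CRD schema will not treat it as optional the way APIServerELB's comment implies; suggest adding `// +optional` above the field. Its tag `secondaryAPIServerELB` also breaks the casing of the neighbouring `apiServerElb`; since the serialized name becomes part of the status API, pick one convention before this merges.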
nit: would be good to mark it optional
@@ -331,7 +332,8 @@ func (r *AWSMachineReconciler) reconcileDelete(machineScope *scope.MachineScope, | |||
if err := r.reconcileLBAttachment(machineScope, elbScope, instance); err != nil { | |||
// We are tolerating AccessDenied error, so this won't block for users with older version of IAM; | |||
// all the other errors are blocking. | |||
if !elb.IsAccessDenied(err) && !elb.IsNotFound(err) { | |||
// Because we are reconciling all load balancers, attempt to treat the error as a list of errors. | |||
if err = kerrors.FilterOut(err, elb.IsAccessDenied, elb.IsNotFound); err != nil { |
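Review bot: reassigning `err` with `kerrors.FilterOut(err, elb.IsAccessDenied, elb.IsNotFound)` drops the tolerated errors before anything is logged, so an AccessDenied on one of several load balancers leaves no trace in the reconciler output; suggest logging the unfiltered aggregate at debug level before the filter. The comment two lines up still describes only the AccessDenied case; update it to say that NotFound is tolerated as well and why.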
I didn't know about kerrors.FilterOut. Excellent.
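What kerrors.FilterOut buys the reconciler in the hunk above, as an added Go example that is neither the PR's nor apimachinery's code: a stdlib-only FilterOut written to the documented semantics of utilerrors.FilterOut (a single error is dropped when any matcher accepts it; an aggregate is filtered recursively and becomes nil once nothing blocking remains), constructed AWS-style errors with IsAccessDenied/IsNotFound stand-ins, and the aggregate produced by reconciling a primary and a secondary load balancer.

```go
package main

import (
	"errors"
	"fmt"
)

// awsError is a constructed stand-in for an AWS API error carrying a code.
// The real elb.IsAccessDenied / elb.IsNotFound helpers are not used here.
type awsError struct{ Code, Msg string }

func (e *awsError) Error() string { return e.Code + ": " + e.Msg }

func IsAccessDenied(err error) bool {
	var ae *awsError
	return errors.As(err, &ae) && ae.Code == "AccessDenied"
}

func IsNotFound(err error) bool {
	var ae *awsError
	return errors.As(err, &ae) && ae.Code == "LoadBalancerNotFound"
}

// FilterOut mirrors the documented behaviour of utilerrors.FilterOut: a single
// error is dropped if any matcher accepts it; an aggregate (anything exposing
// Unwrap() []error, as errors.Join does) is filtered recursively, so matchers
// only ever see leaf errors, and the result is nil once nothing blocking is left.
func FilterOut(err error, matchers ...func(error) bool) error {
	if err == nil {
		return nil
	}
	if agg, ok := err.(interface{ Unwrap() []error }); ok {
		var kept []error
		for _, e := range agg.Unwrap() {
			if rest := FilterOut(e, matchers...); rest != nil {
				kept = append(kept, rest)
			}
		}
		return errors.Join(kept...) // nil when everything was tolerated
	}
	for _, m := range matchers {
		if m(err) {
			return nil
		}
	}
	return err
}

// reconcileAllLBs stands in for attaching an instance to every control plane
// load balancer: each failure is collected rather than aborting on the first,
// so the caller sees one aggregate, like the reconciler in the PR.
func reconcileAllLBs(results map[string]error) error {
	var errs []error
	for name, err := range results {
		if err != nil {
			errs = append(errs, fmt.Errorf("%s: %w", name, err))
		}
	}
	return errors.Join(errs...)
}

// BlockingError applies the PR's policy: AccessDenied (older IAM policies) and
// NotFound are tolerated; anything else must surface to the caller.
func BlockingError(results map[string]error) error {
	return FilterOut(reconcileAllLBs(results), IsAccessDenied, IsNotFound)
}

func main() {
	// Constructed outcomes for a primary ELB and a secondary NLB.
	tolerated := map[string]error{
		"primary":   &awsError{"AccessDenied", "not authorized to register targets"},
		"secondary": &awsError{"LoadBalancerNotFound", "secondary NLB not created yet"},
	}
	fmt.Println("all tolerated ->", BlockingError(tolerated))
	mixed := map[string]error{
		"primary":   &awsError{"AccessDenied", "not authorized to register targets"},
		"secondary": &awsError{"Throttling", "rate exceeded"},
	}
	fmt.Println("throttling survives ->", BlockingError(mixed))
}
```

The reason the filter has to recurse instead of handing the whole aggregate to a matcher is visible in IsAccessDenied: errors.As on a joined error returns true as soon as any element matches, so a naive `if IsAccessDenied(err)` over the aggregate would swallow a throttling or permission failure on the secondary NLB whenever the primary happened to return AccessDenied.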
This secondary control plane load balancer is primarily meant to be used for internal cluster traffic, for use cases where traffic between nodes and pods should be kept internal to the VPC network. | ||
This adds a layer of privacy to traffic, as well as potentially saving on egress costs for traffic to the Kubernetes API server. | ||
|
||
A dual load balancer topology is not used as a default in order to maintain backward compatibility with existing CAPA clusters. |
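Review bot: the added paragraph gives the motivation but none of the constraints the change enforces (the secondary load balancer is a network load balancer, its scheme must differ from ControlPlaneLoadBalancer, and security groups have to be attached at creation because AWS does not allow adding them to an NLB afterwards); suggest stating them here so users learn them from the docs rather than from a webhook rejection. "Traffic between nodes and pods" also reads as pod-to-pod traffic, while the paragraph means traffic from nodes and pods to the API server.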
We should consider adding a template for this. Also, we should think about whether we think having a 2nd internal LB is a good default for the future (i.e. then you opt out).
Yeah, I'll make an issue for the template.
One thing I'm looking at upstream is to support a slice of ControlPlaneEndpoints, which I think would tend toward a default set up of two LBs, but I'm not positive. This PR is sort of a trial run, though I think CAPZ already supports internal/external LBs.
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: richardcase. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
What type of PR is this?
/kind feature
What this PR does / why we need it:
Certain topologies of clusters may use an internal load balancer for the API server for a few reasons. A primary reason is to keep traffic within the cloud provider in order to reduce egress costs.
This PR adds support for a secondary control plane load balancer, internal to the Kubernetes cluster for such a use case.
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged): Fixes #4554
Special notes for your reviewer:
Previously, it was believed that security groups could not be added to a network load balancer, which meant that there were exceptions and exclusions around NLBs in the code. This is only true if the load balancer was created without any security groups - SGs cannot be added after creation. If the network load balancer is created with at least one security group, more can be added or removed.
See the Network Load Balancer docs for more details.
Checklist:
Release note: