OCPSTRAT-886: Support dual-stack LB in service disruption monitor #30936

Merged: openshift-merge-bot[bot] merged 1 commit into openshift:main from alebedev87:dual-stack-disruption-monitor-fix on Mar 31, 2026

@alebedev87 alebedev87 commented Mar 26, 2026

Configure the service load balancer disruption test to use NLB with RequireDualStack IP family policy when the Infrastructure CR indicates dual-stack IP families on AWS, matching the primary IP family order.

Failure on IPv6Primary cluster:

: [Monitor:service-type-load-balancer-availability][Jira:"Networking / router"] monitor test service-type-load-balancer-availability preparation expand_less	15m0s
{  failed during preparation
error waiting for load balancer: timed out waiting for service "service-test" to have a load balancer: context deadline exceeded}

Example of a failed job: link.

@coderabbitai

coderabbitai bot commented Mar 26, 2026

No actionable comments were generated in the recent review. 🎉

Walkthrough

Inspect Infrastructure CR AWS IPFamily and, when dual-stack, annotate TCP LoadBalancer services for NLB and set Service.Spec.IPFamilyPolicy to RequireDualStack with IPFamilies ordered per AWS primary IP family (IPv4-primary or IPv6-primary).

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| AWS Dual-Stack LoadBalancer Configuration (`pkg/monitortests/network/disruptionserviceloadbalancer/monitortest.go`) | On TCP Service creation, if `infra.Status.PlatformStatus.AWS` is non-nil and `IPFamily` is `DualStackIPv4Primary` or `DualStackIPv6Primary`, set `service.beta.kubernetes.io/aws-load-balancer-type: "nlb"`, `Spec.IPFamilyPolicy = RequireDualStack`, and `Spec.IPFamilies` to `[IPv4, IPv6]` or `[IPv6, IPv4]` respectively. No dual-stack fields are set for other/undefined values. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions


@openshift-ci openshift-ci bot requested review from p0lyn0mial and sjenning March 26, 2026 09:42
@openshift-ci-robot

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@alebedev87
Contributor Author

/testwith openshift/installer/main/e2e-aws-ovn-dualstack-ipv6-primary-techpreview openshift/cloud-provider-aws#135

@openshift-ci
Contributor

openshift-ci bot commented Mar 26, 2026

@alebedev87, testwith: could not generate prow job. ERROR:

no ref for requested test included in command. The org, repo, and branch containing the requested test need to be targeted by at least one of the included PRs

@alebedev87
Contributor Author

/testwith openshift/installer/main/e2e-aws-ovn-dualstack-ipv6-primary-techpreview openshift/cloud-provider-aws#135

@openshift-ci
Contributor

openshift-ci bot commented Mar 26, 2026

@alebedev87, testwith: could not generate prow job. ERROR:

no ref for requested test included in command. The org, repo, and branch containing the requested test need to be targeted by at least one of the included PRs

@alebedev87
Contributor Author

/testwith openshift/installer/main/e2e-aws-ovn-dualstack-ipv6-primary-techpreview openshift/cloud-provider-aws#135

@openshift-ci
Contributor

openshift-ci bot commented Mar 26, 2026

@alebedev87, testwith: could not generate prow job. ERROR:

no ref for requested test included in command. The org, repo, and branch containing the requested test need to be targeted by at least one of the included PRs

@alebedev87
Contributor Author

/testwith openshift/installer/main/e2e-aws-ovn-dualstack-ipv6-primary-techpreview openshift/cloud-provider-aws#135 openshift/installer#10380

Comment on lines +188 to +190
s.Annotations["service.beta.kubernetes.io/aws-load-balancer-type"] = "nlb"
dualStack := corev1.IPFamilyPolicyRequireDualStack
s.Spec.IPFamilyPolicy = &dualStack
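Review bot: the write to s.Annotations on the first of these lines panics if the map is still nil when this code runs, and nothing in the three lines shown guarantees it is set. Confirm the map is initialised earlier in the service setup, or guard the assignment with a nil check that creates the map first.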
Contributor

Minor and shouldn't block merging if it's passing tests, but could we move these 3 lines out of the case statements so it's more clear that the only variable is the order of IP families?

Contributor Author

Yeah, the boilerplate bothered me too. I tried a couple of approaches but they brought even more code. If you have an idea, I'm open for suggestions.

Member

I am a little late to the party, but we probably can try something like:

```go
// Configure dual-stack if the Infrastructure CR indicates dual-stack IP families.
// NLB is required on AWS for dual-stack load balancers.
if infra.Status.PlatformStatus.AWS != nil {
	var ipFamilies []corev1.IPFamily

	switch infra.Status.PlatformStatus.AWS.IPFamily {
	case configv1.DualStackIPv4Primary:
		ipFamilies = []corev1.IPFamily{corev1.IPv4Protocol, corev1.IPv6Protocol}
	case configv1.DualStackIPv6Primary:
		ipFamilies = []corev1.IPFamily{corev1.IPv6Protocol, corev1.IPv4Protocol}
	}

	if len(ipFamilies) > 1 {
		s.Annotations["service.beta.kubernetes.io/aws-load-balancer-type"] = "nlb"
		dualStack := corev1.IPFamilyPolicyRequireDualStack
		s.Spec.IPFamilyPolicy = &dualStack
		s.Spec.IPFamilies = ipFamilies
	}
}
```

Not blocking though as tests passed 😁
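A check for the settings discussed in this review thread, as an added example that is not code from the PR or from openshift/origin: it reports which fields of a Service disagree with the cluster's AWS IP family. The `Service` struct, the string constants and the function names are stand-ins assumed for illustration, so the block runs without the Kubernetes and OpenShift API modules.

```go
package main

import "fmt"

// Stand-ins (assumptions) for the corev1/configv1 types named in the thread;
// only the fields and values this PR touches are modelled.
type Service struct {
	Annotations    map[string]string
	IPFamilyPolicy string // "" models an unset policy
	IPFamilies     []string
}

const (
	nlbKey      = "service.beta.kubernetes.io/aws-load-balancer-type"
	v4Primary   = "DualStackIPv4Primary"
	v6Primary   = "DualStackIPv6Primary"
	requireDual = "RequireDualStack"
)

// wantFamilies returns the ordered IP families for a dual-stack value and
// nil for anything else (single-stack, empty, unknown).
func wantFamilies(awsIPFamily string) []string {
	switch awsIPFamily {
	case v4Primary:
		return []string{"IPv4", "IPv6"}
	case v6Primary:
		return []string{"IPv6", "IPv4"}
	}
	return nil
}

// checkDualStack reports each field of s that disagrees with awsIPFamily.
// Non-dual-stack clusters impose no requirements, so the result is nil.
func checkDualStack(s Service, awsIPFamily string) []string {
	fams := wantFamilies(awsIPFamily)
	if fams == nil {
		return nil
	}
	var problems []string
	if s.Annotations[nlbKey] != "nlb" { // reading a nil map is safe
		problems = append(problems, "load balancer type is not nlb")
	}
	if s.IPFamilyPolicy != requireDual {
		problems = append(problems, "ipFamilyPolicy is not RequireDualStack")
	}
	if len(s.IPFamilies) != 2 || s.IPFamilies[0] != fams[0] || s.IPFamilies[1] != fams[1] {
		problems = append(problems, fmt.Sprintf("ipFamilies %v, want %v", s.IPFamilies, fams))
	}
	return problems
}

func main() {
	// Constructed input: a Service built for an IPv4-primary cluster.
	svc := Service{
		Annotations:    map[string]string{nlbKey: "nlb"},
		IPFamilyPolicy: requireDual,
		IPFamilies:     []string{"IPv4", "IPv6"},
	}
	fmt.Println(checkDualStack(svc, v4Primary))
	fmt.Println(checkDualStack(svc, v6Primary))
	fmt.Println(checkDualStack(Service{}, v6Primary))
}
```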

Contributor Author

Good idea! Thanks @tthvo! Updated the PR.

@alebedev87
Contributor Author

: [Monitor:service-type-load-balancer-availability][Jira:"Networking / router"] monitor test service-type-load-balancer-availability preparation

The modified test passed for the dualstack-ipv6primary job, but it is interesting that it failed on the presubmit. Everything points to some hiccups from AWS; retrying to be sure.

/test e2e-aws-ovn-fips

Configure the service load balancer disruption test to use NLB with
`RequireDualStack` IP family policy when the Infrastructure CR indicates
dual-stack IP families on AWS, matching the primary IP family order.
@alebedev87 alebedev87 force-pushed the dual-stack-disruption-monitor-fix branch from ffa7b5a to ed71c18 Compare March 27, 2026 08:05

@alebedev87
Contributor Author

FIPS job is broken, latest router changes are suspected, Claude Code points to a TLS curve which is not available in FIPS:

Here are the router logs. The root cause is crystal clear at lines 17-26:

```
error reloading router: exit status 1
[NOTICE]   (13) : haproxy version is 2.8.18-ae90be6
[ALERT]    (13) : config : Proxy 'fe_sni': unable to set SSL curves list to
  'X25519MLKEM768:X25519:P-256' for bind 'unix@/var/lib/haproxy/run/haproxy-sni.sock'
[ALERT]    (13) : config : Proxy 'fe_no_sni': unable to set SSL curves list to
  'X25519MLKEM768:X25519:P-256' for bind 'unix@/var/lib/haproxy/run/haproxy-no-sni.sock'
[ALERT]    (13) : config : Fatal errors found in configuration.
```

HAProxy cannot start because it's unable to set the SSL curves list to X25519MLKEM768:X25519:P-256. This is a FIPS-specific issue — the X25519MLKEM768 curve (a post-quantum key exchange algorithm) is not available in FIPS mode because it's not FIPS-approved. HAProxy exits with a fatal configuration error, so:

1. HAProxy never starts -> no socket at /var/lib/haproxy/run/haproxy.sock
2. The backend-proxy-http healthz check fails (connection refused on port 80)
3. Startup probe kills the container after repeated failures
4. Both router pods enter CrashLoopBackOff
5. Ingress operator reports unavailable -> authentication and console also fail
6. Installation times out
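A triage helper for the failure quoted in the comment above, as an added example that is not part of the PR or of the router code: it re-joins wrapped log lines, extracts each "unable to set SSL curves list" alert and reports whether HAProxy declared the configuration fatal. The type and function names are assumptions; the sample input is the log excerpt from the comment.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// CurveAlert is one "unable to set SSL curves list" alert from an HAProxy reload.
type CurveAlert struct {
	Proxy  string
	Curves []string
	Bind   string
}

var curveRe = regexp.MustCompile(`Proxy '([^']+)': unable to set SSL curves list to '([^']+)' for bind '([^']+)'`)

// sampleLog is the excerpt quoted in the comment above, wrapped lines included.
const sampleLog = `error reloading router: exit status 1
[NOTICE]   (13) : haproxy version is 2.8.18-ae90be6
[ALERT]    (13) : config : Proxy 'fe_sni': unable to set SSL curves list to
  'X25519MLKEM768:X25519:P-256' for bind 'unix@/var/lib/haproxy/run/haproxy-sni.sock'
[ALERT]    (13) : config : Proxy 'fe_no_sni': unable to set SSL curves list to
  'X25519MLKEM768:X25519:P-256' for bind 'unix@/var/lib/haproxy/run/haproxy-no-sni.sock'
[ALERT]    (13) : config : Fatal errors found in configuration.`

// parseCurveAlerts returns every curves alert and whether the config was fatal.
func parseCurveAlerts(log string) (alerts []CurveAlert, fatal bool) {
	var records []string
	for _, line := range strings.Split(log, "\n") {
		trimmed := strings.TrimSpace(line)
		if trimmed == "" {
			continue
		}
		// A continuation line is indented and does not open a new [LEVEL] record.
		indented := line[0] == ' ' || line[0] == '\t'
		if len(records) > 0 && indented && !strings.HasPrefix(trimmed, "[") {
			records[len(records)-1] += " " + trimmed
			continue
		}
		records = append(records, trimmed)
	}
	for _, r := range records {
		if m := curveRe.FindStringSubmatch(r); m != nil {
			alerts = append(alerts, CurveAlert{m[1], strings.Split(m[2], ":"), m[3]})
		}
		if strings.Contains(r, "Fatal errors found in configuration") {
			fatal = true
		}
	}
	return alerts, fatal
}

func main() {
	alerts, fatal := parseCurveAlerts(sampleLog)
	for _, a := range alerts {
		fmt.Printf("proxy=%s bind=%s curves=%v\n", a.Proxy, a.Bind, a.Curves)
	}
	fmt.Println("fatal:", fatal)
}
```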

@alebedev87
Contributor Author

/test e2e-vsphere-ovn-upi
/test e2e-metal-ipi-ovn-ipv6

Member

@tthvo tthvo left a comment

/lgtm

@openshift-ci openshift-ci bot added the lgtm label (Indicates that a PR is ready to be merged.) Mar 27, 2026
@nrb
Contributor

nrb commented Mar 27, 2026

/lgtm

@alebedev87
Contributor Author

/test e2e-aws-ovn-fips

@ShudiLi
Member

ShudiLi commented Mar 30, 2026

/verified by e2e

@openshift-ci-robot openshift-ci-robot added the verified label (Signifies that the PR passed pre-merge verification criteria) Mar 30, 2026
@openshift-ci-robot

@ShudiLi: This PR has been marked as verified by e2e.

@sadasu
Contributor

sadasu commented Mar 30, 2026

/approve

@sadasu
Contributor

sadasu commented Mar 30, 2026

/retitle NO-JIRA: Support dual-stack LB in service disruption monitor

@openshift-ci openshift-ci bot changed the title from "Support dual-stack LB in service disruption monitor test" to "NO-JIRA: Support dual-stack LB in service disruption monitor" Mar 30, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type.) Mar 30, 2026
@openshift-ci-robot

@alebedev87: This pull request explicitly references no jira issue.

@alebedev87 alebedev87 changed the title from "NO-JIRA: Support dual-stack LB in service disruption monitor" to "OCPSTRAT-886: Support dual-stack LB in service disruption monitor" Mar 31, 2026
@openshift-ci-robot

openshift-ci-robot commented Mar 31, 2026

@alebedev87: This pull request references OCPSTRAT-886 which is a valid jira issue.

@neisw
Contributor

neisw commented Mar 31, 2026

/approve

@openshift-ci
Contributor

openshift-ci bot commented Mar 31, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alebedev87, neisw, nrb, sadasu, tthvo

@openshift-ci openshift-ci bot added the approved label (Indicates a PR has been approved by an approver from all required OWNERS files.) Mar 31, 2026

@alebedev87
Contributor Author

/test e2e-aws-ovn-serial-1of2

@alebedev87
Contributor Author

/test e2e-aws-ovn-fips

@openshift-ci
Contributor

openshift-ci bot commented Mar 31, 2026

@alebedev87: all tests passed!

@openshift-merge-bot openshift-merge-bot bot merged commit 5f58686 into openshift:main Mar 31, 2026
21 checks passed