-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clean up ALBs using spec.ingressClassName
and ALB security groups
#6389
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello aaroniscode 馃憢 Thank you for opening a Pull Request in eksctl
project. The team will review the Pull Request and aim to respond within 1-10 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl
on our website
spec.ingressClassName
spec.ingressClassName
and ALB security groups
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@aaroniscode Thanks for the contribution. Can you perhaps write up how you manually tested the changes?
sure @Himangini Testing was straightforward. Created a cluster using eksctl
alb.yaml below:
Installed AWS LB Controller using instructions here: https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html. Deploy the example game 2048 application
Then delete the cluster |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have left some suggestions but otherwise it LGTM 馃檪.
pkg/elb/cleanup.go
Outdated
securityGroupIDs, err := getSecurityGroupsOwnedByLoadBalancer(ctx, ec2API, elbAPI, elbv2API, clusterName, name, application) | ||
cleanup() | ||
if err != nil { | ||
return nil, fmt.Errorf("cannot obtain security groups for ALB %s: %s", name, err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return nil, fmt.Errorf("cannot obtain security groups for ALB %s: %s", name, err) | |
return nil, fmt.Errorf("cannot obtain security groups for ALB %s: %w", name, err) |
pkg/elb/cleanup.go
Outdated
for _, tag := range tags { | ||
if aws.ToString(tag.Key) == clusterTagKey { | ||
if aws.ToString(tag.Key) == k8sClusterTagKey || aws.ToString(tag.Key) == elbv2ClusterTagKey { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alternatively:
if aws.ToString(tag.Key) == k8sClusterTagKey || aws.ToString(tag.Key) == elbv2ClusterTagKey { | |
switch aws.ToString(tag.Key) { | |
case k8sClusterTagKey, elbv2ClusterTagKey: |
pkg/elb/cleanup.go
Outdated
ctx, cleanup := context.WithTimeout(ctx, 30*time.Second) | ||
securityGroupIDs, err := getSecurityGroupsOwnedByLoadBalancer(ctx, ec2API, elbAPI, elbv2API, clusterName, name, application) | ||
cleanup() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know this is taken from getServiceLoadBalancer
but a more idiomatic way is:
ctx, cleanup := context.WithTimeout(ctx, 30*time.Second) | |
securityGroupIDs, err := getSecurityGroupsOwnedByLoadBalancer(ctx, ec2API, elbAPI, elbv2API, clusterName, name, application) | |
cleanup() | |
ctx, cleanup := context.WithTimeout(ctx, 30*time.Second) | |
defer cleanup() | |
securityGroupIDs, err := getSecurityGroupsOwnedByLoadBalancer(ctx, ec2API, elbAPI, elbv2API, clusterName, name, application) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
pkg/elb/cleanup.go
Outdated
|
||
lb, err := getIngressLoadBalancer(ctx, ec2API, elbAPI, elbv2API, clusterConfig.Metadata.Name, i) | ||
if err != nil { | ||
return fmt.Errorf("cannot obtain information for ALB from Ingress %s/%s: %s", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return fmt.Errorf("cannot obtain information for ALB from Ingress %s/%s: %s", | |
return fmt.Errorf("cannot obtain information for ALB from Ingress %s/%s: %w", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
pkg/elb/cleanup.go
Outdated
if loadBalancerKind == network { | ||
elbv2API DescribeLoadBalancersAPIV2, clusterName string, loadBalancerName string, loadBalancerKind loadBalancerKind) (map[string]struct{}, error) { | ||
|
||
groupIds := []string{} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor nit:
groupIds := []string{} | |
var groupIDs []string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done ... I had to rename the variable in a few other places
pkg/elb/cleanup.go
Outdated
Names: []string{name}, | ||
}) | ||
if err != nil { | ||
if isELBNotFoundErr(err) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A not-found error returned from elbv2API.DescribeLoadBalancers
will not pass isELBNotFoundErr
. The error returned would be of type elasticloadbalancingv2types.LoadBalancerNotFoundException
which is not handled by isELBNotFoundErr
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for catching this ... I added a new isELBv2NotFoundErr
function that looks for the correct exception in the right package.
@cPu1 thanks for the code review and the suggestions! I applied all of your suggestions in a new commit. |
spec.ingressClassName
and ALB security groupsspec.ingressClassName
and ALB security groups
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thanks for the great contribution, Aaron! 馃帀
Description
ALBs created using
ingressClassName
in the Ingress spec are not cleaned up today. The code was only looking at the deprecatedkubernetes.io/ingress.class
annotation.The code now checks if
ingressClassName
is set and if not, falls back to checking the annotation.This is my first PR for eksctl so please guide me on required documentation. I didn't see any tests and wasn't sure if it was necessary. Let me know. Thanks.
Edit: added a second commit that fixes deletion of ALB security groups. It doesn't delete them, it just waits for the AWS LB Controller to delete them before deleting the node group.
Checklist
README.md
, or theuserdocs
directory)area/nodegroup
) and kind (e.g.kind/improvement
)BONUS POINTS checklist: complete for good vibes and maybe prizes?! 馃く