New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-9404: azure: skip LB creation when not needed #7063
Conversation
@r4f4: This pull request references Jira Issue OCPBUGS-9404, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/jira refresh |
@r4f4: This pull request references Jira Issue OCPBUGS-9404, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/hold |
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When one creates an IPI Azure cluster with an internal publishing method, it creates a standard load balancer with an empty definition. This load balancer doesn't serve a purpose since the configuration is completely empty. Because it doesn't have a public IP address and backend pools it's not providing any outbound connectivity, and there are no frontend IP configurations for ingress connectivity to the cluster.
It looks like the way we provide outbound connectivity to VMs when the install is private and not using user-defined routing, is by attaching an outbound rule to the load balancer:
installer/data/data/azure/vnet/public-lb.tf
Lines 146 to 157 in ebabc74
resource "azurerm_lb_outbound_rule" "public_lb_outbound_rule_v4" { | |
count = var.use_ipv4 && var.azure_private && ! var.azure_outbound_user_defined_routing ? 1 : 0 | |
name = "outbound-rule-v4" | |
loadbalancer_id = azurerm_lb.public.id | |
backend_address_pool_id = azurerm_lb_backend_address_pool.public_lb_pool_v4[0].id | |
protocol = "All" | |
frontend_ip_configuration { | |
name = local.public_lb_frontend_ip_v4_configuration_name | |
} | |
} |
Which leaves me with the question: how are VMs getting outbound connectivity in this scenario?
I was under the impression that we could only remove the LB if using user-defined routing.
We don't have any CI testing that performs a private install. I am floating openshift/release#38408 as an option. Have you done any local testing of this? I'm not sure what the expectations are for the cloud provider. |
It was pre-merge tested by @jinyunma before I addressed your comments. I haven't found the time to retest it yet after the update. |
Excellent! And sorry I missed that pre-merge testing in the bug. I'm not concerned about testing the recent update. Thank you! |
@jinyunma Thanks for doing the pre-merge testing on this. I see that the testing was done with user-defined routing. That makes sense and it seems like we should be able to remove the LB in that case. Are you able to test without user-defined routing? I believe in that case we still need to keep the LB, because the installer applies it's own rule to enable outbound internet access. If the install succeeds with the current changes, we want to double check to make sure Azure is not enabling default outbound access. |
yes, external LB is removed on fully private cluster (fully private cluster ( publish: Internal + outboundType: UserDefinedRouting), and no function impact.
pre-merge testing on the latest update, install private cluster successfully ( publish: Internal wihtout user-defined routing), external LB is created, and outbound rules is explicitly defined, using the frontend IP address of external LB for outbound.
|
@patrickdillon any other concerns? |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: patrickdillon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
When one creates an IPI Azure cluster with an `internal` publishing method, it creates a standard load balancer with an empty definition. This load balancer doesn't serve a purpose since the configuration is completely empty. Because it doesn't have a public IP address and backend pools it's not providing any outbound connectivity, and there are no frontend IP configurations for ingress connectivity to the cluster.
Update: no functional changes, just reusing a tf variable. |
/lgtm |
/hold Revision 4c9d13d was retested 3 times: holding |
/hold cancel |
@r4f4: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/hold Revision 4c9d13d was retested 3 times: holding |
/hold cancel |
d3dc62b
into
openshift:master
@r4f4: Jira Issue OCPBUGS-9404: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-9404 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/cherry-pick release-4.13 |
@r4f4: new pull request created: #7322 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
When one creates an IPI Azure cluster with an
internal
publishing method, it creates a standard load balancer with an empty definition. This load balancer doesn't serve a purpose since the configuration is completely empty. Because it doesn't have a public IP address and backend pools it's not providing any outbound connectivity, and there are no frontend IP configurations for ingress connectivity to the cluster.