Feature request: Support dynamic `healthCheckNodePort` for LoadBalancers

[aslafy-z]

When using a Service type LoadBalancer with externalTrafficPolicy: Local, the Scaleway CCM currently uses:

• the per-port nodePort as the default health check port, and
• a TCP health check.

This breaks the intended Kubernetes behavior, because Kubernetes already provides a dedicated dynamic port in:

spec.healthCheckNodePort

Proposal

Allow the CCM to automatically detect and use spec.healthCheckNodePort instead of relying on:

• the per-port nodePort fallback
• or a manually hardcoded annotation (there's no way of asking to healthcheck on some other port as of today)

Possible approaches

• Change the default behavior to always prefer spec.healthCheckNodePort when present
• Add an annotation that configures the LB to use spec.healthCheckNodePort like:
  service.beta.kubernetes.io/scw-loadbalancer-healthcheck-use-service-healthchecknodeport: "true"
• Add an annotation to let users specify an hardcoded port (additional feature request at Feature request: Support service.beta.kubernetes.io/scw-loadbalancer-healthcheck-port #194, pr available at feat(loadbalancer): add health check port annotation #195)
  • Support a special value that pulls the port from .spec.healthCheckNodePort (pr available at feat(loadbalancer): add healthCheckNodePort opt-in support #196)
• Or expose this through a new healthcheck type like kubeproxy (eg: feat: Add custom LB health check type using healthCheckNodePort #193)

This would align the CCM with native Kubernetes expectations and reduce configuration drift.

References

• https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies
• https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-type-loadbalancer
• https://docs.cilium.io/en/stable/network/servicemesh/gateway-api/gateway-api/#externaltrafficpolicy-for-loadbalancer-or-nodeport-services