✨ Feat: ELBv2/TGs - Add health check customization

[mtulio]

What type of PR is this?

/kind feature
/kind api-change

What this PR does / why we need it:

This change exposes the health check configuration for listeners of both load balancers, primary and secondary. When the target group is created for the API, the user will be able to customize only the health check probes, according to the limit ranges allowed by AWS.

It will allow providers to customize the API and additional listeners' target health checks to ensure existing implementations.

A significant improvement will be in the additional listeners which is currently set with basic health checks following the same protocol of the listener (TCP). Exposing this value will allow customized health check.

The example below shows how we are using to customize the API target group (from the default provided by CAPA), alongside setting custom health check parameters for additional listeners, like overriding the protocol to HTTPS, check path /healthz, setting custom probe timers:

awsCluster := &capa.AWSCluster{
  ObjectMeta: metav1.ObjectMeta{
	Name:      clusterID.InfraID,
	Namespace: capiutils.Namespace,
  },
  Spec: capa.AWSClusterSpec{
	ControlPlaneLoadBalancer: &capa.AWSLoadBalancerSpec{
		Name:                ptr.To(clusterID.InfraID + "-int"),
		LoadBalancerType:    capa.LoadBalancerTypeNLB,
		Scheme:              &capa.ELBSchemeInternal,
                HealthCheckProtocol: &capa.ELBProtocolHTTPS,
		HealthCheck: &capa.TargetGroupHealthCheck{
			IntervalSeconds:         ptr.To(int64(10)),
			TimeoutSeconds:          ptr.To(int64(10)),
			ThresholdCount:          ptr.To(int64(2)),
			UnhealthyThresholdCount: ptr.To(int64(2)),
		},
		AdditionalListeners: []capa.AdditionalListenerSpec{
			{
				Port:     22623,
				Protocol: capa.ELBProtocolTCP,
				HealthCheck: &capa.TargetGroupHealthCheck{
					Protocol:                ptr.To("HTTPS"),
					Path:                    ptr.To("/healthz"),
					IntervalSeconds:         ptr.To(int64(10)),
					TimeoutSeconds:          ptr.To(int64(10)),
					ThresholdCount:          ptr.To(int64(2)),
					UnhealthyThresholdCount: ptr.To(int64(2)),
				},
			},
		},
	},
	SecondaryControlPlaneLoadBalancer: &capa.AWSLoadBalancerSpec{
		Name:                ptr.To(clusterID.InfraID + "-ext"),
		LoadBalancerType:    capa.LoadBalancerTypeNLB,
		Scheme:              &capa.ELBSchemeInternetFacing,
                HealthCheckProtocol: &capa.ELBProtocolHTTPS,
		HealthCheck: &capa.TargetGroupHealthCheck{
			IntervalSeconds:         ptr.To(int64(10)),
			TimeoutSeconds:          ptr.To(int64(10)),
			ThresholdCount:          ptr.To(int64(2)),
			UnhealthyThresholdCount: ptr.To(int64(2)),
		},
        },
  },
}

This PR is creating dedicated the health check structures, a more restricted one to API and field-free for additional listeners, protecting to expose the API target group for both load balancers when changing standardized fields like protocol, port and path..

Which issue(s) this PR fixes:

Fixes #4884

Special notes for your reviewer:

Checklist:

• squashed commits
• includes documentation
• includes emojis
• adds unit tests
• adds or updates e2e tests

Release note:

Exposing the health check attributes for the target group for the control plane load balancers, allowing customized health checks for API or additional listeners.

[k8s-ci-robot]

Hi @mtulio. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[mtulio]

fwiw @vincepri @patrickdillon @r4f4

[mtulio]

The provision of API and additional listeners are working as expected, I am investigating unit failures for fuzzy test TestFuzzyConversion[2]

[1] e2e deployment w/ custom target health check

[2] fuzzy test failures

--- FAIL: TestFuzzyConversion (16.75s)
    --- FAIL: TestFuzzyConversion/for_AWSCluster (3.69s)
        --- FAIL: TestFuzzyConversion/for_AWSCluster/hub-spoke-hub (0.00s)
            conversion.go:241: 
                  &v1beta2.AWSCluster{
...
                - 		Annotations:                nil,
                + 		Annotations:                map[string]string{},
...
                - 			AdditionalControlPlaneIngressRules: []v1beta2.IngressRule{},
                + 			AdditionalControlPlaneIngressRules: nil,
...
                - 			HealthCheck:              &v1beta2.TargetGroupHealthCheck{Path: &"ĆĠ成", Port: &"缆zp%!ʛ(MISSING)(", TimeoutSeconds: &5940725222272119504},
                + 			HealthCheck:              nil,
...
                - 				AvailabilityZones: []string{},
                + 				AvailabilityZones: nil,
...
FAIL
FAIL	sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta1	16.761s

[mtulio]

PR comments addressed.
The issue was already created to formalize the "feature request" flow :)

#4884

cc @nrb @vincepri @faiq

[nrb]

/lgtm as well

[mtulio]

@richardcase would you mind taking a look in this proposal, please?

[richardcase]

/test pull-cluster-api-provider-aws-e2e
/test pull-cluster-api-provider-aws-e2e-eks

[richardcase]

Thanks for this @mtulio .

Once both the e2e passes we can unhold

/hold

From my side this looks good, so:

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: richardcase

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [richardcase]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[richardcase]

Timed out, retrying in case its a flake:

/test pull-cluster-api-provider-aws-e2e

[nrb]

Yet another time out with GPU instances...

/test pull-cluster-api-provider-aws-e2e

[faiq]

@nrb is there a bug/issue for the GPU tests?

[nrb]

@nrb is there a bug/issue for the GPU tests?

Not specifically yet, just #4937 and #4783 (comment)

[mtulio]

Once both the e2e passes we can unhold

/hold

From my side this looks good, so:

/approve

@richardcase @nrb e2e* are now passing. 🎉

[nrb]

/unhold

[r4f4]

@mtulio seems like the same problem here: needs a rebase on top of master.

[mtulio]

@mtulio: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-cluster-api-provider-aws-verify 97489d2 link unknown /test pull-cluster-api-provider-aws-verify

Rebased to fix codegen issue

[mtulio]

@nrb passing now. Would you mind to res-stamp lgtm cleaned after rebase? Thanks :)

[nrb]

/lgtm