Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adds annotation kubernetes.io/ingress.reserve-global-static-ip-name to signal GLBC to manage static IP #1182

Closed
wants to merge 3 commits into from
Closed

Adds annotation kubernetes.io/ingress.reserve-global-static-ip-name to signal GLBC to manage static IP #1182

wants to merge 3 commits into from

Conversation

retpolanne
Copy link
Contributor

@retpolanne retpolanne commented Jul 15, 2020
edited
Loading

This PR is a follow-up of #1151

This PR adds the kubernetes.io/ingress.reserve-global-static-ip-name annotation, which is a string that specifies a static IP name and manages it, differing from the behaviour of kubernetes.io/ingress.global-static-ip-name.

Things taken in consideration

The behaviour for kubernetes.io/ingress.global-static-ip-name is still the same: if the static IP doesn't exist on GCE, it will fail. However, kubernetes.io/ingress.reserve-global-static-ip-name will bypass the failure and reserve the static IP with the name provided.

This is different from the default behaviour seen in #1080: even if kubernetes.io/ingress.global-static-ip-name was provided, the static IP was reserved with a namer (that follows the pattern k8s-resource--uid) and if the user reserved the static IP with the name provided, GLBC would flip to using that, causing downtime.

In the approach of this PR, however, if kubernetes.io/ingress.global-static-ip-name is provided, we use its value from the beginning.

To avoid flipping to a managed static IP when already using a static IP, we check if there is already a static IP for an Ingress. If it exists, the kubernetes.io/ingress.global-static-ip-name behaviour is ignored.

Things not taken in consideration

If the user supplies kubernetes.io/ingress.reserve-global-static-ip-name at a later time, the regression will be triggered, causing the IP flip and downtime.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jul 15, 2020
@k8s-ci-robot
Copy link
Contributor

Hi @vinicyusmacedo. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 15, 2020
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vinicyusmacedo
To complete the pull request process, please assign mrhohn
You can assign the PR to them by writing /assign @mrhohn in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested review from bowei and MrHohn July 15, 2020 12:56
@retpolanne
Copy link
Contributor Author

/cc @prameshj

@k8s-ci-robot k8s-ci-robot requested a review from prameshj July 15, 2020 12:59
@rramkumar1
Copy link
Contributor

@vinicyusmacedo We need to think about how to make sure the regression is not triggered again (as you mention in the "Things not taken in consideration" section).

Can you please provide some options? Ideally, we are able to introduce an API without leaving the user the opportunity to shoot themselves in the foot.

@retpolanne
Copy link
Contributor Author

@rramkumar1 I was thinking about checking if the Ingress already has forwarding rules. If it has one already, the ReserveGlobalStaticIP logic is skipped. This way, we will be sure that ReserveGlobalStaticIP only has effect when the ingress is being created. The problem with this approach: it will probably fail during syncs, since the expected static IP name will differ.

Another approach is checking with the cloud provider if the static IP name points to the same forwarding rules as the ones on the Ingress. If it doesn't, we can fallback to using the default static IP namer.

@retpolanne retpolanne changed the title Adds annotation kubernetes.io/ingress.reserve-global-static-ip to signal GLBC to manage static IP Adds annotation kubernetes.io/ingress.reserve-global-static-ip-name to signal GLBC to manage static IP Jul 18, 2020
@retpolanne
Copy link
Contributor Author

retpolanne commented Jul 18, 2020
edited
Loading

@rramkumar1 I had an idea for ensuring a flip doesn't happen. Please check the last commit.

When l.ip exists (whether it was created when a TLS pre-shared cert or a StaticIPName was specified), we simply ignore ReserveGlobalStaticIPNameKey. This way, we will never flip to its value when it is specified later.

It won't work for Ingresses without TLS/Static IP though, as the IP will be ephemeral.

@rramkumar1
Copy link
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 19, 2020
@k8s-ci-robot k8s-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jul 30, 2020
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 24, 2020
@retpolanne
- Adds annotation ReserveGlobalStaticIPKey and tests it. When applied…
d32a14e 
…, the annotation kubernetes.io/ingress.reserve-global-static-ip becomes available, but does nothing

- Adds ReserveGlobalStaticIP to L7's runtime info and populates it on controller

- Adds test cases for ReserveGlobalStaticIP, whether with existing and non-existent static ip

- TestReserveGlobalStaticIPExistingValue changed - If the IP already exists and ReserveGlobalStaticIP is set, the behavior shouldn't be different.

- Changes getEffectiveIP behavior to return true for managed if ReserveGlobalStaticIP is provided, changes checkStaticIP to use the provided static IP name

- Changes the annotation ReserveGlobalStaticIPKey – instead of being a boolean, it is now a string specifing a static ip name

- Checks if l.ip is null before using ReserveGlobalStaticIPName, ensuring that if the ingress has a static IP already, it shouldn't flip to using ReserveGlobalStaticIPName
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 24, 2020
prameshj
prameshj reviewed Aug 26, 2020
View reviewed changes
pkg/annotations/ingress.go Outdated
// GCE static ip for its forwarding rules. If specified, the Ingress controller
// reserves and assigns the static ip by this name to the forwarding rules of the
// given ingress. It differs from StaticIPNameKey, since the controller does manage
// this ip.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add that it is the user's responsibility to not use the same value for both "kubernetes.io/ingress.reserve-global-static-ip-name" and "kubernetes.io/ingress.global-static-ip-name" in the same or different ingresses.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does my comment make it clear? Do not use the same value for both this annotation and GlobalStaticIPNameKey.. Or should I change it to It's the user responsibility not to use the same value for both this annotation and GlobalStaticIPNameKey?

pkg/annotations/ingress.go
@@ -117,17 +124,12 @@ func FromIngress(ing *v1beta1.Ingress) *Ingress {
return &Ingress{ing.Annotations}
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add a comment

@prameshj
Copy link
Contributor

@spencerhance Can you take a look if this can be supported with ILB staticIP config as well?

@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 24, 2020
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 25, 2020
@k8s-ci-robot k8s-ci-robot added the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Dec 25, 2020
@fejta-bot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Copy link
Contributor

@fejta-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@prameshj prameshj prameshj left review comments

@bowei bowei Awaiting requested review from bowei

@MrHohn MrHohn Awaiting requested review from MrHohn

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@retpolanne @k8s-ci-robot @rramkumar1 @prameshj @fejta-bot