OCPBUGS-33311: aws: fix NLB creation in secret regions #8636
Conversation
openshift-ci-robot
added
jira/severity-critical
|
@r4f4: This pull request references Jira Issue OCPBUGS-33311, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/hold Until the fix is merged upstream. |
openshift-ci
bot
added
the
do-not-merge/hold
openshift-merge-robot
added
the
needs-rebase
r4f4
force-pushed
the
aws-secret-region-nlb-sgs
branch
from
3e22210 to
3e3f56a
Compare
openshift-merge-robot
removed
the
needs-rebase
openshift-merge-robot
added
the
needs-rebase
This is leftover from before CAPA had support for a public LB as the secondary controlPlane load balancer. We had to configure the AWSCluster in such a way the primary load balancer would either be `InternetFacing` if publish was set to "External" or `Internal` otherwise. Now the primary LB is always `Internal` and the secondary LB only exists when publish is "External".
r4f4
force-pushed
the
aws-secret-region-nlb-sgs
branch
from
3e3f56a to
331a4f0
Compare
openshift-merge-robot
removed
the
needs-rebase
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
The CAPA bump including the fix was done as part of #8676 |
|
/jira refresh |
openshift-ci-robot
added
jira/valid-bug
|
@r4f4: This pull request references Jira Issue OCPBUGS-33311, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (yunjiang@redhat.com), skipping review request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/cc @patrickdillon |
|
@r4f4: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/cc @barbacbd |
| @@ -146,9 +146,6 @@ func (*Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput) | |||
| return fmt.Errorf("failed to find HostedZone ID for NLB: %w", err) | |||
| } | |||
| apiHost := awsCluster.Status.Network.SecondaryAPIServerELB.DNSName | |||
| if awsCluster.Status.Network.APIServerELB.Scheme == capa.ELBSchemeInternetFacing { | |||
| apiHost = awsCluster.Status.Network.APIServerELB.DNSName | |||
| } | |||
| apiIntHost := awsCluster.Spec.ControlPlaneEndpoint.Host | |||
| err = client.CreateOrUpdateRecord(ctx, in.InstallConfig.Config, apiHost, apiIntHost, phzID, aliasZoneID) | |||
There was a problem hiding this comment.
this looks like its going to attempt to make a record for a public zone even when the install is internal. Is this true or did I miss something?
There was a problem hiding this comment.
It was handled by the CreateOrUpdateRecord function but I factored it in later commits in this PR.
This function was doing way more than its name says: it was creating records in both private and public zones. The argument names were also not very descriptive and very hard to decipher at a glance. This change moves the logic out of the function and into the aws `InfraReady` hook. This not only makes the logic more readable, but it also paves the way for the use of Classic Load Balancer types.
Tagging the resource as "owned" should be part of the creation.
This should remove any ambiguity/misunderstanding when the field names are not clear enough.
r4f4
force-pushed
the
aws-secret-region-nlb-sgs
branch
from
d5dbdb9 to
20cd86a
Compare
|
Update: consolidated |
|
/lgtm One of the commit messages says:
Not sure if there is motivation to ever use Classic LBs? But code changes are a marked improvement. Thanks! |
It was the motivation at the beginning but then we realized it was better to have CAPA support NLBs without security groups then to try to use classic LBs for secret regions. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: barbacbd The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
3 similar comments
|
@r4f4: Jira Issue OCPBUGS-33311: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-33311 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/cherry-pick release-4.17 |
|
@r4f4: new pull request created: #9071 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[ART PR BUILD NOTIFIER] Distgit: ose-installer-altinfra |
|
[ART PR BUILD NOTIFIER] Distgit: ose-installer-terraform-providers |
|
[ART PR BUILD NOTIFIER] Distgit: ose-baremetal-installer |
|
[ART PR BUILD NOTIFIER] Distgit: ose-installer-artifacts |
This PR bumps CAPA to incorporate a fix for creating NLBs in secret regions [1], which do not support security groups.
It also uses the opportunity to do some refactoring in the part of the code that creates route53 records.
[1] kubernetes-sigs/cluster-api-provider-aws#5030