feat: add label 'exclude-from-external-load-balancers' for cp nodes

Fixes #8749 Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
siderolabs · Jul 16, 2024 · ea626a9 · ea626a9
1 parent 1cf76cf
commit ea626a9
Show file tree

Hide file tree

Showing 7 changed files with 37 additions and 0 deletions.
diff --git a/hack/release.toml b/hack/release.toml
@@ -95,6 +95,12 @@ Talos Linux configures kube-proxy >= v1.31.0 to use 'nftables' backend by defaul
         title = "Custom Trusted Roots"
         description = """\
 Talos Linux now supports adding [custom trusted roots](https://www.talos.dev/v1.8/talos-guides/configuration/certificate-authorities/) (CA certificates) via `TrustedRootsConfig` configuration documents.
+"""
+
+    [notes.labels]
+        title = "Default Node Labels"
+        description = """\
+Talos Linux on config generation now adds a label `node.kubernetes.io/exclude-from-external-load-balancers` by default for the control plane nodes.
 """
 
 [make_deps]

diff --git a/pkg/machinery/config/contract.go b/pkg/machinery/config/contract.go
@@ -157,3 +157,9 @@ func (contract *VersionContract) ClusterNameForWorkers() bool {
 func (contract *VersionContract) HostDNSForwardKubeDNSToHost() bool {
 	return contract.Greater(TalosVersion1_7)
 }
+
+// AddExcludeFromExternalLoadBalancer returns true if the label 'node.kubernetes.io/exclude-from-external-load-balancers' is automatically added
+// for controlplane nodes.
+func (contract *VersionContract) AddExcludeFromExternalLoadBalancer() bool {
+	return contract.Greater(TalosVersion1_7)
+}
diff --git a/pkg/machinery/config/contract_test.go b/pkg/machinery/config/contract_test.go
@@ -63,6 +63,7 @@ func TestContractCurrent(t *testing.T) {
 	assert.True(t, contract.UseRSAServiceAccountKey())
 	assert.True(t, contract.ClusterNameForWorkers())
 	assert.True(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.True(t, contract.AddExcludeFromExternalLoadBalancer())
 }
 
 func TestContract1_8(t *testing.T) {
@@ -84,6 +85,7 @@ func TestContract1_8(t *testing.T) {
 	assert.True(t, contract.UseRSAServiceAccountKey())
 	assert.True(t, contract.ClusterNameForWorkers())
 	assert.True(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.True(t, contract.AddExcludeFromExternalLoadBalancer())
 }
 
 func TestContract1_7(t *testing.T) {
@@ -105,6 +107,7 @@ func TestContract1_7(t *testing.T) {
 	assert.True(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
 	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.False(t, contract.AddExcludeFromExternalLoadBalancer())
 }
 
 func TestContract1_6(t *testing.T) {
@@ -126,6 +129,7 @@ func TestContract1_6(t *testing.T) {
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
 	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.False(t, contract.AddExcludeFromExternalLoadBalancer())
 }
 
 func TestContract1_5(t *testing.T) {
@@ -147,6 +151,7 @@ func TestContract1_5(t *testing.T) {
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
 	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.False(t, contract.AddExcludeFromExternalLoadBalancer())
 }
 
 func TestContract1_4(t *testing.T) {
@@ -168,6 +173,7 @@ func TestContract1_4(t *testing.T) {
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
 	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.False(t, contract.AddExcludeFromExternalLoadBalancer())
 }
 
 func TestContract1_3(t *testing.T) {
@@ -189,6 +195,7 @@ func TestContract1_3(t *testing.T) {
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
 	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.False(t, contract.AddExcludeFromExternalLoadBalancer())
 }
 
 func TestContract1_2(t *testing.T) {
@@ -210,6 +217,7 @@ func TestContract1_2(t *testing.T) {
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
 	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.False(t, contract.AddExcludeFromExternalLoadBalancer())
 }
 
 func TestContract1_1(t *testing.T) {
@@ -231,6 +239,7 @@ func TestContract1_1(t *testing.T) {
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
 	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.False(t, contract.AddExcludeFromExternalLoadBalancer())
 }
 
 func TestContract1_0(t *testing.T) {
@@ -252,4 +261,5 @@ func TestContract1_0(t *testing.T) {
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
 	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.False(t, contract.AddExcludeFromExternalLoadBalancer())
 }
diff --git a/pkg/machinery/config/generate/init.go b/pkg/machinery/config/generate/init.go
@@ -100,6 +100,14 @@ func (in *Input) init() ([]config.Document, error) {
 		}
 	}
 
+	if in.Options.VersionContract.AddExcludeFromExternalLoadBalancer() {
+		if machine.MachineNodeLabels == nil {
+			machine.MachineNodeLabels = map[string]string{}
+		}
+
+		machine.MachineNodeLabels[constants.LabelExcludeFromExternalLB] = ""
+	}
+
 	certSANs := in.GetAPIServerSANs()
 
 	controlPlaneURL, err := url.Parse(in.ControlPlaneEndpoint)

diff --git a/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/base-controlplane.yaml b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/base-controlplane.yaml
@@ -26,6 +26,8 @@ machine:
         hostDNS:
             enabled: true
             forwardKubeDNSToHost: true
+    nodeLabels:
+        node.kubernetes.io/exclude-from-external-load-balancers: ""
 cluster:
     id: 0raF93qnkMvF-FZNuvyGozXNdLiT2FOWSlyBaW4PR-w=
     secret: pofHbABZq7VXuObsdLdy/bHmz6hlMHZ3p8+6WKrv1ic=

diff --git a/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/overrides-controlplane.yaml b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/overrides-controlplane.yaml
@@ -45,6 +45,8 @@ machine:
         hostDNS:
             enabled: true
             forwardKubeDNSToHost: true
+    nodeLabels:
+        node.kubernetes.io/exclude-from-external-load-balancers: ""
 cluster:
     id: 0raF93qnkMvF-FZNuvyGozXNdLiT2FOWSlyBaW4PR-w=
     secret: pofHbABZq7VXuObsdLdy/bHmz6hlMHZ3p8+6WKrv1ic=

diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go
@@ -375,6 +375,9 @@ const (
 	// LabelNodeRoleControlPlane is the node label required by a control plane node.
 	LabelNodeRoleControlPlane = "node-role.kubernetes.io/control-plane"
 
+	// LabelExcludeFromExternalLB can be set on a node to exclude it from external load balancers.
+	LabelExcludeFromExternalLB = "node.kubernetes.io/exclude-from-external-load-balancers"
+
 	// ManifestsDirectory is the directory that contains all static manifests.
 	ManifestsDirectory = KubernetesConfigBaseDir + "/" + "manifests"