Conversation

@simonklb (Contributor) commented Dec 5, 2025

Warning

This is a public repository, ensure not to disclose:

  • personal data beyond what is necessary for interacting with this pull request, nor
  • business confidential information, such as customer names.

What kind of PR is this?

Required: Mark one of the following that is applicable:

  • kind/feature
  • kind/improvement
  • kind/deprecation
  • kind/documentation
  • kind/clean-up
  • kind/bug
  • kind/other

Optional: Mark one or more of the following that are applicable:

Important

Breaking changes should be marked kind/admin-change or kind/dev-change depending on type
Critical security fixes should be marked with kind/security

  • kind/admin-change
  • kind/dev-change
  • kind/security
  • [kind/adr](set-me)

What does this PR do / why do we need this PR?

Without this the kube-vip setup does not work.

Information to reviewers

  1. Not sure if we also should add some default node-selector and tolerations?
  2. This will break the Kubespray setup. Do we have any other similar situations where we can configure them differently?

Checklist

  • Proper commit message prefix on all commits
  • Change checks:
    • The change is transparent
    • The change is disruptive
    • The change requires no migration steps
    • The change requires migration steps
    • The change updates CRDs
    • The change updates the config and the schema
  • Documentation checks:
  • Metrics checks:
    • The metrics are still exposed and present in Grafana after the change
    • The metrics names didn't change (Grafana dashboards and Prometheus alerts required no updates)
    • The metrics names did change (Grafana dashboards and Prometheus alerts required an update)
  • Logs checks:
    • The logs do not show any errors after the change
  • PodSecurityPolicy checks:
    • Any changed Pod is covered by Kubernetes Pod Security Standards
    • Any changed Pod is covered by Gatekeeper Pod Security Policies
    • The change does not cause any Pods to be blocked by Pod Security Standards or Policies
  • NetworkPolicy checks:
    • Any changed Pod is covered by Network Policies
    • The change does not cause any dropped packets in the NetworkPolicy Dashboard
  • Audit checks:
    • The change does not cause any unnecessary Kubernetes audit events
    • The change requires changes to Kubernetes audit policy
  • Falco checks:
    • The change does not cause any alerts to be generated by Falco
  • Bug checks:
    • The bug fix is covered by regression tests

@simonklb simonklb requested review from Xartos, viktor-f and vomba December 5, 2025 17:15
@Xartos (Contributor) left a comment

Suggestion: Also add migration for this to add the old variables as overrides, since it might break existing clusters that are using these defaults.

@simonklb (Contributor, Author) commented Dec 8, 2025

  1. Not sure if we also should add some default node-selector and tolerations?

  2. This will break the Kubespray setup. Do we have any other similar situations where we can configure them differently?

@simonklb (Contributor, Author) commented Dec 8, 2025

Suggestion: Also add migration for this to add the old variables as overrides, since it might break existing clusters that are using these defaults.

Do we have any Safespring clusters on CAPI?

@simonklb simonklb requested review from a team and Xartos December 8, 2025 12:28
@simonklb (Contributor, Author) commented Dec 8, 2025

Added @elastisys/goto-cluster-api and @elastisys/goto-safespring as reviewers for extra eyes on this

@vomba (Contributor) commented Dec 8, 2025

Suggestion: Also add migration for this to add the old variables as overrides, since it might break existing clusters that are using these defaults.

Do we have any Safespring clusters on CAPI?

I don't think we have any now.

@Xartos (Contributor) commented Dec 8, 2025

  1. Not sure if we also should add some default node-selector and tolerations?

Nope, that depends on how the cluster is set up and we can't know that in advance.

  2. This will break the Kubespray setup. Do we have any other similar situations where we can configure them differently?

This is why we need migration scripts, so that existing clusters keep their old configuration that is currently working. This could be the default going forward, but the migration from 49 -> 50 should at least not break existing clusters.
Then you'll have to start to override if you are using kubespray, but hopefully the main clusters should use capi from here on.

@simonklb (Contributor, Author) commented Dec 8, 2025

  1. Not sure if we also should add some default node-selector and tolerations?

Nope, that depends on how the cluster is set up and we can't know that in advance.

  2. This will break the Kubespray setup. Do we have any other similar situations where we can configure them differently?

This is why we need migration scripts, so that existing clusters keep their old configuration that is currently working. This could be the default going forward, but the migration from 49 -> 50 should at least not break existing clusters. Then you'll have to start to override if you are using kubespray, but hopefully the main clusters should use capi from here on.

I'll try to make it possible to have separate configs for separate installers instead. Feels like as long as we support multiple installers this will be necessary.

@aarnq (Contributor) commented Dec 9, 2025

I'm unsure why this is being changed?

Will this mean that we only support Safespring on CAPI from this moment onwards? If so then fine, note that we will then have the additional requirement of always having Elastic IPs available there.

Why this wasn't changed to match how we set up MetalLB (which is the same configuration as this) was due to it requiring internal steps to set up, and Elastic IPs. So it wasn't considered something that someone could pick up and use by default.

@simonklb simonklb requested a review from a team as a code owner December 9, 2025 09:44
@simonklb (Contributor, Author) commented Dec 9, 2025

I'm unsure why this is being changed?

Will this mean that we only support Safespring on CAPI from this moment onwards? If so then fine,

Not anymore: b9d990d

note that we will then have the additional requirement of always having Elastic IPs available there.

Someone that has more insight will have to answer this.

Why this wasn't changed to match how we set up MetalLB (which is the same configuration as this) was due to it requiring internal steps to set up, and Elastic IPs. So it wasn't considered something that someone could pick up and use by default.

Someone that has more insight will have to answer this.

@vomba (Contributor) left a comment

🚀

bin/init.bash Outdated
if [[ -f "${config_template_path}/providers/${CK8S_CLOUD_PROVIDER}/${config_name}" ]]; then
if [[ -f "${config_template_path}/providers/${CK8S_CLOUD_PROVIDER}/${CK8S_K8S_INSTALLER}/${config_name}" ]]; then
files+=("${config_template_path}/providers/${CK8S_CLOUD_PROVIDER}/${CK8S_K8S_INSTALLER}/${config_name}")
elif [[ -f "${config_template_path}/providers/${CK8S_CLOUD_PROVIDER}/${config_name}" ]]; then
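Review bot: the added `if` branch has no guard for an empty `CK8S_K8S_INSTALLER`; because `providers/${CK8S_CLOUD_PROVIDER}//${config_name}` resolves to the same file as the provider-level path, an unset installer variable makes the provider file pass as installer-specific and the missing variable goes unnoticed. Consider failing fast with `"${CK8S_K8S_INSTALLER:?}"` before the test. Also, since the installer file replaces the provider file rather than being layered on top of it, each installer directory has to carry the full provider configuration.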
Contributor
What if the installer-specific one was last and contained only installer-specific overrides? I'm thinking there's a lot of duplication

Contributor (Author)

Agreed!
Verify: e4753c3
Your requested change: 7edf200
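The layering this thread settles on (the installer-specific file applied last, carrying only overrides) as an added shell example; it is not code from the PR or from the project's bin/init.bash. The function names `resolve_config_files`, `effective_value` and `build_fixture`, the `common/` directory, the refusal of an empty provider or installer, and the keys and values in the fixture files are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the PR's bin/init.bash: resolve config templates in
# layered precedence order (common -> provider -> provider/installer) so the
# installer-specific file is applied last and only needs to hold overrides.
# Function names, the common/ directory and the fixture contents are assumptions.
set -eu

# Print the template files to apply, one per line, lowest precedence first.
# Arguments: template root, cloud provider, k8s installer, config file name.
resolve_config_files() {
  local root provider installer name f
  root="$1"; provider="$2"; installer="$3"; name="$4"
  # Refuse an empty provider or installer: "providers/x//file" resolves to
  # "providers/x/file", so an unset variable would silently select the
  # provider file as if it were installer-specific.
  if [ -z "$provider" ] || [ -z "$installer" ]; then
    echo "provider and installer must both be set" >&2
    return 2
  fi
  for f in "$root/common/$name" \
           "$root/providers/$provider/$name" \
           "$root/providers/$provider/$installer/$name"; do
    [ -f "$f" ] && echo "$f"
  done
  return 0
}

# Effective value of a top-level "key: value" line after layering: the last
# file (highest precedence) that defines the key wins. The fixture files are
# flat "key: value" lines; a real init would merge YAML with a tool like yq.
# Arguments: key, then the files in the order resolve_config_files printed them.
effective_value() {
  local key value f
  key="$1"; shift
  value=""
  for f in "$@"; do
    if grep -q "^$key:" "$f"; then
      value=$(sed -n "s/^$key: *//p" "$f")
    fi
  done
  printf '%s\n' "$value"
}

# Constructed fixture tree: a common default, a provider-wide override and an
# installer-specific override for "capi" only (no kubespray directory).
build_fixture() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/common" "$root/providers/safespring/capi"
  printf 'loadBalancer: none\nstorageClass: ceph\n' > "$root/common/config.yaml"
  printf 'loadBalancer: metallb\n' > "$root/providers/safespring/config.yaml"
  printf 'loadBalancer: kube-vip\n' > "$root/providers/safespring/capi/config.yaml"
  echo "$root"
}

root=$(build_fixture)
# Paths come from mktemp and contain no whitespace, so word splitting is safe here.
echo "capi:      $(effective_value loadBalancer $(resolve_config_files "$root" safespring capi config.yaml))"
echo "kubespray: $(effective_value loadBalancer $(resolve_config_files "$root" safespring kubespray config.yaml))"
```

With this ordering the capi installer ends up with `kube-vip` from its own override file, while kubespray, which has no installer directory in the fixture, falls through to the provider-wide `metallb`; keys that no override touches (`storageClass`) keep the common default.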

@simonklb simonklb requested a review from a team as a code owner December 9, 2025 12:13
@simonklb simonklb requested review from Zash and aarnq December 9, 2025 12:14
@Zash (Contributor) left a comment

Nice code to test ratio 😃

@simonklb simonklb requested a review from aarnq December 11, 2025 12:14
@simonklb (Contributor, Author) commented

Odd... The new commit I pushed should not have caused the tests to fail like this

@simonklb (Contributor, Author) commented

Odd... The new commit I pushed should not have caused the tests to fail like this

GitHub had issues so the downloaded yq binary was just the HTML of an error page. 😄 We should start verifying the checksums... 😄
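The failure mode described here (an HTML error page saved in place of the binary) and the checksum check that catches it, as an added shell example; it is not code from the PR or the project's Dockerfile. The functions `install_verified` and `fetch_verified`, the stand-in release file and the constructed error page are assumptions; the pinned digest is computed once from the stand-in where a real build would hard-code the value from the release's checksums file.

```shell
#!/bin/sh
# Added example, not the PR's Dockerfile: install a downloaded binary only
# after its SHA-256 matches a pinned digest, so a truncated download or an
# HTML error page saved in place of the artefact is rejected instead of
# ending up on PATH. Function names and the fixture files are assumptions.
set -eu

# Compare the file's SHA-256 with the pinned digest; on mismatch delete the
# file and fail, otherwise install it executable at the destination.
# Arguments: downloaded file, expected hex digest, destination path.
install_verified() {
  local file expected dest actual
  file="$1"; expected="$2"; dest="$3"
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    rm -f "$file"
    return 1
  fi
  install -m 0755 "$file" "$dest"
}

# Download and verify in one step. --fail makes curl exit non-zero on an HTTP
# error instead of saving the error page, so a bad download is reported before
# the checksum is even compared. (Needs network; not exercised below.)
# Arguments: URL, expected hex digest, destination path.
fetch_verified() {
  local url expected dest tmp
  url="$1"; expected="$2"; dest="$3"
  tmp=$(mktemp)
  curl --fail --silent --show-error --location --output "$tmp" "$url"
  install_verified "$tmp" "$expected" "$dest"
}

# Constructed fixtures: a stand-in for the release binary, and the kind of
# HTML error page a failed GitHub download can leave behind.
work=$(mktemp -d)
printf '#!/bin/sh\necho "yq stub"\n' > "$work/release"
# Pinned digest: in a real build this is hard-coded from the release's
# checksums file; here it is computed once from the constructed stand-in.
PINNED=$(sha256sum "$work/release" | cut -d' ' -f1)

cp "$work/release" "$work/download-ok"
install_verified "$work/download-ok" "$PINNED" "$work/yq" && echo "installed $work/yq"

printf '<html><body>Server Error</body></html>\n' > "$work/download-bad"
install_verified "$work/download-bad" "$PINNED" "$work/yq-bad" || echo "rejected HTML error page"
```

The good download is installed; the error page fails the comparison, is removed, and nothing is written to the destination, which is the property the inline `sha256sum -c` in the Dockerfile gives a build.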


ARG YQ_VERSION="4.45.1"
RUN curl -LOs "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64" && \
echo "654d2943ca1d3be2024089eb4f270f4070f491a0610481d128509b2834870049 yq_linux_amd64" | sha256sum -c - && \
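Review bot: `curl -LOs` has no `--fail`, so an HTTP error still exits 0 and the error page is written to `yq_linux_amd64`; it is then only rejected by `sha256sum -c` and surfaces as a checksum mismatch rather than as a download failure. Using `curl -fsSLO ...` fails at the download step with curl's own error (`-S` keeps error output despite `-s`). The pinned digest is also tied to `YQ_VERSION="4.45.1"`: any bump of the ARG, including via `--build-arg`, has to update the hash in the same change or the build will fail.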
Contributor

Neat way of validating hash inline

@simonklb simonklb force-pushed the simonklb/safespring-capi-support branch from b3a0e4a to a90fa7a December 15, 2025 08:28
@simonklb simonklb merged commit 1d9ffa8 into main Dec 15, 2025
12 checks passed
@simonklb simonklb deleted the simonklb/safespring-capi-support branch December 15, 2025 08:36

Labels

None yet

Projects

None yet

5 participants