Merge pull request #1466 from shysank/cp_lb_config

Make control plane outbound lb configurable

Author: k8s-ci-robot

api/v1alpha3/azurecluster_conversion.go

@@ -54,6 +54,7 @@ func (src *AzureCluster) ConvertTo(dstRaw conversion.Hub) error { // nolint
 	dst.Spec.NetworkSpec.APIServerLB.FrontendIPsCount = restored.Spec.NetworkSpec.APIServerLB.FrontendIPsCount
 	dst.Spec.NetworkSpec.APIServerLB.IdleTimeoutInMinutes = restored.Spec.NetworkSpec.APIServerLB.IdleTimeoutInMinutes
 	dst.Spec.NetworkSpec.NodeOutboundLB = restored.Spec.NetworkSpec.NodeOutboundLB
+	dst.Spec.NetworkSpec.ControlPlaneOutboundLB = restored.Spec.NetworkSpec.ControlPlaneOutboundLB
 	dst.Spec.CloudProviderConfigOverrides = restored.Spec.CloudProviderConfigOverrides
 	dst.Spec.BastionSpec = restored.Spec.BastionSpec
 

api/v1alpha3/zz_generated.conversion.go

@@ -53,6 +53,7 @@ func (c *AzureCluster) setNetworkSpecDefaults() {
 	c.setSubnetDefaults()
 	c.setAPIServerLBDefaults()
 	c.setNodeOutboundLBDefaults()
+	c.setControlPlaneOutboundLBDefaults()
 }
 
 func (c *AzureCluster) setResourceGroupDefault() {
@@ -196,6 +197,42 @@ func (c *AzureCluster) setNodeOutboundLBDefaults() {
 		lb.FrontendIPsCount = pointer.Int32Ptr(1)
 	}
 
+	c.setOutboundLBFrontendIPs(lb, generateNodeOutboundIPName)
+}
+
+func (c *AzureCluster) setControlPlaneOutboundLBDefaults() {
+	// public clusters don't need control plane outbound lb
+	if c.Spec.NetworkSpec.APIServerLB.Type == Public {
+		return
+	}
+
+	// private clusters can disable control plane outbound lb by setting it to nil.
+	if c.Spec.NetworkSpec.ControlPlaneOutboundLB == nil {
+		return
+	}
+
+	lb := c.Spec.NetworkSpec.ControlPlaneOutboundLB
+	lb.Type = Public
+	lb.SKU = SKUStandard
+
+	if lb.Name == "" {
+		lb.Name = generateControlPlaneOutboundLBName(c.ObjectMeta.Name)
+	}
+
+	if lb.IdleTimeoutInMinutes == nil {
+		lb.IdleTimeoutInMinutes = pointer.Int32Ptr(DefaultOutboundRuleIdleTimeoutInMinutes)
+	}
+
+	if lb.FrontendIPsCount == nil {
+		lb.FrontendIPsCount = pointer.Int32Ptr(1)
+	}
+
+	c.setOutboundLBFrontendIPs(lb, generateControlPlaneOutboundIPName)
+}
+
+// setOutboundLBFrontendIPs sets the frontend ips for the given load balancer.
+// The name of the frontend ip is generated using generatePublicIPName function.
+func (c *AzureCluster) setOutboundLBFrontendIPs(lb *LoadBalancerSpec, generatePublicIPName func(string) string) {
 	switch *lb.FrontendIPsCount {
 	case 0:
 		lb.FrontendIPs = []FrontendIP{}
@@ -204,7 +241,7 @@ func (c *AzureCluster) setNodeOutboundLBDefaults() {
 			{
 				Name: generateFrontendIPConfigName(lb.Name),
 				PublicIP: &PublicIPSpec{
-					Name: generateNodeOutboundIPName(c.ObjectMeta.Name),
+					Name: generatePublicIPName(c.ObjectMeta.Name),
 				},
 			},
 		}
@@ -214,7 +251,7 @@ func (c *AzureCluster) setNodeOutboundLBDefaults() {
 			lb.FrontendIPs[i] = FrontendIP{
 				Name: withIndex(generateFrontendIPConfigName(lb.Name), i+1),
 				PublicIP: &PublicIPSpec{
-					Name: withIndex(generateNodeOutboundIPName(c.ObjectMeta.Name), i+1),
+					Name: withIndex(generatePublicIPName(c.ObjectMeta.Name), i+1),
 				},
 			}
 		}
@@ -294,6 +331,11 @@ func generatePublicLBName(clusterName string) string {
 	return fmt.Sprintf("%s-%s", clusterName, "public-lb")
 }
 
+// generateControlPlaneOutboundLBName generates the name of the control plane outbound LB.
+func generateControlPlaneOutboundLBName(clusterName string) string {
+	return fmt.Sprintf("%s-outbound-lb", clusterName)
+}
+
 // generatePublicIPName generates a public IP name, based on the cluster name and a hash.
 func generatePublicIPName(clusterName string) string {
 	return fmt.Sprintf("pip-%s-apiserver", clusterName)
@@ -309,6 +351,11 @@ func generateNodeOutboundIPName(clusterName string) string {
 	return fmt.Sprintf("pip-%s-node-outbound", clusterName)
 }
 
+// generateControlPlaneOutboundIPName generates a public IP name, based on the cluster name.
+func generateControlPlaneOutboundIPName(clusterName string) string {
+	return fmt.Sprintf("pip-%s-controlplane-outbound", clusterName)
+}
+
 // withIndex appends the index as suffix to a generated name.
 func withIndex(name string, n int) string {
 	return fmt.Sprintf("%s-%d", name, n)

api/v1alpha4/azurecluster_default.go

@@ -916,6 +916,128 @@ func TestNodeOutboundLBDefaults(t *testing.T) {
 	}
 }
 
+func TestControlPlaneOutboundLBDefaults(t *testing.T) {
+	cases := []struct {
+		name    string
+		cluster *AzureCluster
+		output  *AzureCluster
+	}{
+		{
+			name: "no cp lb for public clusters",
+			cluster: &AzureCluster{
+				ObjectMeta: v1.ObjectMeta{
+					Name: "cluster-test",
+				},
+				Spec: AzureClusterSpec{
+					NetworkSpec: NetworkSpec{
+						APIServerLB: LoadBalancerSpec{Type: Public},
+					},
+				},
+			},
+			output: &AzureCluster{
+				ObjectMeta: v1.ObjectMeta{
+					Name: "cluster-test",
+				},
+				Spec: AzureClusterSpec{
+					NetworkSpec: NetworkSpec{
+						APIServerLB: LoadBalancerSpec{
+							Type: Public,
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "no cp lb for private clusters",
+			cluster: &AzureCluster{
+				ObjectMeta: v1.ObjectMeta{
+					Name: "cluster-test",
+				},
+				Spec: AzureClusterSpec{
+					NetworkSpec: NetworkSpec{
+						APIServerLB: LoadBalancerSpec{Type: Internal},
+					},
+				},
+			},
+			output: &AzureCluster{
+				ObjectMeta: v1.ObjectMeta{
+					Name: "cluster-test",
+				},
+				Spec: AzureClusterSpec{
+					NetworkSpec: NetworkSpec{
+						APIServerLB: LoadBalancerSpec{
+							Type: Internal,
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "frontendIPsCount > 1",
+			cluster: &AzureCluster{
+				ObjectMeta: v1.ObjectMeta{
+					Name: "cluster-test",
+				},
+				Spec: AzureClusterSpec{
+					NetworkSpec: NetworkSpec{
+						APIServerLB: LoadBalancerSpec{Type: Internal},
+						ControlPlaneOutboundLB: &LoadBalancerSpec{
+							FrontendIPsCount:     to.Int32Ptr(2),
+							IdleTimeoutInMinutes: to.Int32Ptr(15),
+						},
+					},
+				},
+			},
+			output: &AzureCluster{
+				ObjectMeta: v1.ObjectMeta{
+					Name: "cluster-test",
+				},
+				Spec: AzureClusterSpec{
+					NetworkSpec: NetworkSpec{
+						APIServerLB: LoadBalancerSpec{
+							Type: Internal,
+						},
+						ControlPlaneOutboundLB: &LoadBalancerSpec{
+							Name: "cluster-test-outbound-lb",
+							SKU:  SKUStandard,
+							FrontendIPs: []FrontendIP{
+								{
+									Name: "cluster-test-outbound-lb-frontEnd-1",
+									PublicIP: &PublicIPSpec{
+										Name: "pip-cluster-test-controlplane-outbound-1",
+									},
+								},
+								{
+									Name: "cluster-test-outbound-lb-frontEnd-2",
+									PublicIP: &PublicIPSpec{
+										Name: "pip-cluster-test-controlplane-outbound-2",
+									},
+								},
+							},
+							Type:                 Public,
+							FrontendIPsCount:     to.Int32Ptr(2),
+							IdleTimeoutInMinutes: to.Int32Ptr(15),
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, c := range cases {
+		tc := c
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			tc.cluster.setControlPlaneOutboundLBDefaults()
+			if !reflect.DeepEqual(tc.cluster, tc.output) {
+				expected, _ := json.MarshalIndent(tc.output, "", "\t")
+				actual, _ := json.MarshalIndent(tc.cluster, "", "\t")
+				t.Errorf("Expected %s, got %s", string(expected), string(actual))
+			}
+		})
+	}
+}
+
 func TestBastionDefault(t *testing.T) {
 	cases := map[string]struct {
 		cluster *AzureCluster

api/v1alpha4/azurecluster_default_test.go

@@ -137,6 +137,8 @@ func validateNetworkSpec(networkSpec NetworkSpec, old NetworkSpec, fldPath *fiel
 
 	allErrs = append(allErrs, validateNodeOutboundLB(networkSpec.NodeOutboundLB, old.NodeOutboundLB, networkSpec.APIServerLB, nodeSubnet, fldPath.Child("nodeOutboundLB"))...)
 
+	allErrs = append(allErrs, validateControlPlaneOutboundLB(networkSpec.ControlPlaneOutboundLB, networkSpec.APIServerLB, fldPath.Child("controlPlaneOutboundLB"))...)
+
 	allErrs = append(allErrs, validatePrivateDNSZoneName(networkSpec, fldPath)...)
 
 	if len(allErrs) == 0 {
@@ -420,6 +422,34 @@ func validateNodeOutboundLB(lb *LoadBalancerSpec, old *LoadBalancerSpec, apiserv
 	return allErrs
 }
 
+func validateControlPlaneOutboundLB(lb *LoadBalancerSpec, apiserverLB LoadBalancerSpec, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+
+	switch apiserverLB.Type {
+	case Public:
+		if lb != nil {
+			allErrs = append(allErrs, field.Forbidden(fldPath, "Control plane outbound load balancer cannot be set for public clusters."))
+		}
+	case Internal:
+		// Control plane outbound lb can be nil when it's disabled for private clusters.
+		if lb == nil {
+			return nil
+		}
+
+		if lb.FrontendIPsCount != nil && *lb.FrontendIPsCount > MaxLoadBalancerOutboundIPs {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("frontendIPsCount"), *lb.FrontendIPsCount,
+				fmt.Sprintf("Max front end ips allowed is %d", MaxLoadBalancerOutboundIPs)))
+		}
+
+		if lb.IdleTimeoutInMinutes != nil && (*lb.IdleTimeoutInMinutes < MinLBIdleTimeoutInMinutes || *lb.IdleTimeoutInMinutes > MaxLBIdleTimeoutInMinutes) {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("idleTimeoutInMinutes"), *lb.IdleTimeoutInMinutes,
+				fmt.Sprintf("Control plane outbound idle timeout should be between %d and %d minutes", MinLBIdleTimeoutInMinutes, MaxLoadBalancerOutboundIPs)))
+		}
+	}
+
+	return allErrs
+}
+
 // validatePrivateDNSZoneName validate the PrivateDNSZoneName.
 func validatePrivateDNSZoneName(networkSpec NetworkSpec, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList

api/v1alpha4/azurecluster_validation.go

@@ -1118,6 +1118,78 @@ func TestValidateNodeOutboundLB(t *testing.T) {
 	}
 }
 
+func TestValidateControlPlaneNodeOutboundLB(t *testing.T) {
+	g := NewWithT(t)
+
+	testcases := []struct {
+		name        string
+		lb          *LoadBalancerSpec
+		old         *LoadBalancerSpec
+		apiServerLB LoadBalancerSpec
+		wantErr     bool
+		expectedErr field.Error
+	}{
+		{
+			name:        "cp outbound lb cannot be set for public clusters",
+			lb:          &LoadBalancerSpec{Name: "foo"},
+			apiServerLB: LoadBalancerSpec{Type: Public},
+			wantErr:     true,
+			expectedErr: field.Error{
+				Type:     "FieldValueForbidden",
+				Field:    "controlPlaneOutboundLB",
+				BadValue: LoadBalancerSpec{Name: "foo"},
+				Detail:   "Control plane outbound load balancer cannot be set for public clusters.",
+			},
+		},
+		{
+			name:        "cp outbound lb can be set for private clusters",
+			lb:          &LoadBalancerSpec{Name: "foo"},
+			apiServerLB: LoadBalancerSpec{Type: Internal},
+			wantErr:     false,
+		},
+		{
+			name:        "cp outbound lb can be nil for private clusters",
+			lb:          nil,
+			apiServerLB: LoadBalancerSpec{Type: Internal},
+			wantErr:     false,
+		},
+		{
+			name: "frontend ips count exceeds max value",
+			lb: &LoadBalancerSpec{
+				FrontendIPsCount: pointer.Int32Ptr(100),
+			},
+			apiServerLB: LoadBalancerSpec{Type: Internal},
+			wantErr:     true,
+			expectedErr: field.Error{
+				Type:     "FieldValueInvalid",
+				Field:    "controlPlaneOutboundLB.frontendIPsCount",
+				BadValue: 100,
+				Detail:   "Max front end ips allowed is 16",
+			},
+		},
+	}
+
+	for _, test := range testcases {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			err := validateControlPlaneOutboundLB(test.lb, test.apiServerLB, field.NewPath("controlPlaneOutboundLB"))
+			if test.wantErr {
+				g.Expect(err).NotTo(HaveLen(0))
+				found := false
+				for _, actual := range err {
+					if actual.Error() == test.expectedErr.Error() {
+						found = true
+					}
+				}
+				g.Expect(found).To(BeTrue())
+			} else {
+				g.Expect(err).To(HaveLen(0))
+			}
+		})
+	}
+}
+
 func TestValidateCloudProviderConfigOverrides(t *testing.T) {
 	g := NewWithT(t)
 

api/v1alpha4/azurecluster_validation_test.go

@@ -106,6 +106,13 @@ func (c *AzureCluster) ValidateUpdate(oldRaw runtime.Object) error {
 		)
 	}
 
+	if !reflect.DeepEqual(c.Spec.NetworkSpec.ControlPlaneOutboundLB, old.Spec.NetworkSpec.ControlPlaneOutboundLB) {
+		allErrs = append(allErrs,
+			field.Invalid(field.NewPath("spec", "networkSpec", "controlPlaneOutboundLB"),
+				c.Spec.NetworkSpec.ControlPlaneOutboundLB, "field is immutable"),
+		)
+	}
+
 	if len(allErrs) == 0 {
 		return c.validateCluster(old)
 	}