Create an Internal Load Balancer if configured

Provide the ability to configure the types of Load Balancers
to be created (Internal and/or External). By default, an External
Proxy Load Balancer will be created per the current implementation.
If set for an Internal Load Balancer, an Internal Passthrough
Load Balancer will be created using resources in the specified
region.

Author: bfournie

api/v1beta1/gcpcluster_webhook.go

@@ -85,6 +85,13 @@ func (c *GCPCluster) ValidateUpdate(oldRaw runtime.Object) (admission.Warnings,
 		)
 	}
 
+	if !reflect.DeepEqual(c.Spec.LoadBalancer, old.Spec.LoadBalancer) {
+		allErrs = append(allErrs,
+			field.Invalid(field.NewPath("spec", "LoadBalancer"),
+				c.Spec.LoadBalancer, "field is immutable"),
+		)
+	}
+
 	if len(allErrs) == 0 {
 		return nil, nil
 	}

api/v1beta1/labels.go

@@ -111,6 +111,9 @@ const (
 
 	// APIServerRoleTagValue describes the value for the apiserver role.
 	APIServerRoleTagValue = "apiserver"
+
+	// InternalRoleTagValue describes the value for the internal role.
+	InternalRoleTagValue = "api-internal"
 )
 
 // ClusterTagKey generates the key for resources associated with a cluster.

api/v1beta1/types.go

@@ -85,6 +85,26 @@ type Network struct {
 	// created for the API Server.
 	// +optional
 	APIServerForwardingRule *string `json:"apiServerForwardingRule,omitempty"`
+
+	// APIInternalAddress is the IPV4 regional address assigned to the
+	// internal Load Balancer.
+	// +optional
+	APIInternalAddress *string `json:"apiInternalIpAddress,omitempty"`
+
+	// APIInternalHealthCheck is the full reference to the health check
+	// created for the internal Load Balancer.
+	// +optional
+	APIInternalHealthCheck *string `json:"apiInternalHealthCheck,omitempty"`
+
+	// APIInternalBackendService is the full reference to the backend service
+	// created for the internal Load Balancer.
+	// +optional
+	APIInternalBackendService *string `json:"apiInternalBackendService,omitempty"`
+
+	// APIInternalForwardingRule is the full reference to the forwarding rule
+	// created for the internal Load Balancer.
+	// +optional
+	APIInternalForwardingRule *string `json:"apiInternalForwardingRule,omitempty"`
 }
 
 // NetworkSpec encapsulates all things related to a GCP network.
@@ -114,6 +134,24 @@ type NetworkSpec struct {
 	LoadBalancerBackendPort *int32 `json:"loadBalancerBackendPort,omitempty"`
 }
 
+// LoadBalancerType defines the Load Balancer that should be created.
+type LoadBalancerType string
+
+var (
+	// External creates a Global External Proxy Load Balancer
+	// to manage traffic to backends in multiple regions. This is the default Load
+	// Balancer and will be created if no LoadBalancerType is defined.
+	External = LoadBalancerType("External")
+
+	// Internal creates a Regional Internal Passthrough Load
+	// Balancer to manage traffic to backends in the configured region.
+	Internal = LoadBalancerType("Internal")
+
+	// InternalExternal creates both External and Internal Load Balancers to provide
+	// separate endpoints for managing both external and internal traffic.
+	InternalExternal = LoadBalancerType("InternalExternal")
+)
+
 // LoadBalancerSpec contains configuration for one or more LoadBalancers.
 type LoadBalancerSpec struct {
 	// APIServerInstanceGroupTagOverride overrides the default setting for the
@@ -123,6 +161,15 @@ type LoadBalancerSpec struct {
 	// +kubebuilder:validation:Pattern=`(^[1-9][0-9]{0,31}$)|(^[a-z][a-z0-9-]{4,28}[a-z0-9]$)`
 	// +optional
 	APIServerInstanceGroupTagOverride *string `json:"apiServerInstanceGroupTagOverride,omitempty"`
+
+	// LoadBalancerType defines the type of Load Balancer that should be created.
+	// If not set, a Global External Proxy Load Balancer will be created by default.
+	// +optional
+	LoadBalancerType *LoadBalancerType `json:"loadBalancerType,omitempty"`
+
+	// InternalLoadBalancer is the configuration for an Internal Passthrough Network Load Balancer.
+	// +optional
+	InternalLoadBalancer *LoadBalancer `json:"internalLoadBalancer,omitempty"`
 }
 
 // SubnetSpec configures an GCP Subnet.
@@ -278,3 +325,19 @@ type ObjectReference struct {
 	// +kubebuilder:validation:Required
 	Name string `json:"name"`
 }
+
+// LoadBalancer specifies the configuration of a LoadBalancer.
+type LoadBalancer struct {
+	// Name is the name of the Load Balancer. If not set a default name
+	// will be used. For an Internal Load Balancer service the default
+	// name is "api-internal".
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Pattern=`(^[1-9][0-9]{0,31}$)|(^[a-z][a-z0-9-]{4,28}[a-z0-9]$)`
+	// +optional
+	Name *string `json:"name,omitempty"`
+
+	// Subnet is the name of the subnet to use for a regional Load Balancer. A subnet is
+	// required for the Load Balancer, if not defined the first configured subnet will be
+	// used.
+	Subnet *string `json:"subnet,omitempty"`
+}

api/v1beta1/zz_generated.deepcopy.go

@@ -290,18 +290,18 @@ func (s *ClusterScope) FirewallRulesSpec() []*compute.Firewall {
 // ANCHOR: ClusterControlPlaneSpec
 
 // AddressSpec returns google compute address spec.
-func (s *ClusterScope) AddressSpec() *compute.Address {
+func (s *ClusterScope) AddressSpec(lbname string) *compute.Address {
 	return &compute.Address{
-		Name:        fmt.Sprintf("%s-%s", s.Name(), infrav1.APIServerRoleTagValue),
+		Name:        fmt.Sprintf("%s-%s", s.Name(), lbname),
 		AddressType: "EXTERNAL",
 		IpVersion:   "IPV4",
 	}
 }
 
 // BackendServiceSpec returns google compute backend-service spec.
-func (s *ClusterScope) BackendServiceSpec() *compute.BackendService {
+func (s *ClusterScope) BackendServiceSpec(lbname string) *compute.BackendService {
 	return &compute.BackendService{
-		Name:                fmt.Sprintf("%s-%s", s.Name(), infrav1.APIServerRoleTagValue),
+		Name:                fmt.Sprintf("%s-%s", s.Name(), lbname),
 		LoadBalancingScheme: "EXTERNAL",
 		PortName:            "apiserver",
 		Protocol:            "TCP",
@@ -310,24 +310,24 @@ func (s *ClusterScope) BackendServiceSpec() *compute.BackendService {
 }
 
 // ForwardingRuleSpec returns google compute forwarding-rule spec.
-func (s *ClusterScope) ForwardingRuleSpec() *compute.ForwardingRule {
+func (s *ClusterScope) ForwardingRuleSpec(lbname string) *compute.ForwardingRule {
 	port := int32(443)
 	if c := s.Cluster.Spec.ClusterNetwork; c != nil {
 		port = ptr.Deref(c.APIServerPort, 443)
 	}
 	portRange := fmt.Sprintf("%d-%d", port, port)
 	return &compute.ForwardingRule{
-		Name:                fmt.Sprintf("%s-%s", s.Name(), infrav1.APIServerRoleTagValue),
+		Name:                fmt.Sprintf("%s-%s", s.Name(), lbname),
 		IPProtocol:          "TCP",
 		LoadBalancingScheme: "EXTERNAL",
 		PortRange:           portRange,
 	}
 }
 
 // HealthCheckSpec returns google compute health-check spec.
-func (s *ClusterScope) HealthCheckSpec() *compute.HealthCheck {
+func (s *ClusterScope) HealthCheckSpec(lbname string) *compute.HealthCheck {
 	return &compute.HealthCheck{
-		Name: fmt.Sprintf("%s-%s", s.Name(), infrav1.APIServerRoleTagValue),
+		Name: fmt.Sprintf("%s-%s", s.Name(), lbname),
 		Type: "HTTPS",
 		HttpsHealthCheck: &compute.HTTPSHealthCheck{
 			Port:              6443,