feat: Clean up load balancer annotations in EnsureLoadBalancerDeleted

When a service switches from type LoadBalancer to ClusterIP, Kubernetes
calls EnsureLoadBalancerDeleted. Previously this left stale CloudStack
annotations on the service. Now all 6 LB annotations are removed on
successful deletion via the service patcher, but only when the service
is not being deleted (DeletionTimestamp is zero) to avoid unnecessary
API calls on garbage-collected objects.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: hrak

cloudstack/cloudstack_loadbalancer.go

@@ -324,9 +324,13 @@ func isFirewallSupported(services []cloudstack.NetworkServiceInternal) bool {
 
 // EnsureLoadBalancerDeleted deletes the specified load balancer if it exists, returning
 // nil if the load balancer specified either didn't exist or was successfully deleted.
-func (cs *CSCloud) EnsureLoadBalancerDeleted(ctx context.Context, clusterName string, service *corev1.Service) error {
+func (cs *CSCloud) EnsureLoadBalancerDeleted(ctx context.Context, clusterName string, service *corev1.Service) (err error) {
 	klog.V(4).InfoS("EnsureLoadBalancerDeleted", "cluster", clusterName, "service", klog.KObj(service))
 
+	// Patch the service to remove annotations after EnsureLoadBalancerDeleted finishes.
+	patcher := newServicePatcher(cs.kclient, service)
+	defer func() { err = patcher.Patch(ctx, err) }()
+
 	// Get the load balancer details and existing rules.
 	name := cs.GetLoadBalancerName(ctx, clusterName, service)
 	legacyName := cs.getLoadBalancerLegacyName(ctx, clusterName, service)
@@ -340,7 +344,17 @@ func (cs *CSCloud) EnsureLoadBalancerDeleted(ctx context.Context, clusterName st
 	if len(lb.rules) == 0 {
 		klog.V(4).Infof("No load balancer rules found for service, checking annotation for orphaned IP")
 
-		return cs.releaseOrphanedIPIfNeeded(lb, service)
+		if err := cs.releaseOrphanedIPIfNeeded(lb, service); err != nil {
+			return err
+		}
+
+		// If the service is not marked for deletion (f.e. when switching from type
+		// LoadBalancer to ClusterIP), remove our annotations.
+		if service.DeletionTimestamp.IsZero() {
+			deleteLoadBalancerAnnotations(service)
+		}
+
+		return nil
 	}
 
 	serviceName := fmt.Sprintf("%s/%s", service.Namespace, service.Name)
@@ -427,6 +441,12 @@ func (cs *CSCloud) EnsureLoadBalancerDeleted(ctx context.Context, clusterName st
 		return fmt.Errorf("load balancer deletion completed with errors: %w", deletionErrors[0])
 	}
 
+	// If the service is not marked for deletion (f.e. when switching from type
+	// LoadBalancer to ClusterIP), remove our annotations.
+	if service.DeletionTimestamp.IsZero() {
+		deleteLoadBalancerAnnotations(service)
+	}
+
 	msg := "Successfully deleted load balancer for service " + serviceName
 	cs.eventRecorder.Event(service, corev1.EventTypeNormal, "DeletedLoadBalancer", msg)
 	klog.Info(msg)
@@ -1421,3 +1441,21 @@ func setServiceAnnotation(service *corev1.Service, key, value string) {
 	}
 	service.ObjectMeta.Annotations[key] = value
 }
+
+// deleteServiceAnnotation removes an annotation from the Service object.
+func deleteServiceAnnotation(service *corev1.Service, key string) {
+	if service.ObjectMeta.Annotations == nil {
+		return
+	}
+	delete(service.ObjectMeta.Annotations, key)
+}
+
+// deleteLoadBalancerAnnotations removes all CloudStack load balancer annotations from the service.
+func deleteLoadBalancerAnnotations(service *corev1.Service) {
+	deleteServiceAnnotation(service, ServiceAnnotationLoadBalancerProxyProtocol)
+	deleteServiceAnnotation(service, ServiceAnnotationLoadBalancerLoadbalancerHostname)
+	deleteServiceAnnotation(service, ServiceAnnotationLoadBalancerAddress)
+	deleteServiceAnnotation(service, ServiceAnnotationLoadBalancerKeepIP)
+	deleteServiceAnnotation(service, ServiceAnnotationLoadBalancerID)
+	deleteServiceAnnotation(service, ServiceAnnotationLoadBalancerNetworkID)
+}

cloudstack/cloudstack_loadbalancer_test.go

@@ -3305,14 +3305,6 @@ func TestEnsureLoadBalancerDeletedOrphanedIP(t *testing.T) {
 		mockAddress.EXPECT().NewDisassociateIpAddressParams("ip-orphan").Return(&cloudstack.DisassociateIpAddressParams{})
 		mockAddress.EXPECT().DisassociateIpAddress(gomock.Any()).Return(&cloudstack.DisassociateIpAddressResponse{}, nil)
 
-		cs := &CSCloud{
-			client: &cloudstack.CloudStackClient{
-				LoadBalancer: mockLB,
-				Address:      mockAddress,
-			},
-			eventRecorder: record.NewFakeRecorder(10),
-		}
-
 		service := &corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "foo",
@@ -3323,6 +3315,15 @@ func TestEnsureLoadBalancerDeletedOrphanedIP(t *testing.T) {
 			},
 		}
 
+		cs := &CSCloud{
+			client: &cloudstack.CloudStackClient{
+				LoadBalancer: mockLB,
+				Address:      mockAddress,
+			},
+			kclient:       fake.NewSimpleClientset(service),
+			eventRecorder: record.NewFakeRecorder(10),
+		}
+
 		err := cs.EnsureLoadBalancerDeleted(t.Context(), "cluster", service)
 		if err != nil {
 			t.Fatalf("unexpected error: %v", err)
@@ -3336,19 +3337,21 @@ func TestEnsureLoadBalancerDeletedOrphanedIP(t *testing.T) {
 		mockLB := cloudstack.NewMockLoadBalancerServiceIface(ctrl)
 		setupGetLoadBalancerByNameEmpty(mockLB)
 
-		cs := &CSCloud{
-			client: &cloudstack.CloudStackClient{
-				LoadBalancer: mockLB,
-			},
-		}
-
 		service := &corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "foo",
 				Namespace: "default",
 			},
 		}
 
+		cs := &CSCloud{
+			client: &cloudstack.CloudStackClient{
+				LoadBalancer: mockLB,
+			},
+			kclient:       fake.NewSimpleClientset(service),
+			eventRecorder: record.NewFakeRecorder(10),
+		}
+
 		err := cs.EnsureLoadBalancerDeleted(t.Context(), "cluster", service)
 		if err != nil {
 			t.Fatalf("unexpected error: %v", err)
@@ -3370,13 +3373,6 @@ func TestEnsureLoadBalancerDeletedOrphanedIP(t *testing.T) {
 			Count: 0, PublicIpAddresses: []*cloudstack.PublicIpAddress{},
 		}, nil)
 
-		cs := &CSCloud{
-			client: &cloudstack.CloudStackClient{
-				LoadBalancer: mockLB,
-				Address:      mockAddress,
-			},
-		}
-
 		service := &corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "foo",
@@ -3387,6 +3383,15 @@ func TestEnsureLoadBalancerDeletedOrphanedIP(t *testing.T) {
 			},
 		}
 
+		cs := &CSCloud{
+			client: &cloudstack.CloudStackClient{
+				LoadBalancer: mockLB,
+				Address:      mockAddress,
+			},
+			kclient:       fake.NewSimpleClientset(service),
+			eventRecorder: record.NewFakeRecorder(10),
+		}
+
 		err := cs.EnsureLoadBalancerDeleted(t.Context(), "cluster", service)
 		if err != nil {
 			t.Fatalf("unexpected error: %v", err)
@@ -3421,13 +3426,6 @@ func TestEnsureLoadBalancerDeletedOrphanedIP(t *testing.T) {
 		mockAddress.EXPECT().NewDisassociateIpAddressParams("ip-orphan").Return(&cloudstack.DisassociateIpAddressParams{})
 		mockAddress.EXPECT().DisassociateIpAddress(gomock.Any()).Return(nil, errors.New("release failed"))
 
-		cs := &CSCloud{
-			client: &cloudstack.CloudStackClient{
-				LoadBalancer: mockLB,
-				Address:      mockAddress,
-			},
-		}
-
 		service := &corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "foo",
@@ -3438,6 +3436,15 @@ func TestEnsureLoadBalancerDeletedOrphanedIP(t *testing.T) {
 			},
 		}
 
+		cs := &CSCloud{
+			client: &cloudstack.CloudStackClient{
+				LoadBalancer: mockLB,
+				Address:      mockAddress,
+			},
+			kclient:       fake.NewSimpleClientset(service),
+			eventRecorder: record.NewFakeRecorder(10),
+		}
+
 		err := cs.EnsureLoadBalancerDeleted(t.Context(), "cluster", service)
 		if err == nil {
 			t.Fatalf("expected error")
@@ -3466,28 +3473,192 @@ func TestEnsureLoadBalancerDeletedOrphanedIP(t *testing.T) {
 		}, nil)
 		// shouldReleaseLoadBalancerIP returns false because keep-ip annotation is set
 
+		service := &corev1.Service{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "foo",
+				Namespace: "default",
+				Annotations: map[string]string{
+					ServiceAnnotationLoadBalancerAddress: "10.0.0.1",
+					ServiceAnnotationLoadBalancerKeepIP:  "true",
+				},
+			},
+		}
+
 		cs := &CSCloud{
 			client: &cloudstack.CloudStackClient{
 				LoadBalancer: mockLB,
 				Address:      mockAddress,
 			},
+			kclient:       fake.NewSimpleClientset(service),
+			eventRecorder: record.NewFakeRecorder(10),
 		}
 
+		err := cs.EnsureLoadBalancerDeleted(t.Context(), "cluster", service)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+	})
+}
+
+func TestEnsureLoadBalancerDeletedAnnotationCleanup(t *testing.T) {
+	// allLBAnnotations returns a map with all 6 CloudStack LB annotations set.
+	allLBAnnotations := func() map[string]string {
+		return map[string]string{
+			ServiceAnnotationLoadBalancerProxyProtocol:        "true",
+			ServiceAnnotationLoadBalancerLoadbalancerHostname: "lb.example.com",
+			ServiceAnnotationLoadBalancerAddress:              "10.0.0.1",
+			ServiceAnnotationLoadBalancerKeepIP:               "false",
+			ServiceAnnotationLoadBalancerID:                   "ip-1",
+			ServiceAnnotationLoadBalancerNetworkID:            "net-1",
+		}
+	}
+
+	lbAnnotationKeys := []string{
+		ServiceAnnotationLoadBalancerProxyProtocol,
+		ServiceAnnotationLoadBalancerLoadbalancerHostname,
+		ServiceAnnotationLoadBalancerAddress,
+		ServiceAnnotationLoadBalancerKeepIP,
+		ServiceAnnotationLoadBalancerID,
+		ServiceAnnotationLoadBalancerNetworkID,
+	}
+
+	t.Run("annotations removed after successful deletion", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		t.Cleanup(ctrl.Finish)
+
+		mockLB := cloudstack.NewMockLoadBalancerServiceIface(ctrl)
+		mockAddress := cloudstack.NewMockAddressServiceIface(ctrl)
+		mockFirewall := cloudstack.NewMockFirewallServiceIface(ctrl)
+
+		// getLoadBalancerByName returns one rule
+		mockLB.EXPECT().NewListLoadBalancerRulesParams().Return(&cloudstack.ListLoadBalancerRulesParams{})
+		mockLB.EXPECT().ListLoadBalancerRules(gomock.Any()).Return(&cloudstack.ListLoadBalancerRulesResponse{
+			Count: 1,
+			LoadBalancerRules: []*cloudstack.LoadBalancerRule{
+				{
+					Id: "rule-1", Name: "K8s_svc_cluster_default_foo-tcp-80",
+					Publicip: "10.0.0.1", Publicipid: "ip-1", Publicport: "80",
+					Protocol: "tcp", Networkid: "net-1",
+				},
+			},
+		}, nil)
+
+		// deleteFirewallRule
+		mockFirewall.EXPECT().NewListFirewallRulesParams().Return(&cloudstack.ListFirewallRulesParams{})
+		mockFirewall.EXPECT().ListFirewallRules(gomock.Any()).Return(&cloudstack.ListFirewallRulesResponse{
+			Count: 0, FirewallRules: []*cloudstack.FirewallRule{},
+		}, nil)
+
+		// deleteLoadBalancerRule
+		mockLB.EXPECT().NewDeleteLoadBalancerRuleParams("rule-1").Return(&cloudstack.DeleteLoadBalancerRuleParams{})
+		mockLB.EXPECT().DeleteLoadBalancerRule(gomock.Any()).Return(&cloudstack.DeleteLoadBalancerRuleResponse{}, nil)
+
+		// shouldReleaseLoadBalancerIP: no keep-ip, no other rules
+		mockLB.EXPECT().NewListLoadBalancerRulesParams().Return(&cloudstack.ListLoadBalancerRulesParams{})
+		mockLB.EXPECT().ListLoadBalancerRules(gomock.Any()).Return(&cloudstack.ListLoadBalancerRulesResponse{
+			Count: 0, LoadBalancerRules: []*cloudstack.LoadBalancerRule{},
+		}, nil)
+
+		// releaseLoadBalancerIP
+		mockAddress.EXPECT().NewDisassociateIpAddressParams("ip-1").Return(&cloudstack.DisassociateIpAddressParams{})
+		mockAddress.EXPECT().DisassociateIpAddress(gomock.Any()).Return(&cloudstack.DisassociateIpAddressResponse{}, nil)
+
 		service := &corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      "foo",
-				Namespace: "default",
-				Annotations: map[string]string{
-					ServiceAnnotationLoadBalancerAddress: "10.0.0.1",
-					ServiceAnnotationLoadBalancerKeepIP:  "true",
-				},
+				Name:        "foo",
+				Namespace:   "default",
+				Annotations: allLBAnnotations(),
 			},
 		}
 
+		cs := &CSCloud{
+			client: &cloudstack.CloudStackClient{
+				LoadBalancer: mockLB,
+				Address:      mockAddress,
+				Firewall:     mockFirewall,
+			},
+			kclient:       fake.NewSimpleClientset(service),
+			eventRecorder: record.NewFakeRecorder(10),
+		}
+
 		err := cs.EnsureLoadBalancerDeleted(t.Context(), "cluster", service)
 		if err != nil {
 			t.Fatalf("unexpected error: %v", err)
 		}
+
+		for _, key := range lbAnnotationKeys {
+			if _, ok := service.Annotations[key]; ok {
+				t.Errorf("annotation %q should have been removed", key)
+			}
+		}
+	})
+
+	t.Run("annotations preserved when deletion fails", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		t.Cleanup(ctrl.Finish)
+
+		mockLB := cloudstack.NewMockLoadBalancerServiceIface(ctrl)
+		mockAddress := cloudstack.NewMockAddressServiceIface(ctrl)
+		mockFirewall := cloudstack.NewMockFirewallServiceIface(ctrl)
+
+		// getLoadBalancerByName returns one rule
+		mockLB.EXPECT().NewListLoadBalancerRulesParams().Return(&cloudstack.ListLoadBalancerRulesParams{}).Times(2)
+		mockLB.EXPECT().ListLoadBalancerRules(gomock.Any()).Return(&cloudstack.ListLoadBalancerRulesResponse{
+			Count: 1,
+			LoadBalancerRules: []*cloudstack.LoadBalancerRule{
+				{
+					Id: "rule-1", Name: "K8s_svc_cluster_default_foo-tcp-80",
+					Publicip: "10.0.0.1", Publicipid: "ip-1", Publicport: "80",
+					Protocol: "tcp", Networkid: "net-1",
+				},
+			},
+		}, nil).Times(1)
+
+		// deleteFirewallRule fails
+		mockFirewall.EXPECT().NewListFirewallRulesParams().Return(&cloudstack.ListFirewallRulesParams{})
+		mockFirewall.EXPECT().ListFirewallRules(gomock.Any()).Return(nil, errors.New("firewall error"))
+
+		// deleteLoadBalancerRule fails
+		mockLB.EXPECT().NewDeleteLoadBalancerRuleParams("rule-1").Return(&cloudstack.DeleteLoadBalancerRuleParams{})
+		mockLB.EXPECT().DeleteLoadBalancerRule(gomock.Any()).Return(nil, errors.New("delete rule error"))
+
+		// shouldReleaseLoadBalancerIP is still called (IP cleanup attempted even on rule errors)
+		mockLB.EXPECT().ListLoadBalancerRules(gomock.Any()).Return(&cloudstack.ListLoadBalancerRulesResponse{
+			Count: 0, LoadBalancerRules: []*cloudstack.LoadBalancerRule{},
+		}, nil)
+
+		// releaseLoadBalancerIP also fails
+		mockAddress.EXPECT().NewDisassociateIpAddressParams("ip-1").Return(&cloudstack.DisassociateIpAddressParams{})
+		mockAddress.EXPECT().DisassociateIpAddress(gomock.Any()).Return(nil, errors.New("release failed"))
+
+		service := &corev1.Service{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:        "foo",
+				Namespace:   "default",
+				Annotations: allLBAnnotations(),
+			},
+		}
+
+		cs := &CSCloud{
+			client: &cloudstack.CloudStackClient{
+				LoadBalancer: mockLB,
+				Address:      mockAddress,
+				Firewall:     mockFirewall,
+			},
+			kclient:       fake.NewSimpleClientset(service),
+			eventRecorder: record.NewFakeRecorder(10),
+		}
+
+		err := cs.EnsureLoadBalancerDeleted(t.Context(), "cluster", service)
+		if err == nil {
+			t.Fatalf("expected error")
+		}
+
+		for _, key := range lbAnnotationKeys {
+			if _, ok := service.Annotations[key]; !ok {
+				t.Errorf("annotation %q should have been preserved on error", key)
+			}
+		}
 	})
 }