-
Bug
-
Resolution: Unresolved
-
Normal
-
None
-
4.17.0
-
Moderate
-
None
-
NE Sprint 258, NE Sprint 259, NE Sprint 260, NE Sprint 261, NE Sprint 262
-
5
-
Rejected
-
False
-
Description of problem:
After changing the default ingresscontroller from NLB to Classic, the eip allocation are still attached with controller and the LB service. EIP is not supported in classic
spec:
clientTLS:
clientCA:
name: ""
clientCertificatePolicy: ""
endpointPublishingStrategy:
loadBalancer:
dnsManagementPolicy: Managed
providerParameters:
aws:
networkLoadBalancer:
eipAllocations:
- eipalloc-091ce27435555fbd1
- eipalloc-0f4b9ac0471b753e2
- eipalloc-0acc33fddb09b4471
type: Classic
type: AWS
scope: External
type: LoadBalancerService
Version-Release number of selected component (if applicable):
4.17.0-0.nightly-2024-08-09-031511
How reproducible:
100%
Steps to Reproduce:
1. Patch the default controller to NLB with EIP allocation
melvinjoseph@mjoseph-mac Downloads % oc -n openshift-ingress-operator patch ingresscontrollers/default --type=merge --patch='{"spec":{"endpointPublishingStrategy":{"type":"LoadBalancerService","loadBalancer":{"scope":"External","providerParameters":{"type":"AWS","aws":{"type":"NLB","networkLoadBalancer":{"eipAllocations":["eipalloc-091ce27435555fbd1","eipalloc-0f4b9ac0471b753e2","eipalloc-0acc33fddb09b4471"]}}}}}}}'
ingresscontroller.operator.openshift.io/default patched
melvinjoseph@mjoseph-mac Downloads % oc -n openshift-ingress delete svc/router-default
service "router-default" deleted
melvinjoseph@mjoseph-mac Downloads %
melvinjoseph@mjoseph-mac Downloads % oc -n openshift-ingress get svc/router-default -oyaml
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-eip-allocations: eipalloc-091ce27435555fbd1,eipalloc-0f4b9ac0471b753e2,eipalloc-0acc33fddb09b4471
<----snip---->
ingress 4.17.0-0.nightly-2024-08-09-031511 True False False 16s
2. changing default ingresscontroller to Classic
melvinjoseph@mjoseph-mac Downloads % oc -n openshift-ingress-operator patch ingresscontrollers/default --type=merge --patch='{"spec":{"endpointPublishingStrategy":{"type":"LoadBalancerService","loadBalancer":{"providerParameters":{"type":"AWS","aws":{"type":"Classic"}}}}}}'
ingresscontroller.operator.openshift.io/default patched
3. check both ingresscontrollers and lB service status
ingresscontroller.operator.openshift.io/default patched
melvinjoseph@mjoseph-mac Downloads % oc -n openshift-ingress get svc/router-default -oyaml
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-eip-allocations: eipalloc-091ce27435555fbd1,eipalloc-0f4b9ac0471b753e2,eipalloc-0acc33fddb09b4471
service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "2"
<----snip----->
melvinjoseph@mjoseph-mac Downloads % oc get ingresscontroller default -n openshift-ingress-operator -o yaml
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
creationTimestamp: "2024-08-13T04:26:24Z"
finalizers:
- ingresscontroller.operator.openshift.io/finalizer-ingresscontroller
generation: 3
name: default
namespace: openshift-ingress-operator
resourceVersion: "107431"
uid: 83894ae2-385c-4dc1-8913-f8d405778f1a
spec:
clientTLS:
clientCA:
name: ""
clientCertificatePolicy: ""
endpointPublishingStrategy:
loadBalancer:
dnsManagementPolicy: Managed
providerParameters:
aws:
networkLoadBalancer:
eipAllocations:
- eipalloc-091ce27435555fbd1
- eipalloc-0f4b9ac0471b753e2
- eipalloc-0acc33fddb09b4471
type: Classic
type: AWS
scope: External
type: LoadBalancerService
httpCompression: {}
httpEmptyRequestsPolicy: Respond
httpErrorCodePages:
name: ""
replicas: 2
tuningOptions:
reloadInterval: 0s
unsupportedConfigOverrides: null
status:
availableReplicas: 2
conditions:
- lastTransitionTime: "2024-08-13T04:26:25Z"
reason: Valid
status: "True"
type: Admitted
- lastTransitionTime: "2024-08-13T04:37:34Z"
message: The deployment has Available status condition set to True
reason: DeploymentAvailable
status: "True"
type: DeploymentAvailable
- lastTransitionTime: "2024-08-13T04:37:34Z"
message: Minimum replicas requirement is met
reason: DeploymentMinimumReplicasMet
status: "True"
type: DeploymentReplicasMinAvailable
- lastTransitionTime: "2024-08-13T08:44:39Z"
message: All replicas are available
reason: DeploymentReplicasAvailable
status: "True"
type: DeploymentReplicasAllAvailable
- lastTransitionTime: "2024-08-13T08:44:39Z"
message: Deployment is not actively rolling out
reason: DeploymentNotRollingOut
status: "False"
type: DeploymentRollingOut
- lastTransitionTime: "2024-08-13T04:26:25Z"
message: The endpoint publishing strategy supports a managed load balancer
reason: WantedByEndpointPublishingStrategy
status: "True"
type: LoadBalancerManaged
- lastTransitionTime: "2024-08-13T08:40:58Z"
message: The LoadBalancer service is provisioned
reason: LoadBalancerProvisioned
status: "True"
type: LoadBalancerReady
- lastTransitionTime: "2024-08-13T08:40:55Z"
message: LoadBalancer is not progressing
reason: LoadBalancerNotProgressing
status: "False"
type: LoadBalancerProgressing
- lastTransitionTime: "2024-08-13T04:26:25Z"
message: DNS management is supported and zones are specified in the cluster DNS
config.
reason: Normal
status: "True"
type: DNSManaged
- lastTransitionTime: "2024-08-13T04:26:42Z"
message: The record is provisioned in all reported zones.
reason: NoFailedZones
status: "True"
type: DNSReady
- lastTransitionTime: "2024-08-13T08:40:58Z"
status: "True"
type: Available
- lastTransitionTime: "2024-08-13T08:44:39Z"
status: "False"
type: Progressing
- lastTransitionTime: "2024-08-13T08:46:46Z"
status: "False"
type: Degraded
- lastTransitionTime: "2024-08-13T04:26:25Z"
message: IngressController is upgradeable.
reason: Upgradeable
status: "True"
type: Upgradeable
- lastTransitionTime: "2024-08-13T04:26:25Z"
message: No evaluation condition is detected.
reason: NoEvaluationCondition
status: "False"
type: EvaluationConditionsDetected
- lastTransitionTime: "2024-08-13T08:46:46Z"
message: Canary route checks for the default ingress controller are successful
reason: CanaryChecksSucceeding
status: "True"
type: CanaryChecksSucceeding
domain: apps.mjoseph-df.qe.devcluster.openshift.com
endpointPublishingStrategy:
loadBalancer:
dnsManagementPolicy: Managed
providerParameters:
aws:
classicLoadBalancer:
connectionIdleTimeout: 0s
networkLoadBalancer:
eipAllocations:
- eipalloc-091ce27435555fbd1
- eipalloc-0f4b9ac0471b753e2
- eipalloc-0acc33fddb09b4471
type: Classic
type: AWS
scope: External
type: LoadBalancerService
observedGeneration: 3
selector: ingresscontroller.operator.openshift.io/deployment-ingresscontroller=default
tlsProfile:
ciphers:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
minTLSVersion: VersionTLS12
Actual results:
spec:
clientTLS:
clientCA:
name: ""
clientCertificatePolicy: ""
endpointPublishingStrategy:
loadBalancer:
dnsManagementPolicy: Managed
providerParameters:
aws:
networkLoadBalancer:
eipAllocations:
- eipalloc-091ce27435555fbd1
- eipalloc-0f4b9ac0471b753e2
- eipalloc-0acc33fddb09b4471
type: Classic
type: AWS
scope: External
type: LoadBalancerService
httpCompression: {}
httpEmptyRequestsPolicy: Respond
httpErrorCodePages:
name: ""
replicas: 2
tuningOptions:
reloadInterval: 0s
unsupportedConfigOverrides: null
Expected results:
spec should be
spec:
clientTLS:
clientCA:
name: ""
clientCertificatePolicy: ""
httpCompression: {}
httpEmptyRequestsPolicy: Respond
httpErrorCodePages:
name: ""
replicas: 2
tuningOptions:
reloadInterval: 0s
unsupportedConfigOverrides: null
status should be
endpointPublishingStrategy:
loadBalancer:
dnsManagementPolicy: Managed
providerParameters:
aws:
classicLoadBalancer:
connectionIdleTimeout: 0s
type: Classic
type: AWS
scope: External
type: LoadBalancerService
observedGeneration: 1
selector: ingresscontroller.operator.openshift.io/deployment-ingresscontroller=default
Additional info:
Deleting the LB service will remove the annotation from the svc, but no change in ingresscontroller config
- relates to
-
-
- Verified
-
- links to
