- Bug
- Resolution: Unresolved
- Normal
- None
- 4.17.0
- Moderate
- None
- NE Sprint 258, NE Sprint 259, NE Sprint 260, NE Sprint 261, NE Sprint 262, NE Sprint 263, NE Sprint 264
- 7
- Rejected
- False
Description of problem:
After changing the default ingresscontroller from NLB to Classic, the EIP allocations are still attached to the controller and the LB service. EIP is not supported in Classic.

    spec:
      clientTLS:
        clientCA:
          name: ""
        clientCertificatePolicy: ""
      endpointPublishingStrategy:
        loadBalancer:
          dnsManagementPolicy: Managed
          providerParameters:
            aws:
              networkLoadBalancer:
                eipAllocations:
                - eipalloc-091ce27435555fbd1
                - eipalloc-0f4b9ac0471b753e2
                - eipalloc-0acc33fddb09b4471
              type: Classic
            type: AWS
          scope: External
        type: LoadBalancerService
Version-Release number of selected component (if applicable):
4.17.0-0.nightly-2024-08-09-031511
How reproducible:
100%
Steps to Reproduce:
1. Patch the default controller to NLB with EIP allocation

    melvinjoseph@mjoseph-mac Downloads % oc -n openshift-ingress-operator patch ingresscontrollers/default --type=merge --patch='{"spec":{"endpointPublishingStrategy":{"type":"LoadBalancerService","loadBalancer":{"scope":"External","providerParameters":{"type":"AWS","aws":{"type":"NLB","networkLoadBalancer":{"eipAllocations":["eipalloc-091ce27435555fbd1","eipalloc-0f4b9ac0471b753e2","eipalloc-0acc33fddb09b4471"]}}}}}}}'
    ingresscontroller.operator.openshift.io/default patched
    melvinjoseph@mjoseph-mac Downloads % oc -n openshift-ingress delete svc/router-default
    service "router-default" deleted
    melvinjoseph@mjoseph-mac Downloads %
    melvinjoseph@mjoseph-mac Downloads % oc -n openshift-ingress get svc/router-default -oyaml
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-eip-allocations: eipalloc-091ce27435555fbd1,eipalloc-0f4b9ac0471b753e2,eipalloc-0acc33fddb09b4471
    <----snip---->
    ingress 4.17.0-0.nightly-2024-08-09-031511 True False False 16s

2. Changing default ingresscontroller to Classic

    melvinjoseph@mjoseph-mac Downloads % oc -n openshift-ingress-operator patch ingresscontrollers/default --type=merge --patch='{"spec":{"endpointPublishingStrategy":{"type":"LoadBalancerService","loadBalancer":{"providerParameters":{"type":"AWS","aws":{"type":"Classic"}}}}}}'
    ingresscontroller.operator.openshift.io/default patched

3. Check both ingresscontrollers and LB service status

    ingresscontroller.operator.openshift.io/default patched
    melvinjoseph@mjoseph-mac Downloads % oc -n openshift-ingress get svc/router-default -oyaml
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-eip-allocations: eipalloc-091ce27435555fbd1,eipalloc-0f4b9ac0471b753e2,eipalloc-0acc33fddb09b4471
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "2"
    <----snip----->
    melvinjoseph@mjoseph-mac Downloads % oc get ingresscontroller default -n openshift-ingress-operator -o yaml
    apiVersion: operator.openshift.io/v1
    kind: IngressController
    metadata:
      creationTimestamp: "2024-08-13T04:26:24Z"
      finalizers:
      - ingresscontroller.operator.openshift.io/finalizer-ingresscontroller
      generation: 3
      name: default
      namespace: openshift-ingress-operator
      resourceVersion: "107431"
      uid: 83894ae2-385c-4dc1-8913-f8d405778f1a
    spec:
      clientTLS:
        clientCA:
          name: ""
        clientCertificatePolicy: ""
      endpointPublishingStrategy:
        loadBalancer:
          dnsManagementPolicy: Managed
          providerParameters:
            aws:
              networkLoadBalancer:
                eipAllocations:
                - eipalloc-091ce27435555fbd1
                - eipalloc-0f4b9ac0471b753e2
                - eipalloc-0acc33fddb09b4471
              type: Classic
            type: AWS
          scope: External
        type: LoadBalancerService
      httpCompression: {}
      httpEmptyRequestsPolicy: Respond
      httpErrorCodePages:
        name: ""
      replicas: 2
      tuningOptions:
        reloadInterval: 0s
      unsupportedConfigOverrides: null
    status:
      availableReplicas: 2
      conditions:
      - lastTransitionTime: "2024-08-13T04:26:25Z"
        reason: Valid
        status: "True"
        type: Admitted
      - lastTransitionTime: "2024-08-13T04:37:34Z"
        message: The deployment has Available status condition set to True
        reason: DeploymentAvailable
        status: "True"
        type: DeploymentAvailable
      - lastTransitionTime: "2024-08-13T04:37:34Z"
        message: Minimum replicas requirement is met
        reason: DeploymentMinimumReplicasMet
        status: "True"
        type: DeploymentReplicasMinAvailable
      - lastTransitionTime: "2024-08-13T08:44:39Z"
        message: All replicas are available
        reason: DeploymentReplicasAvailable
        status: "True"
        type: DeploymentReplicasAllAvailable
      - lastTransitionTime: "2024-08-13T08:44:39Z"
        message: Deployment is not actively rolling out
        reason: DeploymentNotRollingOut
        status: "False"
        type: DeploymentRollingOut
      - lastTransitionTime: "2024-08-13T04:26:25Z"
        message: The endpoint publishing strategy supports a managed load balancer
        reason: WantedByEndpointPublishingStrategy
        status: "True"
        type: LoadBalancerManaged
      - lastTransitionTime: "2024-08-13T08:40:58Z"
        message: The LoadBalancer service is provisioned
        reason: LoadBalancerProvisioned
        status: "True"
        type: LoadBalancerReady
      - lastTransitionTime: "2024-08-13T08:40:55Z"
        message: LoadBalancer is not progressing
        reason: LoadBalancerNotProgressing
        status: "False"
        type: LoadBalancerProgressing
      - lastTransitionTime: "2024-08-13T04:26:25Z"
        message: DNS management is supported and zones are specified in the cluster DNS config.
        reason: Normal
        status: "True"
        type: DNSManaged
      - lastTransitionTime: "2024-08-13T04:26:42Z"
        message: The record is provisioned in all reported zones.
        reason: NoFailedZones
        status: "True"
        type: DNSReady
      - lastTransitionTime: "2024-08-13T08:40:58Z"
        status: "True"
        type: Available
      - lastTransitionTime: "2024-08-13T08:44:39Z"
        status: "False"
        type: Progressing
      - lastTransitionTime: "2024-08-13T08:46:46Z"
        status: "False"
        type: Degraded
      - lastTransitionTime: "2024-08-13T04:26:25Z"
        message: IngressController is upgradeable.
        reason: Upgradeable
        status: "True"
        type: Upgradeable
      - lastTransitionTime: "2024-08-13T04:26:25Z"
        message: No evaluation condition is detected.
        reason: NoEvaluationCondition
        status: "False"
        type: EvaluationConditionsDetected
      - lastTransitionTime: "2024-08-13T08:46:46Z"
        message: Canary route checks for the default ingress controller are successful
        reason: CanaryChecksSucceeding
        status: "True"
        type: CanaryChecksSucceeding
      domain: apps.mjoseph-df.qe.devcluster.openshift.com
      endpointPublishingStrategy:
        loadBalancer:
          dnsManagementPolicy: Managed
          providerParameters:
            aws:
              classicLoadBalancer:
                connectionIdleTimeout: 0s
              networkLoadBalancer:
                eipAllocations:
                - eipalloc-091ce27435555fbd1
                - eipalloc-0f4b9ac0471b753e2
                - eipalloc-0acc33fddb09b4471
              type: Classic
            type: AWS
          scope: External
        type: LoadBalancerService
      observedGeneration: 3
      selector: ingresscontroller.operator.openshift.io/deployment-ingresscontroller=default
      tlsProfile:
        ciphers:
        - ECDHE-ECDSA-AES128-GCM-SHA256
        - ECDHE-RSA-AES128-GCM-SHA256
        - ECDHE-ECDSA-AES256-GCM-SHA384
        - ECDHE-RSA-AES256-GCM-SHA384
        - ECDHE-ECDSA-CHACHA20-POLY1305
        - ECDHE-RSA-CHACHA20-POLY1305
        - DHE-RSA-AES128-GCM-SHA256
        - DHE-RSA-AES256-GCM-SHA384
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
        minTLSVersion: VersionTLS12
Actual results:
    spec:
      clientTLS:
        clientCA:
          name: ""
        clientCertificatePolicy: ""
      endpointPublishingStrategy:
        loadBalancer:
          dnsManagementPolicy: Managed
          providerParameters:
            aws:
              networkLoadBalancer:
                eipAllocations:
                - eipalloc-091ce27435555fbd1
                - eipalloc-0f4b9ac0471b753e2
                - eipalloc-0acc33fddb09b4471
              type: Classic
            type: AWS
          scope: External
        type: LoadBalancerService
      httpCompression: {}
      httpEmptyRequestsPolicy: Respond
      httpErrorCodePages:
        name: ""
      replicas: 2
      tuningOptions:
        reloadInterval: 0s
      unsupportedConfigOverrides: null
Expected results:
spec should be

    spec:
      clientTLS:
        clientCA:
          name: ""
        clientCertificatePolicy: ""
      httpCompression: {}
      httpEmptyRequestsPolicy: Respond
      httpErrorCodePages:
        name: ""
      replicas: 2
      tuningOptions:
        reloadInterval: 0s
      unsupportedConfigOverrides: null

status should be

    endpointPublishingStrategy:
      loadBalancer:
        dnsManagementPolicy: Managed
        providerParameters:
          aws:
            classicLoadBalancer:
              connectionIdleTimeout: 0s
            type: Classic
          type: AWS
        scope: External
      type: LoadBalancerService
    observedGeneration: 1
    selector: ingresscontroller.operator.openshift.io/deployment-ingresscontroller=default
Additional info:
Deleting the LB service will remove the annotation from the svc, but no change in ingresscontroller config
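
A drift check for the state this report describes, as an added example that is not part of the original report or of the ingress operator's code: it flags EIP allocations left in the IngressController spec or status, or in the router Service annotation, while the AWS load balancer type is Classic. The function names, the input shape (objects as returned by `oc get ... -o json`) and the `eipalloc-EXAMPLE*` IDs are assumptions constructed for illustration.

```python
EIP_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-eip-allocations"


def _aws_params(section):
    """Return providerParameters.aws from a spec or status section, or {}."""
    eps = (section or {}).get("endpointPublishingStrategy") or {}
    lb = eps.get("loadBalancer") or {}
    return (lb.get("providerParameters") or {}).get("aws") or {}


def stale_eip_findings(ingresscontroller, service=None):
    """List (location, eip_ids) pairs where EIPs survive on a Classic LB."""
    findings = []
    for name in ("spec", "status"):
        aws = _aws_params(ingresscontroller.get(name))
        eips = (aws.get("networkLoadBalancer") or {}).get("eipAllocations") or []
        if aws.get("type") == "Classic" and eips:
            findings.append((f"ingresscontroller.{name}", list(eips)))
    # The Service annotation only counts as stale when the spec asks for Classic.
    wants_classic = _aws_params(ingresscontroller.get("spec")).get("type") == "Classic"
    if service is not None and wants_classic:
        annotations = (service.get("metadata") or {}).get("annotations") or {}
        ids = [v.strip() for v in annotations.get(EIP_ANNOTATION, "").split(",")]
        ids = [v for v in ids if v]
        if ids:
            findings.append(("service.annotation", ids))
    return findings


# Constructed sample with the same shape as the objects in the report;
# the allocation IDs are placeholders, not values from a real cluster.
_STALE = {"endpointPublishingStrategy": {"type": "LoadBalancerService", "loadBalancer": {
    "scope": "External", "providerParameters": {"type": "AWS", "aws": {
        "type": "Classic",
        "networkLoadBalancer": {
            "eipAllocations": ["eipalloc-EXAMPLE1", "eipalloc-EXAMPLE2"]}}}}}}
SAMPLE_IC = {"spec": _STALE, "status": _STALE}
SAMPLE_SVC = {"metadata": {"annotations": {
    EIP_ANNOTATION: "eipalloc-EXAMPLE1,eipalloc-EXAMPLE2"}}}

if __name__ == "__main__":
    for where, eips in stale_eip_findings(SAMPLE_IC, SAMPLE_SVC):
        print(f"stale EIP allocations in {where}: {', '.join(eips)}")
```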
- relates to
- OCPBUGS-38217 the "classicLoadBalancer" is still in ingresscontroller status after changing LB type from CLB to NLB
- Verified