  1. OpenShift Bugs
  2. OCPBUGS-38411

EIP allocation still attached with default ingresscontroller after changing LB type from NLB to CLB


    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • 4.17.0
    • Networking / router
    • Moderate
    • None
    • NE Sprint 258, NE Sprint 259, NE Sprint 260, NE Sprint 261, NE Sprint 262, NE Sprint 263, NE Sprint 264
    • 7
    • Rejected
    • False

      Description of problem:

          After changing the default ingresscontroller's load balancer type from NLB to Classic, the EIP allocations are still present in the ingresscontroller spec and in the LB service annotations, even though EIP allocations are not supported for Classic load balancers.
      spec:
        clientTLS:
          clientCA:
            name: ""
          clientCertificatePolicy: ""
        endpointPublishingStrategy:
          loadBalancer:
            dnsManagementPolicy: Managed
            providerParameters:
              aws:
                networkLoadBalancer:
                  eipAllocations:
                  - eipalloc-091ce27435555fbd1
                  - eipalloc-0f4b9ac0471b753e2
                  - eipalloc-0acc33fddb09b4471
                type: Classic
              type: AWS
            scope: External
          type: LoadBalancerService

      Version-Release number of selected component (if applicable):

          4.17.0-0.nightly-2024-08-09-031511

      How reproducible:

          100%

      Steps to Reproduce:

          1. Patch the default controller to NLB with EIP allocation
      melvinjoseph@mjoseph-mac Downloads % oc -n openshift-ingress-operator patch ingresscontrollers/default --type=merge --patch='{"spec":{"endpointPublishingStrategy":{"type":"LoadBalancerService","loadBalancer":{"scope":"External","providerParameters":{"type":"AWS","aws":{"type":"NLB","networkLoadBalancer":{"eipAllocations":["eipalloc-091ce27435555fbd1","eipalloc-0f4b9ac0471b753e2","eipalloc-0acc33fddb09b4471"]}}}}}}}'
      ingresscontroller.operator.openshift.io/default patched
      
      melvinjoseph@mjoseph-mac Downloads % oc -n openshift-ingress delete svc/router-default
      service "router-default" deleted
      melvinjoseph@mjoseph-mac Downloads %
      
      melvinjoseph@mjoseph-mac Downloads % oc -n openshift-ingress get svc/router-default -oyaml
      apiVersion: v1
      kind: Service
      metadata:
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-eip-allocations: eipalloc-091ce27435555fbd1,eipalloc-0f4b9ac0471b753e2,eipalloc-0acc33fddb09b4471
      <----snip---->
      ingress                                    4.17.0-0.nightly-2024-08-09-031511   True        False         False      16s
         
          2. Change the default ingresscontroller to Classic
      melvinjoseph@mjoseph-mac Downloads %  oc -n openshift-ingress-operator patch ingresscontrollers/default --type=merge --patch='{"spec":{"endpointPublishingStrategy":{"type":"LoadBalancerService","loadBalancer":{"providerParameters":{"type":"AWS","aws":{"type":"Classic"}}}}}}' 
      ingresscontroller.operator.openshift.io/default patched
      
          3. Check the status of both the ingresscontroller and the LB service
       ingresscontroller.operator.openshift.io/default patched
      melvinjoseph@mjoseph-mac Downloads % oc -n openshift-ingress get svc/router-default -oyaml
      apiVersion: v1
      kind: Service
      metadata:
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-eip-allocations: eipalloc-091ce27435555fbd1,eipalloc-0f4b9ac0471b753e2,eipalloc-0acc33fddb09b4471
          service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "2"
      <----snip----->
      
      melvinjoseph@mjoseph-mac Downloads % oc get ingresscontroller default -n openshift-ingress-operator -o yaml
      apiVersion: operator.openshift.io/v1
      kind: IngressController
      metadata:
        creationTimestamp: "2024-08-13T04:26:24Z"
        finalizers:
        - ingresscontroller.operator.openshift.io/finalizer-ingresscontroller
        generation: 3
        name: default
        namespace: openshift-ingress-operator
        resourceVersion: "107431"
        uid: 83894ae2-385c-4dc1-8913-f8d405778f1a
      spec:
        clientTLS:
          clientCA:
            name: ""
          clientCertificatePolicy: ""
        endpointPublishingStrategy:
          loadBalancer:
            dnsManagementPolicy: Managed
            providerParameters:
              aws:
                networkLoadBalancer:
                  eipAllocations:
                  - eipalloc-091ce27435555fbd1
                  - eipalloc-0f4b9ac0471b753e2
                  - eipalloc-0acc33fddb09b4471
                type: Classic
              type: AWS
            scope: External
          type: LoadBalancerService
        httpCompression: {}
        httpEmptyRequestsPolicy: Respond
        httpErrorCodePages:
          name: ""
        replicas: 2
        tuningOptions:
          reloadInterval: 0s
        unsupportedConfigOverrides: null
      status:
        availableReplicas: 2
        conditions:
        - lastTransitionTime: "2024-08-13T04:26:25Z"
          reason: Valid
          status: "True"
          type: Admitted
        - lastTransitionTime: "2024-08-13T04:37:34Z"
          message: The deployment has Available status condition set to True
          reason: DeploymentAvailable
          status: "True"
          type: DeploymentAvailable
        - lastTransitionTime: "2024-08-13T04:37:34Z"
          message: Minimum replicas requirement is met
          reason: DeploymentMinimumReplicasMet
          status: "True"
          type: DeploymentReplicasMinAvailable
        - lastTransitionTime: "2024-08-13T08:44:39Z"
          message: All replicas are available
          reason: DeploymentReplicasAvailable
          status: "True"
          type: DeploymentReplicasAllAvailable
        - lastTransitionTime: "2024-08-13T08:44:39Z"
          message: Deployment is not actively rolling out
          reason: DeploymentNotRollingOut
          status: "False"
          type: DeploymentRollingOut
        - lastTransitionTime: "2024-08-13T04:26:25Z"
          message: The endpoint publishing strategy supports a managed load balancer
          reason: WantedByEndpointPublishingStrategy
          status: "True"
          type: LoadBalancerManaged
        - lastTransitionTime: "2024-08-13T08:40:58Z"
          message: The LoadBalancer service is provisioned
          reason: LoadBalancerProvisioned
          status: "True"
          type: LoadBalancerReady
        - lastTransitionTime: "2024-08-13T08:40:55Z"
          message: LoadBalancer is not progressing
          reason: LoadBalancerNotProgressing
          status: "False"
          type: LoadBalancerProgressing
        - lastTransitionTime: "2024-08-13T04:26:25Z"
          message: DNS management is supported and zones are specified in the cluster DNS
            config.
          reason: Normal
          status: "True"
          type: DNSManaged
        - lastTransitionTime: "2024-08-13T04:26:42Z"
          message: The record is provisioned in all reported zones.
          reason: NoFailedZones
          status: "True"
          type: DNSReady
        - lastTransitionTime: "2024-08-13T08:40:58Z"
          status: "True"
          type: Available
        - lastTransitionTime: "2024-08-13T08:44:39Z"
          status: "False"
          type: Progressing
        - lastTransitionTime: "2024-08-13T08:46:46Z"
          status: "False"
          type: Degraded
        - lastTransitionTime: "2024-08-13T04:26:25Z"
          message: IngressController is upgradeable.
          reason: Upgradeable
          status: "True"
          type: Upgradeable
        - lastTransitionTime: "2024-08-13T04:26:25Z"
          message: No evaluation condition is detected.
          reason: NoEvaluationCondition
          status: "False"
          type: EvaluationConditionsDetected
        - lastTransitionTime: "2024-08-13T08:46:46Z"
          message: Canary route checks for the default ingress controller are successful
          reason: CanaryChecksSucceeding
          status: "True"
          type: CanaryChecksSucceeding
        domain: apps.mjoseph-df.qe.devcluster.openshift.com
        endpointPublishingStrategy:
          loadBalancer:
            dnsManagementPolicy: Managed
            providerParameters:
              aws:
                classicLoadBalancer:
                  connectionIdleTimeout: 0s
                networkLoadBalancer:
                  eipAllocations:
                  - eipalloc-091ce27435555fbd1
                  - eipalloc-0f4b9ac0471b753e2
                  - eipalloc-0acc33fddb09b4471
                type: Classic
              type: AWS
            scope: External
          type: LoadBalancerService
        observedGeneration: 3
        selector: ingresscontroller.operator.openshift.io/deployment-ingresscontroller=default
        tlsProfile:
          ciphers:
          - ECDHE-ECDSA-AES128-GCM-SHA256
          - ECDHE-RSA-AES128-GCM-SHA256
          - ECDHE-ECDSA-AES256-GCM-SHA384
          - ECDHE-RSA-AES256-GCM-SHA384
          - ECDHE-ECDSA-CHACHA20-POLY1305
          - ECDHE-RSA-CHACHA20-POLY1305
          - DHE-RSA-AES128-GCM-SHA256
          - DHE-RSA-AES256-GCM-SHA384
          - TLS_AES_128_GCM_SHA256
          - TLS_AES_256_GCM_SHA384
          - TLS_CHACHA20_POLY1305_SHA256
          minTLSVersion: VersionTLS12
      

      Actual results:

          spec:
        clientTLS:
          clientCA:
            name: ""
          clientCertificatePolicy: ""
        endpointPublishingStrategy:
          loadBalancer:
            dnsManagementPolicy: Managed
            providerParameters:
              aws:
                networkLoadBalancer:
                  eipAllocations:
                  - eipalloc-091ce27435555fbd1
                  - eipalloc-0f4b9ac0471b753e2
                  - eipalloc-0acc33fddb09b4471
                type: Classic
              type: AWS
            scope: External
          type: LoadBalancerService
        httpCompression: {}
        httpEmptyRequestsPolicy: Respond
        httpErrorCodePages:
          name: ""
        replicas: 2
        tuningOptions:
          reloadInterval: 0s
        unsupportedConfigOverrides: null

      Expected results:

      spec should be 
      spec:
        clientTLS:
          clientCA:
            name: ""
          clientCertificatePolicy: ""
        httpCompression: {}
        httpEmptyRequestsPolicy: Respond
        httpErrorCodePages:
          name: ""
        replicas: 2
        tuningOptions:
          reloadInterval: 0s
        unsupportedConfigOverrides: null
      
          
      status should be
        endpointPublishingStrategy:
          loadBalancer:
            dnsManagementPolicy: Managed
            providerParameters:
              aws:
                classicLoadBalancer:
                  connectionIdleTimeout: 0s
                type: Classic
              type: AWS
            scope: External
          type: LoadBalancerService
        observedGeneration: 1
        selector: ingresscontroller.operator.openshift.io/deployment-ingresscontroller=default

      Additional info:

          Deleting the LB service removes the annotation from the svc, but the ingresscontroller config remains unchanged.

              rhn-support-misalunk Miheer Salunke
              rhn-support-mjoseph Melvin Joseph
              Melvin Joseph Melvin Joseph