Spike
Resolution: Unresolved
Critical
Quality / Stability / Reliability
STORY:
- As an OCP engineer working in platform type External, I would like to make sure the provider's Load Balancer used by the API (control plane) does not have the hairpin connection issue, so that we can make sure partners deploying a cluster in their infrastructure are in compliance with the OpenShift Load Balancer requirements for the Kubernetes API server.
DESCRIPTION
Platform type External installations are based on agnostic installations (UPI), which means the user needs to create the infrastructure correctly, and the test tooling assumes it was created according to the documentation. However, some tests depend on it and would eventually fail when, for example, the Load Balancer does not support hairpin connections.
We need to find a way to test whether the LB provided to the API supports hairpin connections.
The intention of this spike is to research and map future work, answering some open questions like:
- Are there existing tests in kube-apiserver or the e2e conformance tests that could detect hairpin connectivity for external (non-cluster) LBs?
- If the last item does not exist: can we test the same LB provided by the control plane/API to validate the hairpin connection?
- How can we make this validation available to partners?
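One way the check asked about above could look, as an added example that is not part of this ticket or of any OpenShift test tooling. It assumes it runs on a control plane node that is itself a backend of the API LB, and that a hairpin failure appears as a connect timeout on the attempts the LB routes back to that node; `Probe`, `Verdict` and `Dialer` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// Result counts how repeated connection attempts to the API LB ended.
type Result struct{ OK, Timeouts, OtherErrs int }

// Dialer matches net.DialTimeout so a fake can be substituted offline.
type Dialer func(network, addr string, timeout time.Duration) (net.Conn, error)

// Probe opens `attempts` fresh TCP connections so the LB has the chance
// to pick every backend, including the node the probe is running on.
func Probe(dial Dialer, addr string, attempts int, timeout time.Duration) Result {
	var r Result
	for i := 0; i < attempts; i++ {
		conn, err := dial("tcp", addr, timeout)
		var ne net.Error
		switch {
		case err == nil:
			r.OK++
			conn.Close()
		case errors.As(err, &ne) && ne.Timeout():
			r.Timeouts++
		default:
			r.OtherErrs++
		}
	}
	return r
}

// Verdict: a mix of successes and timeouts from a backend node is the
// pattern assumed here for a LB that cannot hairpin (assumption, see lead-in).
func Verdict(r Result) string {
	switch {
	case r.Timeouts == 0 && r.OtherErrs == 0:
		return "ok"
	case r.OK > 0 && r.Timeouts > 0:
		return "hairpin-suspected"
	}
	return "unreachable"
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: hairpin-probe <api-lb-host:port>")
		os.Exit(2)
	}
	r := Probe(net.DialTimeout, os.Args[1], 30, 3*time.Second)
	fmt.Printf("%+v verdict=%s\n", r, Verdict(r))
}
```

Running the same probe from a host that is not behind the LB gives a baseline: timeouts that appear only on the control plane node point at hairpinning rather than a general reachability problem.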
ENGINEERING REFERENCES
When reviewing the VCSP partner evaluating the preview release (Epic OPCT-20), an issue related to the hairpin connection was found. It led to a change in the architecture: an external Load Balancer (haproxy) is provided using HA VMs outside the cluster, as the cloud-based LB did not support hairpin connections and a workaround using iptables would be a no-go.
- is cloned by: SPLAT-2081 [platform-external][CI] Spike agnostic test for LB health checks (Backlog)