Skip to content

Commit

Permalink
CORS-3687: Enhancement proposal for setting EIPs for Ingress Controll…
Browse files Browse the repository at this point in the history
…er via installer
  • Loading branch information
miheer committed Dec 9, 2024
1 parent 58f0eaa commit 8fb6e8e
Showing 1 changed file with 348 additions and 0 deletions.
348 changes: 348 additions & 0 deletions enhancements/ingress/aws-lb-eip-selection.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,348 @@
---
title: aws-lb-eip-selection
authors:
- "@miheer"
reviewers:
- "@gcs278"
- "@alebedev87"
- "@Miciah"
- "@mtulio"
- "@candita"
- "@frobware"
- "@rfredette"
approvers:
- "@patrickdillon"
- "@mtulio"
- "@r4f4"
- "@sadasu"
api-approvers:
- None
creation-date: 2024-09-26
last-updated: 2024-10-28
tracking-link:
- https://issues.redhat.com/browse/CORS-3687
see-also:
- ""
replaces:
- ""
superseded-by:
---

# Installer LoadBalancer EIP Selection for AWS

## Summary

This enhancement extends the OpenShift Installer's install-config, enabling cluster admins to
configure EIPs for AWS NLB load balancer created for their `default` NLB IngressController at install time.

## Definitions and Terminology

### The `default` IngressController

This proposal will refer to the IngressController that gets created automatically during user provisioned installation and handles
the platform routes (console, auth, canary, etc.) as the `default` IngressController.

### CCM
CCM refers to Cloud Controller Manager which calls [AWS LoadBalancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller) to create AWS LBs.

### Some more terminologies
EIP = AWS Elastic IP, NLB = AWS Network LoadBalancer, AZ = Availability Zone, LB = LoadBalancer


## Motivation

### User Stories
- As a cluster administrator using installer, I want to configure `default` NLB IngressController to use EIPs.
- As a cluster administrator of OpenShift on AWS (ROSA) using installer, I want to use static IPs (and therefore AWS Elastic IPs) so that
I can configure appropriate firewall rules.
I want the default AWS Load Balancer that they use (NLB) for their router to use these EIPs.
- As a cluster administrator who has purchased a block of public IPv4 addresses, I want to use these IP addresses, so
that I can avoid Amazon's new charge for public IP addresses.

### Goals
- Users are able to use EIPs for a `default` NLB `IngressController` at install time.
- Add validation to the installer to prevent invalid EIP configurations.
For example: Check for unassociated EIPs before passing to CCM.

### Non-Goals
- Creation of EIPs in AWS.
- Static IP usage with NLBs for OpenShift API server, DNS, Nat Gateways, LBs, Instances.
- To assign IPs from a Customer Owned IP (CoIP) Pool when using Outposts.
- Set default EIPs for user-created IngressControllers.

## Proposal
This enhancement adds API fields in the installer and the Ingress Config specification
to set the AWS EIP for the `default` NLB `IngressController`. The cluster ingress operator will then create
the `default` `IngressController` and get the EIP assigned to the service LoadBalancer with the annotation
`service.beta.kubernetes.io/aws-load-balancer-eip-allocations`
Note: `service.beta.kubernetes.io/aws-load-balancer-eip-allocations` is a standard [Kubernetes service annotation](https://kubernetes.io/docs/reference/labels-annotations-taints/#service-beta-kubernetes-io-aws-load-balancer-eip-allocations)

### API Extensions

#### Installer Updates
- The first API extension for setting `eipAllocations` is in the installer [Platform](https://github.com/openshift/installer/blob/master/pkg/types/aws/platform.go) type, where the new field `eipAllocations` is added as an optional field.

```go
// Platform stores all the global configuration that all machinesets
// use.
type Platform struct {
...

// eipAllocations contains Elastic IP (EIP) allocations for AWS resources
// within the cluster.
//
// +optional
EIPAllocations *EIPAllocations `json:"eipAllocations,omitempty"`
}

// EIPAllocations contains Elastic IP (EIP) allocations for AWS resources
// within the cluster.
type EIPAllocations struct {
// ingressNetworkLoadBalancer is a list of IDs for Elastic IP (EIP) addresses that
// are assigned to the default AWS NLB IngressController.
// The following restrictions apply:
//
// eipAllocations can only be used with external scope, not internal.
// An EIP can be allocated to only a single IngressController.
// The number of EIP allocations must match the number of subnets that are used for the load balancer.
// Each EIP allocation must be unique.
// A maximum of 10 EIP allocations are permitted.
//
// See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general
// information about configuration, characteristics, and limitations of Elastic IP addresses.
//
// +openshift:enable:FeatureGate=InstallEIPForDefaultNLBIngressController
// +optional
// +listType=atomic
// +kubebuilder:validation:XValidation:rule=`self.all(x, self.exists_one(y, x == y))`,message="eipAllocations cannot contain duplicates"
// +kubebuilder:validation:MaxItems=10
IngressNetworkLoadBalancer []EIPAllocation `json:"ingressNetworkLoadBalancer"`
}


// EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment.
// Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters.
// + Explanation of the regex `^eipalloc-[0-9a-fA-F]{17}$` for validating value of the EIPAllocation:
// + ^eipalloc- ensures the string starts with "eipalloc-".
// + [0-9a-fA-F]{17} matches exactly 17 hexadecimal characters (0-9, a-f, A-F).
// + $ ensures the string ends after the 17 hexadecimal characters.
// + Example of Valid and Invalid values:
// + eipalloc-1234567890abcdef1 is valid.
// + eipalloc-1234567890abcde is not valid (too short).
// + eipalloc-1234567890abcdefg is not valid (contains a non-hex character 'g').
// + Max length is calculated as follows:
// + eipalloc- = 9 chars and 17 hexadecimal chars after `-`
// + So, total is 17 + 9 = 26 chars required for value of an EIPAllocation.
//
// +kubebuilder:validation:MinLength=26
// +kubebuilder:validation:MaxLength=26
// +kubebuilder:validation:XValidation:rule=`self.startsWith('eipalloc-')`,message="eipAllocations should start with 'eipalloc-'"
// +kubebuilder:validation:XValidation:rule=`self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$')`,message="eipAllocations must be 'eipalloc-' followed by exactly 17 hexadecimal characters (0-9, a-f, A-F)"
type EIPAllocation string

```

### Workflow Description

Pre-requisites: One must allocate an Elastic IP address from [Amazon's pool of public IPv4 addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-eips-allocating),
or from a custom IP address pool that you have brought to your AWS account. For more information about bringing your own IP address range to your
AWS account, see [Bring your own IP addresses (BYOIP) in Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html)
which could be then used in the `ingressNetworkLoadBalancer` field of the install-config.
Note: The AWS account has some cap on the number of EIPs per region. By default, all AWS accounts have a quota of five (5) Elastic IP addresses per Region, because public (IPv4)
internet addresses are a scarce public resource. For more details please check [Elastic IP address quota](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-limit).
When this cap is hit you will get the following error: `Elastic IP address could not be allocated.
The maximum number of addresses has been reached.`
Elastic IP Allocation can only be done for internet-facing NLB.
If you are using an already available eipAllocation then it should be an `UnAssociated` one.

**cluster administrator** is a human user responsible for deploying a
cluster. A cluster administrator also has the rights to modify the cluster level components.

For installer-created-VPCs, a cluster admin can accurately predict how many EIPAllocations to bring so their cluster doesn't fail to install as follows as they might not
know what public subnets will be created by the openshift-installer.

To illustrate further, the workflow could start like:

1. Cluster admin wants to use EIPs, but isn't bringing their own VPC, so they need to know exactly how many EIPs to create.
2. Cluster admin should review https://aws.amazon.com/about-aws/global-infrastructure/regions_az/ to find out how many AZs are in the region they are installing into.
3. Cluster admin should use the same number of EIPs as AZs in their region.

#### Configuring EIP for the default IngressController at installation time:
1. Cluster administrator creates `install-config.yaml` and adds their domain, lbType to NLB, AWS region, and EIP allocation ids.
```yaml
apiVersion: v1
baseDomain: example.com
metadata:
name: test-cluster
platform:
aws:
region: <AWS region>
lbType: NLB
ingressNetworkLoadBalancer:
eipAllocations:
- eipalloc-1111
- eipalloc-2222
- eipalloc-3333
- eipalloc-4444
- eipalloc-5555
...
```

2. Installer creates a `default Ingress Controller CR` with the eipAllocations specified.
3. Ingress Operator will create the `default` `IngressController` with the service type load balancer having the service annotation `service.beta.kubernetes.io/aws-load-balancer-eip-allocations` with values from the field `eipAllocations`
from the cluster ingress config object.

#### Updating the default IngressController's EIPs after installation:

The cluster-admin will need to update the eipAllocations in `IngressConfig` and then delete the `default IngressController`.
The cluster-ingress-operator will create a new `default IngressController` with the newly updated eipAllocations.

### API Extensions

This proposal doesn't add any API extensions other than the new field proposed in
[IngressConfig API Updates](#ingressconfig-api-updates).

### Topology Considerations

#### Hypershift / Hosted Control Planes
Currently, there is no unique consideration for making this change work with Hypershift.

#### Standalone Clusters
This proposal does not have any special implications for standalone clusters.

#### Single-node Deployments or MicroShift
This proposal does not have any special implications for single-node
deployments or MicroShift.

### Implementation Details/Notes/Constraints

#### Set EIP through installer for the default IngressController:
1. The admin sets the `eipAllocations` in the installer using the install-config.yaml.
2. The installer then creates a default Ingress Controller resource with the `eipAllocations`.
3. The cluster ingress operator watches the resource and then creates a `default` `IngressController` by:
1. creating an `default` `IngressController` from the `default` `Ingress Controller CR` created by the installer.
2. then scaling a deployment for the `IngressController` CR which has the value of the `eipAllocations`.
3. then creating a service of service type load balancer with the annotation `service.beta.kubernetes.io/aws-load-balancer-eip-allocations`,
which uses the value from the field `eipAllocations` of `IngressController` CR.

#### Field Validation

##### Validation on installer when installing in managed VPC (full-automated) based in the discovered zones used to create the cluster.
Add a function to the installer code to compare the number of Availability Zones in the region to the number of eipAllocations passed in the `install-config.yaml`. This is required because the cluster will select one subnet per AZ, so the number of EIPs must be equal to the number of subnets.

##### The number of public subnets must match the number of `eipAllocations` in an unmanaged VPC (BYO VPC)
We will be comparing if the number of public subnets added to the install-config matches with len(eipAllocations).

##### Ensure that EIPs exist and are not already assigned.
EIPs can be assigned to many resource types, like NAT gateways, load balancers, instances, etc. The attribute `associationId` will be set when the EIP is already associated.
To mitigate this we could add that validation, at least on installer, to provide quick-feedback (fail when validate install-config) to the user when the provided EIP is already associated to another resource.
It would be nice to have a validation before setting the annotation to CCM, keeping the operator Degraded before disrupting the service.

##### EIP Allocation Defaulting Mechanics for Ingress Controller
Traditionally, the Ingress Operator has populated default values from the Ingress Config into the `status`,
making `status` effectively reflect the desired state of the IngressController. However, since
`eipAllocations` in `status` represents the **actual** state, not the **desired** state, the default
`eipAllocations` values must be set in the `spec` when the Ingress Operator initially admits the
IngressController.
This approach is new. The Ingress Operator does not typically set default values in `spec` for load balancer
configurations if the user hasn’t explicitly provided them. While this defaulting pattern is more consistent
with Kubernetes conventions for `spec` and `status` (and is also our only option in this situation), it's
important to acknowledge that this inconsistency in defaulting behavior could cause confusion for users.

##### Validation to check if lbType was to NLB when eipAllocations were provided in the installer
EIPs can provided only for `NLB` type `IngressController` so, the installer will be check for the lbType set to NLB when `eipAllocations` are provided
in the `install-config.yaml`. We can't add a CEL in the Platform API type of the installer so a validation will need to be
added in the installer code.

### Risks and Mitigations

- Providing a right number of EIPs same as the number of public subnets as per AWS guidelines is an admin
responsibility.
- Also providing existing available EIPs which are not assigned to any instance is important.
- If the above two points are not followed, the Kubernetes LoadBalancer service for the IngressController
won't get assigned EIPs, which will cause the LoadBalancer service to be in persistently pending state by the
Cloud Controller Manager (CCM). The reason for the persistently pending state is posted to the status of the IngressController.
As of now we are not able to identify any more risks which can affect other components of the EP.

### Drawbacks


## Open Questions
- Q: As per [EP](https://github.com/openshift/enhancements/pull/1634), old subnets field will be deprecated. So, shall we skip the validation for checking
number of `BYO Subnets` provided in the `install-config.yaml` with the number of eipAllocations ? Or shall we compare the old subnets field with the eipAllocations ?

- Q: Should we split Ingress Config into defaulting for the default IngressController and defaulting for user-created IngressControllers?
Reference: https://docs.google.com/document/d/1Y-Z8gaKYv5dczbdwvXanbzBl-HjZ7zasRC0WaJGBWkA/edit?tab=t.0#heading=h.1196heeu6pjk

API PR discussion thread: https://github.com/openshift/api/pull/2043#issuecomment-2440169902

In this EP we no loner use Ingress Config to set `eipAllocations`.

## Test Plan

### Ingress Operator Testing

An E2E test will be created in the Ingress Operator repo to verify the functionality of the new [IngressConfig API](#ingressconfig-api-updates).
This test will follow a similar pattern established in the existing [TestAWSLBTypeDefaulting](https://github.com/openshift/cluster-ingress-operator/blob/4e621359cea8ef2ae8497101ee3daf9f474b4b66/test/e2e/operator_test.go#L1368) test.

### Installer Testing

E2E test(s) will also be added to the installer to verify functionality of the new [Installer API](#installer-updates).
These tests, typically written by QE, will follow existing patterns established for testing installer functionality in
the [openshift-tests-private](https://github.com/openshift/release/tree/master/ci-operator/config/openshift/openshift-tests-private)
directory of the openshift/release repo. These installer tests are run as nightly CI jobs.


## Graduation Criteria

This feature will initially be released as Tech Preview only, behind the `TechPreviewNoUpgrade` feature gate.

### Dev Preview -> Tech Preview

N/A. This feature will be introduced as Tech Preview.

### Tech Preview -> GA

The E2E tests should be consistently passing and a PR will be created
to enable the feature gate by default.

### Removing a deprecated feature

## Upgrade / Downgrade Strategy

No upgrade or downgrade concerns because all changes are compatible or in the installer.

## Version Skew Strategy

N/A. This enhancement will only be supported for new installations and therefore has no version skew concerns.

## Operational Aspects of API Extensions

N/A.

## Support Procedures

CCM - Cloud Controller Manager

- If the service is not getting updated with the EIP annotation and the kubernetes load balancer
service is in `Pending` state then check the `cloud-controller-manager` logs and `IngressController` status.

In the CCM logs search for the `IngressController` name and check if you find any error related EIP allocation failure.
```sh
oc logs <ccm pod name> -n openshift-cloud-controller-manager
```

In the `IngressController` status, check the status for the following:
- Error messages for invalid eips or eips not present in the subnet of the VPC is `The service-controller component is reporting SyncLoadBalancerFailed events like: Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AllocationIdNotFound:` for status type `LoadBalancerReady` and `Available`.
- Error messages when the number of EIP provided and the number of subnets of VPC ID don't match is `The service-controller component is reporting SyncLoadBalancerFailed events like: Error syncing load balancer: failed to ensure load balancer: error creating load balancer: Must have same number of EIP AllocationIDs (4) and SubnetIDs (5)` for status type `LoadBalancerReady` and `Available`.
- Check the status of `IngressController` controller for LoadBalancer which is LoadBalancerReady, LoadBalancerProgressing, Available.

```sh
oc get ingresscontroller <ingresscontroller name> -o yaml
```

## Alternatives

## Infrastructure Needed

Because EIPs are AWS objects, this proposal is valid only for the AWS environment.

0 comments on commit 8fb6e8e

Please sign in to comment.