WIP: Application load balancer controller#3
Conversation
ske-prow
Bot
added
do-not-merge/needs-kind
nschad
changed the title
ske-prow
Bot
added
the
do-not-merge/work-in-progress
|
@fischerman either mark the PR as "Draft" or use "WIP" as the title. The PR will then automatically marked as WIP/Draft |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
ske-prow
Bot
added
the
needs-rebase
Co-authored-by: Kamil Przybyl <Kamil.Przybyl@digits.schwarz>
| WithRule("my-host.local", WithPath("/", new(networkingv1.PathTypePrefix), service.Name, networkingv1.ServiceBackendPort{Number: 80})), | ||
| ) | ||
| testutil.CreateKubernetesResourceAndDeferDeletion(ctx, k8sClient, &ingress) | ||
|
|
There was a problem hiding this comment.
We also shpuld check that the IP is set in the status of the ingress.
| expected: true, | ||
| }, | ||
| { | ||
| name: "https certificates changed", |
There was a problem hiding this comment.
we should add the same but with also 2 Ids.
| expected: true, | ||
| }, | ||
| { | ||
| name: "target pool tls validation changed", |
There was a problem hiding this comment.
We should also add targets itself and test.
| @@ -0,0 +1,302 @@ | |||
| package ingress | |||
There was a problem hiding this comment.
In the update.go are multiple functions which also should be tested, like getServicesForIngresses, getTLSSecretsFromIngresses, getCertificatesForIngressClass. But also the logic for duplicateCerts should get tested.
| "k8s.io/utils/ptr" | ||
| ) | ||
|
|
||
| func Test_updateNeeded(t *testing.T) { |
| ) | ||
|
|
||
| Expect(errs).To(HaveLen(1)) | ||
| Expect(errs[0].Description).To(Equal("invalid certificate: tls: failed to find any PEM data in certificate input")) |
There was a problem hiding this comment.
Same as in test should return an error when the TLS secret isn't of type TLS
| Expect(tree.GetMissingCertificates(nil)).To(ConsistOf( | ||
| WorkTreeCertificate{ | ||
| PublicKey: testdata.FixtureTLS1PublicKey, | ||
| PrivateKey: testdata.FixtureTLS1PrivateKey, |
There was a problem hiding this comment.
This test is failing as the reutrn also contains Ports: {443: nil},
| PrivateKey: testdata.FixtureTLS1PrivateKey, | |
| PrivateKey: testdata.FixtureTLS1PrivateKey, | |
| Ports: map[int16]any{443: nil}, |
|
|
||
| tree := &WorkTreeALB{ | ||
| ingressClass: ingressClass, | ||
| planID: GetAnnotation(AnnotationPlanID, "", ingressClass), |
There was a problem hiding this comment.
Should we validate that we only get working PlanIDs. For NLBs we check that in cloud-provider-stackit
| @@ -0,0 +1,658 @@ | |||
| package spec | |||
There was a problem hiding this comment.
We should also add tests for:
- the
AnnotationHTTPSOnlyand that it not serves HTTP. - the sorting based on
AnnotationPriorityand creation timestamp. AnnotationPlanID- the handling when setting not allowed values in annotation (like no valid int/port, not valid cidr in source range)
GetUnusedCertificates
| @@ -0,0 +1,85 @@ | |||
| apiVersion: apps/v1 | |||
There was a problem hiding this comment.
We should align this with the deploy of CSI and CCM in cloud-provider-stackit (which are also not perfect, see stackitcloud/cloud-provider-stackit#1162).
For example:
- we can use also the kube-system namespace as this is also a system component like CSI and CCM
- the cloud config don't need to be a secret
- the mount path of the service account and cloud config
- the
apiEndpointsdon't need to be in the example (this is only internally needed) - lets also create a
/deployfolder instead if the/samples/deploy/ - we need to find a image tag which is working and don't need to be updated like
latest(not sure if this will be tagged on release)
There was a problem hiding this comment.
With #6 we get a latest tag for tagged versions. Lets use that in the deployment.
| // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch | ||
| // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch | ||
| // +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch | ||
| // +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch | ||
| // +kubebuilder:rbac:groups=networking.k8s.io,resources=ingressclasses,verbs=get;list;watch;update;patch | ||
| // +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=get;list;watch | ||
| // +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses/status,verbs=get;update;patch | ||
|
|
There was a problem hiding this comment.
We don't use anything from kubebuilder in that repo, lets not add this here.
| ConditionNodeTermination corev1.NodeConditionType = "Terminating" | ||
| ) | ||
|
|
||
| func isNodeTerminating(node *corev1.Node) bool { |
There was a problem hiding this comment.
That changes also need to be added to the nodePredicate().
| if !httpsOnly && (httpPort <= 0 || httpPort > math.MaxUint16) { | ||
| errors = append(errors, ErrorEvent{ | ||
| Ingress: ingress, | ||
| Description: "HTTP port is out of range.", | ||
| }) | ||
| continue | ||
| } | ||
| if len(ingress.Spec.TLS) > 0 && (httpsPort <= 0 || httpsPort > math.MaxUint16) { | ||
| errors = append(errors, ErrorEvent{ | ||
| Ingress: ingress, | ||
| Description: "HTTPS port is out of range.", | ||
| }) | ||
| continue | ||
| } | ||
|
|
There was a problem hiding this comment.
We should add a test for that.
Avoid the use of underscores at the beginning of variable names
|
@fischerman: The following test failed, say
Full PR test history. Your PR dashboard. Command help for this repository. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| albOpts := []sdkconfig.ConfigurationOption{ | ||
| sdkconfig.WithUserAgent("application-load-balancer-controller"), | ||
| } |
There was a problem hiding this comment.
The SDK client should use the instrumented HTTP client that collects metrics about API requests, especially failed requests.
| albOpts := []sdkconfig.ConfigurationOption{ | |
| sdkconfig.WithUserAgent("application-load-balancer-controller"), | |
| } | |
| albOpts := []sdkconfig.ConfigurationOption{ | |
| sdkconfig.WithUserAgent("application-load-balancer-controller"), | |
| sdkconfig.WithHTTPClient(metrics.NewInstrumentedHTTPClient()), | |
| } |
(stackitcloud/cloud-provider-stackit#1228 will extend the coverage of the metrics soon)
| certOpts := []sdkconfig.ConfigurationOption{ | ||
| sdkconfig.WithUserAgent("application-load-balancer-controller"), | ||
| } |
There was a problem hiding this comment.
(see my comment above for albOpts)
| certOpts := []sdkconfig.ConfigurationOption{ | |
| sdkconfig.WithUserAgent("application-load-balancer-controller"), | |
| } | |
| certOpts := []sdkconfig.ConfigurationOption{ | |
| sdkconfig.WithHTTPClient(metrics.NewInstrumentedHTTPClient()), | |
| sdkconfig.WithUserAgent("application-load-balancer-controller"), | |
| } |
8 participants
No description provided.