Bugfix: Delete unused GCE load-balancer resources on ingress spec change #894
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
Hi @skmatti. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
size/XXL
skmatti
force-pushed
the
resource-leak-fix
branch
2 times, most recently
from
12d20d1 to
e91b460
Compare
skmatti
changed the title
skmatti
force-pushed
the
resource-leak-fix
branch
4 times, most recently
from
57438f3 to
44ce7f8
Compare
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
skmatti
force-pushed
the
resource-leak-fix
branch
from
44ce7f8 to
00e45af
Compare
k8s-ci-robot
added
size/L
skmatti
force-pushed
the
resource-leak-fix
branch
from
00e45af to
089c41f
Compare
|
/assign @MrHohn |
skmatti
force-pushed
the
resource-leak-fix
branch
2 times, most recently
from
604ffda to
39471f2
Compare
| } else { | ||
| delete(existing, annotations.TargetHttpsProxyKey) | ||
| } | ||
| if l.ip != nil { |
There was a problem hiding this comment.
The IP is retained for use after it's promoted to static. This will be deleted when load-balancer is deleted or when use specifies a different IP. Added a comment to describe that.
|
/assign @rramkumar1 |
skmatti
force-pushed
the
resource-leak-fix
branch
2 times, most recently
from
18f6887 to
29c25b4
Compare
| @@ -77,6 +77,25 @@ const ( | |||
| // - annotations: | |||
| // networking.gke.io/v1beta1.FrontendConfig: 'my-frontendconfig' | |||
| FrontendConfigKey = "networking.gke.io/v1beta1.FrontendConfig" | |||
|
|
|||
| // UrlMapKey is the annotation key used by controller to record GCP URL map. | |||
| UrlMapKey = StatusPrefix + "/url-map" | |||
There was a problem hiding this comment.
does StatusPrefix need to be exported anymore?
There was a problem hiding this comment.
There are couple of other places where this is referenced.
ingress-gce/pkg/loadbalancers/l7.go
Line 378 in ba81191
pkg/loadbalancers/l7.go
Outdated
| annotations.TargetHttpProxyKey, | ||
| }...) | ||
| default: | ||
| klog.Fatalf("Invalid frontend resource protocol %v", protocol) |
There was a problem hiding this comment.
It would technically be a programming error to ever get to this point so ideally unit tests should catch this but if not, do we want the behavior to be klog.Fatalf? I wonder if we should log this but not do anything since I'm not sure we want the controller to crash because of this?. Worth thinking about alternatives like returning an error.
There was a problem hiding this comment.
Makes sense, modified this to surface an error instead.
| return nil | ||
| } | ||
| staticIPName := l.namer.ForwardingRule(namer.HTTPProtocol) |
There was a problem hiding this comment.
What was the motivation for changing the name of this var?
There was a problem hiding this comment.
I had to move this line to the top of the loop. At that point, we are still nor sure if this is the static IP name. getEffectiveIP may return a different name for static IP.
pkg/loadbalancers/l7.go
Outdated
| if key, err = l.CreateKey(fwsName); err != nil { | ||
| // deleteHttp deletes http forwarding rule and target http proxy. | ||
| func (l *L7) deleteHttp(versions *features.ResourceVersions) error { | ||
| frName := l.namer.ForwardingRule(namer.HTTPProtocol) |
There was a problem hiding this comment.
The first couple lines of this func and deleteHttps are the same. Maybe consider wrapping that logic in a func with unit tests?
| versions := features.GAResourceVersions | ||
| certName1 := feNamer.SSLCertName(GetCertHash("cert1")) | ||
|
|
||
| testCases := []struct { |
There was a problem hiding this comment.
I would add a description to the test case struct itself. That is the typical way it is done.
|
Discussed offline, put it here for reference: The code added here is quite embedded into the workflow. My main concern was that there is no easy way to flag gate this behavior. I would recommend gathering all the logic and move it into a |
skmatti
force-pushed
the
resource-leak-fix
branch
from
29c25b4 to
64dfe18
Compare
+1 |
skmatti
force-pushed
the
resource-leak-fix
branch
from
64dfe18 to
29ac11b
Compare
Done |
| if certErr != nil { | ||
| return certErr | ||
| if err := utils.IgnoreHTTPNotFound(composite.DeleteSslCertificate(l.cloud, key, versions.SslCertificate)); err != nil { | ||
| klog.Errorf("Old cert delete failed - %v", err) |
There was a problem hiding this comment.
Is it necessary to log here if the error is returned? Is the error logged higher up in the stack?
There was a problem hiding this comment.
This is not logged higher up in the stack. Also, this was just refactored from the existing workflow. May be we want to keep this?
skmatti
force-pushed
the
resource-leak-fix
branch
from
29ac11b to
3d188a0
Compare
|
Looks good to me. Will leave final approval to @freehan |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: freehan, skmatti The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Fixes: #32, #465, #764
/assign @bowei @freehan
The Ensure workflow of Loadbalancer pool is modified in order to delete unused GCE resources.
This looks at user specified ingress options/annotations to determine if we need to delete specific frontend resources.
if existing ingress annotations has http resources, then those will be deleted.
if existing ingress annotations has https resources, then those will be deleted.
We try to delete Ingress managed static IP if exists. This is performed only when both http and https are enabled.
Note that the existing behavior of load-balancer pool does not update frontend resource annotations for the above mentioned cases. This modifies this behavior to update these annotations which will be used for determining whether we need to delete frontend resources.