
NodeBalancer firewall not updated with long service names #308

Open
aukevanleeuwen opened this issue Jan 31, 2025 · 1 comment

I've also typed this in support ticket https://cloud.linode.com/support/tickets/24437831 for those that have access.

I've noticed that firewall updates that should be triggered by changing the service.beta.kubernetes.io/linode-loadbalancer-firewall-acl annotation on my LoadBalancer type service are failing with this event:

9m17s       Warning   SyncLoadBalancerFailed   service/envoy-envoy-gateway-xxxxx-eg-f759fb75                 Error syncing load balancer: failed to ensure load balancer: [400] [rules.inbound[0].description] Length must be 1-100 characters

Below is an excerpt from the ticket that explains what I think is causing this:


Okay, I found the bug (in the CCM code), I think. I've tested with a service with a much shorter name: avl. What happens is the following:

The first time the service is created either this code or this code is triggered (I'm not sure which one). Regardless, in both cases the label argument of the called function is set to the (generated) name of the loadbalancer, something like ccm-abcdef123456.

In that function CreateFirewallOptsForSvc the label is used to create a description for the rule of the firewall. So in the avl case that created a rule description:

Created by linode-ccm: ccm-c91b3a6b0e4f, for avl

When the service is updated (the annotations of the firewall), this triggers the code here. This calls the function CreateFirewallOptsForSvc with the label argument service.Name instead. That means that in the avl case my rule now got the description:

Created by linode-ccm: avl, for avl

Back to the issue at hand: my generated service name that started out this ticket is pretty long, and this creates this initial rule description:

Created by linode-ccm: ccm-23b5a57a5801, for envoy-envoy-gateway-xxxxx-eg-f759fb75

Now it calls the update code, because that pushes the description field over the limit. Based on the observations above, it will try to put this in the description field:

Created by linode-ccm: envoy-envoy-gateway-xxxxx-eg-f759fb75, for envoy-envoy-gateway-xxxxx-eg-f759fb75

which is 103 characters and is therefore refused by the API.


I would say this is a bug that needs fixing. I would say that:

  1. It probably should be fixed that after the update the label doesn't change in the way it currently does
  2. When calling the Linode API the description should be truncated. Service names can get pretty long (253 chars I think) and CCM should be able to deal with that.
@aukevanleeuwen (Author) commented:

FYI, creating a service called one-two-three-four-five-six-seven-eight-nine-ten-eleven-twelve will fail the initial creation of a Firewall as well:

8s          Normal    EnsuringLoadBalancer     service/one-two-three-four-five-six-seven-eight-nine-ten-eleven-twelve   Ensuring load balancer
8s          Warning   SyncLoadBalancerFailed   service/one-two-three-four-five-six-seven-eight-nine-ten-eleven-twelve   Error syncing load balancer: failed to ensure load balancer: [400] [rules.inbound[0].description] Length must be 1-100 characters
0s          Normal    EnsuringLoadBalancer     service/one-two-three-four-five-six-seven-eight-nine-ten-eleven-twelve   Ensuring load balancer
0s          Warning   SyncLoadBalancerFailed   service/one-two-three-four-five-six-seven-eight-nine-ten-eleven-twelve   Error syncing load balancer: failed to ensure load balancer: [400] [rules.inbound[0].description] Length must be 1-100 characters
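As an added illustration of the length arithmetic in both comments above (this is not code from the linode CCM; the function names, the ccm-<12 hex> label form and the constructed inputs are assumptions), the following Go program rebuilds the rule description for the create and the update path and shows the truncation suggested in point 2:

```go
package main

import (
	"fmt"
	"unicode/utf8"
)

// maxDescLen is the limit in the API error quoted in the issue:
// "[rules.inbound[0].description] Length must be 1-100 characters".
const maxDescLen = 100

// ruleDescription rebuilds the description format seen in the issue,
// "Created by linode-ccm: <label>, for <service>". The name is assumed;
// it is not the CCM's own CreateFirewallOptsForSvc.
func ruleDescription(label, svcName string) string {
	return fmt.Sprintf("Created by linode-ccm: %s, for %s", label, svcName)
}

// truncateDescription is the mitigation from point 2: clamp the description
// to the API limit before sending it, cutting on a rune boundary so a
// multi-byte character is never split.
func truncateDescription(desc string) string {
	if utf8.RuneCountInString(desc) <= maxDescLen {
		return desc
	}
	return string([]rune(desc)[:maxDescLen])
}

// descriptionLengths returns the lengths the API sees on the initial create
// (label = generated NodeBalancer name) and on the annotation update
// (label = service name), the two failure modes reported in the issue.
func descriptionLengths(nbLabel, svcName string) (create, update int) {
	create = utf8.RuneCountInString(ruleDescription(nbLabel, svcName))
	update = utf8.RuneCountInString(ruleDescription(svcName, svcName))
	return create, update
}

func main() {
	// Constructed inputs taken from the issue; the NodeBalancer label is the
	// 16-character "ccm-<12 hex>" form shown there.
	for _, svc := range []string{
		"envoy-envoy-gateway-xxxxx-eg-f759fb75",
		"one-two-three-four-five-six-seven-eight-nine-ten-eleven-twelve",
	} {
		c, u := descriptionLengths("ccm-23b5a57a5801", svc)
		fmt.Printf("%s: create=%d update=%d (limit %d)\n", svc, c, u, maxDescLen)
		fmt.Println("  truncated update:", truncateDescription(ruleDescription(svc, svc)))
	}
}
```

The 37-character envoy name only breaks the limit on update (103), while the 62-character name already breaks it on create (107), which matches both event logs in the issue.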
