Bug 1729252 - Default router service annotation doesn't work for aws-load-balancer-internal
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.1.z
Hardware: x86_64
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Dan Mace
QA Contact: Hongan Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-11 17:04 UTC by Abhishek
Modified: 2023-09-07 20:14 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-12 04:44:11 UTC
Target Upstream Version:
Embargoed:



Description Abhishek 2019-07-11 17:04:52 UTC
Description of problem: Not able to annotate the default router service with:
service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0


Version-Release number of selected component (if applicable):
OCP 4.1.z

How reproducible:
Always


Controller logs:

I0708 17:39:21.505447       1 aws_loadbalancer.go:993] Detaching load balancer from removed subnets
E0708 17:39:21.519693       1 service_controller.go:219] error processing service openshift-ingress/router-default (will retry): failed to ensure load balancer for service openshift-ingress/router-default: error detaching AWS loadbalancer from subnets: "InvalidConfigurationRequest: Requested configuration change for LoadBalancer \"a691511f28e8c11e984b106de0a7f80d\" is invalid because you attempted to detach all the subnets for this LoadBalancer and a LoadBalancer cannot be attached to zero subnets in VPC.\n\tstatus code: 409, request id: 51c62087-a1a7-11e9-aadf-e1b8e9c97c80"
I0708 17:39:21.519825       1 event.go:221] Event(v1.ObjectReference{Kind:"Service", Namespace:"openshift-ingress", Name:"router-default", UID:"691511f2-8e8c-11e9-84b1-06de0a7f80d2", APIVersion:"v1", ResourceVersion:"8124781", FieldPath:""}): type: 'Warning' reason: 'CreatingLoadBalancerFailed' Error creating load balancer (will retry): failed to ensure load balancer for service openshift-ingress/router-default: error detaching AWS loadbalancer from subnets: "InvalidConfigurationRequest: Requested configuration change for LoadBalancer \"a691511f28e8c11e984b106de0a7f80d\" is invalid because you attempted to detach all the subnets for this LoadBalancer and a LoadBalancer cannot be attached to zero subnets in VPC.\n\tstatus code: 409, request id: 51c62087-a1a7-11e9-aadf-e1b8e9c97c80"

Comment 1 Dan Mace 2019-07-11 17:43:22 UTC
What are the steps to reproduce? From the logs and the comment, I'm guessing the user is trying to manually annotate the Service that sits in front of the default ingress controller. Mutating that service is not supported. The supported way to make an ingress controller internal is to specify a scope when creating a new ingress controller using the LoadBalancer publishing strategy[1]. The publishing strategy of an ingress controller is currently declared in the API as immutable, and the default ingress controller has an external scope — so, an internal default ingress controller is not yet supported. However, allowing the scope of the strategy to be mutable is a feature we're considering.

Please confirm my understanding of the situation. If what I've said is accurate, my intent is to close this bug as "working as designed" and would ask that we move the conversation to an RFE, as we will not be accepting the immutability of scope as a bug.

I hope this helps clarify, please let me know if there's more information I can provide.

[1] https://github.com/openshift/api/blob/master/operator/v1/types_ingress.go#L192
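
The supported approach described in Comment 1, shown as an added example that is not part of the original bug report or the project's own code: a new IngressController declares an internal scope on its LoadBalancer publishing strategy, and the operator-managed Service openshift-ingress/router-default is left unannotated. The controller name and domain below are placeholders chosen for illustration.

```yaml
# Added example: the name and domain are placeholders, not values from this bug.
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: internal                      # hypothetical name for the new controller
  namespace: openshift-ingress-operator
spec:
  # Placeholder domain; it must be unique among ingress controllers,
  # so it cannot reuse the default controller's domain.
  domain: apps-internal.example.com
  endpointPublishingStrategy:
    type: LoadBalancerService
    loadBalancer:
      # Scope is set at creation time; per Comment 1 the publishing
      # strategy is declared immutable, so it cannot be changed afterwards.
      scope: Internal
```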

