Bug 1908758 - AWS: NLB timeout value is rejected by AWS cloud provider after 1.20 rebase
Summary: AWS: NLB timeout value is rejected by AWS cloud provider after 1.20 rebase
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.7.0
Assignee: Stephen Greene
QA Contact: Arvind iyengar
Depends On:
TreeView+ depends on / blocked
Reported: 2020-12-17 14:41 UTC by Stephen Greene
Modified: 2022-08-04 22:30 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Create an ingress controller on AWS that uses an NLB. Consequence: The NLB fails to provision since a health check interval of 5 seconds is not permitted for NLBs. Fix: Change the ingress operator to use a default NLB health check interval of 10s instead, as this value is supported by aws. Result: Ingress Controllers on AWS that specify the use of an NLB can be created on OCP 4.7 (with kube 1.20).
Clone Of:
Last Closed: 2021-02-24 15:46:26 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift cluster-ingress-operator pull 518 0 None closed Bug 1908758: Update AWS LB health check interval annotation 2021-01-20 00:33:22 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:46:50 UTC

Description Stephen Greene 2020-12-17 14:41:40 UTC
The `TestNetworkLoadBalancer` test in the ingress-operator's e2e tests is consistently failing as a result of the following error:

"type":"LoadBalancerReady","status":"False","lastTransitionTime":"2020-12-17T13:34:07Z","reason":"SyncLoadBalancerFailed","message":"The service-controller component is reporting SyncLoadBalancerFailed events like: Error syncing load balancer: failed to ensure load balancer: error creating load balancer target group: \"ValidationError: Health check interval '5' not supported for target groups with the TCP protocol. Must be one of the following values '[10, 30]'"

Pulled from https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_cluster-ingress-operator/511/pull-ci-openshift-cluster-ingress-operator-master-e2e-aws-operator/1339551761060335616.

More failures available here: https://prow.ci.openshift.org/pr-history/?org=openshift&repo=cluster-ingress-operator&pr=512

Comment 3 Arvind iyengar 2020-12-18 09:08:10 UTC
Verified in "4.7.0-0.nightly-2020-12-18-031435" release which has the PR merge. It is noted that the error no more occurs with ingresscontrollers having the NLB configuration in place:
$ oc -n openshift-ingress-operator get ingresscontroller internalapps -o yaml
  domain: internalapps.aiyengar-oc47-1908758.qe.devcluster.openshift.com
          type: NLB
        type: AWS
      scope: External
    type: LoadBalancerService

$ oc get route
oc NAME               HOST/PORT                                                                                          PATH   SERVICES           PORT   TERMINATION   WILDCARD
service-unsecure   service-unsecure-test1.internalapps.aiyengar-oc47-1908758.qe.devcluster.openshift.com ... 1 more          service-unsecure   http                 None

$ curl service-unsecure-test1.internalapps.aiyengar-oc47-1908758.qe.devcluster.openshift.com -I
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 28
Content-Type: text/html; charset=utf-8
Last-Modified: Tue, 27 Feb 2018 02:43:29 GMT
Server: Caddy
Date: Fri, 18 Dec 2020 09:07:03 GMT
Set-Cookie: e96c07fa08f2609cadf847f019750244=444143347c5a402b2f6cd7ba774d8b6e; path=/; HttpOnly
Cache-control: private

In non-patched version the route goes unreachable.

Comment 6 errata-xmlrpc 2021-02-24 15:46:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.