Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1908758

Summary: AWS: NLB timeout value is rejected by AWS cloud provider after 1.20 rebase
Product: OpenShift Container Platform Reporter: Stephen Greene <sgreene>
Component: NetworkingAssignee: Stephen Greene <sgreene>
Networking sub component: router QA Contact: Arvind iyengar <aiyengar>
Status: CLOSED ERRATA Docs Contact:
Severity: urgent    
Priority: urgent CC: aiyengar, aos-bugs, hongli
Version: 4.7   
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Create an ingress controller on AWS that uses an NLB. Consequence: The NLB fails to provision since a health check interval of 5 seconds is not permitted for NLBs. Fix: Change the ingress operator to use a default NLB health check interval of 10s instead, as this value is supported by aws. Result: Ingress Controllers on AWS that specify the use of an NLB can be created on OCP 4.7 (with kube 1.20).
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 15:46:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stephen Greene 2020-12-17 14:41:40 UTC 
The `TestNetworkLoadBalancer` test in the ingress-operator's e2e tests is consistently failing as a result of the following error:

"type":"LoadBalancerReady","status":"False","lastTransitionTime":"2020-12-17T13:34:07Z","reason":"SyncLoadBalancerFailed","message":"The service-controller component is reporting SyncLoadBalancerFailed events like: Error syncing load balancer: failed to ensure load balancer: error creating load balancer target group: \"ValidationError: Health check interval '5' not supported for target groups with the TCP protocol. Must be one of the following values '[10, 30]'"

Pulled from https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_cluster-ingress-operator/511/pull-ci-openshift-cluster-ingress-operator-master-e2e-aws-operator/1339551761060335616.

More failures available here: https://prow.ci.openshift.org/pr-history/?org=openshift&repo=cluster-ingress-operator&pr=512
Comment 3 Arvind iyengar 2020-12-18 09:08:10 UTC 
Verified in "4.7.0-0.nightly-2020-12-18-031435" release which has the PR merge. It is noted that the error no more occurs with ingresscontrollers having the NLB configuration in place:
-----
$ oc -n openshift-ingress-operator get ingresscontroller internalapps -o yaml
spec:
  domain: internalapps.aiyengar-oc47-1908758.qe.devcluster.openshift.com
  endpointPublishingStrategy:
    loadBalancer:
      providerParameters:
        aws:
          type: NLB
        type: AWS
      scope: External
    type: LoadBalancerService

$ oc get route
oc NAME               HOST/PORT                                                                                          PATH   SERVICES           PORT   TERMINATION   WILDCARD
service-unsecure   service-unsecure-test1.internalapps.aiyengar-oc47-1908758.qe.devcluster.openshift.com ... 1 more          service-unsecure   http                 None

$ curl service-unsecure-test1.internalapps.aiyengar-oc47-1908758.qe.devcluster.openshift.com -I
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 28
Content-Type: text/html; charset=utf-8
Last-Modified: Tue, 27 Feb 2018 02:43:29 GMT
Server: Caddy
Date: Fri, 18 Dec 2020 09:07:03 GMT
Set-Cookie: e96c07fa08f2609cadf847f019750244=444143347c5a402b2f6cd7ba774d8b6e; path=/; HttpOnly
Cache-control: private
------

In non-patched version the route goes unreachable.
Comment 6 errata-xmlrpc 2021-02-24 15:46:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633