[Rebase + Bugfixes] Add support for TCP_UDP Listeners #4161
Conversation
The original PR had a test for mergeServicePortsForListener tacked on. That test has been moved into the test for mergeServicePortsForListener. This also fixes the test to deal with the error checking that was added to mergeServicePortsForListener.
Previously, aws-load-balancer-controller ignored extra overlapping ServicePorts defined in the Kubernetes Service spec if the external port numbers were the same even if the protocols were different (e.g. TCP:53, UDP:53). This behavior prevented users from exposing services that support TCP and UDP on the same external load balancer port number. This patch solves the problem by detecting when a user defines multiple ServicePorts for the same external load balancer port number but using TCP and UDP protocols separately. In such situations, a TCP_UDP TargetGroup and Listener are created and SecurityGroup rules are updated accordingly. If more than two ServicePorts are defined, only the first two mergeable ServicePorts are used. Otherwise, the first ServicePort is used. Note: rebasing errors would be my fault -- Kevin Lyda Signed-off-by: Kevin Lyda <[email protected]>
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
approved
| - <a name="tcp-udp-listener">`service.beta.kubernetes.io/aws-load-balancer-enable-tcp-udp-listener`</a> allows creation of [TCP_UDP](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-listeners.html#listener-configuration) listener type when the service defines a TCP and UDP port on the same port number. | ||
|
|
||
| !!!note "" | ||
| - To change the default from false to true, use the controller flag `--feature-gates=EnableTCPUDPListener=true` to allow creation of TCP_UDP listeners for all services. |
There was a problem hiding this comment.
Why do we needa controller level feature flag as we have annotation for this feature? I find it a little bit risky since it will affect all the existing services for the customers if they enable it at the controller level and don't specify false on their service annotations. Should we only ask to enable this feature through annotations as its a informed decision made by them to have TCP_UDP on same port instead of affecting all the services.
There was a problem hiding this comment.
It's to make it easy for people to adopt the feature. E.g. a similar ask for using backend security groups: #4145
This way, we give people the flexibility to either specify it per-service that they want the support, or they can specify it at the feature flag level and not have to worry about annotating individual services.
There was a problem hiding this comment.
I always consider feature gates to provide a safe way out if they simply dont want to use that feature. Keeping it default to true so that they get this feature enabled by default and let the customer decide the usage of this feature based on annotation values. This gives them the flexibility to disable the feature once and for all if they don't want it irrespective annotation value eg. NLBSecurityGroup and LBCapacityReservation.
But I get that we are adding this to avoid having them use this annotation on each service to make easy adoption. So we can keep it but then lets give them the ability to get out of this for the services on which they dont want to merge TCP_UDP ports by reading the annotation value. This way they have the ability to disable the TCP_UDP ports for the services if they want to and they dont need to add the annotation on the services where they want to merge it. What do you think?
pkg/service/model_build_listener.go
Outdated
| func (t *defaultModelBuildTask) buildListeners(ctx context.Context, scheme elbv2model.LoadBalancerScheme) error { | ||
| cfg, err := t.buildListenerConfig(ctx) | ||
|
|
||
| if t.enableTCPUDPSupport || t.isTCPUDPEnabledForService(t.service.Annotations) { |
There was a problem hiding this comment.
If the feature flag is enabled, the annotation value wont matter anymore and the services which does not want to merge TCP_UDP ports will have no option but to merge their ports? What if the customers wants the mix of both type of services?
There was a problem hiding this comment.
If they want to control which services get the feature enabled, they have to use the annotation. Setting the controller flag to true should override the annotation value.
There was a problem hiding this comment.
Is the suggestion to make the annotation take precedence, if the annotation is present?
There was a problem hiding this comment.
Yes. Basically if the feature flag is true, all the services will merge the ports unless specified false by annotation. What do you think?
There was a problem hiding this comment.
That sounds reasonable.
There was a problem hiding this comment.
i have a follow-up question, it sounds like when both annotation and feature gate are present, sometimes annotation takes precedence and sometimes feature gate does. I get the idea that this is because each case has unique condition, but will this inconsistent behavior confuses user sometimes? how are we helping them with better documentation?
There was a problem hiding this comment.
Good call out. I will document this feature flag in order to clarify any confusion. I think the differing behavior is based off of the usage of the flag. In some cases, it's controller wide behavior while other features can operate at the individual resource level.
zac-nixon
force-pushed
the
znixon/tcpudp-rebase
branch
3 times, most recently
from
59dc0dd to
dcc1533
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: WestonReed, zac-nixon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
zac-nixon
force-pushed
the
znixon/tcpudp-rebase
branch
from
dcc1533 to
ce478b3
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
This is awesome! Thank you to @zac-nixon @lyda et al. for getting this feature merged into main! I was very excited to wake up to the close notification this morning. |
In a world where there are lots of divisive people, nice to see folks from Turkey, Ireland, Ukraine and Washington state (among others) team up to get something done. More like this. |
Issue
Original PR - #3807
I've cherry-picked the original commits to make sure @lyda gets their due credit.
Description
This PR augments the original PR with some bug fixes found during testing and adding the support for TCP_UDP listeners behind a service annotation, or a feature flag that will enable the default value to be
truefor creating TCP_UDP listeners.Changes:
TestCases:
UDP
TCP
Checklist
README.md, or thedocsdirectory)BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯