Add support for L7-ILB (take 2)

[spencerhance]

This PR supersedes #773

Adds support for the L7 Internal Load Balancer to the controller. A follow up PR with e2e tests will be added.

In the interest of time, I've added the L7-ILB work on top of #788 so that it can be reviewed in tandem. Unless you foresee gigantic changes in that PR, I would review this as well so it can be merged shortly after. The first commit on this PR is from that branch.

Currently, the feature is flag-gated with the '--enable-l7-ilb' flag. Enabling the flag will require resolving #767

[k8s-ci-robot]

Hi @spencerhance. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rramkumar1]

/ok-to-test

[spencerhance]

/cc @freehan

[rramkumar1]

@spencerhance Can you squash commits so that it's easier to see which commits are from the parent PR?

[spencerhance]

@rramkumar1 good call, should be good now

[freehan]

I feel like there is a better way to do this. You should probably fail at validation if there is service backend that does not have NEG enabled.

[spencerhance]

True, but I do need to also handle the default backend case

[freehan]

do we want to have a separate firewall rule for ILB?

[spencerhance]

it's not a separate firewall rule, rather adding the ILB range to the firewall rule since that is a requirement.

[spencerhance]

Oh I think I misunderstood your question. It's possible to add another rule but I'm not sure if that would make much of a difference.

[bowei]

It could make the features more error independent. For instance, you could get an error updating ILB ranges, but still successfully update NEG

[spencerhance]

Hmm, good point, I'll look at adding this today.

[spencerhance]

This looks like it will require non-trivial refactoring since we currently only support one firewall. It's still possible, but it might make more sense to just update the src ranges separately to catch two different errors.

[bowei]

It feels like we need more unit tests?

[spencerhance]

/hold cancel

[bowei]

This still seems quite strange to me that the list operation takes a key that it then only looks @ the scope for.

[spencerhance]

I agree, there's a TODO in pkg/composite/gen/main.go from when we last discussed it. I can update here or in another PR depending on your preference

[bowei]

You could do

var ErrSubnetNotFound = errors.New(""primary subnet not found")

[bowei]

Fix the remaining issues and we can merge this. There are a lot of TODOs, but should pick them up in follow on PRs.

[bowei]

Let's call this "gce-ilb". L7 is already implicit in the API.

[spencerhance]

Changed it to "gce-internal," which I believe was the original name fwiw

[bowei]

for strings that come from input, use %q

[spencerhance]

Done

[bowei]

Add a TODO that this needs to be changed to not take a key

[spencerhance]

Done

[bowei]

// TODO(shance): this all needs to be replaced with `scope` and not key.
globalKey, err := CreateKey(gceCloud, "", meta.Global)
if err != nil {
  return nil, err
}
regionalKey, err := ...

for _, vk := range []struct {
  v meta.Version
  k meta.Key // TODO: change this to scope
} {
  {meta.VersionGA, GlobalKey},
  {meta.VersionAlpha, RegionalKey},
} {
  ...
}

[spencerhance]

Done

[bowei]

flag gate this?

[spencerhance]

Done

[bowei]

this should be if enableILBL7 && utils.IsGCEL7Ingress(ing) so it's completely disabled

[spencerhance]

Done

[bowei]

break

[spencerhance]

Done

[bowei]

I don't like hiding the enablement inside the function. Then when we unit test this, it has different behavior based on a global variable flag

[spencerhance]

Done

[bowei]

no need to append if we are not in a loop

return L7ILBSrcRange, nil

[spencerhance]

Done

[bowei]

you can reduce verbosity here:

makeEntry := func(ga, alpha, beta meta.Version) {
  return &map[meta.Version]{   meta.VersionGA: {ga}, meta.VersionAlpha:{alpha}, meta.VersionBeta:{beta}   }
}
...
UrlMap: ...,
ForwardingRule: makeEntry(fakeGaFeature, fakeAlphaFeature, fakeBetaFeature),

[spencerhance]

Done

[bowei]

you need to add a TODO here so we can find this later

[spencerhance]

Done

[bowei]

Are you going to remove the comment?

[bowei]

either do

{ ... }

or

&blah{\n
  ...\n
},\n

don't do

&blah{\n
   ...},

[bowei]

/lgtm
/approve

there are a ton of TODOs, but let's merge this for now and handle things in addons. The github UI is not handling PRs of this size very easily.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bowei, spencerhance

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [bowei]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hach-que]

Is there a way to get this working on Google Kubernetes Engine?

I added the annotation kubernetes.io/ingress.class: "gce-internal" to an ingress on GKE, but it doesn't seem to be doing anything.

Do I have to manually deploy ingress-gce to the cluster, and disable the built-in version?

[hach-que]

For anyone trying to get this working on Google Kubernetes Engine, you need to:

1. Make sure your GKE cluster is on 1.14. 1.13 definitely does not work.
2. Ask your Google support channel or technical account manager to enable Alpha Access on the Compute API for the projects you want to deploy this in. This is because the GA and beta APIs do not yet surface subnets reserved for internal HTTPS load balancing (more on that in a bit).
   • If you're desperate to get around this and you're only using ILBs in one region, you can override the implementation of ILBSubnetSourceRange in i7ilb.go to just straight up return the CIDR of the subnet you reserve in step 5.
3. Before running the setup script linked below, modify glbc.yaml and add the --enable-l7-ilb=true argument after --enable-csm=[ENABLE_CSM].
4. Follow the instructions here: https://github.com/kubernetes/ingress-gce/blob/master/docs/deploy/gke/README.md
5. I had to make some fixes to the script e.g. to support multiple node pools and to make API server detection more reliable, which can be found in our fork: https://github.com/networknext/ingress-gce/blob/master/docs/deploy/gke/gke-self-managed.sh
6. You will need to remove the IAM permission from the GLBC service account and re-add Compute Admin permission. For some reason, the controller kept saying access denied until we did this.
7. In the Google Cloud Console, go to add a new HTTPS load balancer, select "Only between my VMs", select a specific region, then you will be prompted to "Reserve subnet". Click that and choose a CIDR mask that doesn't overlap with an existing subnet (e.g. 10.28.0.0/20). Give it whatever name you like. Finish creating the load balancer (just pick whatever), and then delete it after it's spun up.
8. If you rolled out your ingress before this point, you need to delete it as the GCE ingress controller won't have created it properly.
9. Make sure your ingress is using networking.k8s.io/v1beta1, e.g. it should look something like this:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: blah
  annotations:
    kubernetes.io/ingress.allow-http: "false"   
    kubernetes.io/ingress.class: "gce-internal"
spec:
  backend:
    serviceName: blah
    servicePort: grpc

[spencerhance]

@hach-que I'm glad you were able to to get it working! As you figured out, the feature hasn't been released to GKE yet but can be used if you deploy the controller yourself. As for step 3, you can actually avoid enabling CSM by adding the enable NEG annotation to your k8s service. Here is an example service yaml:

apiVersion: v1
kind: Service
metadata:
  name: internal-lb-svc
  namespace: default
  annotations:
    cloud.google.com/neg: '{"ingress": true}'
spec:
  ports:
  - name: host1
    port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    run: internal-lb-app
  type: ClusterIP

Also feel free to file issues if you notice any bugs 😃