cilium icon indicating copy to clipboard operation
cilium copied to clipboard
Published 3 months ago verified publisher icon cilium

CFP: IngressController configurable cloud provider related LoadBalancer

Open therapy-lf opened this issue 3 years ago • 5 comments

Cilium Feature Proposal

Is your feature request related to a problem?

Cilium adds ingress service without any option to pass additional annotations to it. These annotations are used for various cloud and other controllers. For instance, configuring AWS LoadBalancer or cert-manager:

service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "TCP"
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"

Also, there's no way to re-use the same cloud LoadBalancer for multiple ingress services. It'd be great to have just a few types(e.g. public and internal) LoadBalancers for different purposes shared across multiple services. Currently, for each service controller runs a separate service backed by a dedicated LoadBalancer.

Controller should respect ingress object annotations and pass its annotations to the ingress service:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "TCP"
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"

(Optional) Describe your proposed solution

I see a few options:

  • have an option to create a static service used for cilium ingress and disable service auto-creation
  • pass all annotations from the ingress object to the auto-created ingress service

therapy-lf avatar Jul 25 '22 09:07 therapy-lf

I also need it.

lostz avatar Aug 04 '22 07:08 lostz

+1

devopstales avatar Aug 08 '22 07:08 devopstales

Sorry for late reply, this seems reasonable to me, one simple approach to to propagate the (all or filtered) annotations from Ingress objects to (at least) Service child resource.

PR is very much welcome, feel free to let us know if you are keen to work on this. Also, please don't hesitate to reach out in #development Cilium slack channel.

sayboras avatar Aug 08 '22 07:08 sayboras

@sayboras I would like to work on this. Actually, I am new to the code base, so could you please share some idea or code pointers for adding this feature.

NikhilSharmaWe avatar Aug 09 '22 11:08 NikhilSharmaWe

Basically, CIlium Ingress Controller will create below child resources for each Ingress object:

  • LB service
  • Kubernetes Endpoint
  • CiliumEnvoyConfig

This issue is mainly about propagating required annotations from Ingress to LB service. This docs can give you some idea of which annotations are used, from the first look, below annotations prefixes are useful:

  • service.beta.kubernetes.io/*
  • service.kubernetes.io/*
  • cloud.google.com (only used in GCP)

Thanks for your interest, I have assigned the issue to you, feel free to reach out in #development Cilium OSS slack channel.

Related code to start with https://github.com/cilium/cilium/blob/bea793bbc6e8489a308d0bcb6fd796b368d2494c/operator/pkg/ingress/service.go#L186

sayboras avatar Aug 10 '22 08:08 sayboras

How to reuse the loadbalancer? From the PR and the helm docs it is not clear for me how to configure it properly @NikhilSharmaWe @aditighag

batistein avatar Sep 15 '22 17:09 batistein

👋

LB reuse work is actively under development now, it's tracked by https://github.com/cilium/cilium/issues/21270. Please feel free to subscribe to this github issue for update. Thanks.

sayboras avatar Sep 16 '22 02:09 sayboras