ingress: Support shared load balancer mode #21386

sayboras · 2022-09-21T12:48:44Z

Description

The current implementation of Ingress reconciliation in Cilium creates a LoadBalancer Service per Ingress resource. This is not the most efficient use of resources, and can be made much more efficient by sharing a single LoadBalancer config across all Ingress resources in the cluster.

The goal of this PR is to support shared and dedicated mode, which are as per below:

dedicated mode (current behavior): each Ingress resource will have its own dedicated Load Balancer.
shared mode: all Ingress resources will use the same LB.

In the shared mode, if there is any conflicting with path/host, the request will be still load balancing to respective backends equally.

Fixes: #21270

Tasks

Documentation tasks can be done in subsequent PRs or after first round of review

Testing

Two conformance tests in GHA give the coverage of running Ingress in one mode.
Manual testing is done to make sure that there is no issue when users toggle LB mode for particular Ingress. Please find below the details

Toggle LB mode from shared to dedicated LB mode

# Basic Ingress is created with shared mode, hence the Ingress IP is same as shared LB service IP in kube-system
$ kg ing                                               
NAME            CLASS    HOSTS   ADDRESS          PORTS   AGE
basic-ingress   cilium   *       10.109.184.158   80      28s
$ ksysg services cilium-ingress                                    
NAME             TYPE           CLUSTER-IP       EXTERNAL-IP      PORT(S)                      AGE
cilium-ingress   LoadBalancer   10.109.184.158   10.109.184.158   80:30018/TCP,443:31340/TCP   14h

# Sanity check with curl
$ curl http://10.109.184.158/details/1 
{"id":1,"author":"William Shakespeare","year":1595,"type":"paperback","pages":200,"publisher":"PublisherA","language":"English","ISBN-10":"1234567890","ISBN-13":"123-1234567890"}% 

# Toggle from shared to dedicated mode
$ k annotate ing basic-ingress io.cilium.ingress/loadbalancer-mode="dedicated" --overwrite
ingress.networking.k8s.io/basic-ingress annotated

# New Ingress IP due to new LB
$ kg ing                                                                                  
NAME            CLASS    HOSTS   ADDRESS          PORTS   AGE
basic-ingress   cilium   *       10.105.133.157   80      2m36s

# Checking again with curl, new IP should work
$ curl http://10.105.133.157/details/1              
{"id":1,"author":"William Shakespeare","year":1595,"type":"paperback","pages":200,"publisher":"PublisherA","language":"English","ISBN-10":"1234567890","ISBN-13":"123-1234567890"}%

Toggle LB mode from dedicate to shared LB mode (Continued from previous testing)

$ k annotate ing basic-ingress io.cilium.ingress/loadbalancer-mode="shared" --overwrite
ingress.networking.k8s.io/basic-ingress annotated

$ curl http://10.109.184.158/details/1
{"id":1,"author":"William Shakespeare","year":1595,"type":"paperback","pages":200,"publisher":"PublisherA","language":"English","ISBN-10":"1234567890","ISBN-13":"123-1234567890"}%   

# Dedicated LB IP should be timeout
$ curl -v http://10.105.133.157/details/1           
*   Trying 10.105.133.157:80...

maintainer-s-little-helper · 2022-09-21T12:48:46Z

Commit 81d68fcce45337ff943a072f790fa9e39a1bcecf does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

This is to avoid any potential version drift in CI. The setup action (e.g. medyagh/setup-minikube) is maintained by Minikube maintainers. Relates: cilium#21386 (comment) Signed-off-by: Tam Mach <tam.mach@cilium.io>

This is to avoid any potential version drift in CI. The setup action (e.g. medyagh/setup-minikube) is maintained by Minikube maintainers. Relates: #21386 (comment) Signed-off-by: Tam Mach <tam.mach@cilium.io>

[ upstream commit 38b9961 ] This is to avoid any potential version drift in CI. The setup action (e.g. medyagh/setup-minikube) is maintained by Minikube maintainers. Relates: #21386 (comment) Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: André Martins <andre@cilium.io>

This is to avoid any potential version drift in CI. The setup action (e.g. medyagh/setup-minikube) is maintained by Minikube maintainers. [upstream commit] a37c0b4 Relates: cilium#21386 (comment) Signed-off-by: Tam Mach <tam.mach@cilium.io>

This is to avoid any potential version drift in CI. The setup action (e.g. medyagh/setup-minikube) is maintained by Minikube maintainers. [upstream commit] a37c0b4 Relates: #21386 (comment) Signed-off-by: Tam Mach <tam.mach@cilium.io>

Currently, when a shared Ingress resource (managed by Cilium) gets deleted via k8s foreground deletion (e.g. `kubectl delete ingress ... --cascade=false`) the corresponding shared CiliumEnvoyConfig in Ciliums namespace gets rewritten empty. This breaks all other shared Ingresses from working. The reason is an error in the condition that checks which Ingresses should be taken into account when building the model for the shared CiliumEnvoyConfig. The condition checks the `DeletionTimeStamp` (set via foreground deletion) from the modified Ingres instead of the the one within the loop. In case of the foreground deletion this always evaluates to `true` - hence no entries in the CEC. This commit fixes the condition to check for any ongoing deletion on the Ingress that gets checked within the loop. Fixes: cilium#21386 Fixes: cilium#29306 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

Currently, when a shared Ingress resource (managed by Cilium) gets deleted via k8s foreground deletion (e.g. `kubectl delete ingress ... --cascade=false`) the corresponding shared CiliumEnvoyConfig in Ciliums namespace gets rewritten empty. This breaks all other shared Ingresses from working. The reason is an error in the condition that checks which Ingresses should be taken into account when building the model for the shared CiliumEnvoyConfig. The condition checks the `DeletionTimeStamp` (set via foreground deletion) from the modified Ingres instead of the one within the loop. In case of the foreground deletion this always evaluates to `true` - hence no entries in the CEC. This commit fixes the condition to check for any ongoing deletion on the Ingress that gets checked within the loop. Fixes: cilium#21386 Fixes: cilium#29306 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

Currently, when a shared Ingress resource (managed by Cilium) gets deleted via k8s foreground deletion (e.g. `kubectl delete ingress ... --cascade=foreground`) the corresponding shared CiliumEnvoyConfig in Ciliums namespace gets rewritten empty. This breaks all other shared Ingresses from working. The reason is an error in the condition that checks which Ingresses should be taken into account when building the model for the shared CiliumEnvoyConfig. The condition checks the `DeletionTimeStamp` (set via foreground deletion) from the modified Ingres instead of the one within the loop. In case of the foreground deletion this always evaluates to `true` - hence no entries in the CEC. This commit fixes the condition to check for any ongoing deletion on the Ingress that gets checked within the loop. Fixes: cilium#21386 Fixes: cilium#29306 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

Currently, when a shared Ingress resource (managed by Cilium) gets deleted via k8s foreground deletion (e.g. `kubectl delete ingress ... --cascade=foreground`) the corresponding shared CiliumEnvoyConfig in Ciliums namespace gets rewritten empty. This breaks all other shared Ingresses from working. The reason is an error in the condition that checks which Ingresses should be taken into account when building the model for the shared CiliumEnvoyConfig. The condition checks the `DeletionTimeStamp` (set via foreground deletion) from the modified Ingres instead of the one within the loop. In case of the foreground deletion this always evaluates to `true` - hence no entries in the CEC. This commit fixes the condition to check for any ongoing deletion on the Ingress that gets checked within the loop. Fixes: #21386 Fixes: #29306 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

[ upstream commit 804d15e ] Currently, when a shared Ingress resource (managed by Cilium) gets deleted via k8s foreground deletion (e.g. `kubectl delete ingress ... --cascade=foreground`) the corresponding shared CiliumEnvoyConfig in Ciliums namespace gets rewritten empty. This breaks all other shared Ingresses from working. The reason is an error in the condition that checks which Ingresses should be taken into account when building the model for the shared CiliumEnvoyConfig. The condition checks the `DeletionTimeStamp` (set via foreground deletion) from the modified Ingres instead of the one within the loop. In case of the foreground deletion this always evaluates to `true` - hence no entries in the CEC. This commit fixes the condition to check for any ongoing deletion on the Ingress that gets checked within the loop. Fixes: #21386 Fixes: #29306 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com>

Currently, when a shared Ingress resource (managed by Cilium) gets deleted via k8s foreground deletion (e.g. `kubectl delete ingress ... --cascade=foreground`) the corresponding shared CiliumEnvoyConfig in Ciliums namespace gets rewritten empty. This breaks all other shared Ingresses from working. The reason is an error in the condition that checks which Ingresses should be taken into account when building the model for the shared CiliumEnvoyConfig. The condition checks the `DeletionTimeStamp` (set via foreground deletion) from the modified Ingres instead of the one within the loop. In case of the foreground deletion this always evaluates to `true` - hence no entries in the CEC. This commit fixes the condition to check for any ongoing deletion on the Ingress that gets checked within the loop. Fixes: cilium#21386 Fixes: cilium#29306 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

[ upstream commit 804d15e ] Currently, when a shared Ingress resource (managed by Cilium) gets deleted via k8s foreground deletion (e.g. `kubectl delete ingress ... --cascade=foreground`) the corresponding shared CiliumEnvoyConfig in Ciliums namespace gets rewritten empty. This breaks all other shared Ingresses from working. The reason is an error in the condition that checks which Ingresses should be taken into account when building the model for the shared CiliumEnvoyConfig. The condition checks the `DeletionTimeStamp` (set via foreground deletion) from the modified Ingres instead of the one within the loop. In case of the foreground deletion this always evaluates to `true` - hence no entries in the CEC. This commit fixes the condition to check for any ongoing deletion on the Ingress that gets checked within the loop. Fixes: #21386 Fixes: #29306 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com>

The following Ingress annotations aren't actually used by any Ingress related logic. - `ingress.cilium.io/tcp-keep-alive` - `ingress.cilium.io/tcp-keep-alive-idle` - `ingress.cilium.io/tcp-keep-probe-interval` - `ingress.cilium.io/tcp-keep-probe-max-failures` - `ingress.cilium.io/websocket` Support has been removed with cilium#21386, while introducing the shared loadbalancer support. Therefore, this commit uses the unused annotations and their functionality. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

The following Ingress annotations aren't actually used by any Ingress related logic. - `ingress.cilium.io/tcp-keep-alive` - `ingress.cilium.io/tcp-keep-alive-idle` - `ingress.cilium.io/tcp-keep-probe-interval` - `ingress.cilium.io/tcp-keep-probe-max-failures` - `ingress.cilium.io/websocket` Support has been removed with #21386, while introducing the shared loadbalancer support. Therefore, this commit uses the unused annotations and their functionality. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

sayboras linked an issue Sep 21, 2022 that may be closed by this pull request

CFP: Shared Load Balancer for Ingress #21270

Closed

8 tasks

maintainer-s-little-helper bot added dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Sep 21, 2022

sayboras force-pushed the ft/master/shared-same-lb-ingress branch from b87e15e to 2b81064 Compare September 21, 2022 12:51

maintainer-s-little-helper bot removed the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Sep 21, 2022

sayboras added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label Sep 21, 2022

maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Sep 21, 2022

sayboras added the area/servicemesh GH issues or PRs regarding servicemesh label Sep 21, 2022

sayboras changed the title ~~Ft/master/shared same lb ingress~~ ingress: Support shared load balancer mode Sep 21, 2022

sayboras added the wip label Sep 21, 2022

sayboras force-pushed the ft/master/shared-same-lb-ingress branch 2 times, most recently from f88e64d to b7b1070 Compare September 24, 2022 17:49

sayboras removed the wip label Sep 26, 2022

sayboras force-pushed the ft/master/shared-same-lb-ingress branch from b693af8 to 993dac6 Compare September 26, 2022 02:58

youngnick mentioned this pull request Sep 26, 2022

CFP: Shared Load Balancer for Ingress #21270

Closed

8 tasks

sayboras force-pushed the ft/master/shared-same-lb-ingress branch 2 times, most recently from a125bd9 to cd01c15 Compare September 26, 2022 05:02

sayboras marked this pull request as ready for review September 26, 2022 05:03

sayboras requested review from a team as code owners September 26, 2022 05:03

sayboras requested review from nebril, youngnick, qmonnet and joestringer September 26, 2022 05:03

sayboras mentioned this pull request Jan 26, 2023

gha: Pin minikube version used in CI #23364

Merged

mhofstetter mentioned this pull request Nov 24, 2023

ingress: fix foreground deletion of Ingress #29367

Merged

mhofstetter mentioned this pull request Feb 13, 2024

ingress: remove unused annotations #30733

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

ingress: Support shared load balancer mode #21386

ingress: Support shared load balancer mode #21386

Uh oh!

sayboras commented Sep 21, 2022 •

edited

Loading

Uh oh!

maintainer-s-little-helper bot commented Sep 21, 2022

Uh oh!

Uh oh!

ingress: Support shared load balancer mode #21386

ingress: Support shared load balancer mode #21386

Uh oh!

Conversation

sayboras commented Sep 21, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Tasks

Testing

Uh oh!

maintainer-s-little-helper bot commented Sep 21, 2022

Uh oh!

Uh oh!

sayboras commented Sep 21, 2022 •

edited

Loading