Provide an option to skip private IP in LB Status for public NLBs

add max pods per node for e2e nodepools to preserve private ip's

Author: pranavsriram8

hack/run_e2e_test.sh

@@ -68,7 +68,8 @@ function run_e2e_tests_existing_cluster() {
                     --static-snapshot-compartment-id=${STATIC_SNAPSHOT_COMPARTMENT_ID} \
                     --enable-parallel-run=${ENABLE_PARALLEL_RUN} \
                     --run-uhp-e2e=${RUN_UHP_E2E} \
-                    --add-oke-system-tags="false"
+                    --add-oke-system-tags="false" \
+                    --maxpodspernode=${MAX_PODS_PER_NODE}
     else
         ginkgo -v -progress --trace -nodes=${E2E_NODE_COUNT} "${FOCUS_OPT}" "${FOCUS_SKIP_OPT}" "${FOCUS_FP_OPT}"  \
             ginkgo -v -p -progress --trace "${FOCUS_OPT}" "${FOCUS_FP_OPT}"  \
@@ -91,7 +92,8 @@ function run_e2e_tests_existing_cluster() {
                     --static-snapshot-compartment-id=${STATIC_SNAPSHOT_COMPARTMENT_ID} \
                     --enable-parallel-run=${ENABLE_PARALLEL_RUN} \
                     --run-uhp-e2e=${RUN_UHP_E2E} \
-                    --add-oke-system-tags="false"
+                    --add-oke-system-tags="false" \
+                    --maxpodspernode=${MAX_PODS_PER_NODE}
     fi
     retval=$?
     return $retval

pkg/cloudprovider/providers/oci/load_balancer.go

@@ -212,8 +212,11 @@ func (cp *CloudProvider) GetLoadBalancer(ctx context.Context, clusterName string
 
 		return nil, false, err
 	}
-
-	lbStatus, err := loadBalancerToStatus(lb, nil)
+	skipPrivateIP, err := isSkipPrivateIP(service)
+	if err != nil {
+		return nil, false, err
+	}
+	lbStatus, err := loadBalancerToStatus(lb, nil, skipPrivateIP)
 	return lbStatus, err == nil, err
 }
 
@@ -464,7 +467,12 @@ func (clb *CloudLoadBalancerProvider) createLoadBalancer(ctx context.Context, sp
 	}
 
 	logger.With("loadBalancerID", *lb.Id).Info("Load balancer created")
-	status, err := loadBalancerToStatus(lb, spec.ingressIpMode)
+
+	skipPrivateIP, err := isSkipPrivateIP(spec.service)
+	if err != nil {
+		return nil, "", err
+	}
+	status, err := loadBalancerToStatus(lb, spec.ingressIpMode, skipPrivateIP)
 
 	if status != nil && len(status.Ingress) > 0 {
 		// If the LB is successfully provisioned then open lb/node subnet seclists egress/ingress.
@@ -903,7 +911,11 @@ func (cp *CloudProvider) EnsureLoadBalancer(ctx context.Context, clusterName str
 	dimensionsMap[metrics.BackendSetsCountDimension] = strconv.Itoa(len(lb.BackendSets))
 	metrics.SendMetricData(cp.metricPusher, getMetric(loadBalancerType, Update), syncTime, dimensionsMap)
 
-	return loadBalancerToStatus(lb, spec.ingressIpMode)
+	skipPrivateIP, err := isSkipPrivateIP(service)
+	if err != nil {
+		return nil, err
+	}
+	return loadBalancerToStatus(lb, spec.ingressIpMode, skipPrivateIP)
 }
 
 func getDefaultLBSubnets(subnet1, subnet2 string) []string {
@@ -1954,7 +1966,7 @@ func (clb *CloudLoadBalancerProvider) updateLoadBalancerIpVersion(ctx context.Co
 }
 
 // Given an OCI load balancer, return a LoadBalancerStatus
-func loadBalancerToStatus(lb *client.GenericLoadBalancer, ipMode *v1.LoadBalancerIPMode) (*v1.LoadBalancerStatus, error) {
+func loadBalancerToStatus(lb *client.GenericLoadBalancer, ipMode *v1.LoadBalancerIPMode, skipPrivateIp bool) (*v1.LoadBalancerStatus, error) {
 	if len(lb.IpAddresses) == 0 {
 		return nil, errors.Errorf("no ip addresses found for load balancer %q", *lb.DisplayName)
 	}
@@ -1964,6 +1976,12 @@ func loadBalancerToStatus(lb *client.GenericLoadBalancer, ipMode *v1.LoadBalance
 		if ip.IpAddress == nil {
 			continue // should never happen but appears to when EnsureLoadBalancer is called with 0 nodes.
 		}
+
+		if skipPrivateIp {
+			if !pointer.BoolDeref(ip.IsPublic, false) {
+				continue
+			}
+		}
 		ingress = append(ingress, v1.LoadBalancerIngress{IP: *ip.IpAddress, IPMode: ipMode})
 	}
 

pkg/cloudprovider/providers/oci/load_balancer_spec.go

@@ -244,6 +244,9 @@ const (
 
 	// ServiceAnnotationNetworkLoadBalancerIsPpv2Enabled is a service annotation to enable/disable PPv2 feature for the listeners of this NLB.
 	ServiceAnnotationNetworkLoadBalancerIsPpv2Enabled = "oci-network-load-balancer.oraclecloud.com/is-ppv2-enabled"
+
+	// ServiceAnnotationNetworkLoadBalancerExternalIpOnly is a service a boolean annotation to skip private ip when assigning to ingress resource for NLB service
+	ServiceAnnotationNetworkLoadBalancerExternalIpOnly = "oci-network-load-balancer.oraclecloud.com/external-ip-only"
 )
 
 const (
@@ -1583,7 +1586,7 @@ func isServiceDualStack(svc *v1.Service) bool {
 	return false
 }
 
-// patchIngressIpMode reads ingress ipMode specified in the service annotation if exists
+// getIngressIpMode reads ingress ipMode specified in the service annotation if exists
 func getIngressIpMode(service *v1.Service) (*v1.LoadBalancerIPMode, error) {
 	var ipMode, exists = "", false
 
@@ -1602,3 +1605,33 @@ func getIngressIpMode(service *v1.Service) (*v1.LoadBalancerIPMode, error) {
 		return nil, errors.New("IpMode can only be set as Proxy or VIP")
 	}
 }
+
+// isSkipPrivateIP determines if skipPrivateIP annotation is set or not
+func isSkipPrivateIP(svc *v1.Service) (bool, error) {
+	lbType := getLoadBalancerType(svc)
+	annotationValue := ""
+	annotationExists := false
+	annotationString := ""
+	annotationValue, annotationExists = svc.Annotations[ServiceAnnotationNetworkLoadBalancerExternalIpOnly]
+	if !annotationExists {
+		return false, nil
+	}
+
+	if lbType != NLB {
+		return false, nil
+	}
+
+	internal, err := isInternalLB(svc)
+	if err != nil {
+		return false, err
+	}
+	if internal {
+		return false, nil
+	}
+
+	skipPrivateIp, err := strconv.ParseBool(annotationValue)
+	if err != nil {
+		return false, errors.Wrap(err, fmt.Sprintf("invalid value: %s provided for annotation: %s", annotationValue, annotationString))
+	}
+	return skipPrivateIp, nil
+}

pkg/cloudprovider/providers/oci/load_balancer_spec_test.go

@@ -18,7 +18,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"k8s.io/utils/pointer"
 	"net/http"
 	"reflect"
 	"testing"
@@ -28,6 +27,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/utils/pointer"
 
 	providercfg "github.com/oracle/oci-cloud-controller-manager/pkg/cloudprovider/providers/oci/config"
 	"github.com/oracle/oci-cloud-controller-manager/pkg/oci/client"
@@ -11858,3 +11858,74 @@ func Test_getLoadBalancerSourceRanges(t *testing.T) {
 		})
 	}
 }
+
+func TestIsSkipPrivateIP_NLB(t *testing.T) {
+	tests := []struct {
+		name           string
+		svcAnnotations map[string]string
+		expected       bool
+		wantErr        bool
+	}{
+		{
+			name: "skip-private-ip-enabled",
+			svcAnnotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:                  NLB,
+				ServiceAnnotationNetworkLoadBalancerExternalIpOnly: "true",
+			},
+			expected: true,
+			wantErr:  false,
+		},
+		{
+			name: "skip-private-ip-disabled",
+			svcAnnotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:                  NLB,
+				ServiceAnnotationNetworkLoadBalancerExternalIpOnly: "false",
+			},
+			expected: false,
+			wantErr:  false,
+		},
+		{
+			name: "skip-private-ip-invalid-value",
+			svcAnnotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:                  NLB,
+				ServiceAnnotationNetworkLoadBalancerExternalIpOnly: "invalid",
+			},
+			expected: false,
+			wantErr:  true,
+		},
+		{
+			name: "skip-private-ip with internal loadbalancer",
+			svcAnnotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:                  NLB,
+				ServiceAnnotationNetworkLoadBalancerInternal:       "true",
+				ServiceAnnotationNetworkLoadBalancerExternalIpOnly: "true",
+			},
+			expected: false,
+			wantErr:  false,
+		},
+		{
+			name:           "no-skip-private-ip-annotation",
+			svcAnnotations: map[string]string{},
+			expected:       false,
+			wantErr:        false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			svc := &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: tt.svcAnnotations,
+				},
+			}
+			got, err := isSkipPrivateIP(svc)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("isSkipPrivateIP() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.expected {
+				t.Errorf("isSkipPrivateIP() = %v, expected %v", got, tt.expected)
+			}
+		})
+	}
+}

pkg/cloudprovider/providers/oci/load_balancer_test.go

@@ -1359,7 +1359,7 @@ func Test_getGoadBalancerStatus(t *testing.T) {
 	}
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
-			actual, err := loadBalancerToStatus(test.lb, test.setIpMode)
+			actual, err := loadBalancerToStatus(test.lb, test.setIpMode, false)
 			if !assertError(err, test.wantErr) {
 				t.Errorf("Expected error = %v, but got %v", test.wantErr, err)
 				return
@@ -2249,3 +2249,132 @@ func Test_getOciIpVersions(t *testing.T) {
 		})
 	}
 }
+
+func TestLoadBalancerToStatus(t *testing.T) {
+	type testCase struct {
+		name           string
+		lb             *client.GenericLoadBalancer
+		ipMode         v1.LoadBalancerIPMode
+		skipPrivateIp  bool
+		expectedOutput *v1.LoadBalancerStatus
+		expectedError  error
+	}
+
+	testCases := []testCase{
+		{
+			name: "No IP Addresses",
+			lb: &client.GenericLoadBalancer{
+				DisplayName: common.String("test-lb"),
+				IpAddresses: []client.GenericIpAddress{},
+			},
+			ipMode:         v1.LoadBalancerIPModeVIP,
+			skipPrivateIp:  false,
+			expectedOutput: nil,
+			expectedError:  errors1.Errorf("no ip addresses found for load balancer \"test-lb\""),
+		},
+		{
+			name: "Single Public IP Address",
+			lb: &client.GenericLoadBalancer{
+				DisplayName: common.String("test-lb"),
+				IpAddresses: []client.GenericIpAddress{
+					{
+						IpAddress: common.String("192.168.1.100"),
+						IsPublic:  common.Bool(true),
+					},
+				},
+			},
+			ipMode:        v1.LoadBalancerIPModeVIP,
+			skipPrivateIp: false,
+			expectedOutput: &v1.LoadBalancerStatus{
+				Ingress: []v1.LoadBalancerIngress{
+					{
+						IP: "192.168.1.100",
+					},
+				},
+			},
+			expectedError: nil,
+		},
+		{
+			name: "Multiple IP Addresses",
+			lb: &client.GenericLoadBalancer{
+				DisplayName: common.String("test-lb"),
+				IpAddresses: []client.GenericIpAddress{
+					{
+						IpAddress: common.String("192.168.1.100"),
+						IsPublic:  common.Bool(true),
+					},
+					{
+						IpAddress: common.String("10.0.0.100"),
+						IsPublic:  common.Bool(false),
+					},
+				},
+			},
+			ipMode:        v1.LoadBalancerIPModeVIP,
+			skipPrivateIp: false,
+			expectedOutput: &v1.LoadBalancerStatus{
+				Ingress: []v1.LoadBalancerIngress{
+					{
+						IP: "192.168.1.100",
+					},
+					{
+						IP: "10.0.0.100",
+					},
+				},
+			},
+			expectedError: nil,
+		},
+		{
+			name: "Skip Private IP",
+			lb: &client.GenericLoadBalancer{
+				DisplayName: common.String("test-lb"),
+				IpAddresses: []client.GenericIpAddress{
+					{
+						IpAddress: common.String("192.168.1.100"),
+						IsPublic:  common.Bool(true),
+					},
+					{
+						IpAddress: common.String("10.0.0.100"),
+						IsPublic:  common.Bool(false),
+					},
+				},
+			},
+			ipMode:        v1.LoadBalancerIPModeVIP,
+			skipPrivateIp: true,
+			expectedOutput: &v1.LoadBalancerStatus{
+				Ingress: []v1.LoadBalancerIngress{
+					{
+						IP: "192.168.1.100",
+					},
+				},
+			},
+			expectedError: nil,
+		},
+		{
+			name: "Nil IpAddress",
+			lb: &client.GenericLoadBalancer{
+				DisplayName: common.String("test-lb"),
+				IpAddresses: []client.GenericIpAddress{
+					{
+						IpAddress: nil,
+					},
+				},
+			},
+			ipMode:        v1.LoadBalancerIPModeVIP,
+			skipPrivateIp: false,
+			expectedOutput: &v1.LoadBalancerStatus{
+				Ingress: []v1.LoadBalancerIngress{},
+			},
+			expectedError: nil,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			actualOutput, actualError := loadBalancerToStatus(tc.lb, &tc.ipMode, tc.skipPrivateIp)
+			reflect.DeepEqual(tc.expectedOutput, actualOutput)
+			if tc.expectedError != nil {
+				reflect.DeepEqual(tc.expectedError.Error(), actualError.Error())
+			}
+		})
+	}
+}