Merge pull request #1222 from bfournie/internal-load-balancer

Create an Internal Load Balancer if configured
kubernetes-sigs · May 29, 2024 · e5efa79 · e5efa79
2 parents 47f0958 + 1a8192b
commit e5efa79
Show file tree

Hide file tree

Showing 12 changed files with 1,315 additions and 100 deletions.
diff --git a/api/v1beta1/gcpcluster_webhook.go b/api/v1beta1/gcpcluster_webhook.go
@@ -85,6 +85,13 @@ func (c *GCPCluster) ValidateUpdate(oldRaw runtime.Object) (admission.Warnings,
 		)
 	}
 
+	if !reflect.DeepEqual(c.Spec.LoadBalancer, old.Spec.LoadBalancer) {
+		allErrs = append(allErrs,
+			field.Invalid(field.NewPath("spec", "LoadBalancer"),
+				c.Spec.LoadBalancer, "field is immutable"),
+		)
+	}
+
 	if len(allErrs) == 0 {
 		return nil, nil
 	}

diff --git a/api/v1beta1/labels.go b/api/v1beta1/labels.go
@@ -111,6 +111,9 @@ const (
 
 	// APIServerRoleTagValue describes the value for the apiserver role.
 	APIServerRoleTagValue = "apiserver"
+
+	// InternalRoleTagValue describes the value for the internal role.
+	InternalRoleTagValue = "api-internal"
 )
 
 // ClusterTagKey generates the key for resources associated with a cluster.

diff --git a/api/v1beta1/types.go b/api/v1beta1/types.go
@@ -85,6 +85,26 @@ type Network struct {
 	// created for the API Server.
 	// +optional
 	APIServerForwardingRule *string `json:"apiServerForwardingRule,omitempty"`
+
+	// APIInternalAddress is the IPV4 regional address assigned to the
+	// internal Load Balancer.
+	// +optional
+	APIInternalAddress *string `json:"apiInternalIpAddress,omitempty"`
+
+	// APIInternalHealthCheck is the full reference to the health check
+	// created for the internal Load Balancer.
+	// +optional
+	APIInternalHealthCheck *string `json:"apiInternalHealthCheck,omitempty"`
+
+	// APIInternalBackendService is the full reference to the backend service
+	// created for the internal Load Balancer.
+	// +optional
+	APIInternalBackendService *string `json:"apiInternalBackendService,omitempty"`
+
+	// APIInternalForwardingRule is the full reference to the forwarding rule
+	// created for the internal Load Balancer.
+	// +optional
+	APIInternalForwardingRule *string `json:"apiInternalForwardingRule,omitempty"`
 }
 
 // NetworkSpec encapsulates all things related to a GCP network.
@@ -114,6 +134,24 @@ type NetworkSpec struct {
 	LoadBalancerBackendPort *int32 `json:"loadBalancerBackendPort,omitempty"`
 }
 
+// LoadBalancerType defines the Load Balancer that should be created.
+type LoadBalancerType string
+
+var (
+	// External creates a Global External Proxy Load Balancer
+	// to manage traffic to backends in multiple regions. This is the default Load
+	// Balancer and will be created if no LoadBalancerType is defined.
+	External = LoadBalancerType("External")
+
+	// Internal creates a Regional Internal Passthrough Load
+	// Balancer to manage traffic to backends in the configured region.
+	Internal = LoadBalancerType("Internal")
+
+	// InternalExternal creates both External and Internal Load Balancers to provide
+	// separate endpoints for managing both external and internal traffic.
+	InternalExternal = LoadBalancerType("InternalExternal")
+)
+
 // LoadBalancerSpec contains configuration for one or more LoadBalancers.
 type LoadBalancerSpec struct {
 	// APIServerInstanceGroupTagOverride overrides the default setting for the
@@ -123,6 +161,15 @@ type LoadBalancerSpec struct {
 	// +kubebuilder:validation:Pattern=`(^[1-9][0-9]{0,31}$)|(^[a-z][a-z0-9-]{4,28}[a-z0-9]$)`
 	// +optional
 	APIServerInstanceGroupTagOverride *string `json:"apiServerInstanceGroupTagOverride,omitempty"`
+
+	// LoadBalancerType defines the type of Load Balancer that should be created.
+	// If not set, a Global External Proxy Load Balancer will be created by default.
+	// +optional
+	LoadBalancerType *LoadBalancerType `json:"loadBalancerType,omitempty"`
+
+	// InternalLoadBalancer is the configuration for an Internal Passthrough Network Load Balancer.
+	// +optional
+	InternalLoadBalancer *LoadBalancer `json:"internalLoadBalancer,omitempty"`
 }
 
 // SubnetSpec configures an GCP Subnet.
@@ -278,3 +325,19 @@ type ObjectReference struct {
 	// +kubebuilder:validation:Required
 	Name string `json:"name"`
 }
+
+// LoadBalancer specifies the configuration of a LoadBalancer.
+type LoadBalancer struct {
+	// Name is the name of the Load Balancer. If not set a default name
+	// will be used. For an Internal Load Balancer service the default
+	// name is "api-internal".
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Pattern=`(^[1-9][0-9]{0,31}$)|(^[a-z][a-z0-9-]{4,28}[a-z0-9]$)`
+	// +optional
+	Name *string `json:"name,omitempty"`
+
+	// Subnet is the name of the subnet to use for a regional Load Balancer. A subnet is
+	// required for the Load Balancer, if not defined the first configured subnet will be
+	// used.
+	Subnet *string `json:"subnet,omitempty"`
+}
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/cloud/scope/cluster.go b/cloud/scope/cluster.go
@@ -290,18 +290,18 @@ func (s *ClusterScope) FirewallRulesSpec() []*compute.Firewall {
 // ANCHOR: ClusterControlPlaneSpec
 
 // AddressSpec returns google compute address spec.
-func (s *ClusterScope) AddressSpec() *compute.Address {
+func (s *ClusterScope) AddressSpec(lbname string) *compute.Address {
 	return &compute.Address{
-		Name:        fmt.Sprintf("%s-%s", s.Name(), infrav1.APIServerRoleTagValue),
+		Name:        fmt.Sprintf("%s-%s", s.Name(), lbname),
 		AddressType: "EXTERNAL",
 		IpVersion:   "IPV4",
 	}
 }
 
 // BackendServiceSpec returns google compute backend-service spec.
-func (s *ClusterScope) BackendServiceSpec() *compute.BackendService {
+func (s *ClusterScope) BackendServiceSpec(lbname string) *compute.BackendService {
 	return &compute.BackendService{
-		Name:                fmt.Sprintf("%s-%s", s.Name(), infrav1.APIServerRoleTagValue),
+		Name:                fmt.Sprintf("%s-%s", s.Name(), lbname),
 		LoadBalancingScheme: "EXTERNAL",
 		PortName:            "apiserver",
 		Protocol:            "TCP",
@@ -310,24 +310,24 @@ func (s *ClusterScope) BackendServiceSpec() *compute.BackendService {
 }
 
 // ForwardingRuleSpec returns google compute forwarding-rule spec.
-func (s *ClusterScope) ForwardingRuleSpec() *compute.ForwardingRule {
+func (s *ClusterScope) ForwardingRuleSpec(lbname string) *compute.ForwardingRule {
 	port := int32(443)
 	if c := s.Cluster.Spec.ClusterNetwork; c != nil {
 		port = ptr.Deref(c.APIServerPort, 443)
 	}
 	portRange := fmt.Sprintf("%d-%d", port, port)
 	return &compute.ForwardingRule{
-		Name:                fmt.Sprintf("%s-%s", s.Name(), infrav1.APIServerRoleTagValue),
+		Name:                fmt.Sprintf("%s-%s", s.Name(), lbname),
 		IPProtocol:          "TCP",
 		LoadBalancingScheme: "EXTERNAL",
 		PortRange:           portRange,
 	}
 }
 
 // HealthCheckSpec returns google compute health-check spec.
-func (s *ClusterScope) HealthCheckSpec() *compute.HealthCheck {
+func (s *ClusterScope) HealthCheckSpec(lbname string) *compute.HealthCheck {
 	return &compute.HealthCheck{
-		Name: fmt.Sprintf("%s-%s", s.Name(), infrav1.APIServerRoleTagValue),
+		Name: fmt.Sprintf("%s-%s", s.Name(), lbname),
 		Type: "HTTPS",
 		HttpsHealthCheck: &compute.HTTPSHealthCheck{
 			Port:              6443,