From 072eb5b58e8798ce007af10ffdb944da45ca8188 Mon Sep 17 00:00:00 2001
From: dkokkino
Date: Mon, 17 Mar 2025 16:06:11 +0100
Subject: [PATCH] Prevent default API and Ingress VIP generation for user-managed load balancers

- Previously, when API and Ingress VIPs were not specified, default values were automatically generated for user-managed load balancers.This was unintended behavior. Now, if the user does not explicitly provide API and Ingress VIPs, a fatal error is thrown instead.
---
 pkg/types/openstack/defaults/platform.go | 56 +++++++++++++-----------
 1 file changed, 31 insertions(+), 25 deletions(-)

diff --git a/pkg/types/openstack/defaults/platform.go b/pkg/types/openstack/defaults/platform.go
index fb87c12aa8..df7c65faf0 100644
--- a/pkg/types/openstack/defaults/platform.go
+++ b/pkg/types/openstack/defaults/platform.go
@@ -6,6 +6,7 @@ import (
 "github.com/apparentlymart/go-cidr/cidr"
+ configv1 "github.com/openshift/api/config/v1"
 "github.com/openshift/installer/pkg/types"
 "github.com/openshift/installer/pkg/types/openstack"
 )
@@ -25,32 +26,37 @@ func SetPlatformDefaults(p *openstack.Platform, n *types.Networking) {
 p.Cloud = DefaultCloudName
 }
 }
- // APIVIP returns the internal virtual IP address (VIP) put in front
- // of the Kubernetes API server for use by components inside the
- // cluster. The DNS static pods running on the nodes resolve the
- // api-int record to APIVIP.
- if len(p.APIVIPs) == 0 && p.DeprecatedAPIVIP == "" {
- vip, err := cidr.Host(&n.MachineNetwork[0].CIDR.IPNet, 5)
- if err != nil {
- // This will fail validation and abort the install
- p.APIVIPs = []string{fmt.Sprintf("could not derive API VIP from machine networks: %s", err.Error())}
- } else {
- p.APIVIPs = []string{vip.String()}
+
+ // When using user-managed loadbalancer do not generate default API and Ingress VIPs
+ if p.LoadBalancer.Type != configv1.LoadBalancerTypeUserManaged {
+ // APIVIP returns the internal virtual IP address (VIP) put in front
+ // of the Kubernetes API server for use by components inside the
+ // cluster. The DNS static pods running on the nodes resolve the
+ // api-int record to APIVIP.
+ if len(p.APIVIPs) == 0 && p.DeprecatedAPIVIP == "" {
+ vip, err := cidr.Host(&n.MachineNetwork[0].CIDR.IPNet, 5)
+ if err != nil {
+ // This will fail validation and abort the install
+ p.APIVIPs = []string{fmt.Sprintf("could not derive API VIP from machine networks: %s", err.Error())}
+ } else {
+ p.APIVIPs = []string{vip.String()}
+ }
+ }
+
+ // IngressVIP returns the internal virtual IP address (VIP) put in
+ // front of the OpenShift router pods. This provides the internal
+ // accessibility to the internal pods running on the worker nodes,
+ // e.g. `console`. The DNS static pods running on the nodes resolve
+ // the wildcard apps record to IngressVIP.
+ if len(p.IngressVIPs) == 0 && p.DeprecatedIngressVIP == "" {
+ vip, err := cidr.Host(&n.MachineNetwork[0].CIDR.IPNet, 7)
+ if err != nil {
+ // This will fail validation and abort the install
+ p.IngressVIPs = []string{fmt.Sprintf("could not derive Ingress VIP from machine networks: %s", err.Error())}
+ } else {
+ p.IngressVIPs = []string{vip.String()}
+ }
 }
 }
- // IngressVIP returns the internal virtual IP address (VIP) put in
- // front of the OpenShift router pods. This provides the internal
- // accessibility to the internal pods running on the worker nodes,
- // e.g. `console`. The DNS static pods running on the nodes resolve
- // the wildcard apps record to IngressVIP.
- if len(p.IngressVIPs) == 0 && p.DeprecatedIngressVIP == "" {
- vip, err := cidr.Host(&n.MachineNetwork[0].CIDR.IPNet, 7)
- if err != nil {
- // This will fail validation and abort the install
- p.IngressVIPs = []string{fmt.Sprintf("could not derive Ingress VIP from machine networks: %s", err.Error())}
- } else {
- p.IngressVIPs = []string{vip.String()}
- }
- }
 }
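Review bot: The new guard `if p.LoadBalancer.Type != configv1.LoadBalancerTypeUserManaged {` dereferences `p.LoadBalancer` without a nil check. The field's declaration is not in this diff, but if it is an optional pointer on `openstack.Platform`, an install-config with no load balancer configured would panic here instead of receiving the default VIPs; `if p.LoadBalancer == nil || p.LoadBalancer.Type != configv1.LoadBalancerTypeUserManaged {` would keep the previous behaviour for that case. The commit message promises a fatal error when VIPs are omitted for a user-managed load balancer, yet this hunk only skips defaulting, so the rejection depends on validation outside the diff. A unit test for the user-managed case with empty `APIVIPs` and `IngressVIPs` would pin that. Inside the guarded block, `n.MachineNetwork[0]` is still indexed without a length check, unchanged from the old code.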