jp-gouin / helm-openldap

Helm chart of Openldap in High availability with multi-master replication and PhpLdapAdmin and Ltb-Passwd
Apache License 2.0

Service for LoadBalancer seems to not use externalIps properly - using deprecated / removed loadBalancerIP setting #215

Open EugenMayer opened 1 month ago

EugenMayer commented 1 month ago

Could be related to the CNI used (in my case it is Calico).

deploying via

service:
  type: LoadBalancer
  loadBalancerIP: ${externalIp}
  ipFamilyPolicy: SingleStack

will never actually bind the load balancer; it will stay pending. AFAICS you are not using externalIPs at all, which makes the difference here.

When I deploy the same service using Terraform

resource "kubernetes_service" "externalLdapAccess" {
  metadata {
    name      = "kw-auth-openldap"
    namespace = module.hardened_namespace.namespace.id
  }

  spec {
    type = "LoadBalancer"
    selector = {
      "app.kubernetes.io/component": "openldap"
      "release" : "openldap"
    }
    port {
      port        = var.ldap_port
      name        = "ldap"
      protocol    = "TCP"
      target_port = 1389
    }
    port {
      port        = var.ldaps_port
      name        = "ldap-ssl"
      protocol    = "TCP"
      target_port = 1636
    }
    external_ips = [var.external_ip]
  }

  wait_for_load_balancer = false
}

the service binds instantly.

You are using loadBalancerIP, which has been deprecated and no longer works with my k8s version (1.30). We should start using https://kubernetes.io/docs/concepts/services-networking/service/#external-ips which is the replacement.

loadBalancerIP is no longer part of the spec: https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#ServiceSpec
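A chart-side way to honour the request above, as an added example and not the chart's own template: a Service template that keeps the existing `service.type`, `service.loadBalancerIP` and `service.ipFamilyPolicy` values and adds an assumed `service.externalIPs` list. The `openldap.fullname` helper, the `service.externalIPs`, `service.ldapPort` and `service.sslLdapPort` keys are assumptions; the selector labels and target ports are taken from the Terraform resource in this post.

```yaml
# templates/service-external.yaml (added example, not the chart's own file)
# Assumed values (not part of the chart as shown in this thread):
#   service.externalIPs: IPs that the cluster admin already routes to the nodes
#   service.ldapPort / service.sslLdapPort: exposed ports (defaults below)
apiVersion: v1
kind: Service
metadata:
  name: {{ include "openldap.fullname" . }}-external   # helper name assumed
  namespace: {{ .Release.Namespace }}
spec:
  type: {{ .Values.service.type | default "ClusterIP" }}
  {{- with .Values.service.ipFamilyPolicy }}
  ipFamilyPolicy: {{ . }}
  {{- end }}
  {{- /* loadBalancerIP is deprecated in ServiceSpec (see the reference linked
         above); render it only when a user still sets it so that existing
         values files keep working. */}}
  {{- with .Values.service.loadBalancerIP }}
  loadBalancerIP: {{ . }}
  {{- end }}
  {{- /* externalIPs are neither allocated nor validated by Kubernetes: kube-proxy
         simply forwards traffic that reaches a node on one of these addresses
         to the selected pods. Because any workload that lists an address here
         receives the traffic for it, cluster admins should restrict who may set
         this field (for example with an admission policy). */}}
  {{- with .Values.service.externalIPs }}
  externalIPs:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  selector:
    app.kubernetes.io/component: openldap
    release: {{ .Release.Name }}
  ports:
    - name: ldap
      port: {{ .Values.service.ldapPort | default 389 }}
      targetPort: 1389
      protocol: TCP
    - name: ldap-ssl
      port: {{ .Values.service.sslLdapPort | default 636 }}
      targetPort: 1636
      protocol: TCP
```

With externalIPs set, kubectl shows those addresses in the EXTERNAL-IP column instead of <pending>, which matches the behaviour reported above; nothing allocates the address for you, it must already be routed to the nodes.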

jp-gouin commented 1 month ago

What provider are you using for your LoadBalancer?

It's not provided by default in Kubernetes, and you need a component that will allocate a load balancer and provide/attach an IP to your service.

EugenMayer commented 1 month ago

I'm not sure in which direction you are arguing. This flag has been deprecated AFAICS since 1.21 and has a replacement, externalIPs. It has nothing to do with my CNI (Calico) or Ingress (nginx).

jp-gouin commented 1 month ago

Yes, the field needs to be updated to reflect the newest spec of Kubernetes. But this field is also optional, so I wanted to understand why your service of type LB stays pending.

EugenMayer commented 1 month ago

That I'm not fully able to explain. Since it is not ClusterIP, and we expose a port, I assume it is not possible to determine which IP to bind to. I think this is part of the spec; I found that.

Probably this is related to us driving a multi-eth setup on our k8s, meaning the decision cannot be made for sure which one to use, thus it does not make any?

EugenMayer commented 1 day ago

Any chance to move this forward? Thanks for your effort.