Skip to content

Allow configuring API server LB rule name and health probe in AzureCluster #5828

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Allow configuring API server LB rule name and health probe in AzureCluster #5828

wants to merge 1 commit into from

Conversation

cPu1
Copy link
Contributor

@cPu1 cPu1 commented Aug 19, 2025
edited
Loading

What type of PR is this?
/kind feature

What this PR does / why we need it:
This changelist allows configuring the names for the API server load balancer rule and health probe to support cluster adoption scenarios where existing networking resources already exist with different names.

Currently, CAPZ hardcodes the load balancer rule name (LBRuleHTTPS) and health probe name (HTTPSProbe) for the API server load balancer, making it difficult to adopt existing Kubeadm-based clusters using different naming conventions, as users cannot reuse existing load balancer resources without manual intervention. Since the rule name and probe name cannot be changed without destroying and recreating the resource, adopting a Kubeadm cluster into Cluster API can result in some downtime.

This PR adds two new optional fields LoadBalancingRule.Name and HealthProbe.Name to LoadBalancerSpec.

To ensure backward compatibility, the defaulting webhook uses default values that match the previous hardcoded names (LBRuleHTTPS and HTTPSProbe). Since changing the load balancer rule name and health probe name requires resource recreation, a destructive operation, the validating webhook disallows mutations to these fields.

There are no breaking changes as this is a purely additive change that maintains full backward compatibility.

Please note that there's a known bug caused by reusing the same health probe for AdditionalAPIServerLBPorts but this PR keeps the current behavior unchanged.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #5726

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests
  • cherry-pick candidate

Release note:

Allows configuring API server load balancer rule name and health probe name in `AzureCluster`

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Aug 19, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign enxebre for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Aug 19, 2025
@k8s-ci-robot
Copy link
Contributor

Hi @cPu1. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@codecov Codecov
Copy link

codecov bot commented Aug 19, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 92.85714% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 47.02%. Comparing base (e859273) to head (b8e4561).
⚠️ Report is 96 commits behind head on main.

Files with missing lines Patch % Lines
api/v1beta1/azurecluster_validation.go 72.72% 5 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #5828      +/-   ##
==========================================
+ Coverage   46.93%   47.02%   +0.09%     
==========================================
  Files         279      279              
  Lines       29687    29721      +34     
==========================================
+ Hits        13934    13977      +43     
+ Misses      14940    14931       -9     
  Partials      813      813

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@cPu1 cPu1 force-pushed the feat/customizable-lb-rule-probe-name branch from 4874668 to bc3771f Compare August 19, 2025 12:33
@cPu1 cPu1 force-pushed the feat/customizable-lb-rule-probe-name branch from bc3771f to b8e4561 Compare August 19, 2025 12:39
@cPu1
Copy link
Contributor Author

cPu1 commented Oct 5, 2025

@jsturtevant, @marosset, can you help review this PR?

@jackfrancis
Copy link
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 6, 2025
@jackfrancis
Copy link
Contributor

/test pull-cluster-api-provider-azure-e2e-workload-upgrade
/test pull-cluster-api-provider-azure-e2e-optional

@jackfrancis
Copy link
Contributor

@nojnhuh @mboersma generally speaking this looks back-compat-friendly, any concerns there?

@k8s-ci-robot
Copy link
Contributor

@cPu1: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-cluster-api-provider-azure-e2e-optional b8e4561 link false /test pull-cluster-api-provider-azure-e2e-optional

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

nojnhuh
nojnhuh reviewed Oct 6, 2025
View reviewed changes
api/v1beta1/types.go
Comment on lines +363 to +365
// LoadBalancingRule defines the load balancer rule configuration.
// +optional
LoadBalancingRule LoadBalancingRule `json:"loadBalancingRule,omitempty"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't love that this introduces an assumption that a load balancer will only ever have one rule. If we ever add more, then this field becomes ambiguous. I don't know why we would ever want to do that, but I'm equally unsure that one is all we'll ever want.

This also adds the field for the other kinds of load balancers CAPZ creates (worker/controlplane outbound) but it does nothing in those cases. I would slightly prefer the approach we took with AdditionalAPIServerLBPorts where it lives up a level and specifically applies only to the API server LB:

cluster-api-provider-azure/api/v1beta1/types.go

Lines 114 to 117 in cc24323

// AdditionalAPIServerLBPorts specifies extra inbound ports for the APIServer load balancer.
// Each port specified (e.g., 9345) creates an inbound rule where the frontend port and the backend port are the same.
// +optional
AdditionalAPIServerLBPorts []LoadBalancerPort `json:"additionalAPIServerLBPorts,omitempty"`

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nojnhuh nojnhuh nojnhuh left review comments

@jsturtevant jsturtevant Awaiting requested review from jsturtevant

@marosset marosset Awaiting requested review from marosset

Assignees

No one assigned

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.

Projects

CAPZ Planning
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Allow configuring the API server load balancer rule name and health probe name in AzureCluster

4 participants

@cPu1 @k8s-ci-robot @jackfrancis @nojnhuh