feat: add label 'exclude-from-external-load-balancers' for cp nodes

Fixes #8749 Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-07-16 12:22:54 +04:00 · 2024-07-16 12:22:54 +04:00 · ea626a9631
commit ea626a9631
parent 1cf76cfbc2
7 changed files with 37 additions and 0 deletions
--- a/hack/release.toml
+++ b/hack/release.toml
@ -95,6 +95,12 @@ Talos Linux configures kube-proxy >= v1.31.0 to use 'nftables' backend by defaul
        title = "Custom Trusted Roots"
        description = """\
 Talos Linux now supports adding [custom trusted roots](https://www.talos.dev/v1.8/talos-guides/configuration/certificate-authorities/) (CA certificates) via `TrustedRootsConfig` configuration documents.
+"""
+
+    [notes.labels]
+        title = "Default Node Labels"
+        description = """\
+Talos Linux on config generation now adds a label `node.kubernetes.io/exclude-from-external-load-balancers` by default for the control plane nodes.
 """

 [make_deps]
--- a/pkg/machinery/config/contract.go
+++ b/pkg/machinery/config/contract.go
@ -157,3 +157,9 @@ func (contract *VersionContract) ClusterNameForWorkers() bool {
 func (contract *VersionContract) HostDNSForwardKubeDNSToHost() bool {
 	return contract.Greater(TalosVersion1_7)
 }
+
+// AddExcludeFromExternalLoadBalancer returns true if the label 'node.kubernetes.io/exclude-from-external-load-balancers' is automatically added
+// for controlplane nodes.
+func (contract *VersionContract) AddExcludeFromExternalLoadBalancer() bool {
+	return contract.Greater(TalosVersion1_7)
+}
--- a/pkg/machinery/config/contract_test.go
+++ b/pkg/machinery/config/contract_test.go
@ -63,6 +63,7 @@ func TestContractCurrent(t *testing.T) {
 	assert.True(t, contract.UseRSAServiceAccountKey())
 	assert.True(t, contract.ClusterNameForWorkers())
 	assert.True(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.True(t, contract.AddExcludeFromExternalLoadBalancer())
 }

 func TestContract1_8(t *testing.T) {
@ -84,6 +85,7 @@ func TestContract1_8(t *testing.T) {
 	assert.True(t, contract.UseRSAServiceAccountKey())
 	assert.True(t, contract.ClusterNameForWorkers())
 	assert.True(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.True(t, contract.AddExcludeFromExternalLoadBalancer())
 }

 func TestContract1_7(t *testing.T) {
@ -105,6 +107,7 @@ func TestContract1_7(t *testing.T) {
 	assert.True(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
 	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.False(t, contract.AddExcludeFromExternalLoadBalancer())
 }

 func TestContract1_6(t *testing.T) {
@ -126,6 +129,7 @@ func TestContract1_6(t *testing.T) {
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
 	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.False(t, contract.AddExcludeFromExternalLoadBalancer())
 }

 func TestContract1_5(t *testing.T) {
@ -147,6 +151,7 @@ func TestContract1_5(t *testing.T) {
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
 	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.False(t, contract.AddExcludeFromExternalLoadBalancer())
 }

 func TestContract1_4(t *testing.T) {
@ -168,6 +173,7 @@ func TestContract1_4(t *testing.T) {
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
 	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.False(t, contract.AddExcludeFromExternalLoadBalancer())
 }

 func TestContract1_3(t *testing.T) {
@ -189,6 +195,7 @@ func TestContract1_3(t *testing.T) {
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
 	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.False(t, contract.AddExcludeFromExternalLoadBalancer())
 }

 func TestContract1_2(t *testing.T) {
@ -210,6 +217,7 @@ func TestContract1_2(t *testing.T) {
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
 	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.False(t, contract.AddExcludeFromExternalLoadBalancer())
 }

 func TestContract1_1(t *testing.T) {
@ -231,6 +239,7 @@ func TestContract1_1(t *testing.T) {
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
 	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.False(t, contract.AddExcludeFromExternalLoadBalancer())
 }

 func TestContract1_0(t *testing.T) {
@ -252,4 +261,5 @@ func TestContract1_0(t *testing.T) {
 	assert.False(t, contract.UseRSAServiceAccountKey())
 	assert.False(t, contract.ClusterNameForWorkers())
 	assert.False(t, contract.HostDNSForwardKubeDNSToHost())
+	assert.False(t, contract.AddExcludeFromExternalLoadBalancer())
 }
--- a/pkg/machinery/config/generate/init.go
+++ b/pkg/machinery/config/generate/init.go
@ -100,6 +100,14 @@ func (in *Input) init() ([]config.Document, error) {
 		}
 	}

+	if in.Options.VersionContract.AddExcludeFromExternalLoadBalancer() {
+		if machine.MachineNodeLabels == nil {
+			machine.MachineNodeLabels = map[string]string{}
+		}
+
+		machine.MachineNodeLabels[constants.LabelExcludeFromExternalLB] = ""
+	}
+
 	certSANs := in.GetAPIServerSANs()

 	controlPlaneURL, err := url.Parse(in.ControlPlaneEndpoint)
--- a/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/base-controlplane.yaml
+++ b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/base-controlplane.yaml
@ -26,6 +26,8 @@ machine:
        hostDNS:
            enabled: true
            forwardKubeDNSToHost: true
+    nodeLabels:
+        node.kubernetes.io/exclude-from-external-load-balancers: ""
 cluster:
    id: 0raF93qnkMvF-FZNuvyGozXNdLiT2FOWSlyBaW4PR-w=
    secret: pofHbABZq7VXuObsdLdy/bHmz6hlMHZ3p8+6WKrv1ic=
--- a/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/overrides-controlplane.yaml
+++ b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.8/overrides-controlplane.yaml
@ -45,6 +45,8 @@ machine:
        hostDNS:
            enabled: true
            forwardKubeDNSToHost: true
+    nodeLabels:
+        node.kubernetes.io/exclude-from-external-load-balancers: ""
 cluster:
    id: 0raF93qnkMvF-FZNuvyGozXNdLiT2FOWSlyBaW4PR-w=
    secret: pofHbABZq7VXuObsdLdy/bHmz6hlMHZ3p8+6WKrv1ic=
--- a/pkg/machinery/constants/constants.go
+++ b/pkg/machinery/constants/constants.go
@ -375,6 +375,9 @@ const (
 	// LabelNodeRoleControlPlane is the node label required by a control plane node.
 	LabelNodeRoleControlPlane = "node-role.kubernetes.io/control-plane"

+	// LabelExcludeFromExternalLB can be set on a node to exclude it from external load balancers.
+	LabelExcludeFromExternalLB = "node.kubernetes.io/exclude-from-external-load-balancers"
+
 	// ManifestsDirectory is the directory that contains all static manifests.
 	ManifestsDirectory = KubernetesConfigBaseDir + "/" + "manifests"