From 15e6c31570f7f5f8499e431c512ea11b8436c79f Mon Sep 17 00:00:00 2001
From: Julien Tinguely
Date: Thu, 9 Oct 2025 13:19:09 +0000
Subject: [PATCH 1/2] [static] init
Signed-off-by: Julien Tinguely
---
 cluster/expected/infra/expected.json | 10 ++++++++--
 cluster/pulumi/infra/src/istio.ts | 6 +++++-
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/cluster/expected/infra/expected.json b/cluster/expected/infra/expected.json
index acf9b4e3f4..c9a52c5410 100644
--- a/cluster/expected/infra/expected.json
+++ b/cluster/expected/infra/expected.json
@@ -1557,7 +1557,7 @@
 "chart": "gateway",
 "compat": "true",
 "maxHistory": 10,
- "name": "istio-ingress-cometbft",
+ "name": "istio-ingress-cometbft-test",
 "namespace": "cluster-ingress",
 "repositoryOpts": {
 "repo": "https://istio-release.storage.googleapis.com/charts"
@@ -1579,6 +1579,9 @@
 }
 }
 },
+ "annotations": {
+ "cloud.google.com/l4-rbs": "enabled"
+ },
 "autoscaling": {
 "maxReplicas": 15
 },
@@ -1735,7 +1738,7 @@
 "chart": "gateway",
 "compat": "true",
 "maxHistory": 10,
- "name": "istio-ingress",
+ "name": "istio-ingress-test",
 "namespace": "cluster-ingress",
 "repositoryOpts": {
 "repo": "https://istio-release.storage.googleapis.com/charts"
@@ -1757,6 +1760,9 @@
 }
 }
 },
+ "annotations": {
+ "cloud.google.com/l4-rbs": "enabled"
+ },
 "autoscaling": {
 "maxReplicas": 15
 },
diff --git a/cluster/pulumi/infra/src/istio.ts b/cluster/pulumi/infra/src/istio.ts
index 4b600ff098..6c7ba3e462 100644
--- a/cluster/pulumi/infra/src/istio.ts
+++ b/cluster/pulumi/infra/src/istio.ts
@@ -320,7 +320,7 @@ function configureGatewayService(
 const gateway = new k8s.helm.v3.Release(
 `istio-ingress${suffix}`,
 {
- name: `istio-ingress${suffix}`,
+ name: `istio-ingress${suffix}-test`,
 chart: 'gateway',
 version: istioVersion.istio,
 namespace: ingressNs.metadata.name, 
@@ -359,10 +359,14 @@ function configureGatewayService( ].concat(ingressPorts), }, ...infraAffinityAndTolerations, + annotations: { + 'cloud.google.com/l4-rbs': 'enabled', + }, }, maxHistory: HELM_MAX_HISTORY_SIZE, }, { + deleteBeforeReplace: true, dependsOn: istioPolicies ? istioPolicies.apply(policies => { const base: pulumi.Resource[] = [ingressNs, istiod]; From 1a4ca2a0613ff4cf3e0e5a248984269271697035 Mon Sep 17 00:00:00 2001 From: Julien Tinguely Date: Fri, 10 Oct 2025 12:25:49 +0000 Subject: [PATCH 2/2] [static] automatic load balancer release replacement Signed-off-by: Julien Tinguely --- build-tools/cncluster | 16 ++++++++++++++++ cluster/expected/infra/expected.json | 4 ++-- cluster/pulumi/infra/src/istio.ts | 4 +++- 3 files changed, 21 insertions(+), 3 deletions(-) diff --git a/build-tools/cncluster b/build-tools/cncluster index a0507b16c5..9fc8a04855 100755 --- a/build-tools/cncluster +++ b/build-tools/cncluster @@ -696,6 +696,9 @@ function subcmd_create() { #### Enable Firewall Access subcmd_cluster_update_access + ### Enable Http Load Balancing + subcmd_cluster_enable_http_load_balancing + #### Delete default firewall rules, if they exist. if (gcloud compute firewall-rules delete\ default-allow-rdp \ 
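Review bot: `deleteBeforeReplace: true` in the resource options at the end of the istio.ts hunk is added without a comment, and on the ingress gateway it means a replacement removes the old Helm release before the new one exists, so ingress is unavailable in between. If the gateway Service's external address is not reserved elsewhere (not visible in this hunk), the recreated load balancer could also come back with a different IP, which would affect DNS records and any peer allowlists. I would record the reason and the cost next to the option, e.g. `// The release name is fixed, so a replacement must delete the old release first; ingress is down until the new one is ready.` configureGatewayService starts and ends outside the hunk.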
@@ -911,6 +914,19 @@ function subcmd_cluster_enable_workload_identity() { --cluster "cn-${GCP_CLUSTER_BASENAME}net" \ --workload-metadata=GKE_METADATA } + +subcommand_whitelist[cluster_enable_http_load_balancing]='Enable http load balancing for the cluster.' + +function subcmd_cluster_enable_http_load_balancing() { + if ! gcloud container clusters describe "${GCP_CLUSTER_NAME}" --format="value(addonsConfig.httpLoadBalancing)" | grep -q "disabled=True"; then + _info "Http Load Balancing is already enabled for the cluster." + return + fi + + _info "Enabling http load balancing for the cluster ${GCP_CLUSTER_NAME}." + gcloud container clusters update "${GCP_CLUSTER_NAME}" --update-addons=HttpLoadBalancing=ENABLED +} + ### subcommand_whitelist[ci_warn_lock_expiry]='Run only by CircleCI' diff --git a/cluster/expected/infra/expected.json b/cluster/expected/infra/expected.json index c9a52c5410..9a085a8405 100644 --- a/cluster/expected/infra/expected.json +++ b/cluster/expected/infra/expected.json @@ -1557,7 +1557,7 @@ "chart": "gateway", "compat": "true", "maxHistory": 10, - "name": "istio-ingress-cometbft-test", + "name": "istio-ingress-cometbft", "namespace": "cluster-ingress", "repositoryOpts": { "repo": "https://istio-release.storage.googleapis.com/charts" @@ -1738,7 +1738,7 @@ "chart": "gateway", "compat": "true", "maxHistory": 10, - "name": "istio-ingress-test", + "name": "istio-ingress", "namespace": "cluster-ingress", "repositoryOpts": { "repo": "https://istio-release.storage.googleapis.com/charts" diff --git a/cluster/pulumi/infra/src/istio.ts b/cluster/pulumi/infra/src/istio.ts index 6c7ba3e462..775ecf992f 100644 --- a/cluster/pulumi/infra/src/istio.ts +++ b/cluster/pulumi/infra/src/istio.ts 
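Review bot: In subcmd_cluster_enable_http_load_balancing a failed `gcloud container clusters describe` (expired credentials, wrong project, network error) produces no output, so `grep -q "disabled=True"` does not match and the function logs "already enabled" and returns without enabling anything. The describe call should be checked on its own before its output is interpreted, so that a lookup failure stops the run instead of being read as the addon being on. The check also depends on gcloud rendering the addon object as the text `disabled=True`; that is worth a short comment since a formatting change would silently flip the result. Separately, the function sits in the numbered "###" sections without a header comment like its neighbours; a one-line description above it would match the file.

```shell
function subcmd_cluster_enable_http_load_balancing() {
  local addon_state
  # Fail on a describe error rather than treating empty output as "enabled".
  if ! addon_state=$(gcloud container clusters describe "${GCP_CLUSTER_NAME}" --format="value(addonsConfig.httpLoadBalancing)"); then
    return 1
  fi
  if ! grep -q "disabled=True" <<<"${addon_state}"; then
    _info "Http Load Balancing is already enabled for the cluster."
    return
  fi
  # … unchanged: _info message and gcloud container clusters update …
```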
@@ -320,7 +320,7 @@ function configureGatewayService(
 const gateway = new k8s.helm.v3.Release(
 `istio-ingress${suffix}`,
 {
- name: `istio-ingress${suffix}-test`,
+ name: `istio-ingress${suffix}`,
 chart: 'gateway',
 version: istioVersion.istio,
 namespace: ingressNs.metadata.name,
@@ -359,6 +359,7 @@ function configureGatewayService(
 ].concat(ingressPorts),
 },
 ...infraAffinityAndTolerations,
+ // The httpLoadBalancing addon needs to be enabled to use backend service-based network load balancers.
 annotations: {
 'cloud.google.com/l4-rbs': 'enabled',
 },
@@ -366,6 +367,7 @@ function configureGatewayService(
 maxHistory: HELM_MAX_HISTORY_SIZE,
 },
 {
+ replaceOnChanges: ['values.annotations'],
 deleteBeforeReplace: true,
 dependsOn: istioPolicies
 ? istioPolicies.apply(policies => {
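Review bot: `replaceOnChanges: ['values.annotations']` in the last hunk watches the whole annotations map, so together with `deleteBeforeReplace: true` on the next line any later annotation edit, not only `cloud.google.com/l4-rbs`, deletes and recreates the ingress gateway release. That turns an otherwise in-place Helm upgrade into an ingress outage that a reviewer of a future annotation change would not expect. I would narrow the trigger to the one key, e.g. `replaceOnChanges: ['values.annotations["cloud.google.com/l4-rbs"]'],` (assuming Pulumi accepts a quoted-key property path for this option; please confirm), and add a comment such as `// Changing the load balancer type requires recreating the release; this causes ingress downtime.` configureGatewayService starts and ends outside the hunk.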