Remove "CIDR list" from Load Balancer rule

Open NuxRo opened this issue 1 year ago • 1 comments

When creating a new load balancer in either Isolated network or VPC Tier there is this option "CIDR list" - supposedly to allow traffic from it automatically. It seems like a nice idea, but it doesn't do anything and it's just confusing people, also hashtag "polish".

Can we remove it from the UI as well as from the createLoadBalancerRule API call ("cidrlist")? BTW, I'm on 4.19.

NuxRo avatar Jun 28 '24 21:06 NuxRo

Hello @NuxRo

The parameter was reintroduced in 4.18: in the API via #6460 and the UI via #6869. Therefore, it should work. Some manual tests and investigations are necessary to understand why it is not working.

GutoVeronezi avatar Jun 28 '24 21:06 GutoVeronezi

@GutoVeronezi ah, ok, I wasn't aware it was a relatively new thing reintroduced by yourselves. It's a nice little feature.

NuxRo avatar Jul 05 '24 15:07 NuxRo

@GutoVeronezi my apologies, I've had another go at this and indeed, the CIDRs do get whitelisted in haproxy.cfg - my problem is that I was looking for the CIDRs in the firewall, didn't realise it's a config thing. /facepalm

That said, I've already found a problem, I added a cidrlist when creating the LB on an isolated network and now I realise I cannot change or remove that, it's set in stone so to say, unless I recreate the LB. I hope this will be addressed in the future. I've tested on 4.19.0.0 btw.

NuxRo avatar Jul 05 '24 21:07 NuxRo

@NuxRo , does this mean the original description of the issue is to be changed?

DaanHoogland avatar Jul 08 '24 06:07 DaanHoogland

The API updateLoadBalancerRule also lacks a parameter cidrlist to be able to modify (or indeed: empty) the list.

hrak avatar Aug 08 '24 09:08 hrak

@NuxRo , does this mean the original description of the issue is to be changed?

@DaanHoogland yes, the issue is more "Allow load balancer rule CIDR list to be modified"

hrak avatar Aug 08 '24 10:08 hrak

@NuxRo (cc @hrak ) I am not so sure if an update of an LB rule is what we want. It is fairly easy to recreate and we do not want to allow for any overlaps in terms of CIDR and/or ports.

Is the cidr list not working as an allow list what the complaint is here?

DaanHoogland avatar Jan 21 '25 16:01 DaanHoogland

@DaanHoogland - the ticket can be closed.

The feature works as intended; it was only through my own stupidity that I misunderstood the details - it's simply just a haproxy config thing.

The feature could benefit from improvements in updating the cidr list, but I would say it's low prio and as you say one could recreate the LB with minimal downtime.

NuxRo avatar Feb 07 '25 09:02 NuxRo

Thanks, closing as unplanned.

DaanHoogland avatar Feb 07 '25 09:02 DaanHoogland

@DaanHoogland @NuxRo What a strange decision. Deleting and recreating a LB rule also involves having to reattach any VMs that were attached to the LB rule. When using the API programmatically (not for UI use, but for a Kubernetes cloud provider f.e.), it would make a lot more sense to have the ability to update the CIDR list with one call, as opposed to at least 4.

  • get list of VMs associated with rule
  • delete the rule (detaches the VMs). In the meantime whatever service is exposed here will be unreachable.
  • recreate rule with new CIDR list
  • reattach the VMs acquired in step 1

Even from a UI perspective being able to update the list would be an improvement.

Please reconsider this decision.

hrak avatar Feb 07 '25 09:02 hrak
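The four-call sequence hrak lists above, as an added Python example (not CloudStack's own code and not posted by anyone in this thread). The command names are real CloudStack API commands; the endpoint and keys are placeholders, the HTTP transport is injectable so the flow can be exercised offline, and async commands are polled with queryAsyncJobResult between steps, which the list above leaves implicit.

```python
import base64, hashlib, hmac, json, time, urllib.parse, urllib.request

class CloudStackClient:
    """Minimal signed-request client (example code, not CloudStack's own).
    `transport` maps a full URL to the decoded JSON body; it is injectable so
    replace_cidr_list() can be run against canned responses without a server."""
    def __init__(self, endpoint, api_key, secret_key, transport=None):
        self.endpoint, self.api_key, self.secret_key = endpoint, api_key, secret_key
        self.transport = transport or (lambda url: json.load(urllib.request.urlopen(url, timeout=30)))

    def sign(self, params):
        """HMAC-SHA1 over the lowercased, name-sorted query string, as the CloudStack API requires."""
        query = "&".join(f"{k}={urllib.parse.quote(str(v), safe='')}"
                         for k, v in sorted(params.items(), key=lambda kv: kv[0].lower()))
        digest = hmac.new(self.secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
        return query + "&signature=" + urllib.parse.quote(base64.b64encode(digest).decode(), safe="")

    def call(self, command, **params):
        params.update(command=command, apiKey=self.api_key, response="json")
        result = self.transport(f"{self.endpoint}?{self.sign(params)}")[f"{command.lower()}response"]
        if "jobid" in result and command != "queryAsyncJobResult":
            # async command: block until the job ends (jobstatus 0 = running, 1 = done, 2 = failed)
            while (job := self.call("queryAsyncJobResult", jobid=result["jobid"]))["jobstatus"] == 0:
                time.sleep(2)
            if job["jobstatus"] == 2:
                raise RuntimeError(f"{command} failed: {job.get('jobresult')}")
        return result

def replace_cidr_list(client, rule, new_cidrs):
    """Change the allow list of an existing LB rule with the delete-and-recreate
    sequence from the comment above. `rule` is one entry of listLoadBalancerRules."""
    # 1. remember which VMs are currently behind the rule
    vms = client.call("listLoadBalancerRuleInstances", id=rule["id"], applied="true")
    vm_ids = [vm["id"] for vm in vms.get("loadbalancerruleinstance", [])]
    # 2. delete the rule; the exposed service is unreachable from here until step 4 completes
    client.call("deleteLoadBalancerRule", id=rule["id"])
    # 3. recreate it with the new CIDR list (same name, ports, public IP and algorithm)
    new_rule = client.call("createLoadBalancerRule", name=rule["name"], algorithm=rule["algorithm"],
                           publicport=rule["publicport"], privateport=rule["privateport"],
                           publicipid=rule["publicipid"], cidrlist=",".join(new_cidrs))
    # 4. reattach the VMs captured in step 1 to the new rule
    if vm_ids:
        client.call("assignToLoadBalancerRule", id=new_rule["id"], virtualmachineids=",".join(vm_ids))
    return new_rule["id"], vm_ids
```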

@hrak , it is closed as not planned, it is not refused, so if you wish to implement it anyway your code won't be refused.

Please note that there are more than 400 issues open and everybody working on the code has their own priorities. We will be very selective about what we address. Sorry to disappoint you.

DaanHoogland avatar Feb 07 '25 09:02 DaanHoogland