Move to backend service-based network load balancers (#2628)

julientinguely-da · web-flow · commit f03e4a5b4299 · 2025-10-13T15:08:49.000+02:00
Signed-off-by: Julien Tinguely &lt;julien.tinguely@digitalasset.com&gt;
diff --git a/build-tools/cncluster b/build-tools/cncluster
@@ -696,6 +696,9 @@ function subcmd_create() {
         #### Enable Firewall Access
         subcmd_cluster_update_access
 
+        ### Enable Http Load Balancing
+        subcmd_cluster_enable_http_load_balancing
+
         #### Delete default firewall rules, if they exist.
         if (gcloud compute firewall-rules delete\
                          default-allow-rdp \
@@ -911,6 +914,19 @@ function subcmd_cluster_enable_workload_identity() {
         --cluster "cn-${GCP_CLUSTER_BASENAME}net" \
         --workload-metadata=GKE_METADATA
 }
+
+subcommand_whitelist[cluster_enable_http_load_balancing]='Enable http load balancing for the cluster.'
+
+function subcmd_cluster_enable_http_load_balancing() {
+    if ! gcloud container clusters describe "${GCP_CLUSTER_NAME}" --format="value(addonsConfig.httpLoadBalancing)" | grep -q "disabled=True"; then
+        _info "Http Load Balancing is already enabled for the cluster."
+        return
+    fi
+
+    _info "Enabling http load balancing for the cluster ${GCP_CLUSTER_NAME}."
+    gcloud container clusters update "${GCP_CLUSTER_NAME}" --update-addons=HttpLoadBalancing=ENABLED
+}
+
 ###
 
 subcommand_whitelist[ci_warn_lock_expiry]='Run only by CircleCI'
diff --git a/cluster/expected/infra/expected.json b/cluster/expected/infra/expected.json
@@ -1683,6 +1683,9 @@
             }
           }
         },
+        "annotations": {
+          "cloud.google.com/l4-rbs": "enabled"
+        },
         "autoscaling": {
           "maxReplicas": 15
         },
@@ -1861,6 +1864,9 @@
             }
           }
         },
+        "annotations": {
+          "cloud.google.com/l4-rbs": "enabled"
+        },
         "autoscaling": {
           "maxReplicas": 15
         },
diff --git a/cluster/pulumi/infra/src/istio.ts b/cluster/pulumi/infra/src/istio.ts
@@ -359,10 +359,16 @@ function configureGatewayService(
           ].concat(ingressPorts),
         },
         ...infraAffinityAndTolerations,
+        // The httpLoadBalancing addon needs to be enabled to use backend service-based network load balancers.
+        annotations: {
+          'cloud.google.com/l4-rbs': 'enabled',
+        },
       },
       maxHistory: HELM_MAX_HISTORY_SIZE,
     },
     {
+      replaceOnChanges: ['values.annotations'],
+      deleteBeforeReplace: true,
       dependsOn: istioPolicies
         ? istioPolicies.apply(policies => {
             const base: pulumi.Resource[] = [ingressNs, istiod];

Original file line number	Diff line number	Diff line change
`@@ -1683,6 +1683,9 @@`
`1683`	`1683`	`}`
`1684`	`1684`	`}`
`1685`	`1685`	`},`
	`1686`	`+ "annotations": {`
	`1687`	`+ "cloud.google.com/l4-rbs": "enabled"`
	`1688`	`+ },`
`1686`	`1689`	`"autoscaling": {`
`1687`	`1690`	`"maxReplicas": 15`
`1688`	`1691`	`},`
`@@ -1861,6 +1864,9 @@`
`1861`	`1864`	`}`
`1862`	`1865`	`}`
`1863`	`1866`	`},`
	`1867`	`+ "annotations": {`
	`1868`	`+ "cloud.google.com/l4-rbs": "enabled"`
	`1869`	`+ },`
`1864`	`1870`	`"autoscaling": {`
`1865`	`1871`	`"maxReplicas": 15`
`1866`	`1872`	`},`