feat(loadbalancers): add feature gate for pn selector label

andreaswachs · andreaswachs · commit deb6e498e3b3 · 2026-04-15T13:52:13.000+02:00
Signed-off-by: Andreas Wachs &lt;awa@corti.ai&gt;
diff --git a/docs/loadbalancer-annotations.md b/docs/loadbalancer-annotations.md
@@ -247,14 +247,21 @@ The possible formats are:
 
 ### `service.beta.kubernetes.io/scw-loadbalancer-pn-names`
 
+> **Feature gate:** This annotation requires the `SCW_ENABLE_LB_PN_NAME_SELECTOR` environment variable
+> to be set to `"true"` on the cloud controller manager. When the environment variable is not set or set
+> to any other value, this annotation is ignored.
+
 This is the annotation to configure the Private Networks by name instead of ID.
 The private network names will be resolved to IDs at runtime. This is useful when
 you want to specify private networks without hardcoding their IDs, which can change
 when clusters are recreated.
 
+When enabled, IPAM-based node IP resolution is also activated, providing precise IP
+lookup for nodes connected to the configured private networks.
+
 **Priority order:**
 1. `service.beta.kubernetes.io/scw-loadbalancer-pn-ids` (highest priority)
-2. `service.beta.kubernetes.io/scw-loadbalancer-pn-names`
+2. `service.beta.kubernetes.io/scw-loadbalancer-pn-names` (requires `SCW_ENABLE_LB_PN_NAME_SELECTOR=true`)
 3. `PN_ID` environment variable (fallback)
 
 If both `pn-ids` and `pn-names` are set, `pn-ids` takes precedence and `pn-names` is ignored.
diff --git a/scaleway/cloud.go b/scaleway/cloud.go
@@ -53,6 +53,11 @@ const (
 	loadBalancerDefaultTypeEnv = "LB_DEFAULT_TYPE"
 
 	privateNetworkID = "PN_ID"
+
+	// enableLBPNNameSelectorEnv enables the selector-style annotation for LB to VPC/PN association.
+	// When set to "true", the pn-names annotation and IPAM-based node IP resolution are enabled.
+	// This feature is gated because it can cause issues on the Scaleway backend at scale.
+	enableLBPNNameSelectorEnv = "SCW_ENABLE_LB_PN_NAME_SELECTOR"
 )
 
 type cloud struct {
diff --git a/scaleway/loadbalancers.go b/scaleway/loadbalancers.go
@@ -41,6 +41,12 @@ import (
 
 const MaxEntriesPerACL = 60
 
+// lbPNNameSelectorEnabled returns true if the PN name selector feature is enabled
+// via the SCW_ENABLE_LB_PN_NAME_SELECTOR environment variable.
+func lbPNNameSelectorEnabled() bool {
+	return strings.EqualFold(os.Getenv(enableLBPNNameSelectorEnv), "true")
+}
+
 type loadbalancers struct {
 	api           LoadBalancerAPI
 	instance      LBInstanceAPI
@@ -163,7 +169,7 @@ func (l *loadbalancers) EnsureLoadBalancer(ctx context.Context, clusterName stri
 		return nil, fmt.Errorf("invalid value for annotation %s: expected boolean", serviceAnnotationLoadBalancerPrivate)
 	}
 
-	if lbPrivate && l.pnID == "" && len(getPrivateNetworkIDs(service)) == 0 && len(getPrivateNetworkNames(service)) == 0 {
+	if lbPrivate && l.pnID == "" && len(getPrivateNetworkIDs(service)) == 0 && (lbPNNameSelectorEnabled() && len(getPrivateNetworkNames(service)) == 0) {
 		return nil, fmt.Errorf("scaleway-cloud-controller-manager cannot create private load balancers without a private network")
 	}
 
@@ -621,9 +627,13 @@ func (l *loadbalancers) updateLoadBalancer(ctx context.Context, loadbalancer *sc
 	}
 
 	// Discover the project ID from the cluster nodes for accurate VPC/PN lookup
-	nodeProjectID, err := l.getProjectIDFromNodes(nodes, region)
-	if err != nil {
-		klog.V(3).Infof("could not determine project ID from nodes: %v, falling back to default", err)
+	// (only needed when the PN name selector feature is enabled)
+	var nodeProjectID string
+	if lbPNNameSelectorEnabled() {
+		nodeProjectID, err = l.getProjectIDFromNodes(nodes, region)
+		if err != nil {
+			klog.V(3).Infof("could not determine project ID from nodes: %v, falling back to default", err)
+		}
 	}
 
 	configuredPNIDs, err := l.attachPrivateNetworks(loadbalancer, service, lbExternallyManaged, region, nodeProjectID)
@@ -632,7 +642,7 @@ func (l *loadbalancers) updateLoadBalancer(ctx context.Context, loadbalancer *sc
 	}
 
 	var targetIPs []string
-	if len(configuredPNIDs) > 0 {
+	if lbPNNameSelectorEnabled() && len(configuredPNIDs) > 0 {
 		// Use precise IPAM-based lookup to find node IPs on the configured private networks
 		targetIPs, err = l.getNodeIPsForPrivateNetworks(nodes, configuredPNIDs, region)
 		if err != nil {
@@ -868,8 +878,8 @@ func (l *loadbalancers) attachPrivateNetworks(loadbalancer *scwlb.LB, service *v
 			for _, pnID := range explicitIDs {
 				pnIDs[pnID] = false
 			}
-		} else {
-			// Priority 2: Names annotation - resolve to IDs
+		} else if lbPNNameSelectorEnabled() {
+			// Priority 2: Names annotation - resolve to IDs (requires SCW_ENABLE_LB_PN_NAME_SELECTOR=true)
 			pnNames := getPrivateNetworkNames(service)
 			if len(pnNames) > 0 {
 				resolvedIDs, err := l.resolvePrivateNetworkNames(pnNames, region, projectID)
diff --git a/scaleway/loadbalancers_pn_test.go b/scaleway/loadbalancers_pn_test.go
@@ -27,6 +27,107 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+func TestLBPNNameSelectorGate(t *testing.T) {
+	vpcAPI := &fakeVPCAPI{
+		vpcs: []*scwvpc.VPC{
+			{ID: "vpc-default", Name: "default", Region: scw.RegionFrPar, ProjectID: "proj-1"},
+		},
+		privateNetworks: []*scwvpc.PrivateNetwork{
+			{ID: "pn-resolved-1", Name: "my-cluster", VpcID: "vpc-default"},
+		},
+	}
+
+	testLB := &scwlb.LB{
+		ID:   "lb-1",
+		Zone: scw.ZoneFrPar2,
+	}
+
+	t.Run("pn-names ignored when gate is disabled", func(t *testing.T) {
+		// Do NOT set SCW_ENABLE_LB_PN_NAME_SELECTOR (gate off by default)
+		t.Setenv(enableLBPNNameSelectorEnv, "")
+
+		lbAPI := &fakeLBAPI{}
+		lb := newTestLB(lbAPI, vpcAPI, "pn-from-env")
+
+		service := &v1.Service{
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					"service.beta.kubernetes.io/scw-loadbalancer-pn-names": "default/my-cluster",
+				},
+			},
+		}
+
+		gotIDs, err := lb.attachPrivateNetworks(testLB, service, false, scw.RegionFrPar, "proj-1")
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+
+		// pn-names should be ignored; should fall back to env var PN_ID
+		if len(gotIDs) != 1 || gotIDs[0] != "pn-from-env" {
+			t.Errorf("expected fallback to env var PN_ID [pn-from-env], got %v", gotIDs)
+		}
+		if len(lbAPI.attachCalls) != 1 || lbAPI.attachCalls[0] != "pn-from-env" {
+			t.Errorf("expected attach call for pn-from-env, got %v", lbAPI.attachCalls)
+		}
+	})
+
+	t.Run("pn-names used when gate is enabled", func(t *testing.T) {
+		t.Setenv(enableLBPNNameSelectorEnv, "true")
+
+		lbAPI := &fakeLBAPI{}
+		lb := newTestLB(lbAPI, vpcAPI, "pn-from-env")
+
+		service := &v1.Service{
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					"service.beta.kubernetes.io/scw-loadbalancer-pn-names": "default/my-cluster",
+				},
+			},
+		}
+
+		gotIDs, err := lb.attachPrivateNetworks(testLB, service, false, scw.RegionFrPar, "proj-1")
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+
+		// pn-names should resolve, taking precedence over env var
+		if len(gotIDs) != 1 || gotIDs[0] != "pn-resolved-1" {
+			t.Errorf("expected resolved PN [pn-resolved-1], got %v", gotIDs)
+		}
+		if len(lbAPI.attachCalls) != 1 || lbAPI.attachCalls[0] != "pn-resolved-1" {
+			t.Errorf("expected attach call for pn-resolved-1, got %v", lbAPI.attachCalls)
+		}
+	})
+
+	t.Run("pn-names only with no env var returns nil when gate disabled", func(t *testing.T) {
+		t.Setenv(enableLBPNNameSelectorEnv, "")
+
+		lbAPI := &fakeLBAPI{}
+		lb := newTestLB(lbAPI, vpcAPI, "") // no env var PN_ID
+
+		service := &v1.Service{
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					"service.beta.kubernetes.io/scw-loadbalancer-pn-names": "default/my-cluster",
+				},
+			},
+		}
+
+		gotIDs, err := lb.attachPrivateNetworks(testLB, service, false, scw.RegionFrPar, "proj-1")
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+
+		// pn-names ignored + no env var = no PNs configured
+		if gotIDs != nil {
+			t.Errorf("expected nil configured IDs when gate disabled and no env var, got %v", gotIDs)
+		}
+		if len(lbAPI.attachCalls) != 0 {
+			t.Errorf("expected no attach calls, got %v", lbAPI.attachCalls)
+		}
+	})
+}
+
 // fakeLBAPI implements the subset of LoadBalancerAPI needed for attachPrivateNetworks tests.
 type fakeLBAPI struct {
 	privateNetworks []*scwlb.PrivateNetwork
@@ -391,6 +492,9 @@ func TestAttachPrivateNetworks(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			// Enable the PN name selector feature for all tests in this suite
+			t.Setenv(enableLBPNNameSelectorEnv, "true")
+
 			lbAPI := &fakeLBAPI{
 				privateNetworks: tt.existingPNs,
 			}
