I'd make this name or addrName. The fact that the controller chooses to use the lbNamd for all related resources seemed irrelevant to this manager.

I think we can make it clear that this manager would only manage (promote, delete) the address with this name

Done

I'd probably make this clear by adding a method. It'd be easier to change in the future too.

func (am *addressManager) isManagedAddress(addr *computebeta.Address) {
  return addr.Name == am.Name
}

Done

If we are willing to spend an extra GET call, we can check whether the address is IN_USE. If yes, it's safe release it. If not, this IP may be lost forever. WDYT?

And we don't have to keep the tryRelease field. Just GET and return if not found.

Remove am.targetIP.

Good catch, thanks

nit (optional). I like less indents.

if err == nil {
    return nil
}
if !isHTTPErrorCode(err, http.StatusConflict) {
   return err
}

Done

Would you consider using github.com/stretchr/testify/assert (for Errorf) and github.com/stretchr/testify/require (for Fatalf). They tend to make the code more succinct .

I'm a fan of testify/assert for personal projects, but haven't seen enormous use of it here in K8s. Happy to use it unless someone says otherwise.

oops... I added the same function in another PR. More rebasing...

Just curious. The external LB ensures a static IP (i.e., creating a new one) even if targetIP == "" because many other components (e.g., firewall, targetpool) needs a target IP. I guess this not the case for ILB?

The firewall and target pool only use the IP for providing some extra info in the description. On first sync the description IP would be empty; but on second sync, it would be filled. I didn't see a need to perform the extra 2 API calls when the forwarding rule will just generate an IP itself, but I'll change the logic to have the description set right from the first sync.

I read the controller change but didn't see where you verify the AddressType of user-owned address.

Did not read the entire ILB file, just want to ask whether you need to defer the ReleaseAddress to reduce the time the controller holds the static IP. Perhaps the IP quota is not a concern for internal IPs?

I'm confused, we discussed this case offline. If the service sync fails for any reason, I thought you said we should hold onto the IP for the next sync, right?

We should hold on to the IP if the forwarding rule is not using it. If the forwarding rule IS using the IP, it's safe to release the it since we can always get it back. This is what the external LB do today for optimization. If there is no need for ILB to do so, we don't have to add more complexity.

Actually, this is not correct. I just found out that if you try to reserve an address with an IP that's already static (but not using the same name), you get a 400 error.

Error 400: Invalid value for field 'resource.address': '1.2.3.4'. Specified IP address is already reserved., invalid

FWIW, I don't think the current external LB controller handle some corner cases because of this....
E.g., if the fwd rule is using an IP that's not specified in the Service object, but is actually owned by the user (e.g., not using the lbName), the controller would just fail to ensure the IP.

Weird, I just tested this again and got 409. Wonder if there's an alpha vs beta difference

{
 "kind": "compute#operation",
 "id": "1599788789319664192",
 "name": "operation-1503706287098-5579ce716c890-3262ae10-677fa2b7",
 "operationType": "insert",
 "targetLink": "https://www.googleapis.com/compute/beta/projects/XYZ/regions/us-central1/addresses/myip2",
 "targetId": "5223319394054898240",
 "status": "DONE",
 "progress": 100,
 "insertTime": "2017-08-25T17:11:27.558-07:00",
 "startTime": "2017-08-25T17:11:28.371-07:00",
 "endTime": "2017-08-25T17:11:31.465-07:00",
 "error": {
  "errors": [
   {
    "code": "IP_IN_USE_BY_ANOTHER_RESOURCE",
    "message": "IP '10.0.0.10' is already being used by another resource. "
   }
  ]
 },
 "httpErrorStatusCode": 409,
 "httpErrorMessage": "CONFLICT",
 "selfLink": "https://www.googleapis.com/compute/beta/projects/XYZ/regions/us-central1/operations/operation-1503706287098-5579ce716c890-3262ae10-677fa2b7",
 "region": "https://www.googleapis.com/compute/beta/projects/XYZ/regions/us-central1"
}

I tested more and it's not about alpha/beta/v1. The function returns 409 if AddressType == INTERNAL. Otherwise, it always returns 400. (sigh...)

We should take this up with the appropriate team - it should be consistent.

Handling both

nit: s/loadBalancerName/addressManager.name

nit: document that the returned string is the IP address reserved.

Can we make this V(2). Would be useful for debugging GKE issues.

Question: Why using V(3) for the majority of the logs? Just curious because I've seen mostly V(2) and V(4) logs in this package

suggestion: factor this out to a function since the manager checks essentially the same thing in line 71. This ensures that they stay consistent. E.g.,

func (am *addressManager) validateAddress(addr *computebeta.Address) error {
...
}

Why using this function? AddressManager doesn't care what targetIP you choose.

nit (optional): the only difference between this test and the previous test is that the targetIP is non-empty. Could consider merging the two.

Another option is moving the code after HoldAddress to a separate function to reuse across tests.

Use require.NoError(t, err)

You use GetRegionAddress in other tests, why using Beta here?

Is this used anywhere?

This is good for debugging, but I would suggest returning a string so that the caller can dump the information wherever it deems appropriate.

Before reaching this point, I assume it's not possible to have an existing forwarding rule with the wrong type of address, e.g., using an EXTERNAL IP. I am relying on the similar logic in external LB.

In the future, if we ever combine external and internal LB code, we'd need to ensure we still check whether the forwarding rule has all the expected attributes (and delete it if not).

We could check to see if the address is RFC 1918? (totally breaks down for IPv6...)

Logic looks correct, and I like the useful log messages.

I do wish we could care (a bit) less about the QPS can make the code simpler.

call validateAddress here as well.

also check the IP if the targetIP is not empty.

can also get rid of this indent

Curious why the Beta keyword is in the middle? Shouldn't it be a prefix or suffix?

We could check to see if the address is RFC 1918? (totally breaks down for IPv6...)