review goal statements

mtulio · mtulio · commit 83bd957e7771 · 2025-04-30T15:30:16.000-03:00
diff --git a/enhancements/installer/aws-ingress-nlb-security-group.md b/enhancements/installer/aws-ingress-nlb-security-group.md
@@ -78,251 +78,139 @@ Topologies/deployment:
 
 #### Option 1. Opt-in NLB provisioning with Security Groups for Default Ingress with NO SG control by CCM
 
-Users will be able to deploy OpenShift on AWS with the default Ingress using Network Load Balancers with Security Groups when enabled (opt-in) in the install-config.yaml. Installation agent (openshift-install, hypershift) manages the Security Group creation.
+Users will be able to deploy OpenShift on AWS with the default Ingress using Network Load Balancers with Security Groups when enabled (opt-in) in the `install-config.yaml`. The installation agent (`openshift-install`, `hypershift`) manages the Security Group creation.
 
-Hightlights:
-- Focus on short-term resolving security issues when not using SG on NLB
-- Focus on customer scalation of enabling SG on NLB
-- Minimum changes on CCM
+Highlights:
+- Focus on short-term resolution of security issues when not using SG on NLB.
+- Focus on customer scalability when enabling SG on NLB.
+- Minimal changes to CCM.
 
 T-Shirt Sizing/complexity by component:
-| Component | T-Shirt Sz | Complexity | Note |
+| Component | T-Shirt Size | Complexity | Note |
 | -- | -- | -- | -- |
-| CCM   | S | S | No API changes, No SG management, Opt-in |
-| CIO | S | S | API adding SG ID/Name to service Annotation |
-| Installer | S | S | API enabling feature; Creates Ingress SG (SDK) |
-| ROSA CL | M? | M? | TBD:API enabling feature(?); creates Ingress SG; update install-config |
-| ROSA HCP | M? | M? | TBD:API enabling feature(?); SG mgr; create CIO manifests to enable SG |
-| Day-2 | S | M | BYO SG (can managed svc automate through cli?), patch CIO to recreate NLB;  |
-
+| CCM   | S | S | No API changes, No SG management, Opt-in. |
+| CIO | S | S | API adds SG ID/Name to service annotation. |
+| Installer | S | S | API enabling feature; Creates Ingress SG (SDK). |
+| ROSA CL | M? | M? | TBD: API enabling feature(?); creates Ingress SG; updates `install-config`. |
+| ROSA HCP | M? | M? | TBD: API enabling feature(?); SG mgt; creates CIO manifests to enable SG. |
+| Day-2 | S | M | BYO SG (can managed services automate through CLI?), patch CIO to recreate NLB. |
 
 Risk:
-- Upstream CCM changes can take longer than expected (Small change can carry dowstream)
-- Default Ingress changes the port from 80 and 443(happen??) requires manual SG's rules updates
+- Upstream CCM changes can take longer than expected (small changes may propagate downstream).
+- Default Ingress changes to ports 80 and 443 (if they occur) require manual SG rule updates.
 
 Day-2 update:
-- Self-manage: require user to create SG and patch CIO
-- Manage: require to create SG and patch CIO (can be automated by CLI)
-- Updates trigger service recreating NLB
+- Self-managed: Requires the user to create SG and patch CIO.
+- Managed: Requires creating SG and patching CIO (can be automated via CLI).
+- Updates trigger service recreation of NLB.
 
 **Phase 1: Create support on Self-Managed**
 
 Goals:
-- Installer manifest stage: when SG is enabled, set the security group names to the CIO manifest
-- Installer infra stage: when SG is enabled, create security group and rules for ingress (InfraReady hook)
+- Installer manifest stage: When SG is enabled, set the security group names in the CIO manifest.
+- Installer infra stage: When SG is enabled, create the security group and rules for ingress (InfraReady hook).
 - Cluster-Ingress-Operator:
-  - API to receipt the Security Group in the NLB parameters
-  - Service Controller create the annotation `service.beta.kubernetes.io/aws-load-balancer-security-groups` with custom Security Group
-- Enable support of BYO (unmanaged) Security Groups for AWS Cloud Controller Manager (CCM/cloud-provider-aws)
-
+  - API to receive the Security Group in the NLB parameters.
+  - Service Controller creates the annotation `service.beta.kubernetes.io/aws-load-balancer-security-groups` with the custom Security Group.
+- Enable support for BYO (unmanaged) Security Groups for AWS Cloud Controller Manager (CCM/cloud-provider-aws).
 
 **Phase 2: Create support on ROSA Classic**
 
 Goals:
-- TBD how ROSA can enable the option on install-config: `platform.aws.ingressController.SecurityGroupEnabled`
+- TBD: How ROSA can enable the option in `install-config`: `platform.aws.ingressController.SecurityGroupEnabled`.
 
 **Phase 3: Create support on ROSA HCP**
 
 Goals:
-- TBD hypershift creating ingress Security Group for the ingress (after VPC creation)
-- TBD hypershift setting the Security Group in CIO manifests
+- TBD: Hypershift creates the ingress Security Group for the ingress (after VPC creation).
+- TBD: Hypershift sets the Security Group in CIO manifests.
 
+---
 
 #### Option 2. Opt-in NLB provisioning with Security Groups for Default Ingress with FULL SG control by CCM
 
-Users will be able to deploy OpenShift on AWS with the default Ingress using Network Load Balancers with Security Groups when enabled (opt-in) in the install-config.yaml. CCM-AWS full manages the SG lifecycle (similar CLB, but as opt-in through annotation).
-
-Hightlights:
-- Focus on short-term resolving security issues when not using SG on NLB
-- Focus on customer scalation of enabling SG on NLB
-- Medium changes on CCM
+Users will be able to deploy OpenShift on AWS with the default Ingress using Network Load Balancers with Security Groups when enabled (opt-in) in the `install-config.yaml`. CCM-AWS fully manages the SG lifecycle (similar to CLB, but as opt-in through annotation).
 
+Highlights:
+- Focus on short-term resolution of security issues when not using SG on NLB.
+- Focus on customer scalability when enabling SG on NLB.
+- Moderate changes to CCM.
 
 T-Shirt Sizing/complexity by component:
-
-| Component | T-Shirt Sz | Complexity | Note |
+| Component | T-Shirt Size | Complexity | Note |
 | -- | -- | -- | -- |
-| CCM | M | M | API introducing annotation to "create SG on NLB"(default for CLB) |
-| CIO | S | S | API adding SG ID/Name to service Annotation |
-| Installer | S | S | no SG mgr; API enabling feature; |
-| ROSA CL | S? | S? | no SG mgr; update install-config |
-| ROSA HCP | S? | S? | no SG mgr; create CIO manifests to "enable NLB with SG" |
-| Day-2 | S | S | patch CIO to recreate NLB |
-
+| CCM | M | M | API introduces annotation to "create SG on NLB" (default for CLB). |
+| CIO | S | S | API adds SG ID/Name to service annotation. |
+| Installer | S | S | No SG mgt; API enabling feature. |
+| ROSA CL | S? | S? | No SG mgt; updates `install-config`. |
+| ROSA HCP | S? | S? | No SG mgt; creates CIO manifests to "enable NLB with SG". |
+| Day-2 | S | S | Patch CIO to recreate NLB. |
 
 Risk:
 - CCM/upstream:
   - SG management increases controller complexity and scenarios to validate.
-  - API changes 
-  - More changes in upstream increases the consensus/approvals, specially new features in service LB on CCM (prefer ALBC)
-  - More cchanges in CCM making it creates and manage SG lifecycle
+  - API changes.
+  - More changes upstream increase the consensus/approvals required, especially for new features in service LB on CCM (prefer ALBC).
+  - More changes in CCM to create and manage the SG lifecycle.
 - CCM/downstream:
-  - more complex to carry  when not in upstream
+  - More complex to maintain when not upstreamed.
 
 Day-2 update:
-- Self-managed: patch CIO
-- Managed Services: patch CIO
-- Updates trigger service recreating NLB
+- Self-managed: Patch CIO.
+- Managed Services: Patch CIO.
+- Updates trigger service recreation of NLB.
 
+---
 
 #### Option 3. NLB feature parity on CCM with ALBC
 
 T-Shirt Sizing/complexity by component:
-
-| Component | T-Shirt Sz | Complexity | Note |
+| Component | T-Shirt Size | Complexity | Note |
 | -- | -- | -- | -- |
-| CCM | XXL | XXL | NLB Feature parity plan with ALBC. Long-term commitment and support by RH |
-| CIO | S | S | API adding SG ID/Name to service Annotation |
-| Installer | S | S | no SG mgr; API enabling feature; |
-| ROSA CL | S? | S? | no SG mgr; update install-config |
-| ROSA HCP | S? | S? | no SG mgr; create CIO manifests to "enable NLB with SG" |
-| Day-2 | S | S | patch CIO to recreate NLB |
+| CCM | XXL | XXL | NLB feature parity plan with ALBC. Long-term commitment and support by RH. |
+| CIO | S | S | API adds SG ID/Name to service annotation. |
+| Installer | S | S | No SG mgt; API enabling feature. |
+| ROSA CL | S? | S? | No SG mgt; updates `install-config`. |
+| ROSA HCP | S? | S? | No SG mgt; creates CIO manifests to "enable NLB with SG". |
+| Day-2 | S | S | Patch CIO to recreate NLB. |
 
+---
 
 #### Option 4. CIO switches to ALBC
 
 T-Shirt Sizing/complexity by component:
-
-| Component | T-Shirt Sz | Complexity | Note |
+| Component | T-Shirt Size | Complexity | Note |
 | -- | -- | -- | -- |
-| CCM | - | - | CCM will not be used by default router |
-| CIO | XXL | XL | API: (short-term) opt-in NLB provisioning with SG using ALBC; long-term: all new provisioning with ALBC; move imgs to payload; manage oper lifecycle(perms, etc) |
-| Installer | S | S | no SG mgr; API enabling feature; |
-| ROSA CL | S? | S? | no SG mgr; update install-config |
-| ROSA HCP | S? | S? | no SG mgr; create CIO manifests to "enable NLB with SG" |
-| Day-2 | S | S | patch CIO to recreate NLB |
+| CCM | - | - | CCM will not be used by the default router. |
+| CIO | XXL | XL | API: (short-term) opt-in NLB provisioning with SG using ALBC; (long-term) all new provisioning with ALBC; move images to payload; manage operator lifecycle (permissions, etc.). |
+| Installer | S | S | No SG mgt; API enabling feature. |
+| ROSA CL | S? | S? | No SG mgt; updates `install-config`. |
+| ROSA HCP | S? | S? | No SG mgt; creates CIO manifests to "enable NLB with SG". |
+| Day-2 | S | S | Patch CIO to recreate NLB. |
 
+---
 
 #### Option 1+4. Short-term security fixes with long-term Ingress improvements
 
-> Note: can be 2+4 too, but will impact in the resource investiments in feature parity with CCM.
+> Note: Can be 2+4 too, but this will impact resource investments in feature parity with CCM.
 
-In short-term support NLB provisioning with Security Group as opt-in by CCM, resolving security issues,
-and get long-term modernization by inheriting features added in upstream project ALBC which is actively maitained by AWS.
-
-Hightlights:
-- Resolves on short-term resolving security issues when not using SG on NLB
-- Resolves customer scalation of enabling SG on NLB
-- Medium changes on CCM
-- Provide long-term plan to modernize Load Balancer features by inheriting updates from controller on upstream project maitained by Community (and AWS)
+In the short term, support NLB provisioning with Security Groups as opt-in by CCM, resolving security issues, and achieve long-term modernization by inheriting features added in the upstream ALBC project, which is actively maintained by AWS.
 
+Highlights:
+- Resolves short-term security issues when not using SG on NLB.
+- Improves customer scalability when enabling SG on NLB.
+- Moderate changes to CCM.
+- Provides a long-term plan to modernize Load Balancer features by inheriting updates from the controller in the upstream project maintained by the community (and AWS).
 
 T-Shirt Sizing/complexity by component:
-
-| Component | T-Shirt Sz | Complexity | Note |
+| Component | T-Shirt Size | Complexity | Note |
 | -- | -- | -- | -- |
-| CCM | S | S | No API changes, No SG management, Opt-in |
-| CIO | XXL | XL | API: (short-term): opt-in NLB provisioning with SG using ALBC; (long-term): all new provisioning with ALBC; move imgs to payload; manage oper lifecycle(perms, etc) |
-| Installer | S | S | API enabling feature; Creates Ingress SG (SDK) |
-| ROSA CL | M? | M? | TBD:(short): API enabling feature(?); creates Ingress SG; update install-config; (long):fix many issues |
-| ROSA HCP | M? | M? | TBD: (short): API enabling feature(?); SG mgr; create CIO manifests to enable SG; (long):fix many issues | |
-| Day-2 | S | M | (short): BYO SG (can managed automate through cli?), (short&long): patch CIO to recreate NLB; |
-
-
-
-<!-- 
-===> DRAFT/old notes:
-
-#### Option 1. CCM configures the SG when deploying NLB. (Minimum support)
-
-CCM enable SG when provisioning NLB only when the annotation XXX with SG ID is added.
-
-Pros:
-- Minor changes in CCM (upstream): BYO SG approach (similar [LBC annotation `alb.ingress.kubernetes.io/security-groups`](https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/#security-groups))
-- SG is not created by CCM, and CCM is not adding rules (preserving LBC behavior for annotations security-groups and manage-backend-security-group-rules)
-- Does not required API updates for CCM (right, @joel?)
-- We can stick only the default ingress/router using that approach, requiring any new ingress to use LBC-ish (already supported)
-
-Cons:
-- Installer (or CIO) needs to create the SG, passing to the CCM with required rules
-- BYO SG approach for CCM would require CIO managing SG rules when provisioning new ingress
-    - or at least validate if exists
-    - or not support this feature for other services than the default router, leading user to use ALBO/LBC
-
-
-PROBLEM:
-- installer can't create SG in the manifest phase, so it wont have IDs, only names (candidate)
-
-#### Option 2. CCM manages the SG when deploying NLB. (may require API changes and more complexity)
-
-Pros:
-- Installer (or CIO) does not required to manage the SG
-- Increase UX as users don't need to handle with SG in Day-2 when creating new ingress
-
-Cons:
-
-- Requires more complexity to manage SG when NLB on CCM (upstream). SG management logic already exists in the CLB controller
-- May require API add/change to determine when SG will be enabled for NLB. Example of LBC annotation manage-backend-security-group-rules
-
-
-#### Option 3. Use AWS LBC to deploy Ingress NLB. (more complex downstream, no changes upstream)
-
-Changes:
-- Requires installing ALBO from OLM during installation.
-
-Pros:
-- Unlocks new NLB features added to LBC for OpenShift ingress.
-
-Cons:
-- Defaulting to LBC may introduce unknown issues.
-- Be careful.
-- Create a clear migration path.
-
-Open questions:
-
-- Is there an advantage to using LBC as the default service type LB controller (disabling CCM service-LB capabilities)?
-    - LBC does not support CLBs.
-        - Pros: Improves UX as default service LBs will use the latest controller features for LB.
-        - Cons: Breaking change for apps using default service config (with CLB).
-    - AWS has advised against using CLBs for years. This will prepare OCP to follow cloud-provider best practices. It's important to have a clear deprecation path.
-
-#### Option 1+3. Focus on "enabling" SG on NLB using BYO SG on CCM, and plan the migration to LBC
-
-Laser focus on short-term customer issues and unlock OpenShift's long-term ingress features with NLB.
-
-Pros:
-- Delivers customer requirements ASAP.
-- Reduces changes in upstream CCM.
-- Enables OpenShift to consume features available on LBC.
-- Prevents duplicate maintenance of CCM/LBC codebases.
-
-Cons:
-- ?
-
-Phases for #1+3:
-
-- Phase 1 (TP SGs for NLB using CCM BYO SG):
-    - Patch CCM with required changes for BYO SG when using NLB.
-    - Create APIs for BYO SG on CIO (NLB only).
-    - Installer:
-        - Add a configuration option in `install-config` to "use SG" when `lbType == NLB`.
-        - Provision SG with expected rules (also adding those to nodes' SG).
-
-- Phase 2 (GA SGs for NLB, Dev Preview LBC through CIO):
-    - Enable CIO provisioning using LBC/ALBO when using NLB.
-    - CIO API to enable LBC service provisioning (e.g., manage-backend-security-group-rules).
-        - Retain API added in Phase 1 for future BYO SG use (user-facing, exposed in `install-config`).
-    - Installer:
-        - Add a configuration option in `install-config` to opt-in ingress provisioning with LBC. (or make the flag "Use SG when NLB" to trigger the LBC)
-        - When enabled, do not provision SGs by installer (delegate to CIO->LBC).
-    - Add a validation webhook to inform users about Classic Load Balancer (CLB) desconuation(recommendation to use NLB) when creating type LB services (non-NLB).
-        - Alternatively, provide an informational message advising users to use ingress provisioned with CIO, which uses NLBs, to follow best practices and prevent future deprecations.
-    - Existing NLBs managed by CCM:
-      - How to make controllers aware of this? Can we live with two controllers, making the controllers to know that the NLB has been provisioned by each one.
-
-- Phase 3 (TP LBC on CIO, Dev Preview NLB by default CIO):):
-    - Installer:
-        - Default to provisioning CIO services with LBC (defaults to lbType==NLB <- dev preview this?).
-        - Customers can use CLB as opt-in 
-
-- Phase 4 (GA LBC on CIO, TP NLB by default CIO):
-    - Installer:
-        - Default to provisioning CIO services with LBC (defaults to lbType==NLB <- TP this?).
-
-- Phase 5: (GA )
-    - Make AWS LBC the default controller for service type LoadBalancer.
-    - Classic Load Balancer is no longer available for CIO (only when customers wants to  create service-LB directly)
- -->
+| CCM | S | S | No API changes, No SG management, Opt-in. |
+| CIO | XXL | XL | API: (short-term) opt-in NLB provisioning with SG using ALBC; (long-term) all new provisioning with ALBC; move images to payload; manage operator lifecycle (permissions, etc.). |
+| Installer | S | S | API enabling feature; Creates Ingress SG (SDK). |
+| ROSA CL | M? | M? | TBD: (short-term) API enabling feature(?); creates Ingress SG; updates `install-config`; (long-term) fixes many issues. |
+| ROSA HCP | M? | M? | TBD: (short-term) API enabling feature(?); SG mgt; creates CIO manifests to enable SG; (long-term) fixes many issues. |
+| Day-2 | S | M | (short-term) BYO SG (can managed services automate through CLI?), (short-term & long-term) patch CIO to recreate NLB. |
 
 ### Non-Goals
 
