Kubernetes Multicloud controller Passing wrong IP to external Kubernetes

The lack of modelling of controller shadow addresses is a current Juju limitation affecting not just k8s controllers. The same would issue apply if the controller were deployed in a lxd container on say aws, or behind a nat etc.

This is a significant feature we'll need to add to the juju roadmap, since any solution will probably involve additions to network spaces modelling, need to account for in cluster vs out of cluster addressing etc etc.

Something which may work...

Maybe create the loadbalancer first, and then bootstrap with a config for controller-external-ips set to the address of the load balancer. It's an extra manual step but might work??

For reference, here's a post describing the available bootstrap options for k8s controllers

https://discourse.juju.is/t/new-features-and-changes-in-juju-2-7/2268

The addresses are correctly discovered by the CAAS provider, and are stored in the cloudservice record for the controller/API server.

I ran up a controller on microk8s with metallb to verify this.

The issue would appear to be the boolean passed to apiHostPortsForCAAS. We *always* do a public scope match for clients, and a local-cloud match for agents.

If we returned *all* of the addresses to agents, then they would connect with one they could access.

I would simply order them preferring local-cloud, which would mean agents attempt to connect those first, and then fall back to the public scope.

We don't yet have a good way to lasso external subnets in spaces (such as shadow IPs), but if/when that was modelled correctly and we instituted space support for CAAS, then enforcing the address range to use could be done with the juju-mgmt-space config option.

But for now, it seems like an easy win to give the agents the info they might need.

I thought for CMR we return public IP addresses for agents based on the same issue. (so if a model isn't in the same space as the controller, then we use the public address instead of the private.)
That feels like it would be true everywhere (on AWS between 2 different VPC, you need to use the public address just the same, 172.* won't be routable.)

@jam, there's no logic yet for handing out different agent api addresses depending on the context. We do it for CMR but the code paths are totally different; it's in the context of populating relation data, and for a cross model relation, we simply punt on always using the public address; we don't / can't check yet to see if a cloud local address will do as we either don't model it or don't interpret it if we do.

Joe had an excellent suggestion which is easy to implement for now even without space support.

https://github.com/juju/juju/pull/11398

So we should have something working for 2.8