support target node labels for ingress

kishorj · Timothy-Dougherty · commit 924037d4edab · 2023-11-09T11:28:21.000+11:00
diff --git a/docs/guide/ingress/annotations.md b/docs/guide/ingress/annotations.md
@@ -54,6 +54,7 @@ You can add annotations to kubernetes Ingress and Service objects to customize t
 |[alb.ingress.kubernetes.io/auth-session-timeout](#auth-session-timeout)|integer|'604800'|Ingress,Service|N/A|
 |[alb.ingress.kubernetes.io/actions.${action-name}](#actions)|json|N/A|Ingress|N/A|
 |[alb.ingress.kubernetes.io/conditions.${conditions-name}](#conditions)|json|N/A|Ingress|N/A|
+|[alb.ingress.kubernetes.io/target-node-labels](#target-node-labels)|stringMap|N/A|Ingress,Service|N/A|
 
 ## IngressGroup
 IngressGroup feature enables you to group multiple Ingress resources together.
@@ -176,6 +177,12 @@ Traffic Routing can be controlled with following annotations:
         ```
         alb.ingress.kubernetes.io/target-type: instance
         ```
+-<a name="target-node-labels">`alb.ingress.kubernetes.io/target-node-labels`</a> specifies which nodes to include in the target group registration for `instance` target type.
+
+    !!!example
+        ```
+        alb.ingress.kubernetes.io/target-node-labels: label1=value1, label2=value2
+        ```
 
 - <a name="backend-protocol">`alb.ingress.kubernetes.io/backend-protocol`</a> specifies the protocol used when route traffic to pods.
 
diff --git a/pkg/annotations/constants.go b/pkg/annotations/constants.go
@@ -43,6 +43,7 @@ const (
 	IngressSuffixAuthScope                    = "auth-scope"
 	IngressSuffixAuthSessionCookie            = "auth-session-cookie"
 	IngressSuffixAuthSessionTimeout           = "auth-session-timeout"
+	IngressSuffixTargetNodeLabels             = "target-node-labels"
 
 	// NLB annotation suffixes
 	// prefixes service.beta.kubernetes.io, service.kubernetes.io
diff --git a/pkg/ingress/model_build_target_group.go b/pkg/ingress/model_build_target_group.go
@@ -35,19 +35,23 @@ func (t *defaultModelBuildTask) buildTargetGroup(ctx context.Context,
 	if err != nil {
 		return nil, err
 	}
+	nodeSelector, err := t.buildTargetGroupBindingNodeSelector(ctx, ing, svc, tgSpec.TargetType)
+	if err != nil {
+		return nil, err
+	}
 	tg := elbv2model.NewTargetGroup(t.stack, tgResID, tgSpec)
 	t.tgByResID[tgResID] = tg
-	_ = t.buildTargetGroupBinding(ctx, tg, svc, port)
+	_ = t.buildTargetGroupBinding(ctx, tg, svc, port, nodeSelector)
 	return tg, nil
 }
 
-func (t *defaultModelBuildTask) buildTargetGroupBinding(ctx context.Context, tg *elbv2model.TargetGroup, svc *corev1.Service, port intstr.IntOrString) *elbv2model.TargetGroupBindingResource {
-	tgbSpec := t.buildTargetGroupBindingSpec(ctx, tg, svc, port)
+func (t *defaultModelBuildTask) buildTargetGroupBinding(ctx context.Context, tg *elbv2model.TargetGroup, svc *corev1.Service, port intstr.IntOrString, nodeSelector *metav1.LabelSelector) *elbv2model.TargetGroupBindingResource {
+	tgbSpec := t.buildTargetGroupBindingSpec(ctx, tg, svc, port, nodeSelector)
 	tgb := elbv2model.NewTargetGroupBindingResource(t.stack, tg.ID(), tgbSpec)
 	return tgb
 }
 
-func (t *defaultModelBuildTask) buildTargetGroupBindingSpec(ctx context.Context, tg *elbv2model.TargetGroup, svc *corev1.Service, port intstr.IntOrString) elbv2model.TargetGroupBindingResourceSpec {
+func (t *defaultModelBuildTask) buildTargetGroupBindingSpec(ctx context.Context, tg *elbv2model.TargetGroup, svc *corev1.Service, port intstr.IntOrString, nodeSelector *metav1.LabelSelector) elbv2model.TargetGroupBindingResourceSpec {
 	targetType := elbv2api.TargetType(tg.Spec.TargetType)
 	tgbNetworking := t.buildTargetGroupBindingNetworking(ctx)
 	return elbv2model.TargetGroupBindingResourceSpec{
@@ -63,7 +67,8 @@ func (t *defaultModelBuildTask) buildTargetGroupBindingSpec(ctx context.Context,
 					Name: svc.Name,
 					Port: port,
 				},
-				Networking: tgbNetworking,
+				Networking:   tgbNetworking,
+				NodeSelector: nodeSelector,
 			},
 		},
 	}
@@ -400,3 +405,21 @@ func (t *defaultModelBuildTask) buildTargetGroupTags(_ context.Context, svcAndIn
 func (t *defaultModelBuildTask) buildTargetGroupResourceID(ingKey types.NamespacedName, svcKey types.NamespacedName, port intstr.IntOrString) string {
 	return fmt.Sprintf("%s/%s-%s:%s", ingKey.Namespace, ingKey.Name, svcKey.Name, port.String())
 }
+
+func (t *defaultModelBuildTask) buildTargetGroupBindingNodeSelector(_ context.Context, ing *networking.Ingress, svc *corev1.Service, targetType elbv2model.TargetType) (*metav1.LabelSelector, error) {
+	if targetType != elbv2model.TargetTypeInstance {
+		return nil, nil
+	}
+	var targetNodeLabels map[string]string
+	svcAndIngAnnotations := algorithm.MergeStringMap(svc.Annotations, ing.Annotations)
+
+	if _, err := t.annotationParser.ParseStringMapAnnotation(annotations.IngressSuffixTargetNodeLabels, &targetNodeLabels, svcAndIngAnnotations); err != nil {
+		return nil, err
+	}
+	if len(targetNodeLabels) == 0 {
+		return nil, nil
+	}
+	return &metav1.LabelSelector{
+		MatchLabels: targetNodeLabels,
+	}, nil
+}
diff --git a/pkg/ingress/model_build_target_group_test.go b/pkg/ingress/model_build_target_group_test.go
@@ -3,8 +3,10 @@ package ingress
 import (
 	"context"
 	awssdk "github.com/aws/aws-sdk-go/aws"
+	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
+	networking "k8s.io/api/networking/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -510,3 +512,126 @@ func Test_defaultModelBuildTask_buildTargetGroupHealthCheckMatcher(t *testing.T)
 		})
 	}
 }
+
+func Test_defaultModelBuildTask_buildTargetGroupBindingNodeSelector(t *testing.T) {
+	type fields struct {
+		ing        *networking.Ingress
+		svc        *corev1.Service
+		targetType elbv2model.TargetType
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		want    *metav1.LabelSelector
+		wantErr error
+	}{
+		{
+			name: "no annotation",
+			fields: fields{
+				ing: &networking.Ingress{
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{},
+					},
+				},
+				svc: &corev1.Service{},
+			},
+			want: nil,
+		},
+		{
+			name: "ingress has annotation",
+			fields: fields{
+				ing: &networking.Ingress{
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{
+							"alb.ingress.kubernetes.io/target-node-labels": "key1=value1, node.label/key2=value.2",
+						},
+					},
+				},
+				svc:        &corev1.Service{},
+				targetType: elbv2model.TargetTypeInstance,
+			},
+			want: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"key1":            "value1",
+					"node.label/key2": "value.2",
+				},
+			},
+		},
+		{
+			name: "service annotation overrides ingress",
+			fields: fields{
+				ing: &networking.Ingress{
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{
+							"alb.ingress.kubernetes.io/target-node-labels": "key1=value1, node.label/key2=value.2",
+						},
+					},
+				},
+				svc: &corev1.Service{
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{
+							"alb.ingress.kubernetes.io/target-node-labels": "service/key1=value1.service, service.node.label/key2=value.2.service",
+						},
+					},
+				},
+				targetType: elbv2model.TargetTypeInstance,
+			},
+			want: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"service/key1":            "value1.service",
+					"service.node.label/key2": "value.2.service",
+				},
+			},
+		},
+		{
+			name: "target type ip",
+			fields: fields{
+				ing: &networking.Ingress{
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{
+							"alb.ingress.kubernetes.io/target-node-labels": "key1=value1, node.label/key2=value.2",
+						},
+					},
+				},
+				svc: &corev1.Service{
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{
+							"alb.ingress.kubernetes.io/target-node-labels": "service/key1=value1.service, service.node.label/key2=value.2.service",
+						},
+					},
+				},
+				targetType: elbv2model.TargetTypeIP,
+			},
+			want: nil,
+		},
+		{
+			name: "annotation parse error",
+			fields: fields{
+				ing: &networking.Ingress{
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{
+							"alb.ingress.kubernetes.io/target-node-labels": "key1",
+						},
+					},
+				},
+				svc: &corev1.Service{},
+				targetType: elbv2model.TargetTypeInstance,
+			},
+			wantErr: errors.New("failed to parse stringMap annotation, alb.ingress.kubernetes.io/target-node-labels: key1"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			task := &defaultModelBuildTask{
+				annotationParser: annotations.NewSuffixAnnotationParser("alb.ingress.kubernetes.io"),
+			}
+			got, err := task.buildTargetGroupBindingNodeSelector(context.Background(), tt.fields.ing, tt.fields.svc, tt.fields.targetType)
+			if tt.wantErr != nil {
+				assert.EqualError(t, err, tt.wantErr.Error())
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.want, got)
+			}
+		})
+	}
+}
