Merge pull request #455 from kubernetes-sigs/leverage-common-subnet-tags

Adopt the  kubernetes.io/role/internal-elb and kubernetes.io/role/elb tags

Author: bigkraig

docs/configuration.md

@@ -13,7 +13,7 @@ A sample IAM policy, with the minimum permissions to run the controller, can be
 
 By default, all ingress resources in your cluster are seen by the controller. However, only ingress resources that contain the [required annotations](https://github.com/kubernetes-sigs/aws-alb-ingress-controller/blob/master/docs/ingress-resources.md#required-annotations) will be satisfied by the ALB Ingress Controller.
 
-You can further limit the ingresses your controller has access to. The options available are limiting the ingress class  (`ingress.class`) or limiting the namespace watched (`--watch-namespace=`). Each approach is detailed below.
+You can further limit the ingresses your controller has access to. The options available are limiting the ingress class (`ingress.class`) or limiting the namespace watched (`--watch-namespace=`). Each approach is detailed below.
 
 ### Limiting Ingress Class
 
@@ -40,8 +40,6 @@ metadata:
   namespace: echoserver
   annotations:
     alb.ingress.kubernetes.io/port: "8080,9000"
-    alb.ingress.kubernetes.io/subnets: subnet-63bf6318,subnet-0b20aa62
-    alb.ingress.kubernetes.io/security-groups: sg-1f84f776
     kubernetes.io/ingress.class: "alb"
 spec:
 	...
@@ -76,5 +74,4 @@ metadata:
   name: alb-ingress-controller-internet-facing-ingresses
 ```
 
-
 That ConfigMap is kept in `default` if unspecified, but can moved to another with the `ALB_CONTROLLER_RESTRICT_SCHEME_CONFIG_NAMESPACE` environment variable. This can also be passed to the command line via the `restrict-scheme-namespace` flag.

docs/ingress-resources.md

@@ -17,8 +17,6 @@ metadata:
   annotations:
     kubernetes.io/ingress.class: alb
     alb.ingress.kubernetes.io/scheme: internal
-    alb.ingress.kubernetes.io/subnets: subnet-1234
-    alb.ingress.kubernetes.io/security-groups: sg-1234
   labels:
     app: 2048-nginx-ingress
 spec:

docs/setup.md

@@ -18,19 +18,24 @@ An example policy with the minimum rights can be found at [examples/iam-policy.j
 
 The controller determines subnets to deploy each ALB to based on an annotation or auto-detection.
 
-- annotation: `alb.ingress.kubernetes.io/subnets` may be specified in each ingress resource with the subnet IDs or `Name` tags. This allows for flexibility in where ALBs land. This list of subnets must include 2 or more that exist in unique availability zones. See the [annotations documentation](ingress-resources.md#annotations) for more details.
+##### Via annotation
+`alb.ingress.kubernetes.io/subnets` may be specified in each ingress resource with the subnet IDs or `Name` tags. This allows for flexibility in where ALBs land. This list of subnets must include 2 or more that exist in unique availability zones. See the [annotations documentation](ingress-resources.md#annotations) for more details.
 
-- auto-detection: When subnet annotations are not present, the controller will attempt to choose the best subnets for deploying the ALBs. It uses the following tag criteria to determine the subnets it should use.
+##### Via tags on the subnets
+When subnet annotations are not present, the controller will attempt to choose the best subnets for deploying the ALBs. It uses the following tag criteria to determine the subnets it should use.
 
-	- `kubernetes.io/cluster/$CLUSTER_NAME`=`shared` where `$CLUSTER_NAME` matches the `CLUSTER_NAME` environment variable from the `alb-ingress-controller.yaml` manifest.
+- `kubernetes.io/cluster/$CLUSTER_NAME` equal to `shared` or `owned`. `$CLUSTER_NAME` must match the `CLUSTER_NAME` environment variable on the controller.
 
-	- `kubernetes.io/role/alb-ingress`=` ` where the value is empty.
+And one of the following:
+
+- `kubernetes.io/role/internal-elb: ""` For internal load balancers
+- `kubernetes.io/role/elb = ""` For internet-facing load balancers
 
 ### Security Group Selection
 
 The controller determines if it should create and manage security groups or use existing ones in AWS based on the presence of an annotation. When `alb.ingress.kubernetes.io/security-groups` is present, the list of security groups is assigned to the ALB instance. When the annotation is not present, the controller will create a security group with appropriate ports allowing access to `0.0.0.0/0` and attached to the ALB. It will also create a security group for instances that allows all TCP traffic when the source is the security group created for the ALB.
 
-## helm Deployments
+## Helm Deployments
 
 You must have the [Helm App Registry plugin](https://coreos.com/apps) installed for these instructions to work.
 
@@ -40,100 +45,98 @@ helm registry install quay.io/coreos/alb-ingress-controller-helm
 
 ## kubectl Deployments
 
-1. Setup default-backend-service
+1.  Setup default-backend-service
+
+    A default backend service is required for every ingress controller. The alb-ingress-controller does not make use of it, but will not be able to run the ingress libraries without it. To get around this, deploy a dummy default backend to the cluster. The following example will deploy one in `kube-system`; you may wish to adjust it.
 
-	A default backend service is required for every ingress controller. The alb-ingress-controller does not make use of it, but will not be able to run the ingress libraries without it. To get around this, deploy a dummy default backend to the cluster. The following example will deploy one in `kube-system`; you may wish to adjust it.
- 
-	```
-	$ kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/master/examples/default-backend.yaml
-	```
+    ```
+    $ kubectl create -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/master/examples/default-backend.yaml
+    ```
 
-1. Configure the alb-ingress-controller manifest.
+1.  Configure the alb-ingress-controller manifest.
 
-	A sample manifest can be found below.
+    A sample manifest can be found below.
 
-	```  
-	$ wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/master/examples/alb-ingress-controller.yaml
-	```
+    ```
+    $ wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/master/examples/alb-ingress-controller.yaml
+    ```
 
-	At minimum, edit the following variables.
+    At minimum, edit the following variables.
 
     - `AWS_REGION`: region in AWS this cluster exists.
 
-		```yaml
-		- name: AWS_REGION
-		  value: us-west-1
-		```
+          	```yaml
+          	- name: AWS_REGION
+          	  value: us-west-1
+          	```
 
-	- `CLUSTER_NAME`: name of the cluster. If doing auto-detection of subnets (described in prerequisites above) `CLUSTER_NAME` must match the AWS tags associated with the subnets you wish ALBs to be provisioned.
+    - `CLUSTER_NAME`: name of the cluster. If doing auto-detection of subnets (described in prerequisites above) `CLUSTER_NAME` must match the AWS tags associated with the subnets you wish ALBs to be provisioned.
 
-		```yaml
-		- name: CLUSTER_NAME
-		  value: devCluster
-		```
+          	```yaml
+          	- name: CLUSTER_NAME
+          	  value: devCluster
+          	```
 
-1. Deploy the alb-ingress-controller manifest.
+1.  Deploy the alb-ingress-controller manifest.
 
-	```  
-	$ kubectl apply -f alb-ingress-controller.yaml	
-	```
+    ```
+    $ kubectl apply -f alb-ingress-controller.yaml
+    ```
 
-1. Verify the deployment was successful and the controller started.
+1.  Verify the deployment was successful and the controller started.
 
-	```bash
-	$ kubectl logs -n kube-system \
-	    $(kubectl get po -n kube-system | \
-	    egrep -o alb-ingress[a-zA-Z0-9-]+) | \
-	    egrep -o '\[ALB-INGRESS.*$'
-	```
+    ```bash
+    $ kubectl logs -n kube-system \
+        $(kubectl get po -n kube-system | \
+        egrep -o alb-ingress[a-zA-Z0-9-]+) | \
+        egrep -o '\[ALB-INGRESS.*$'
+    ```
 
-	Should display output similar to the following.
+    Should display output similar to the following.
 
-	```
-	[ALB-INGRESS] [controller] [INFO]: Log level read as "", defaulting to INFO. To change, set LOG_LEVEL environment variable to WARN, ERROR, or DEBUG.
-	[ALB-INGRESS] [controller] [INFO]: Ingress class set to alb
-	[ALB-INGRESS] [ingresses] [INFO]: Build up list of existing ingresses
-	[ALB-INGRESS] [ingresses] [INFO]: Assembled 0 ingresses from existing AWS resources
-	```
+    ```
+    [ALB-INGRESS] [controller] [INFO]: Log level read as "", defaulting to INFO. To change, set LOG_LEVEL environment variable to WARN, ERROR, or DEBUG.
+    [ALB-INGRESS] [controller] [INFO]: Ingress class set to alb
+    [ALB-INGRESS] [ingresses] [INFO]: Build up list of existing ingresses
+    [ALB-INGRESS] [ingresses] [INFO]: Assembled 0 ingresses from existing AWS resources
+    ```
 
 ## external-dns Deployment
 
 [external-dns](https://github.com/kubernetes-incubator/external-dns) provisions DNS records based on the host information. This project will setup and manage records in Route 53 that point to controller deployed ALBs.
 
+1.  Ensure your instance has the correct IAM permission required for external-dns. See https://github.com/kubernetes-incubator/external-dns/blob/master/docs/tutorials/aws.md#iam-permissions.
 
-1. Ensure your instance has the correct IAM permission required for external-dns. See https://github.com/kubernetes-incubator/external-dns/blob/master/docs/tutorials/aws.md#iam-permissions.
-
-
-1. Download external-dns to manage Route 53.
+1.  Download external-dns to manage Route 53.
 
-	```bash
-	$ wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/master/examples/external-dns.yaml
-	```
+    ```bash
+    $ wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/master/examples/external-dns.yaml
+    ```
 
-1. Edit the `--domain-filter` flag to include your hosted zone(s)
+1.  Edit the `--domain-filter` flag to include your hosted zone(s)
 
-	The following example is for a hosted zone test-dns.com
+    The following example is for a hosted zone test-dns.com
 
-	```yaml
-	args:
-	- --source=service
-	- --source=ingress
-	- --domain-filter=test-dns.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
-	- --provider=aws
-	- --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
-	```
+    ```yaml
+    args:
+    - --source=service
+    - --source=ingress
+    - --domain-filter=test-dns.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
+    - --provider=aws
+    - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
+    ```
 
-1. Deploy external-dns
+1.  Deploy external-dns
 
-	```  
-	$ kubectl apply -f external-dns.yaml	
-	```
+    ```
+    $ kubectl apply -f external-dns.yaml
+    ```
 
-1. Verify it deployed successfully.
+1.  Verify it deployed successfully.
 
-	```
-	$ kubectl logs -f -n kube-system $(kubectl get po -n kube-system | egrep -o 'external-dns[A-Za-z0-9-]+')
+    ```
+    $ kubectl logs -f -n kube-system $(kubectl get po -n kube-system | egrep -o 'external-dns[A-Za-z0-9-]+')
 
-	time="2017-09-19T02:51:54Z" level=info msg="config: &{Master: KubeConfig: Sources:[service ingress] Namespace: FQDNTemplate: Compatibility: Provider:aws GoogleProject: DomainFilter:[] AzureConfigFile:/etc/kuberne tes/azure.json AzureResourceGroup: Policy:upsert-only Registry:txt TXTOwnerID:my-identifier TXTPrefix: Interval:1m0s Once:false DryRun:false LogFormat:text MetricsAddress::7979 Debug:false}"
-	time="2017-09-19T02:51:54Z" level=info msg="Connected to cluster at https://10.3.0.1:443"
-	```
+    time="2017-09-19T02:51:54Z" level=info msg="config: &{Master: KubeConfig: Sources:[service ingress] Namespace: FQDNTemplate: Compatibility: Provider:aws GoogleProject: DomainFilter:[] AzureConfigFile:/etc/kuberne tes/azure.json AzureResourceGroup: Policy:upsert-only Registry:txt TXTOwnerID:my-identifier TXTPrefix: Interval:1m0s Once:false DryRun:false LogFormat:text MetricsAddress::7979 Debug:false}"
+    time="2017-09-19T02:51:54Z" level=info msg="Connected to cluster at https://10.3.0.1:443"
+    ```

pkg/alb/lb/loadbalancer.go

@@ -38,6 +38,7 @@ type NewDesiredLoadBalancerOptions struct {
 	IngressAnnotations    *map[string]string
 	CommonTags            util.ELBv2Tags
 	IngressRules          []extensions.IngressRule
+	Resources             *albrgt.Resources
 	GetServiceNodePort    func(string, int32) (*int64, error)
 	GetServiceAnnotations func(string, string) (*map[string]string, error)
 	TargetsFunc           func(*string, string, string, *int64) albelbv2.TargetDescriptions
@@ -126,6 +127,7 @@ func NewDesiredLoadBalancer(o *NewDesiredLoadBalancerOptions) (newLoadBalancer *
 		GetServiceAnnotations: o.GetServiceAnnotations,
 		AnnotationFactory:     o.AnnotationFactory,
 		TargetsFunc:           o.TargetsFunc,
+		Resources:             o.Resources,
 	})
 
 	if err != nil {

pkg/alb/tg/targetgroups.go

@@ -122,6 +122,7 @@ type NewDesiredTargetGroupsOptions struct {
 	LoadBalancerID        string
 	ExistingTargetGroups  TargetGroups
 	AnnotationFactory     annotations.AnnotationFactory
+	Resources             *albrgt.Resources
 	IngressAnnotations    *map[string]string
 	ALBNamePrefix         string
 	Namespace             string
@@ -151,6 +152,7 @@ func NewDesiredTargetGroups(o *NewDesiredTargetGroupsOptions) (TargetGroups, err
 				Namespace:             o.Namespace,
 				ServiceName:           path.Backend.ServiceName,
 				GetServiceAnnotations: o.GetServiceAnnotations,
+				Resources:             o.Resources,
 			})
 			if err != nil {
 				return output, err
@@ -196,6 +198,7 @@ type mergeAnnotationsOptions struct {
 	Namespace             string
 	ServiceName           string
 	GetServiceAnnotations func(string, string) (*map[string]string, error)
+	Resources             *albrgt.Resources
 }
 
 func mergeAnnotations(o *mergeAnnotationsOptions) (*annotations.Annotations, error) {
@@ -217,6 +220,7 @@ func mergeAnnotations(o *mergeAnnotationsOptions) (*annotations.Annotations, err
 		Annotations: mergedAnnotations,
 		Namespace:   o.Namespace,
 		ServiceName: o.ServiceName,
+		Resources:   o.Resources,
 	})
 
 	if err != nil {

pkg/albingress/albingress.go

@@ -61,6 +61,7 @@ type NewALBIngressFromIngressOptions struct {
 	Recorder              record.EventRecorder
 	ConnectionIdleTimeout *int64
 	AnnotationFactory     annotations.AnnotationFactory
+	Resources             *albrgt.Resources
 }
 
 // NewALBIngressFromIngress builds ALBIngress's based off of an Ingress object
@@ -99,6 +100,7 @@ func NewALBIngressFromIngress(o *NewALBIngressFromIngressOptions) *ALBIngress {
 		Annotations: o.Ingress.Annotations,
 		Namespace:   o.Ingress.Namespace,
 		IngressName: o.Ingress.Name,
+		Resources:   o.Resources,
 	})
 	if err != nil {
 		msg := fmt.Sprintf("Error parsing annotations: %s", err.Error())
@@ -132,6 +134,7 @@ func NewALBIngressFromIngress(o *NewALBIngressFromIngressOptions) *ALBIngress {
 		GetServiceAnnotations: o.GetServiceAnnotations,
 		TargetsFunc:           o.TargetsFunc,
 		AnnotationFactory:     o.AnnotationFactory,
+		Resources:             o.Resources,
 	})
 
 	if err != nil {

pkg/albingress/albingresses.go

@@ -28,6 +28,7 @@ type NewALBIngressesFromIngressesOptions struct {
 	GetServiceAnnotations func(string, string) (*map[string]string, error)
 	TargetsFunc           func(*string, string, string, *int64) albelbv2.TargetDescriptions
 	AnnotationFactory     annotations.AnnotationFactory
+	Resources             *albrgt.Resources
 }
 
 // NewALBIngressesFromIngresses returns a ALBIngresses created from the Kubernetes ingress state.
@@ -59,6 +60,7 @@ func NewALBIngressesFromIngresses(o *NewALBIngressesFromIngressesOptions) ALBIng
 			TargetsFunc:           o.TargetsFunc,
 			Recorder:              o.Recorder,
 			AnnotationFactory:     o.AnnotationFactory,
+			Resources:             o.Resources,
 		})
 
 		// Add the new ALBIngress instance to the new ALBIngress list.
@@ -72,6 +74,7 @@ type AssembleIngressesFromAWSOptions struct {
 	Recorder      record.EventRecorder
 	ClusterName   string
 	ALBNamePrefix string
+	Resources     *albrgt.Resources
 }
 
 // AssembleIngressesFromAWS builds a list of existing ingresses from resources in AWS
@@ -80,26 +83,15 @@ func AssembleIngressesFromAWS(o *AssembleIngressesFromAWSOptions) ALBIngresses {
 	logger.Infof("Building list of existing ALBs")
 	t0 := time.Now()
 
-	// Grab all of the tags for our cluster resources
-	resources, err := albrgt.RGTsvc.GetResources(&o.ClusterName)
-	if err != nil {
-		logger.Fatalf(err.Error())
-	}
-	logger.Debugf("Retrieved tag information on %v load balancers, %v target groups, %v listeners, and %v rules",
-		len(resources.LoadBalancers),
-		len(resources.TargetGroups),
-		len(resources.Listeners),
-		len(resources.ListenerRules))
-
 	// Fetch the list of load balancers
-	loadBalancers, err := albelbv2.ELBV2svc.ClusterLoadBalancers(resources)
+	loadBalancers, err := albelbv2.ELBV2svc.ClusterLoadBalancers(o.Resources)
 	if err != nil {
 		logger.Fatalf(err.Error())
 	}
 	logger.Infof("Fetching information on %d ALBs", len(loadBalancers))
 
 	// Fetch the list of target groups
-	targetGroups, err := albelbv2.ELBV2svc.ClusterTargetGroups(resources)
+	targetGroups, err := albelbv2.ELBV2svc.ClusterTargetGroups(o.Resources)
 	if err != nil {
 		logger.Fatalf(err.Error())
 	}
@@ -109,7 +101,7 @@ func AssembleIngressesFromAWS(o *AssembleIngressesFromAWSOptions) ALBIngresses {
 		LoadBalancers: loadBalancers,
 		ALBNamePrefix: o.ALBNamePrefix,
 		Recorder:      o.Recorder,
-		ResourceTags:  resources,
+		ResourceTags:  o.Resources,
 		TargetGroups:  targetGroups,
 	})