Adding supports for air gapped regions through feature gate.

Author: haouc

docs/deploy/configurations.md

@@ -83,7 +83,7 @@ Currently, you can set only 1 namespace to watch in this flag. See [this Kuberne
 |enable-waf                             | boolean                         | true            | Enable WAF addon for ALB |
 |enable-wafv2                           | boolean                         | true            | Enable WAF V2 addon for ALB |
 |external-managed-tags                  | stringList                      |                 | AWS Tag keys that will be managed externally. Specified Tags are ignored during reconciliation |
-|feature-gate                         | string                          | true             | A set of key=value pairs to enable or disable features |
+|feature-gate                           | string                          | boolean         | A set of key=value pairs to enable or disable features |
 |ingress-class                          | string                          | alb             | Name of the ingress class this controller satisfies |
 |ingress-max-concurrent-reconciles      | int                             | 3               | Maximum number of concurrently running reconcile loops for ingress |
 |kubeconfig                             | string                          | in-cluster config | Path to the kubeconfig file containing authorization and API server information |
@@ -102,6 +102,12 @@ Currently, you can set only 1 namespace to watch in this flag. See [this Kuberne
 |webhook-cert-file                      | string                          | tls.crt | The server certificate name |
 |webhook-key-file                       | string                          | tls.key | The server key name |
 
+|Feature-gate Supported Key             | Type                            | Default Value   | Description |
+|---------------------------------------|---------------------------------|-----------------|-------------|
+|enable-listener-rules-tagging          | string                          | true            | Enable tagging load balancer listeners |
+|enforce-single-target-group            | string                          | false           | Enforce using only one target group |
+
+
 ### disable-ingress-class-annotation
 `--disable-ingress-class-annotation` controls whether to disable new usage of the `kubernetes.io/ingress.class` annotation.
 

pkg/config/feature_gate.go

@@ -11,6 +11,7 @@ type Feature string
 
 const (
 	EnableListenerRulesTagging Feature = "enable-listener-rules-tagging"
+	EnforceSingleTargetGroup   Feature = "enforce-single-target-group"
 )
 
 type FeatureGate interface {
@@ -39,6 +40,7 @@ func NewFeatureGate() FeatureGate {
 	return &defaultFeatureGate{
 		featureState: map[Feature]bool{
 			EnableListenerRulesTagging: true,
+			EnforceSingleTargetGroup:   false,
 		},
 	}
 }

pkg/deploy/elbv2/listener_manager.go

@@ -57,7 +57,7 @@ type defaultListenerManager struct {
 }
 
 func (m *defaultListenerManager) Create(ctx context.Context, resLS *elbv2model.Listener) (elbv2model.ListenerStatus, error) {
-	req, err := buildSDKCreateListenerInput(resLS.Spec)
+	req, err := buildSDKCreateListenerInput(resLS.Spec, m.featureGate)
 	if err != nil {
 		return elbv2model.ListenerStatus{}, err
 	}
@@ -128,7 +128,7 @@ func (m *defaultListenerManager) updateSDKListenerWithTags(ctx context.Context,
 }
 
 func (m *defaultListenerManager) updateSDKListenerWithSettings(ctx context.Context, resLS *elbv2model.Listener, sdkLS ListenerWithTags) error {
-	desiredDefaultActions, err := buildSDKActions(resLS.Spec.DefaultActions)
+	desiredDefaultActions, err := buildSDKActions(resLS.Spec.DefaultActions, m.featureGate)
 	if err != nil {
 		return err
 	}
@@ -156,6 +156,13 @@ func (m *defaultListenerManager) updateSDKListenerWithSettings(ctx context.Conte
 // currentExtraCertificates is the current extra certificates, if it's nil, the current extra certificates will be fetched from AWS.
 func (m *defaultListenerManager) updateSDKListenerWithExtraCertificates(ctx context.Context, resLS *elbv2model.Listener,
 	sdkLS ListenerWithTags, isNewSDKListener bool) error {
+	// if TLS is not supported, we shouldn't update
+	if sdkLS.Listener.SslPolicy == nil {
+		m.logger.Info("SDK Listner doesn't have SSL Policy set, we skip updating extra certs.")
+		return nil
+	}
+
+
 	desiredExtraCertARNs := sets.NewString()
 	_, desiredExtraCerts := buildSDKCertificates(resLS.Spec.Certificates)
 	for _, cert := range desiredExtraCerts {
@@ -262,7 +269,7 @@ func isSDKListenerSettingsDrifted(lsSpec elbv2model.ListenerSpec, sdkLS Listener
 	return false
 }
 
-func buildSDKCreateListenerInput(lsSpec elbv2model.ListenerSpec) (*elbv2sdk.CreateListenerInput, error) {
+func buildSDKCreateListenerInput(lsSpec elbv2model.ListenerSpec, featureGate config.FeatureGate) (*elbv2sdk.CreateListenerInput, error) {
 	ctx := context.Background()
 	lbARN, err := lsSpec.LoadBalancerARN.Resolve(ctx)
 	if err != nil {
@@ -272,7 +279,7 @@ func buildSDKCreateListenerInput(lsSpec elbv2model.ListenerSpec) (*elbv2sdk.Crea
 	sdkObj.LoadBalancerArn = awssdk.String(lbARN)
 	sdkObj.Port = awssdk.Int64(lsSpec.Port)
 	sdkObj.Protocol = awssdk.String(string(lsSpec.Protocol))
-	defaultActions, err := buildSDKActions(lsSpec.DefaultActions)
+	defaultActions, err := buildSDKActions(lsSpec.DefaultActions, featureGate)
 	if err != nil {
 		return nil, err
 	}

pkg/deploy/elbv2/listener_rule_manager.go

@@ -54,7 +54,7 @@ type defaultListenerRuleManager struct {
 }
 
 func (m *defaultListenerRuleManager) Create(ctx context.Context, resLR *elbv2model.ListenerRule) (elbv2model.ListenerRuleStatus, error) {
-	req, err := buildSDKCreateListenerRuleInput(resLR.Spec)
+	req, err := buildSDKCreateListenerRuleInput(resLR.Spec, m.featureGate)
 	if err != nil {
 		return elbv2model.ListenerRuleStatus{}, err
 	}
@@ -116,7 +116,7 @@ func (m *defaultListenerRuleManager) Delete(ctx context.Context, sdkLR ListenerR
 }
 
 func (m *defaultListenerRuleManager) updateSDKListenerRuleWithSettings(ctx context.Context, resLR *elbv2model.ListenerRule, sdkLR ListenerRuleWithTags) error {
-	desiredActions, err := buildSDKActions(resLR.Spec.Actions)
+	desiredActions, err := buildSDKActions(resLR.Spec.Actions, m.featureGate)
 	if err != nil {
 		return err
 	}
@@ -161,7 +161,7 @@ func isSDKListenerRuleSettingsDrifted(lrSpec elbv2model.ListenerRuleSpec, sdkLR
 	return false
 }
 
-func buildSDKCreateListenerRuleInput(lrSpec elbv2model.ListenerRuleSpec) (*elbv2sdk.CreateRuleInput, error) {
+func buildSDKCreateListenerRuleInput(lrSpec elbv2model.ListenerRuleSpec, featureGate config.FeatureGate) (*elbv2sdk.CreateRuleInput, error) {
 	ctx := context.Background()
 	lsARN, err := lrSpec.ListenerARN.Resolve(ctx)
 	if err != nil {
@@ -170,7 +170,7 @@ func buildSDKCreateListenerRuleInput(lrSpec elbv2model.ListenerRuleSpec) (*elbv2
 	sdkObj := &elbv2sdk.CreateRuleInput{}
 	sdkObj.ListenerArn = awssdk.String(lsARN)
 	sdkObj.Priority = awssdk.Int64(lrSpec.Priority)
-	actions, err := buildSDKActions(lrSpec.Actions)
+	actions, err := buildSDKActions(lrSpec.Actions, featureGate)
 	if err != nil {
 		return nil, err
 	}

pkg/deploy/elbv2/listener_utils.go

@@ -7,6 +7,7 @@ import (
 	elbv2sdk "github.com/aws/aws-sdk-go/service/elbv2"
 	"github.com/pkg/errors"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/config"
 	"time"
 )
 
@@ -15,12 +16,12 @@ const (
 	defaultWaitLSExistenceTimeout      = 20 * time.Second
 )
 
-func buildSDKActions(modelActions []elbv2model.Action) ([]*elbv2sdk.Action, error) {
+func buildSDKActions(modelActions []elbv2model.Action, featureGate config.FeatureGate) ([]*elbv2sdk.Action, error) {
 	var sdkActions []*elbv2sdk.Action
 	if len(modelActions) != 0 {
 		sdkActions = make([]*elbv2sdk.Action, 0, len(modelActions))
 		for index, modelAction := range modelActions {
-			sdkAction, err := buildSDKAction(modelAction)
+			sdkAction, err := buildSDKAction(modelAction, featureGate)
 			sdkAction.Order = awssdk.Int64(int64(index) + 1)
 			if err != nil {
 				return nil, err
@@ -31,7 +32,7 @@ func buildSDKActions(modelActions []elbv2model.Action) ([]*elbv2sdk.Action, erro
 	return sdkActions, nil
 }
 
-func buildSDKAction(modelAction elbv2model.Action) (*elbv2sdk.Action, error) {
+func buildSDKAction(modelAction elbv2model.Action, featureGate config.FeatureGate) (*elbv2sdk.Action, error) {
 	sdkObj := &elbv2sdk.Action{}
 	sdkObj.Type = awssdk.String(string(modelAction.Type))
 	if modelAction.AuthenticateCognitoConfig != nil {
@@ -51,7 +52,15 @@ func buildSDKAction(modelAction elbv2model.Action) (*elbv2sdk.Action, error) {
 		if err != nil {
 			return nil, err
 		}
-		sdkObj.ForwardConfig = forwardConfig
+		if featureGate.Enabled(config.EnforceSingleTargetGroup) {
+			if len(forwardConfig.TargetGroups) == 1 {
+				sdkObj.TargetGroupArn = forwardConfig.TargetGroups[0].TargetGroupArn
+			} else {
+				return nil, errors.New("The controller is configured to specify single Target Group but has more than one.")
+			}
+		} else {
+			sdkObj.ForwardConfig = forwardConfig
+		}
 	}
 	return sdkObj, nil
 }
@@ -60,28 +69,28 @@ func buildSDKAuthenticateCognitoActionConfig(modelCfg elbv2model.AuthenticateCog
 	return &elbv2sdk.AuthenticateCognitoActionConfig{
 		AuthenticationRequestExtraParams: awssdk.StringMap(modelCfg.AuthenticationRequestExtraParams),
 		OnUnauthenticatedRequest:         (*string)(modelCfg.OnUnauthenticatedRequest),
-		Scope:                            modelCfg.Scope,
-		SessionCookieName:                modelCfg.SessionCookieName,
-		SessionTimeout:                   modelCfg.SessionTimeout,
-		UserPoolArn:                      awssdk.String(modelCfg.UserPoolARN),
-		UserPoolClientId:                 awssdk.String(modelCfg.UserPoolClientID),
-		UserPoolDomain:                   awssdk.String(modelCfg.UserPoolDomain),
+		Scope:             modelCfg.Scope,
+		SessionCookieName: modelCfg.SessionCookieName,
+		SessionTimeout:    modelCfg.SessionTimeout,
+		UserPoolArn:       awssdk.String(modelCfg.UserPoolARN),
+		UserPoolClientId:  awssdk.String(modelCfg.UserPoolClientID),
+		UserPoolDomain:    awssdk.String(modelCfg.UserPoolDomain),
 	}
 }
 
 func buildSDKAuthenticateOidcActionConfig(modelCfg elbv2model.AuthenticateOIDCActionConfig) *elbv2sdk.AuthenticateOidcActionConfig {
 	return &elbv2sdk.AuthenticateOidcActionConfig{
 		AuthenticationRequestExtraParams: awssdk.StringMap(modelCfg.AuthenticationRequestExtraParams),
 		OnUnauthenticatedRequest:         (*string)(modelCfg.OnUnauthenticatedRequest),
-		Scope:                            modelCfg.Scope,
-		SessionCookieName:                modelCfg.SessionCookieName,
-		SessionTimeout:                   modelCfg.SessionTimeout,
-		ClientId:                         awssdk.String(modelCfg.ClientID),
-		ClientSecret:                     awssdk.String(modelCfg.ClientSecret),
-		Issuer:                           awssdk.String(modelCfg.Issuer),
-		AuthorizationEndpoint:            awssdk.String(modelCfg.AuthorizationEndpoint),
-		TokenEndpoint:                    awssdk.String(modelCfg.TokenEndpoint),
-		UserInfoEndpoint:                 awssdk.String(modelCfg.UserInfoEndpoint),
+		Scope:                 modelCfg.Scope,
+		SessionCookieName:     modelCfg.SessionCookieName,
+		SessionTimeout:        modelCfg.SessionTimeout,
+		ClientId:              awssdk.String(modelCfg.ClientID),
+		ClientSecret:          awssdk.String(modelCfg.ClientSecret),
+		Issuer:                awssdk.String(modelCfg.Issuer),
+		AuthorizationEndpoint: awssdk.String(modelCfg.AuthorizationEndpoint),
+		TokenEndpoint:         awssdk.String(modelCfg.TokenEndpoint),
+		UserInfoEndpoint:      awssdk.String(modelCfg.UserInfoEndpoint),
 	}
 }