add COIP support for ALB on outpost

Author: M00nF1sh

docs/guide/ingress/annotations.md

@@ -23,6 +23,7 @@ You can add annotations to kubernetes Ingress and Service objects to customize t
 |[alb.ingress.kubernetes.io/scheme](#scheme)|internal \| internet-facing|internal|Ingress|Exclusive|
 |[alb.ingress.kubernetes.io/subnets](#subnets)|stringList|N/A|Ingress|Exclusive|
 |[alb.ingress.kubernetes.io/security-groups](#security-groups)|stringList|N/A|Ingress|Exclusive|
+|[alb.ingress.kubernetes.io/customer-owned-ipv4-pool](#customer-owned-ipv4-pool)|string|N/A|Ingress|Exclusive|
 |[alb.ingress.kubernetes.io/load-balancer-attributes](#load-balancer-attributes)|stringMap|N/A|Ingress|Merge|
 |[alb.ingress.kubernetes.io/wafv2-acl-arn](#wafv2-acl-arn)|string|N/A|Ingress|Exclusive|
 |[alb.ingress.kubernetes.io/waf-acl-id](#waf-acl-id)|string|N/A|Ingress|Exclusive|
@@ -124,6 +125,16 @@ Traffic Listening can be controlled with following annotations:
         alb.ingress.kubernetes.io/ip-address-type: ipv4
         ```
 
+- <a name="customer-owned-ipv4-pool">`alb.ingress.kubernetes.io/customer-owned-ipv4-pool`</a> specifies the customer-owned IPv4 address pool for ALB on Outpost.
+    
+    !!!warning ""
+        This annotation should be treated as immutable. To remove or change coIPv4Pool, you need to recreate Ingress.
+
+    !!!example
+        ```
+        alb.ingress.kubernetes.io/customer-owned-ipv4-poole: ipv4pool-coip-xxxxxxxx
+        ```
+
 ## Traffic Routing
 Traffic Routing can be controlled with following annotations:
 

pkg/annotations/constants.go

@@ -11,6 +11,7 @@ const (
 	IngressSuffixIPAddressType                = "ip-address-type"
 	IngressSuffixScheme                       = "scheme"
 	IngressSuffixSubnets                      = "subnets"
+	IngressSuffixCustomerOwnedIPv4Pool        = "customer-owned-ipv4-pool"
 	IngressSuffixLoadBalancerAttributes       = "load-balancer-attributes"
 	IngressSuffixWAFv2ACLARN                  = "wafv2-acl-arn"
 	IngressSuffixWAFACLID                     = "waf-acl-id"

pkg/deploy/elbv2/load_balancer_manager.go

@@ -236,6 +236,8 @@ func buildSDKCreateLoadBalancerInput(lbSpec elbv2model.LoadBalancerSpec) (*elbv2
 	} else {
 		sdkObj.SecurityGroups = sdkSecurityGroups
 	}
+
+	sdkObj.CustomerOwnedIpv4Pool = lbSpec.CustomerOwnedIPv4Pool
 	return sdkObj, nil
 }
 

pkg/deploy/elbv2/load_balancer_manager_test.go

@@ -92,6 +92,46 @@ func Test_buildSDKCreateLoadBalancerInput(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "application loadBalancer - with CoIP pool",
+			args: args{
+				lbSpec: elbv2model.LoadBalancerSpec{
+					Name:          "my-alb",
+					Type:          elbv2model.LoadBalancerTypeApplication,
+					Scheme:        &schemeInternetFacing,
+					IPAddressType: &addressTypeDualStack,
+					SubnetMappings: []elbv2model.SubnetMapping{
+						{
+							SubnetID: "subnet-A",
+						},
+						{
+							SubnetID: "subnet-B",
+						},
+					},
+					SecurityGroups: []coremodel.StringToken{
+						coremodel.LiteralStringToken("sg-A"),
+						coremodel.LiteralStringToken("sg-B"),
+					},
+					CustomerOwnedIPv4Pool: awssdk.String("coIP-pool-x"),
+				},
+			},
+			want: &elbv2sdk.CreateLoadBalancerInput{
+				Name:          awssdk.String("my-alb"),
+				Type:          awssdk.String("application"),
+				IpAddressType: awssdk.String("dualstack"),
+				Scheme:        awssdk.String("internet-facing"),
+				SubnetMappings: []*elbv2sdk.SubnetMapping{
+					{
+						SubnetId: awssdk.String("subnet-A"),
+					},
+					{
+						SubnetId: awssdk.String("subnet-B"),
+					},
+				},
+				SecurityGroups:        awssdk.StringSlice([]string{"sg-A", "sg-B"}),
+				CustomerOwnedIpv4Pool: awssdk.String("coIP-pool-x"),
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/ingress/model_build_load_balancer.go

@@ -13,6 +13,7 @@ import (
 	"regexp"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/equality"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
@@ -50,6 +51,10 @@ func (t *defaultModelBuildTask) buildLoadBalancerSpec(ctx context.Context, liste
 	if err != nil {
 		return elbv2model.LoadBalancerSpec{}, err
 	}
+	coIPv4Pool, err := t.buildLoadBalancerCOIPv4Pool(ctx)
+	if err != nil {
+		return elbv2model.LoadBalancerSpec{}, err
+	}
 	loadBalancerAttributes, err := t.buildLoadBalancerAttributes(ctx)
 	if err != nil {
 		return elbv2model.LoadBalancerSpec{}, err
@@ -66,6 +71,7 @@ func (t *defaultModelBuildTask) buildLoadBalancerSpec(ctx context.Context, liste
 		IPAddressType:          &ipAddressType,
 		SubnetMappings:         subnetMappings,
 		SecurityGroups:         securityGroups,
+		CustomerOwnedIPv4Pool:  coIPv4Pool,
 		LoadBalancerAttributes: loadBalancerAttributes,
 		Tags:                   tags,
 	}, nil
@@ -216,6 +222,31 @@ func (t *defaultModelBuildTask) buildLoadBalancerSecurityGroups(ctx context.Cont
 	return sgIDTokens, nil
 }
 
+func (t *defaultModelBuildTask) buildLoadBalancerCOIPv4Pool(_ context.Context) (*string, error) {
+	explicitCOIPv4Pools := sets.NewString()
+	for _, ing := range t.ingGroup.Members {
+		rawCOIPv4Pool := ""
+		if exists := t.annotationParser.ParseStringAnnotation(annotations.IngressSuffixCustomerOwnedIPv4Pool, &rawCOIPv4Pool, ing.Annotations); !exists {
+			continue
+		}
+		if len(rawCOIPv4Pool) == 0 {
+			return nil, errors.Errorf("cannot use empty value for %s annotation, ingress: %v",
+				annotations.IngressSuffixCustomerOwnedIPv4Pool, k8s.NamespacedName(ing))
+		}
+		explicitCOIPv4Pools.Insert(rawCOIPv4Pool)
+	}
+
+	if len(explicitCOIPv4Pools) == 0 {
+		return nil, nil
+	}
+	if len(explicitCOIPv4Pools) > 1 {
+		return nil, errors.Errorf("conflicting CustomerOwnedIPv4Pool: %v", explicitCOIPv4Pools.List())
+	}
+
+	rawCOIPv4Pool, _ := explicitCOIPv4Pools.PopAny()
+	return &rawCOIPv4Pool, nil
+}
+
 func (t *defaultModelBuildTask) buildLoadBalancerAttributes(_ context.Context) ([]elbv2model.LoadBalancerAttribute, error) {
 	mergedAttributes := make(map[string]string)
 	for _, ing := range t.ingGroup.Members {

pkg/ingress/model_build_load_balancer_test.go

@@ -0,0 +1,202 @@
+package ingress
+
+import (
+	"context"
+	"errors"
+	awssdk "github.com/aws/aws-sdk-go/aws"
+	"github.com/stretchr/testify/assert"
+	networking "k8s.io/api/networking/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
+	"testing"
+)
+
+func Test_defaultModelBuildTask_buildLoadBalancerCOIPv4Pool(t *testing.T) {
+	type fields struct {
+		ingGroup Group
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		want    *string
+		wantErr error
+	}{
+		{
+			name: "COIPv4 not configured on standalone Ingress",
+			fields: fields{
+				ingGroup: Group{
+					Members: []*networking.Ingress{
+						{
+							ObjectMeta: metav1.ObjectMeta{
+								Namespace:   "awesome-ns",
+								Name:        "ing-1",
+								Annotations: map[string]string{},
+							},
+						},
+					},
+				},
+			},
+			want: nil,
+		},
+		{
+			name: "COIPv4 configured on standalone Ingress",
+			fields: fields{
+				ingGroup: Group{
+					Members: []*networking.Ingress{
+						{
+							ObjectMeta: metav1.ObjectMeta{
+								Namespace: "awesome-ns",
+								Name:      "ing-1",
+								Annotations: map[string]string{
+									"alb.ingress.kubernetes.io/customer-owned-ipv4-pool": "my-ip-pool",
+								},
+							},
+						},
+					},
+				},
+			},
+			want: awssdk.String("my-ip-pool"),
+		},
+		{
+			name: "specified empty COIPv4 on standalone Ingress",
+			fields: fields{
+				ingGroup: Group{
+					Members: []*networking.Ingress{
+						{
+							ObjectMeta: metav1.ObjectMeta{
+								Namespace: "awesome-ns",
+								Name:      "ing-1",
+								Annotations: map[string]string{
+									"alb.ingress.kubernetes.io/customer-owned-ipv4-pool": "",
+								},
+							},
+						},
+					},
+				},
+			},
+			wantErr: errors.New("cannot use empty value for customer-owned-ipv4-pool annotation, ingress: awesome-ns/ing-1"),
+		},
+		{
+			name: "COIPv4 not configured on all Ingresses among IngressGroup",
+			fields: fields{
+				ingGroup: Group{
+					Members: []*networking.Ingress{
+						{
+							ObjectMeta: metav1.ObjectMeta{
+								Namespace:   "awesome-ns",
+								Name:        "ing-1",
+								Annotations: map[string]string{},
+							},
+						},
+						{
+							ObjectMeta: metav1.ObjectMeta{
+								Namespace:   "awesome-ns",
+								Name:        "ing-2",
+								Annotations: map[string]string{},
+							},
+						},
+					},
+				},
+			},
+			want: nil,
+		},
+		{
+			name: "COIPv4 configured on one Ingress among IngressGroup",
+			fields: fields{
+				ingGroup: Group{
+					Members: []*networking.Ingress{
+						{
+							ObjectMeta: metav1.ObjectMeta{
+								Namespace: "awesome-ns",
+								Name:      "ing-1",
+								Annotations: map[string]string{
+									"alb.ingress.kubernetes.io/customer-owned-ipv4-pool": "my-ip-pool",
+								},
+							},
+						},
+						{
+							ObjectMeta: metav1.ObjectMeta{
+								Namespace:   "awesome-ns",
+								Name:        "ing-2",
+								Annotations: map[string]string{},
+							},
+						},
+					},
+				},
+			},
+			want: awssdk.String("my-ip-pool"),
+		},
+		{
+			name: "COIPv4 configured on multiple Ingresses among IngressGroup - with same value",
+			fields: fields{
+				ingGroup: Group{
+					Members: []*networking.Ingress{
+						{
+							ObjectMeta: metav1.ObjectMeta{
+								Namespace: "awesome-ns",
+								Name:      "ing-1",
+								Annotations: map[string]string{
+									"alb.ingress.kubernetes.io/customer-owned-ipv4-pool": "my-ip-pool",
+								},
+							},
+						},
+						{
+							ObjectMeta: metav1.ObjectMeta{
+								Namespace: "awesome-ns",
+								Name:      "ing-2",
+								Annotations: map[string]string{
+									"alb.ingress.kubernetes.io/customer-owned-ipv4-pool": "my-ip-pool",
+								},
+							},
+						},
+					},
+				},
+			},
+			want: awssdk.String("my-ip-pool"),
+		},
+		{
+			name: "COIPv4 configured on multiple Ingress among IngressGroup - with different value",
+			fields: fields{
+				ingGroup: Group{
+					Members: []*networking.Ingress{
+						{
+							ObjectMeta: metav1.ObjectMeta{
+								Namespace: "awesome-ns",
+								Name:      "ing-1",
+								Annotations: map[string]string{
+									"alb.ingress.kubernetes.io/customer-owned-ipv4-pool": "my-ip-pool",
+								},
+							},
+						},
+						{
+							ObjectMeta: metav1.ObjectMeta{
+								Namespace: "awesome-ns",
+								Name:      "ing-2",
+								Annotations: map[string]string{
+									"alb.ingress.kubernetes.io/customer-owned-ipv4-pool": "my-another-pool",
+								},
+							},
+						},
+					},
+				},
+			},
+			wantErr: errors.New("conflicting CustomerOwnedIPv4Pool: [my-another-pool my-ip-pool]"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t1 *testing.T) {
+			annotationParser := annotations.NewSuffixAnnotationParser("alb.ingress.kubernetes.io")
+			task := &defaultModelBuildTask{
+				annotationParser: annotationParser,
+				ingGroup:         tt.fields.ingGroup,
+			}
+			got, err := task.buildLoadBalancerCOIPv4Pool(context.Background())
+			if tt.wantErr != nil {
+				assert.EqualError(t, err, tt.wantErr.Error())
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, got, tt.want)
+			}
+		})
+	}
+}

pkg/model/elbv2/load_balancer.go

@@ -140,6 +140,10 @@ type LoadBalancerSpec struct {
 	// +optional
 	SecurityGroups []core.StringToken `json:"securityGroups,omitempty"`
 
+	// [Application Load Balancers on Outposts] The ID of the customer-owned address pool (CoIP pool).
+	// +optional
+	CustomerOwnedIPv4Pool *string `json:"customerOwnedIPv4Pool,omitempty"`
+
 	// The load balancer attributes.
 	// +optional
 	LoadBalancerAttributes []LoadBalancerAttribute `json:"loadBalancerAttributes,omitempty"`