add COIP support for ALB on outpost (#1685)

M00nF1sh · web-flow · commit a08ca0d9ad49 · 2020-11-24T17:35:09.000-08:00
* add COIP support for ALB on outpost

* check for drifted coIPv4Pool settings
diff --git a/docs/guide/ingress/annotations.md b/docs/guide/ingress/annotations.md
@@ -23,6 +23,7 @@ You can add annotations to kubernetes Ingress and Service objects to customize t
 |[alb.ingress.kubernetes.io/scheme](#scheme)|internal \| internet-facing|internal|Ingress|Exclusive|
 |[alb.ingress.kubernetes.io/subnets](#subnets)|stringList|N/A|Ingress|Exclusive|
 |[alb.ingress.kubernetes.io/security-groups](#security-groups)|stringList|N/A|Ingress|Exclusive|
+|[alb.ingress.kubernetes.io/customer-owned-ipv4-pool](#customer-owned-ipv4-pool)|string|N/A|Ingress|Exclusive|
 |[alb.ingress.kubernetes.io/load-balancer-attributes](#load-balancer-attributes)|stringMap|N/A|Ingress|Merge|
 |[alb.ingress.kubernetes.io/wafv2-acl-arn](#wafv2-acl-arn)|string|N/A|Ingress|Exclusive|
 |[alb.ingress.kubernetes.io/waf-acl-id](#waf-acl-id)|string|N/A|Ingress|Exclusive|
@@ -124,6 +125,16 @@ Traffic Listening can be controlled with following annotations:
         alb.ingress.kubernetes.io/ip-address-type: ipv4
         ```
 
+- <a name="customer-owned-ipv4-pool">`alb.ingress.kubernetes.io/customer-owned-ipv4-pool`</a> specifies the customer-owned IPv4 address pool for ALB on Outpost.
+    
+    !!!warning ""
+        This annotation should be treated as immutable. To remove or change coIPv4Pool, you need to recreate Ingress.
+
+    !!!example
+        ```
+        alb.ingress.kubernetes.io/customer-owned-ipv4-pool: ipv4pool-coip-xxxxxxxx
+        ```
+
 ## Traffic Routing
 Traffic Routing can be controlled with following annotations:
 
diff --git a/pkg/annotations/constants.go b/pkg/annotations/constants.go
@@ -11,6 +11,7 @@ const (
 	IngressSuffixIPAddressType                = "ip-address-type"
 	IngressSuffixScheme                       = "scheme"
 	IngressSuffixSubnets                      = "subnets"
+	IngressSuffixCustomerOwnedIPv4Pool        = "customer-owned-ipv4-pool"
 	IngressSuffixLoadBalancerAttributes       = "load-balancer-attributes"
 	IngressSuffixWAFv2ACLARN                  = "wafv2-acl-arn"
 	IngressSuffixWAFACLID                     = "waf-acl-id"
diff --git a/pkg/deploy/elbv2/load_balancer_manager.go b/pkg/deploy/elbv2/load_balancer_manager.go
@@ -6,6 +6,7 @@ import (
 	awssdk "github.com/aws/aws-sdk-go/aws"
 	elbv2sdk "github.com/aws/aws-sdk-go/service/elbv2"
 	"github.com/go-logr/logr"
+	"github.com/pkg/errors"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/aws/services"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/deploy/tracking"
@@ -92,6 +93,9 @@ func (m *defaultLoadBalancerManager) Update(ctx context.Context, resLB *elbv2mod
 	if err := m.attributesReconciler.Reconcile(ctx, resLB, sdkLB); err != nil {
 		return elbv2model.LoadBalancerStatus{}, err
 	}
+	if err := m.checkSDKLoadBalancerWithCOIPv4Pool(ctx, resLB, sdkLB); err != nil {
+		return elbv2model.LoadBalancerStatus{}, err
+	}
 	return buildResLoadBalancerStatus(sdkLB), nil
 }
 
@@ -206,6 +210,13 @@ func (m *defaultLoadBalancerManager) updateSDKLoadBalancerWithSecurityGroups(ctx
 	return nil
 }
 
+func (m *defaultLoadBalancerManager) checkSDKLoadBalancerWithCOIPv4Pool(_ context.Context, resLB *elbv2model.LoadBalancer, sdkLB LoadBalancerWithTags) error {
+	if awssdk.StringValue(resLB.Spec.CustomerOwnedIPv4Pool) != awssdk.StringValue(sdkLB.LoadBalancer.CustomerOwnedIpv4Pool) {
+		return errors.New("loadBalancer has drifted CustomerOwnedIPv4Pool setting")
+	}
+	return nil
+}
+
 func (m *defaultLoadBalancerManager) updateSDKLoadBalancerWithTags(ctx context.Context, resLB *elbv2model.LoadBalancer, sdkLB LoadBalancerWithTags) error {
 	desiredLBTags := m.trackingProvider.ResourceTags(resLB.Stack(), resLB, resLB.Spec.Tags)
 	return m.taggingManager.ReconcileTags(ctx, awssdk.StringValue(sdkLB.LoadBalancer.LoadBalancerArn), desiredLBTags,
@@ -236,6 +247,8 @@ func buildSDKCreateLoadBalancerInput(lbSpec elbv2model.LoadBalancerSpec) (*elbv2
 	} else {
 		sdkObj.SecurityGroups = sdkSecurityGroups
 	}
+
+	sdkObj.CustomerOwnedIpv4Pool = lbSpec.CustomerOwnedIPv4Pool
 	return sdkObj, nil
 }
 
diff --git a/pkg/deploy/elbv2/load_balancer_manager_test.go b/pkg/deploy/elbv2/load_balancer_manager_test.go
@@ -1,6 +1,8 @@
 package elbv2
 
 import (
+	"context"
+	"errors"
 	awssdk "github.com/aws/aws-sdk-go/aws"
 	elbv2sdk "github.com/aws/aws-sdk-go/service/elbv2"
 	"github.com/stretchr/testify/assert"
@@ -92,6 +94,46 @@ func Test_buildSDKCreateLoadBalancerInput(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "application loadBalancer - with CoIP pool",
+			args: args{
+				lbSpec: elbv2model.LoadBalancerSpec{
+					Name:          "my-alb",
+					Type:          elbv2model.LoadBalancerTypeApplication,
+					Scheme:        &schemeInternetFacing,
+					IPAddressType: &addressTypeDualStack,
+					SubnetMappings: []elbv2model.SubnetMapping{
+						{
+							SubnetID: "subnet-A",
+						},
+						{
+							SubnetID: "subnet-B",
+						},
+					},
+					SecurityGroups: []coremodel.StringToken{
+						coremodel.LiteralStringToken("sg-A"),
+						coremodel.LiteralStringToken("sg-B"),
+					},
+					CustomerOwnedIPv4Pool: awssdk.String("coIP-pool-x"),
+				},
+			},
+			want: &elbv2sdk.CreateLoadBalancerInput{
+				Name:          awssdk.String("my-alb"),
+				Type:          awssdk.String("application"),
+				IpAddressType: awssdk.String("dualstack"),
+				Scheme:        awssdk.String("internet-facing"),
+				SubnetMappings: []*elbv2sdk.SubnetMapping{
+					{
+						SubnetId: awssdk.String("subnet-A"),
+					},
+					{
+						SubnetId: awssdk.String("subnet-B"),
+					},
+				},
+				SecurityGroups:        awssdk.StringSlice([]string{"sg-A", "sg-B"}),
+				CustomerOwnedIpv4Pool: awssdk.String("coIP-pool-x"),
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -264,3 +306,107 @@ func Test_buildResLoadBalancerStatus(t *testing.T) {
 		})
 	}
 }
+
+func Test_defaultLoadBalancerManager_checkSDKLoadBalancerWithCOIPv4Pool(t *testing.T) {
+	type args struct {
+		resLB *elbv2model.LoadBalancer
+		sdkLB LoadBalancerWithTags
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr error
+	}{
+		{
+			name: "both resLB and sdkLB don't have CustomerOwnedIPv4Pool setting",
+			args: args{
+				resLB: &elbv2model.LoadBalancer{
+					Spec: elbv2model.LoadBalancerSpec{
+						CustomerOwnedIPv4Pool: nil,
+					},
+				},
+				sdkLB: LoadBalancerWithTags{
+					LoadBalancer: &elbv2sdk.LoadBalancer{
+						CustomerOwnedIpv4Pool: nil,
+					},
+				},
+			},
+			wantErr: nil,
+		},
+		{
+			name: "both resLB and sdkLB have same CustomerOwnedIPv4Pool setting",
+			args: args{
+				resLB: &elbv2model.LoadBalancer{
+					Spec: elbv2model.LoadBalancerSpec{
+						CustomerOwnedIPv4Pool: awssdk.String("ipv4pool-coip-abc"),
+					},
+				},
+				sdkLB: LoadBalancerWithTags{
+					LoadBalancer: &elbv2sdk.LoadBalancer{
+						CustomerOwnedIpv4Pool: awssdk.String("ipv4pool-coip-abc"),
+					},
+				},
+			},
+			wantErr: nil,
+		},
+		{
+			name: "both resLB and sdkLB have different CustomerOwnedIPv4Pool setting",
+			args: args{
+				resLB: &elbv2model.LoadBalancer{
+					Spec: elbv2model.LoadBalancerSpec{
+						CustomerOwnedIPv4Pool: awssdk.String("ipv4pool-coip-abc"),
+					},
+				},
+				sdkLB: LoadBalancerWithTags{
+					LoadBalancer: &elbv2sdk.LoadBalancer{
+						CustomerOwnedIpv4Pool: awssdk.String("ipv4pool-coip-def"),
+					},
+				},
+			},
+			wantErr: errors.New("loadBalancer has drifted CustomerOwnedIPv4Pool setting"),
+		},
+		{
+			name: "only resLB have CustomerOwnedIPv4Pool setting",
+			args: args{
+				resLB: &elbv2model.LoadBalancer{
+					Spec: elbv2model.LoadBalancerSpec{
+						CustomerOwnedIPv4Pool: awssdk.String("ipv4pool-coip-abc"),
+					},
+				},
+				sdkLB: LoadBalancerWithTags{
+					LoadBalancer: &elbv2sdk.LoadBalancer{
+						CustomerOwnedIpv4Pool: nil,
+					},
+				},
+			},
+			wantErr: errors.New("loadBalancer has drifted CustomerOwnedIPv4Pool setting"),
+		},
+		{
+			name: "only sdkLB have CustomerOwnedIPv4Pool setting",
+			args: args{
+				resLB: &elbv2model.LoadBalancer{
+					Spec: elbv2model.LoadBalancerSpec{
+						CustomerOwnedIPv4Pool: nil,
+					},
+				},
+				sdkLB: LoadBalancerWithTags{
+					LoadBalancer: &elbv2sdk.LoadBalancer{
+						CustomerOwnedIpv4Pool: awssdk.String("ipv4pool-coip-abc"),
+					},
+				},
+			},
+			wantErr: errors.New("loadBalancer has drifted CustomerOwnedIPv4Pool setting"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			m := &defaultLoadBalancerManager{}
+			err := m.checkSDKLoadBalancerWithCOIPv4Pool(context.Background(), tt.args.resLB, tt.args.sdkLB)
+			if tt.wantErr != nil {
+				assert.EqualError(t, err, tt.wantErr.Error())
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
diff --git a/pkg/ingress/model_build_load_balancer.go b/pkg/ingress/model_build_load_balancer.go
@@ -13,6 +13,7 @@ import (
 	"regexp"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/equality"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
@@ -50,6 +51,10 @@ func (t *defaultModelBuildTask) buildLoadBalancerSpec(ctx context.Context, liste
 	if err != nil {
 		return elbv2model.LoadBalancerSpec{}, err
 	}
+	coIPv4Pool, err := t.buildLoadBalancerCOIPv4Pool(ctx)
+	if err != nil {
+		return elbv2model.LoadBalancerSpec{}, err
+	}
 	loadBalancerAttributes, err := t.buildLoadBalancerAttributes(ctx)
 	if err != nil {
 		return elbv2model.LoadBalancerSpec{}, err
@@ -66,6 +71,7 @@ func (t *defaultModelBuildTask) buildLoadBalancerSpec(ctx context.Context, liste
 		IPAddressType:          &ipAddressType,
 		SubnetMappings:         subnetMappings,
 		SecurityGroups:         securityGroups,
+		CustomerOwnedIPv4Pool:  coIPv4Pool,
 		LoadBalancerAttributes: loadBalancerAttributes,
 		Tags:                   tags,
 	}, nil
@@ -216,6 +222,31 @@ func (t *defaultModelBuildTask) buildLoadBalancerSecurityGroups(ctx context.Cont
 	return sgIDTokens, nil
 }
 
+func (t *defaultModelBuildTask) buildLoadBalancerCOIPv4Pool(_ context.Context) (*string, error) {
+	explicitCOIPv4Pools := sets.NewString()
+	for _, ing := range t.ingGroup.Members {
+		rawCOIPv4Pool := ""
+		if exists := t.annotationParser.ParseStringAnnotation(annotations.IngressSuffixCustomerOwnedIPv4Pool, &rawCOIPv4Pool, ing.Annotations); !exists {
+			continue
+		}
+		if len(rawCOIPv4Pool) == 0 {
+			return nil, errors.Errorf("cannot use empty value for %s annotation, ingress: %v",
+				annotations.IngressSuffixCustomerOwnedIPv4Pool, k8s.NamespacedName(ing))
+		}
+		explicitCOIPv4Pools.Insert(rawCOIPv4Pool)
+	}
+
+	if len(explicitCOIPv4Pools) == 0 {
+		return nil, nil
+	}
+	if len(explicitCOIPv4Pools) > 1 {
+		return nil, errors.Errorf("conflicting CustomerOwnedIPv4Pool: %v", explicitCOIPv4Pools.List())
+	}
+
+	rawCOIPv4Pool, _ := explicitCOIPv4Pools.PopAny()
+	return &rawCOIPv4Pool, nil
+}
+
 func (t *defaultModelBuildTask) buildLoadBalancerAttributes(_ context.Context) ([]elbv2model.LoadBalancerAttribute, error) {
 	mergedAttributes := make(map[string]string)
 	for _, ing := range t.ingGroup.Members {
diff --git a/pkg/ingress/model_build_load_balancer_test.go b/pkg/ingress/model_build_load_balancer_test.go
diff --git a/pkg/model/elbv2/load_balancer.go b/pkg/model/elbv2/load_balancer.go
