refactor ingress model builder (#1422)

* refactor ingress model builder

* handle targetGroupNotFound error

* output model deploy logs when deleting ingress group

* gc securityGroup rules

Author: M00nF1sh

controllers/ingress/group_controller.go

@@ -3,13 +3,16 @@ package ingress
 import (
 	"context"
 	"github.com/go-logr/logr"
+	"github.com/pkg/errors"
+	corev1 "k8s.io/api/core/v1"
 	networking "k8s.io/api/networking/v1beta1"
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/aws-alb-ingress-controller/controllers/ingress/eventhandlers"
 	"sigs.k8s.io/aws-alb-ingress-controller/pkg/annotations"
 	"sigs.k8s.io/aws-alb-ingress-controller/pkg/aws/services"
 	"sigs.k8s.io/aws-alb-ingress-controller/pkg/deploy"
 	"sigs.k8s.io/aws-alb-ingress-controller/pkg/ingress"
+	"sigs.k8s.io/aws-alb-ingress-controller/pkg/k8s"
 	networkingpkg "sigs.k8s.io/aws-alb-ingress-controller/pkg/networking"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -34,6 +37,7 @@ func NewGroupReconciler(k8sClient client.Client, eventRecorder record.EventRecor
 	finalizerManager := ingress.NewDefaultFinalizerManager(k8sClient)
 
 	return &GroupReconciler{
+		k8sClient:        k8sClient,
 		groupLoader:      groupLoader,
 		finalizerManager: finalizerManager,
 		modelBuilder:     modelBuilder,
@@ -45,6 +49,7 @@ func NewGroupReconciler(k8sClient client.Client, eventRecorder record.EventRecor
 
 // GroupReconciler reconciles a ingress group
 type GroupReconciler struct {
+	k8sClient       client.Client
 	modelBuilder    ingress.ModelBuilder
 	stackMarshaller deploy.StackMarshaller
 	stackDeployer   deploy.StackDeployer
@@ -61,18 +66,17 @@ type GroupReconciler struct {
 // Reconcile
 func (r *GroupReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	ctx := context.Background()
-	groupID := ingress.DecodeGroupIDFromReconcileRequest(req)
-	_ = r.log.WithValues("groupID", groupID)
-	group, err := r.groupLoader.Load(ctx, groupID)
+	ingGroupID := ingress.DecodeGroupIDFromReconcileRequest(req)
+	_ = r.log.WithValues("groupID", ingGroupID)
+	ingGroup, err := r.groupLoader.Load(ctx, ingGroupID)
 	if err != nil {
 		return ctrl.Result{}, err
 	}
 
-	if err := r.finalizerManager.AddGroupFinalizer(ctx, groupID, group.Members...); err != nil {
+	if err := r.finalizerManager.AddGroupFinalizer(ctx, ingGroupID, ingGroup.Members...); err != nil {
 		return ctrl.Result{}, err
 	}
-
-	stack, lb, err := r.modelBuilder.Build(ctx, group)
+	stack, lb, err := r.modelBuilder.Build(ctx, ingGroup)
 	if err != nil {
 		return ctrl.Result{}, err
 	}
@@ -84,18 +88,50 @@ func (r *GroupReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	if err := r.stackDeployer.Deploy(ctx, stack); err != nil {
 		return ctrl.Result{}, err
 	}
-	lbARN, err := lb.LoadBalancerARN().Resolve(ctx)
-	if err != nil {
-		return ctrl.Result{}, err
+	r.log.Info("successfully deployed model")
+
+	if len(ingGroup.Members) > 0 {
+		lbDNS, err := lb.DNSName().Resolve(ctx)
+		if err != nil {
+			return ctrl.Result{}, err
+		}
+		if err := r.updateIngressGroupStatus(ctx, ingGroup, lbDNS); err != nil {
+			return ctrl.Result{}, err
+		}
 	}
-	r.log.Info("successfully deployed model", "LB", lbARN)
 
-	if err := r.finalizerManager.RemoveGroupFinalizer(ctx, groupID, group.InactiveMembers...); err != nil {
+	if err := r.finalizerManager.RemoveGroupFinalizer(ctx, ingGroupID, ingGroup.InactiveMembers...); err != nil {
 		return ctrl.Result{}, err
 	}
 	return ctrl.Result{}, nil
 }
 
+func (r *GroupReconciler) updateIngressGroupStatus(ctx context.Context, ingGroup ingress.Group, lbDNS string) error {
+	for _, ing := range ingGroup.Members {
+		if err := r.updateIngressStatus(ctx, ing, lbDNS); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *GroupReconciler) updateIngressStatus(ctx context.Context, ing *networking.Ingress, lbDNS string) error {
+	if len(ing.Status.LoadBalancer.Ingress) != 1 ||
+		ing.Status.LoadBalancer.Ingress[0].IP != "" ||
+		ing.Status.LoadBalancer.Ingress[0].Hostname != lbDNS {
+		ingOld := ing.DeepCopy()
+		ing.Status.LoadBalancer.Ingress = []corev1.LoadBalancerIngress{
+			{
+				Hostname: lbDNS,
+			},
+		}
+		if err := r.k8sClient.Status().Patch(ctx, ing, client.MergeFrom(ingOld)); err != nil {
+			return errors.Wrapf(err, "failed to update ingress status: %v", k8s.NamespacedName(ing))
+		}
+	}
+	return nil
+}
+
 func (r *GroupReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	c, err := controller.New(controllerName, mgr, controller.Options{
 		MaxConcurrentReconciles: 1,

pkg/annotations/constants.go

@@ -16,6 +16,7 @@ const (
 	IngressSuffixLoadBalancerAttributes       = "load-balancer-attributes"
 	IngressSuffixSecurityGroups               = "security-groups"
 	IngressSuffixListenPorts                  = "listen-ports"
+	IngressSuffixInboundCIDRs                 = "inbound-cidrs"
 	IngressSuffixCertificateARN               = "certificate-arn"
 	IngressSuffixSSLPolicy                    = "ssl-policy"
 	IngressSuffixTargetType                   = "target-type"

pkg/aws/errors/utils.go

@@ -0,0 +1,22 @@
+package errors
+
+import (
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/pkg/errors"
+)
+
+func IsELBV2TargetGroupNotFoundError(err error) bool {
+	var awsErr awserr.Error
+	if errors.As(err, &awsErr) {
+		return awsErr.Code() == "TargetGroupNotFound"
+	}
+	return false
+}
+
+func IsEC2SecurityGroupNotFoundError(err error) bool {
+	var awsErr awserr.Error
+	if errors.As(err, &awsErr) {
+		return awsErr.Code() == "InvalidGroup.NotFound"
+	}
+	return false
+}

pkg/deploy/ec2/security_group_manager.go

@@ -167,9 +167,9 @@ func buildIPPermissionInfo(permission ec2model.IPPermission) (networking.IPPermi
 		labels := networking.NewIPPermissionLabelsForRawDescription(permission.IPRanges[0].Description)
 		return networking.NewCIDRIPPermission(protocol, permission.FromPort, permission.ToPort, permission.IPRanges[0].CIDRIP, labels), nil
 	}
-	if len(permission.IPV6Range) == 1 {
-		labels := networking.NewIPPermissionLabelsForRawDescription(permission.IPV6Range[0].Description)
-		return networking.NewCIDRIPPermission(protocol, permission.FromPort, permission.ToPort, permission.IPV6Range[0].CIDRIPv6, labels), nil
+	if len(permission.IPv6Range) == 1 {
+		labels := networking.NewIPPermissionLabelsForRawDescription(permission.IPv6Range[0].Description)
+		return networking.NewCIDRIPPermission(protocol, permission.FromPort, permission.ToPort, permission.IPv6Range[0].CIDRIPv6, labels), nil
 	}
 	if len(permission.UserIDGroupPairs) == 1 {
 		labels := networking.NewIPPermissionLabelsForRawDescription(permission.UserIDGroupPairs[0].Description)

pkg/ingress/model_build_actions.go

@@ -14,40 +14,38 @@ import (
 	"unicode"
 )
 
-func (b *defaultModelBuilder) buildActions(ctx context.Context, stack core.Stack, ingGroupID GroupID, tgByID map[string]*elbv2model.TargetGroup,
-	protocol elbv2model.Protocol, ing *networking.Ingress, backend EnhancedBackend) ([]elbv2model.Action, error) {
+func (t *defaultModelBuildTask) buildActions(ctx context.Context, protocol elbv2model.Protocol, ing *networking.Ingress, backend EnhancedBackend) ([]elbv2model.Action, error) {
 	var actions []elbv2model.Action
 	if protocol == elbv2model.ProtocolHTTPS {
-		authAction, err := b.buildAuthAction(ctx, ing, backend)
+		authAction, err := t.buildAuthAction(ctx, ing, backend)
 		if err != nil {
 			return nil, err
 		}
 		if authAction != nil {
 			actions = append(actions, *authAction)
 		}
 	}
-	backendAction, err := b.buildBackendAction(ctx, stack, ingGroupID, tgByID, ing, backend.Action)
+	backendAction, err := t.buildBackendAction(ctx, ing, backend.Action)
 	if err != nil {
 		return nil, err
 	}
 	actions = append(actions, backendAction)
 	return actions, nil
 }
 
-func (b *defaultModelBuilder) buildBackendAction(ctx context.Context, stack core.Stack, ingGroupID GroupID,
-	tgByID map[string]*elbv2model.TargetGroup, ing *networking.Ingress, actionCfg Action) (elbv2model.Action, error) {
+func (t *defaultModelBuildTask) buildBackendAction(ctx context.Context, ing *networking.Ingress, actionCfg Action) (elbv2model.Action, error) {
 	switch actionCfg.Type {
 	case ActionTypeFixedResponse:
-		return b.buildFixedResponseAction(ctx, actionCfg)
+		return t.buildFixedResponseAction(ctx, actionCfg)
 	case ActionTypeRedirect:
-		return b.buildRedirectAction(ctx, actionCfg)
+		return t.buildRedirectAction(ctx, actionCfg)
 	case ActionTypeForward:
-		return b.buildForwardAction(ctx, stack, ingGroupID, tgByID, ing, actionCfg)
+		return t.buildForwardAction(ctx, ing, actionCfg)
 	}
 	return elbv2model.Action{}, errors.Errorf("unknown action type: %v", actionCfg.Type)
 }
 
-func (b *defaultModelBuilder) buildAuthAction(ctx context.Context, ing *networking.Ingress, backend EnhancedBackend) (*elbv2model.Action, error) {
+func (t *defaultModelBuildTask) buildAuthAction(ctx context.Context, ing *networking.Ingress, backend EnhancedBackend) (*elbv2model.Action, error) {
 	// if a single service is used as backend, then it's auth configuration via annotation will take priority than ingress.
 	svcAndIngAnnotations := ing.Annotations
 	if backend.Action.Type == ActionTypeForward && len(backend.Action.ForwardConfig.TargetGroups) == 1 && backend.Action.ForwardConfig.TargetGroups[0].ServiceName != nil {
@@ -57,24 +55,25 @@ func (b *defaultModelBuilder) buildAuthAction(ctx context.Context, ing *networki
 			Name:      svcName,
 		}
 		svc := &corev1.Service{}
-		if err := b.k8sClient.Get(ctx, svcKey, svc); err != nil {
+		if err := t.k8sClient.Get(ctx, svcKey, svc); err != nil {
 			return nil, err
 		}
 		svcAndIngAnnotations = algorithm.MergeStringMap(svc.Annotations, svcAndIngAnnotations)
 	}
-	authCfg, err := b.authConfigBuilder.Build(ctx, svcAndIngAnnotations)
+
+	authCfg, err := t.authConfigBuilder.Build(ctx, svcAndIngAnnotations)
 	if err != nil {
 		return nil, err
 	}
 	switch authCfg.Type {
 	case AuthTypeCognito:
-		action, err := b.buildAuthenticateCognitoAction(ctx, authCfg)
+		action, err := t.buildAuthenticateCognitoAction(ctx, authCfg)
 		if err != nil {
 			return nil, err
 		}
 		return &action, nil
 	case AuthTypeOIDC:
-		action, err := b.buildAuthenticateOIDCAction(ctx, authCfg, ing.Namespace)
+		action, err := t.buildAuthenticateOIDCAction(ctx, authCfg, ing.Namespace)
 		if err != nil {
 			return nil, err
 		}
@@ -84,7 +83,7 @@ func (b *defaultModelBuilder) buildAuthAction(ctx context.Context, ing *networki
 	}
 }
 
-func (b *defaultModelBuilder) buildFixedResponseAction(ctx context.Context, actionCfg Action) (elbv2model.Action, error) {
+func (t *defaultModelBuildTask) buildFixedResponseAction(_ context.Context, actionCfg Action) (elbv2model.Action, error) {
 	if actionCfg.FixedResponseConfig == nil {
 		return elbv2model.Action{}, errors.New("missing FixedResponseConfig")
 	}
@@ -98,7 +97,7 @@ func (b *defaultModelBuilder) buildFixedResponseAction(ctx context.Context, acti
 	}, nil
 }
 
-func (b *defaultModelBuilder) buildRedirectAction(ctx context.Context, actionCfg Action) (elbv2model.Action, error) {
+func (t *defaultModelBuildTask) buildRedirectAction(_ context.Context, actionCfg Action) (elbv2model.Action, error) {
 	if actionCfg.RedirectConfig == nil {
 		return elbv2model.Action{}, errors.New("missing RedirectConfig")
 	}
@@ -115,11 +114,11 @@ func (b *defaultModelBuilder) buildRedirectAction(ctx context.Context, actionCfg
 	}, nil
 }
 
-func (b *defaultModelBuilder) buildForwardAction(ctx context.Context, stack core.Stack, ingGroupID GroupID,
-	tgByID map[string]*elbv2model.TargetGroup, ing *networking.Ingress, actionCfg Action) (elbv2model.Action, error) {
+func (t *defaultModelBuildTask) buildForwardAction(ctx context.Context, ing *networking.Ingress, actionCfg Action) (elbv2model.Action, error) {
 	if actionCfg.ForwardConfig == nil {
 		return elbv2model.Action{}, errors.New("missing ForwardConfig")
 	}
+
 	var targetGroupTuples []elbv2model.TargetGroupTuple
 	for _, tgt := range actionCfg.ForwardConfig.TargetGroups {
 		var tgARN core.StringToken
@@ -131,10 +130,10 @@ func (b *defaultModelBuilder) buildForwardAction(ctx context.Context, stack core
 				Name:      awssdk.StringValue(tgt.ServiceName),
 			}
 			svc := &corev1.Service{}
-			if err := b.k8sClient.Get(ctx, svcKey, svc); err != nil {
+			if err := t.k8sClient.Get(ctx, svcKey, svc); err != nil {
 				return elbv2model.Action{}, err
 			}
-			tg, err := b.buildTargetGroup(ctx, stack, ingGroupID, tgByID, ing, svc, *tgt.ServicePort)
+			tg, err := t.buildTargetGroup(ctx, ing, svc, *tgt.ServicePort)
 			if err != nil {
 				return elbv2model.Action{}, err
 			}
@@ -162,7 +161,7 @@ func (b *defaultModelBuilder) buildForwardAction(ctx context.Context, stack core
 	}, nil
 }
 
-func (b *defaultModelBuilder) buildAuthenticateCognitoAction(ctx context.Context, authCfg AuthConfig) (elbv2model.Action, error) {
+func (t *defaultModelBuildTask) buildAuthenticateCognitoAction(_ context.Context, authCfg AuthConfig) (elbv2model.Action, error) {
 	if authCfg.IDPConfigCognito == nil {
 		return elbv2model.Action{}, errors.New("missing IDPConfigCognito")
 	}
@@ -182,7 +181,7 @@ func (b *defaultModelBuilder) buildAuthenticateCognitoAction(ctx context.Context
 	}, nil
 }
 
-func (b *defaultModelBuilder) buildAuthenticateOIDCAction(ctx context.Context, authCfg AuthConfig, namespace string) (elbv2model.Action, error) {
+func (t *defaultModelBuildTask) buildAuthenticateOIDCAction(ctx context.Context, authCfg AuthConfig, namespace string) (elbv2model.Action, error) {
 	if authCfg.IDPConfigOIDC == nil {
 		return elbv2model.Action{}, errors.New("missing IDPConfigOIDC")
 	}
@@ -192,9 +191,10 @@ func (b *defaultModelBuilder) buildAuthenticateOIDCAction(ctx context.Context, a
 		Name:      authCfg.IDPConfigOIDC.SecretName,
 	}
 	secret := &corev1.Secret{}
-	if err := b.k8sClient.Get(ctx, secretKey, secret); err != nil {
+	if err := t.k8sClient.Get(ctx, secretKey, secret); err != nil {
 		return elbv2model.Action{}, err
 	}
+
 	clientID := strings.TrimRightFunc(string(secret.Data["clientId"]), unicode.IsSpace)
 	clientSecret := string(secret.Data["clientSecret"])
 	return elbv2model.Action{
@@ -215,7 +215,7 @@ func (b *defaultModelBuilder) buildAuthenticateOIDCAction(ctx context.Context, a
 	}, nil
 }
 
-func (b *defaultModelBuilder) build404Action(ctx context.Context) elbv2model.Action {
+func (t *defaultModelBuildTask) build404Action(_ context.Context) elbv2model.Action {
 	return elbv2model.Action{
 		Type: elbv2model.ActionTypeFixedResponse,
 		FixedResponseConfig: &elbv2model.FixedResponseActionConfig{