feat: Support TargetGroupBinding on targets outside the cluster's VPC

ikosenn · ikosenn · commit c40ee7fbf212 · 2024-02-29T17:46:54.000-08:00
diff --git a/apis/elbv2/v1beta1/targetgroupbinding_types.go b/apis/elbv2/v1beta1/targetgroupbinding_types.go
@@ -145,6 +145,10 @@ type TargetGroupBindingSpec struct {
 	// ipAddressType specifies whether the target group is of type IPv4 or IPv6. If unspecified, it will be automatically inferred.
 	// +optional
 	IPAddressType *TargetGroupIPAddressType `json:"ipAddressType,omitempty"`
+
+	// VpcId is the VPC of the TargetGroup. If unspecified, it will be automatically inferred.
+	// +optional
+	VpcId string `json:"vpcId,omitempty"`
 }
 
 // TargetGroupBindingStatus defines the observed state of TargetGroupBinding
diff --git a/config/crd/bases/elbv2.k8s.aws_targetgroupbindings.yaml b/config/crd/bases/elbv2.k8s.aws_targetgroupbindings.yaml
@@ -386,6 +386,10 @@ spec:
                 - instance
                 - ip
                 type: string
+              vpcId:
+                description: VpcId is the VPC of the TargetGroup. If unspecified,
+                  it will be automatically inferred.
+                type: string
             required:
             - serviceRef
             - targetGroupARN
diff --git a/pkg/targetgroupbinding/resource_manager.go b/pkg/targetgroupbinding/resource_manager.go
@@ -127,6 +127,7 @@ func (m *defaultResourceManager) reconcileWithIPTargetType(ctx context.Context,
 	}
 
 	tgARN := tgb.Spec.TargetGroupARN
+	vpcId := tgb.Spec.VpcId
 	targets, err := m.targetsManager.ListTargets(ctx, tgARN)
 	if err != nil {
 		return err
@@ -145,7 +146,7 @@ func (m *defaultResourceManager) reconcileWithIPTargetType(ctx context.Context,
 		}
 	}
 	if len(unmatchedEndpoints) > 0 {
-		if err := m.registerPodEndpoints(ctx, tgARN, unmatchedEndpoints); err != nil {
+		if err := m.registerPodEndpoints(ctx, tgARN, vpcId, unmatchedEndpoints); err != nil {
 			return err
 		}
 	}
@@ -382,8 +383,13 @@ func (m *defaultResourceManager) deregisterTargets(ctx context.Context, tgARN st
 	return m.targetsManager.DeregisterTargets(ctx, tgARN, sdkTargets)
 }
 
-func (m *defaultResourceManager) registerPodEndpoints(ctx context.Context, tgARN string, endpoints []backend.PodEndpoint) error {
-	vpcInfo, err := m.vpcInfoProvider.FetchVPCInfo(ctx, m.vpcID)
+func (m *defaultResourceManager) registerPodEndpoints(ctx context.Context, tgARN, tgVpcId string, endpoints []backend.PodEndpoint) error {
+	vpcId := m.vpcID
+	// Target group is in a different VPC from the cluster's VPC
+	if tgVpcId != m.vpcID {
+		vpcId = tgVpcId
+	}
+	vpcInfo, err := m.vpcInfoProvider.FetchVPCInfo(ctx, vpcId)
 	if err != nil {
 		return err
 	}
diff --git a/webhooks/elbv2/targetgroupbinding_mutator.go b/webhooks/elbv2/targetgroupbinding_mutator.go
@@ -43,6 +43,9 @@ func (m *targetGroupBindingMutator) MutateCreate(ctx context.Context, obj runtim
 	if err := m.defaultingIPAddressType(ctx, tgb); err != nil {
 		return nil, err
 	}
+	if err := m.defaultingVpcId(ctx, tgb); err != nil {
+		return nil, err
+	}
 	return tgb, nil
 }
 
@@ -85,6 +88,18 @@ func (m *targetGroupBindingMutator) defaultingIPAddressType(ctx context.Context,
 	return nil
 }
 
+func (m *targetGroupBindingMutator) defaultingVpcId(ctx context.Context, tgb *elbv2api.TargetGroupBinding) error {
+	if tgb.Spec.VpcId != "" {
+		return nil
+	}
+	vpcId, err := m.getVpcIdFromAWS(ctx, tgb.Spec.TargetGroupARN)
+	if err != nil {
+		return errors.Wrap(err, "unable to get target group VpcId")
+	}
+	tgb.Spec.VpcId = vpcId
+	return nil
+}
+
 func (m *targetGroupBindingMutator) obtainSDKTargetTypeFromAWS(ctx context.Context, tgARN string) (string, error) {
 	targetGroup, err := m.getTargetGroupFromAWS(ctx, tgARN)
 	if err != nil {
@@ -125,6 +140,14 @@ func (m *targetGroupBindingMutator) getTargetGroupFromAWS(ctx context.Context, t
 	return tgList[0], nil
 }
 
+func (m *targetGroupBindingMutator) getVpcIdFromAWS(ctx context.Context, tgARN string) (string, error) {
+	targetGroup, err := m.getTargetGroupFromAWS(ctx, tgARN)
+	if err != nil {
+		return "", err
+	}
+	return awssdk.StringValue(targetGroup.VpcId), nil
+}
+
 // +kubebuilder:webhook:path=/mutate-elbv2-k8s-aws-v1beta1-targetgroupbinding,mutating=true,failurePolicy=fail,groups=elbv2.k8s.aws,resources=targetgroupbindings,verbs=create;update,versions=v1beta1,name=mtargetgroupbinding.elbv2.k8s.aws,sideEffects=None,webhookVersions=v1,admissionReviewVersions=v1beta1
 
 func (m *targetGroupBindingMutator) SetupWithManager(mgr ctrl.Manager) {
diff --git a/webhooks/elbv2/targetgroupbinding_validator.go b/webhooks/elbv2/targetgroupbinding_validator.go
@@ -55,6 +55,9 @@ func (v *targetGroupBindingValidator) ValidateCreate(ctx context.Context, obj ru
 	if err := v.checkTargetGroupIPAddressType(ctx, tgb); err != nil {
 		return err
 	}
+	if err := v.checkTargetGroupVpcId(ctx, tgb); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -83,6 +86,9 @@ func (v *targetGroupBindingValidator) checkRequiredFields(tgb *elbv2api.TargetGr
 	if tgb.Spec.TargetType == nil {
 		absentRequiredFields = append(absentRequiredFields, "spec.targetType")
 	}
+	if tgb.Spec.VpcId == "" {
+		absentRequiredFields = append(absentRequiredFields, "spec.vpcId")
+	}
 	if len(absentRequiredFields) != 0 {
 		return errors.Errorf("%s must specify these fields: %s", "TargetGroupBinding", strings.Join(absentRequiredFields, ","))
 	}
@@ -108,6 +114,10 @@ func (v *targetGroupBindingValidator) checkImmutableFields(tgb *elbv2api.TargetG
 	if oldTGB.Spec.IPAddressType != nil && tgb.Spec.IPAddressType != nil && (*oldTGB.Spec.IPAddressType) != (*tgb.Spec.IPAddressType) {
 		changedImmutableFields = append(changedImmutableFields, "spec.ipAddressType")
 	}
+	if (tgb.Spec.VpcId != "" && oldTGB.Spec.VpcId != "" && (tgb.Spec.VpcId) != (oldTGB.Spec.VpcId)) ||
+		(tgb.Spec.VpcId == "") != (oldTGB.Spec.VpcId == "") {
+		changedImmutableFields = append(changedImmutableFields, "spec.vpcId")
+	}
 	if len(changedImmutableFields) != 0 {
 		return errors.Errorf("%s update may not change these fields: %s", "TargetGroupBinding", strings.Join(changedImmutableFields, ","))
 	}
@@ -150,6 +160,18 @@ func (v *targetGroupBindingValidator) checkTargetGroupIPAddressType(ctx context.
 	return nil
 }
 
+// checkTargetGroupVpcId ensures VpcId matches with that on the AWS target group
+func (v *targetGroupBindingValidator) checkTargetGroupVpcId(ctx context.Context, tgb *elbv2api.TargetGroupBinding) error {
+	vpcId, err := v.getVpcIdFromAWS(ctx, tgb.Spec.TargetGroupARN)
+	if err != nil {
+		return errors.Wrap(err, "unable to get target group VpcId")
+	}
+	if vpcId != tgb.Spec.VpcId {
+		return errors.Errorf("invalid vpc Id %v doesnt match VpcId from TargetGroup %v", tgb.Spec.VpcId, tgb.Spec.TargetGroupARN)
+	}
+	return nil
+}
+
 // getTargetGroupIPAddressTypeFromAWS returns the target group IP address type of AWS target group
 func (v *targetGroupBindingValidator) getTargetGroupIPAddressTypeFromAWS(ctx context.Context, tgARN string) (elbv2api.TargetGroupIPAddressType, error) {
 	targetGroup, err := v.getTargetGroupFromAWS(ctx, tgARN)
@@ -183,6 +205,14 @@ func (v *targetGroupBindingValidator) getTargetGroupFromAWS(ctx context.Context,
 	return tgList[0], nil
 }
 
+func (v *targetGroupBindingValidator) getVpcIdFromAWS(ctx context.Context, tgARN string) (string, error) {
+	targetGroup, err := v.getTargetGroupFromAWS(ctx, tgARN)
+	if err != nil {
+		return "", err
+	}
+	return awssdk.StringValue(targetGroup.VpcId), nil
+}
+
 // +kubebuilder:webhook:path=/validate-elbv2-k8s-aws-v1beta1-targetgroupbinding,mutating=false,failurePolicy=fail,groups=elbv2.k8s.aws,resources=targetgroupbindings,verbs=create;update,versions=v1beta1,name=vtargetgroupbinding.elbv2.k8s.aws,sideEffects=None,webhookVersions=v1,admissionReviewVersions=v1beta1
 
 func (v *targetGroupBindingValidator) SetupWithManager(mgr ctrl.Manager) {

Original file line number	Diff line number	Diff line change
`@@ -127,6 +127,7 @@ func (m *defaultResourceManager) reconcileWithIPTargetType(ctx context.Context,`
`127`	`127`	`}`
`128`	`128`
`129`	`129`	`tgARN := tgb.Spec.TargetGroupARN`
	`130`	`+ vpcId := tgb.Spec.VpcId`
`130`	`131`	`targets, err := m.targetsManager.ListTargets(ctx, tgARN)`
`131`	`132`	`if err != nil {`
`132`	`133`	`return err`
`@@ -145,7 +146,7 @@ func (m *defaultResourceManager) reconcileWithIPTargetType(ctx context.Context,`
`145`	`146`	`}`
`146`	`147`	`}`
`147`	`148`	`if len(unmatchedEndpoints) > 0 {`
`148`		`- if err := m.registerPodEndpoints(ctx, tgARN, unmatchedEndpoints); err != nil {`
	`149`	`+ if err := m.registerPodEndpoints(ctx, tgARN, vpcId, unmatchedEndpoints); err != nil {`
`149`	`150`	`return err`
`150`	`151`	`}`
`151`	`152`	`}`
`@@ -382,8 +383,13 @@ func (m *defaultResourceManager) deregisterTargets(ctx context.Context, tgARN st`
`382`	`383`	`return m.targetsManager.DeregisterTargets(ctx, tgARN, sdkTargets)`
`383`	`384`	`}`
`384`	`385`
`385`		`-func (m *defaultResourceManager) registerPodEndpoints(ctx context.Context, tgARN string, endpoints []backend.PodEndpoint) error {`
`386`		`- vpcInfo, err := m.vpcInfoProvider.FetchVPCInfo(ctx, m.vpcID)`
	`386`	`+func (m *defaultResourceManager) registerPodEndpoints(ctx context.Context, tgARN, tgVpcId string, endpoints []backend.PodEndpoint) error {`
	`387`	`+ vpcId := m.vpcID`
	`388`	`+ // Target group is in a different VPC from the cluster's VPC`
	`389`	`+ if tgVpcId != m.vpcID {`
	`390`	`+ vpcId = tgVpcId`
	`391`	`+ }`
	`392`	`+ vpcInfo, err := m.vpcInfoProvider.FetchVPCInfo(ctx, vpcId)`
`387`	`393`	`if err != nil {`
`388`	`394`	`return err`
`389`	`395`	`}`