Added EnableIPTargetType flag to controller (#2587)

* added EnableIPTargetType feature to controller

Signed-off-by: thejasn <[email protected]>

* review: fixed package alias

Signed-off-by: thejasn <[email protected]>

Author: Thejas N

controllers/ingress/group_controller.go

@@ -44,26 +44,26 @@ const (
 func NewGroupReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorder record.EventRecorder,
 	finalizerManager k8s.FinalizerManager, networkingSGManager networkingpkg.SecurityGroupManager,
 	networkingSGReconciler networkingpkg.SecurityGroupReconciler, subnetsResolver networkingpkg.SubnetsResolver,
-	config config.ControllerConfig, backendSGProvider networkingpkg.BackendSGProvider, logger logr.Logger) *groupReconciler {
+	controllerConfig config.ControllerConfig, backendSGProvider networkingpkg.BackendSGProvider, logger logr.Logger) *groupReconciler {
 
 	annotationParser := annotations.NewSuffixAnnotationParser(annotations.AnnotationPrefixIngress)
 	authConfigBuilder := ingress.NewDefaultAuthConfigBuilder(annotationParser)
 	enhancedBackendBuilder := ingress.NewDefaultEnhancedBackendBuilder(k8sClient, annotationParser, authConfigBuilder)
 	referenceIndexer := ingress.NewDefaultReferenceIndexer(enhancedBackendBuilder, authConfigBuilder, logger)
-	trackingProvider := tracking.NewDefaultProvider(ingressTagPrefix, config.ClusterName)
-	elbv2TaggingManager := elbv2deploy.NewDefaultTaggingManager(cloud.ELBV2(), cloud.VpcID(), config.FeatureGates, logger)
+	trackingProvider := tracking.NewDefaultProvider(ingressTagPrefix, controllerConfig.ClusterName)
+	elbv2TaggingManager := elbv2deploy.NewDefaultTaggingManager(cloud.ELBV2(), cloud.VpcID(), controllerConfig.FeatureGates, logger)
 	modelBuilder := ingress.NewDefaultModelBuilder(k8sClient, eventRecorder,
 		cloud.EC2(), cloud.ACM(),
 		annotationParser, subnetsResolver,
 		authConfigBuilder, enhancedBackendBuilder, trackingProvider, elbv2TaggingManager,
-		cloud.VpcID(), config.ClusterName, config.DefaultTags, config.ExternalManagedTags,
-		config.DefaultSSLPolicy, backendSGProvider, config.EnableBackendSecurityGroup, config.DisableRestrictedSGRules, logger)
+		cloud.VpcID(), controllerConfig.ClusterName, controllerConfig.DefaultTags, controllerConfig.ExternalManagedTags,
+		controllerConfig.DefaultSSLPolicy, backendSGProvider, controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), logger)
 	stackMarshaller := deploy.NewDefaultStackMarshaller()
 	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler,
-		config, ingressTagPrefix, logger)
+		controllerConfig, ingressTagPrefix, logger)
 	classLoader := ingress.NewDefaultClassLoader(k8sClient)
-	classAnnotationMatcher := ingress.NewDefaultClassAnnotationMatcher(config.IngressConfig.IngressClass)
-	manageIngressesWithoutIngressClass := config.IngressConfig.IngressClass == ""
+	classAnnotationMatcher := ingress.NewDefaultClassAnnotationMatcher(controllerConfig.IngressConfig.IngressClass)
+	manageIngressesWithoutIngressClass := controllerConfig.IngressConfig.IngressClass == ""
 	groupLoader := ingress.NewDefaultGroupLoader(k8sClient, eventRecorder, annotationParser, classLoader, classAnnotationMatcher, manageIngressesWithoutIngressClass)
 	groupFinalizerManager := ingress.NewDefaultFinalizerManager(finalizerManager)
 
@@ -80,7 +80,7 @@ func NewGroupReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorder
 		groupFinalizerManager: groupFinalizerManager,
 		logger:                logger,
 
-		maxConcurrentReconciles: config.IngressConfig.MaxConcurrentReconciles,
+		maxConcurrentReconciles: controllerConfig.IngressConfig.MaxConcurrentReconciles,
 	}
 }
 

controllers/service/service_controller.go

@@ -36,30 +36,30 @@ const (
 func NewServiceReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorder record.EventRecorder,
 	finalizerManager k8s.FinalizerManager, networkingSGManager networking.SecurityGroupManager,
 	networkingSGReconciler networking.SecurityGroupReconciler, subnetsResolver networking.SubnetsResolver,
-	vpcInfoProvider networking.VPCInfoProvider, config config.ControllerConfig, logger logr.Logger) *serviceReconciler {
+	vpcInfoProvider networking.VPCInfoProvider, controllerConfig config.ControllerConfig, logger logr.Logger) *serviceReconciler {
 
 	annotationParser := annotations.NewSuffixAnnotationParser(serviceAnnotationPrefix)
-	trackingProvider := tracking.NewDefaultProvider(serviceTagPrefix, config.ClusterName)
-	elbv2TaggingManager := elbv2.NewDefaultTaggingManager(cloud.ELBV2(), cloud.VpcID(), config.FeatureGates, logger)
-	serviceUtils := service.NewServiceUtils(annotationParser, serviceFinalizer, config.ServiceConfig.LoadBalancerClass, config.FeatureGates)
+	trackingProvider := tracking.NewDefaultProvider(serviceTagPrefix, controllerConfig.ClusterName)
+	elbv2TaggingManager := elbv2.NewDefaultTaggingManager(cloud.ELBV2(), cloud.VpcID(), controllerConfig.FeatureGates, logger)
+	serviceUtils := service.NewServiceUtils(annotationParser, serviceFinalizer, controllerConfig.ServiceConfig.LoadBalancerClass, controllerConfig.FeatureGates)
 	modelBuilder := service.NewDefaultModelBuilder(annotationParser, subnetsResolver, vpcInfoProvider, cloud.VpcID(), trackingProvider,
-		elbv2TaggingManager, config.ClusterName, config.DefaultTags, config.ExternalManagedTags, config.DefaultSSLPolicy, serviceUtils)
+		elbv2TaggingManager, controllerConfig.ClusterName, controllerConfig.DefaultTags, controllerConfig.ExternalManagedTags, controllerConfig.DefaultSSLPolicy, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), serviceUtils)
 	stackMarshaller := deploy.NewDefaultStackMarshaller()
-	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler, config, serviceTagPrefix, logger)
+	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler, controllerConfig, serviceTagPrefix, logger)
 	return &serviceReconciler{
 		k8sClient:         k8sClient,
 		eventRecorder:     eventRecorder,
 		finalizerManager:  finalizerManager,
 		annotationParser:  annotationParser,
-		loadBalancerClass: config.ServiceConfig.LoadBalancerClass,
+		loadBalancerClass: controllerConfig.ServiceConfig.LoadBalancerClass,
 		serviceUtils:      serviceUtils,
 
 		modelBuilder:    modelBuilder,
 		stackMarshaller: stackMarshaller,
 		stackDeployer:   stackDeployer,
 		logger:          logger,
 
-		maxConcurrentReconciles: config.ServiceMaxConcurrentReconciles,
+		maxConcurrentReconciles: controllerConfig.ServiceMaxConcurrentReconciles,
 	}
 }
 

docs/deploy/configurations.md

@@ -146,3 +146,4 @@ They are a set of kye=value pairs that describe AWS load balance controller feat
 | ServiceTypeLoadBalancerOnly           | string                          | false          | If enabled, controller will be limited to reconciling service of type `LoadBalancer`|
 | EndpointsFailOpen                     | string                          | false          | Enable or disable allowing endpoints with `ready:unknown` state in the target groups. |
 | EnableServiceController               | string                          | true           | Toggles support for `Service` type resources. |
+| EnableIPTargetType                    | string                          | true           | Used to toggle support for target-type `ip` across `Ingress` and `Service` type resources. |

pkg/config/feature_gates.go

@@ -15,6 +15,7 @@ const (
 	ServiceTypeLoadBalancerOnly Feature = "ServiceTypeLoadBalancerOnly"
 	EndpointsFailOpen           Feature = "EndpointsFailOpen"
 	EnableServiceController     Feature = "EnableServiceController"
+	EnableIPTargetType          Feature = "EnableIPTargetType"
 )
 
 type FeatureGates interface {
@@ -47,6 +48,7 @@ func NewFeatureGates() FeatureGates {
 			ServiceTypeLoadBalancerOnly: false,
 			EndpointsFailOpen:           false,
 			EnableServiceController:     true,
+			EnableIPTargetType:          true,
 		},
 	}
 }

pkg/ingress/model_build_target_group.go

@@ -214,6 +214,9 @@ func (t *defaultModelBuildTask) buildTargetGroupTargetType(_ context.Context, sv
 	case string(elbv2model.TargetTypeInstance):
 		return elbv2model.TargetTypeInstance, nil
 	case string(elbv2model.TargetTypeIP):
+		if !t.enableIPTargetType {
+			return "", errors.Errorf("unsupported targetType: %v when EnableIPTargetType is %v", rawTargetType, t.enableIPTargetType)
+		}
 		return elbv2model.TargetTypeIP, nil
 	default:
 		return "", errors.Errorf("unknown targetType: %v", rawTargetType)

pkg/ingress/model_builder.go

@@ -40,7 +40,7 @@ func NewDefaultModelBuilder(k8sClient client.Client, eventRecorder record.EventR
 	authConfigBuilder AuthConfigBuilder, enhancedBackendBuilder EnhancedBackendBuilder,
 	trackingProvider tracking.Provider, elbv2TaggingManager elbv2deploy.TaggingManager,
 	vpcID string, clusterName string, defaultTags map[string]string, externalManagedTags []string, defaultSSLPolicy string,
-	backendSGProvider networkingpkg.BackendSGProvider, enableBackendSG bool, disableRestrictedSGRules bool, logger logr.Logger) *defaultModelBuilder {
+	backendSGProvider networkingpkg.BackendSGProvider, enableBackendSG bool, disableRestrictedSGRules bool, enableIPTargetType bool, logger logr.Logger) *defaultModelBuilder {
 	certDiscovery := NewACMCertDiscovery(acmClient, logger)
 	ruleOptimizer := NewDefaultRuleOptimizer(logger)
 	return &defaultModelBuilder{
@@ -63,6 +63,7 @@ func NewDefaultModelBuilder(k8sClient client.Client, eventRecorder record.EventR
 		defaultSSLPolicy:         defaultSSLPolicy,
 		enableBackendSG:          enableBackendSG,
 		disableRestrictedSGRules: disableRestrictedSGRules,
+		enableIPTargetType:       enableIPTargetType,
 		logger:                   logger,
 	}
 }
@@ -92,6 +93,7 @@ type defaultModelBuilder struct {
 	defaultSSLPolicy         string
 	enableBackendSG          bool
 	disableRestrictedSGRules bool
+	enableIPTargetType       bool
 
 	logger logr.Logger
 }
@@ -117,6 +119,7 @@ func (b *defaultModelBuilder) Build(ctx context.Context, ingGroup Group) (core.S
 		logger:                   b.logger,
 		enableBackendSG:          b.enableBackendSG,
 		disableRestrictedSGRules: b.disableRestrictedSGRules,
+		enableIPTargetType:       b.enableIPTargetType,
 
 		ingGroup: ingGroup,
 		stack:    stack,
@@ -172,6 +175,7 @@ type defaultModelBuildTask struct {
 	backendSGIDToken         core.StringToken
 	enableBackendSG          bool
 	disableRestrictedSGRules bool
+	enableIPTargetType       bool
 
 	defaultTags                               map[string]string
 	externalManagedTags                       sets.String

pkg/ingress/model_builder_test.go

@@ -194,12 +194,13 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 	}
 
 	tests := []struct {
-		name          string
-		env           env
-		args          args
-		fields        fields
-		wantStackJSON string
-		wantErr       error
+		name               string
+		env                env
+		enableIPTargetType *bool
+		args               args
+		fields             fields
+		wantStackJSON      string
+		wantErr            error
 	}{
 		{
 			name: "Ingress - vanilla internal",
@@ -3611,6 +3612,59 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 			},
 			wantErr: errors.New("ingress: ns-1/ing-1: unsupported IPv6 configuration, lb not dual-stack"),
 		},
+		{
+			name: "target type IP with enableIPTargetType set to false",
+			env: env{
+				svcs: []*corev1.Service{svcWithNamedTargetPort},
+			},
+			enableIPTargetType: awssdk.Bool(false),
+			fields: fields{
+				resolveViaDiscoveryCalls: []resolveViaDiscoveryCall{resolveViaDiscoveryCallForInternalLB},
+				listLoadBalancersCalls:   []listLoadBalancersCall{listLoadBalancerCallForEmptyLB},
+				enableBackendSG:          true,
+			},
+			args: args{
+				ingGroup: Group{
+					ID: GroupID{Namespace: "ns-1", Name: "ing-1"},
+					Members: []ClassifiedIngress{
+						{
+							Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
+								Namespace: "ns-1",
+								Name:      "ing-1",
+								Annotations: map[string]string{
+									"alb.ingress.kubernetes.io/target-type": "ip",
+								},
+							},
+								Spec: networking.IngressSpec{
+									Rules: []networking.IngressRule{
+										{
+											IngressRuleValue: networking.IngressRuleValue{
+												HTTP: &networking.HTTPIngressRuleValue{
+													Paths: []networking.HTTPIngressPath{
+														{
+															Path: "/",
+															Backend: networking.IngressBackend{
+																Service: &networking.IngressServiceBackend{
+																	Name: svcWithNamedTargetPort.Name,
+																	Port: networking.ServiceBackendPort{
+																		Name: "https",
+																	},
+																},
+															},
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			wantErr: errors.New("ingress: ns-1/ing-1: unsupported targetType: ip when EnableIPTargetType is false"),
+		},
 		{
 			name: "target type IP with named target port",
 			env: env{
@@ -3900,6 +3954,12 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 				defaultSSLPolicy: "ELBSecurityPolicy-2016-08",
 			}
 
+			if tt.enableIPTargetType == nil {
+				b.enableIPTargetType = true
+			} else {
+				b.enableIPTargetType = *tt.enableIPTargetType
+			}
+
 			gotStack, _, _, err := b.Build(context.Background(), tt.args.ingGroup)
 			if tt.wantErr != nil {
 				assert.EqualError(t, err, tt.wantErr.Error())

pkg/service/model_build_target_group.go

@@ -339,6 +339,9 @@ func (t *defaultModelBuildTask) buildTargetType(_ context.Context, port corev1.S
 	var lbTargetType string
 	lbTargetType = string(t.defaultTargetType)
 	_ = t.annotationParser.ParseStringAnnotation(annotations.SvcLBSuffixTargetType, &lbTargetType, t.service.Annotations)
+	if lbTargetType == LoadBalancerTargetTypeIP && !t.enableIPTargetType {
+		return "", errors.Errorf("unsupported targetType: %v when EnableIPTargetType is %v", lbTargetType, t.enableIPTargetType)
+	}
 	if lbType == LoadBalancerTypeNLBIP || lbTargetType == LoadBalancerTargetTypeIP {
 		return elbv2model.TargetTypeIP, nil
 	}

pkg/service/model_build_target_group_test.go

@@ -1161,10 +1161,11 @@ func Test_defaultModelBuilder_buildPreserveClientIPFlag(t *testing.T) {
 func Test_defaultModelBuilder_buildTargetType(t *testing.T) {
 
 	tests := []struct {
-		testName string
-		svc      *corev1.Service
-		want     elbv2.TargetType
-		wantErr  error
+		testName           string
+		svc                *corev1.Service
+		want               elbv2.TargetType
+		enableIPTargetType *bool
+		wantErr            error
 	}{
 		{
 			testName: "empty annotation",
@@ -1247,6 +1248,29 @@ func Test_defaultModelBuilder_buildTargetType(t *testing.T) {
 			},
 			want: elbv2.TargetTypeIP,
 		},
+		{
+			testName: "enableIPTargetType is false, target ip",
+			svc: &corev1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"service.beta.kubernetes.io/aws-load-balancer-type":            "external",
+						"service.beta.kubernetes.io/aws-load-balancer-nlb-target-type": "ip",
+					},
+				},
+				Spec: corev1.ServiceSpec{
+					Ports: []corev1.ServicePort{
+						{
+							Name:       "http",
+							Port:       80,
+							TargetPort: intstr.FromInt(80),
+							Protocol:   corev1.ProtocolTCP,
+						},
+					},
+				},
+			},
+			enableIPTargetType: aws.Bool(false),
+			wantErr:            errors.New("unsupported targetType: ip when EnableIPTargetType is false"),
+		},
 		{
 			testName: "external, ClusterIP with target type instance",
 			svc: &corev1.Service{
@@ -1337,6 +1361,11 @@ func Test_defaultModelBuilder_buildTargetType(t *testing.T) {
 				service:           tt.svc,
 				defaultTargetType: LoadBalancerTargetTypeInstance,
 			}
+			if tt.enableIPTargetType == nil {
+				builder.enableIPTargetType = true
+			} else {
+				builder.enableIPTargetType = *tt.enableIPTargetType
+			}
 			got, err := builder.buildTargetType(context.Background(), tt.svc.Spec.Ports[0])
 			if tt.wantErr != nil {
 				assert.EqualError(t, err, tt.wantErr.Error())

pkg/service/model_builder.go

@@ -36,7 +36,7 @@ type ModelBuilder interface {
 func NewDefaultModelBuilder(annotationParser annotations.Parser, subnetsResolver networking.SubnetsResolver,
 	vpcInfoProvider networking.VPCInfoProvider, vpcID string, trackingProvider tracking.Provider,
 	elbv2TaggingManager elbv2deploy.TaggingManager, clusterName string, defaultTags map[string]string,
-	externalManagedTags []string, defaultSSLPolicy string, serviceUtils ServiceUtils) *defaultModelBuilder {
+	externalManagedTags []string, defaultSSLPolicy string, enableIPTargetType bool, serviceUtils ServiceUtils) *defaultModelBuilder {
 	return &defaultModelBuilder{
 		annotationParser:    annotationParser,
 		subnetsResolver:     subnetsResolver,
@@ -49,6 +49,7 @@ func NewDefaultModelBuilder(annotationParser annotations.Parser, subnetsResolver
 		defaultTags:         defaultTags,
 		externalManagedTags: sets.NewString(externalManagedTags...),
 		defaultSSLPolicy:    defaultSSLPolicy,
+		enableIPTargetType:  enableIPTargetType,
 	}
 }
 
@@ -67,6 +68,7 @@ type defaultModelBuilder struct {
 	defaultTags         map[string]string
 	externalManagedTags sets.String
 	defaultSSLPolicy    string
+	enableIPTargetType  bool
 }
 
 func (b *defaultModelBuilder) Build(ctx context.Context, service *corev1.Service) (core.Stack, *elbv2model.LoadBalancer, error) {
@@ -80,6 +82,7 @@ func (b *defaultModelBuilder) Build(ctx context.Context, service *corev1.Service
 		trackingProvider:    b.trackingProvider,
 		elbv2TaggingManager: b.elbv2TaggingManager,
 		serviceUtils:        b.serviceUtils,
+		enableIPTargetType:  b.enableIPTargetType,
 
 		service:   service,
 		stack:     stack,
@@ -129,6 +132,7 @@ type defaultModelBuildTask struct {
 	trackingProvider    tracking.Provider
 	elbv2TaggingManager elbv2deploy.TaggingManager
 	serviceUtils        ServiceUtils
+	enableIPTargetType  bool
 
 	service *corev1.Service