check deletion_protection in model builder step

Author: oliviassss

controllers/ingress/group_controller.go

@@ -29,7 +29,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/source"
-	"strconv"
 )
 
 const (
@@ -39,7 +38,6 @@ const (
 	// the groupVersion of used Ingress & IngressClass resource.
 	ingressResourcesGroupVersion 	 = "networking.k8s.io/v1beta1"
 	ingressClassKind             	 = "IngressClass"
-	lbAttrsDeletionProtectionEnabled = "deletion_protection.enabled"
 )
 
 // NewGroupReconciler constructs new GroupReconciler
@@ -128,17 +126,6 @@ func (r *groupReconciler) reconcile(ctx context.Context, req ctrl.Request) error
 		r.recordIngressGroupEvent(ctx, ingGroup, corev1.EventTypeWarning, k8s.IngressEventReasonFailedAddFinalizer, fmt.Sprintf("Failed add finalizer due to %v", err))
 		return err
 	}
-	for _, inactiveMember := range ingGroup.InactiveMembers {
-		if !inactiveMember.DeletionTimestamp.IsZero() {
-			deletionProtectionEnabled, err := r.getDeletionProtectionViaAnnotation(inactiveMember)
-			if err != nil {
-				return err
-			}
-			if deletionProtectionEnabled {
-				return errors.Errorf("deletion_protection is enabled, cannot delete the ingress: %v", inactiveMember.Name)
-			}
-		}
-	}
 	_, lb, err := r.buildAndDeployModel(ctx, ingGroup)
 	if err != nil {
 		return err
@@ -327,22 +314,6 @@ func (r *groupReconciler) setupWatches(_ context.Context, c controller.Controlle
 	return nil
 }
 
-func (r *groupReconciler) getDeletionProtectionViaAnnotation(ing *networking.Ingress) (bool, error) {
-	var lbAttributes map[string]string
-	_, err := r.annotationParser.ParseStringMapAnnotation(annotations.IngressSuffixLoadBalancerAttributes, &lbAttributes, ing.Annotations)
-	if err != nil {
-		return false, err
-	}
-	if _, deletionProtectionSpecified := lbAttributes[lbAttrsDeletionProtectionEnabled]; deletionProtectionSpecified {
-		deletionProtectionEnabled, err := strconv.ParseBool(lbAttributes[lbAttrsDeletionProtectionEnabled])
-		if err != nil {
-			return false, err
-		}
-		return deletionProtectionEnabled, nil
-	}
-	return false, nil
-}
-
 // isResourceKindAvailable checks whether specific kind is available.
 func isResourceKindAvailable(resList *metav1.APIResourceList, kind string) bool {
 	for _, res := range resList.APIResources {

controllers/service/service_controller.go

@@ -24,15 +24,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/source"
-	"strconv"
 )
 
 const (
 	serviceFinalizer                 = "service.k8s.aws/resources"
 	serviceTagPrefix                 = "service.k8s.aws"
 	serviceAnnotationPrefix          = "service.beta.kubernetes.io"
 	controllerName                   = "service"
-	lbAttrsDeletionProtectionEnabled = "deletion_protection.enabled"
 )
 
 func NewServiceReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorder record.EventRecorder,
@@ -90,13 +88,6 @@ func (r *serviceReconciler) reconcile(ctx context.Context, req ctrl.Request) err
 		return client.IgnoreNotFound(err)
 	}
 	if !svc.DeletionTimestamp.IsZero() {
-		deletionProtectionEnabled, err := r.getDeletionProtectionViaAnnotation(*svc)
-		if err != nil {
-			return err
-		}
-		if deletionProtectionEnabled {
-			return errors.Errorf("deletion_protection is enabled, cannot delete the service: %v", svc.Name)
-		}
 		return r.cleanupLoadBalancerResources(ctx, svc)
 	}
 	return r.reconcileLoadBalancerResources(ctx, svc)
@@ -200,18 +191,3 @@ func (r *serviceReconciler) setupWatches(_ context.Context, c controller.Control
 	return nil
 }
 
-func (r *serviceReconciler) getDeletionProtectionViaAnnotation(svc corev1.Service) (bool, error) {
-	var lbAttributes map[string]string
-	_, err := r.annotationParser.ParseStringMapAnnotation(annotations.SvcLBSuffixLoadBalancerAttributes, &lbAttributes, svc.Annotations)
-	if err != nil {
-		return false, err
-	}
-	if _, deletionProtectionSpecified := lbAttributes[lbAttrsDeletionProtectionEnabled]; deletionProtectionSpecified {
-		deletionProtectionEnabled, err := strconv.ParseBool(lbAttributes[lbAttrsDeletionProtectionEnabled])
-		if err != nil {
-			return false, err
-		}
-		return deletionProtectionEnabled, nil
-	}
-	return false, nil
-}

pkg/deploy/elbv2/load_balancer_synthesizer.go

@@ -63,7 +63,7 @@ func (s *loadBalancerSynthesizer) Synthesize(ctx context.Context) error {
 	for _, sdkLB := range unmatchedSDKLBs {
 		if err := s.lbManager.Delete(ctx, sdkLB); err != nil {
 			errMessage := err.Error()
-			if strings.Contains(errMessage,"OperationNotPermitted") {
+			if strings.Contains(errMessage,"OperationNotPermitted") && strings.Contains(errMessage, "deletion protection") {
 				s.disableDeletionProtection(sdkLB.LoadBalancer)
 				if err = s.lbManager.Delete(ctx, sdkLB); err != nil {
 					return err

pkg/ingress/model_builder.go

@@ -7,6 +7,7 @@ import (
 	"github.com/go-logr/logr"
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
+	networking "k8s.io/api/networking/v1beta1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/tools/record"
@@ -20,6 +21,11 @@ import (
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
 	networkingpkg "sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"strconv"
+)
+
+const (
+	lbAttrsDeletionProtectionEnabled = "deletion_protection.enabled"
 )
 
 // ModelBuilder is responsible for build mode stack for a IngressGroup.
@@ -179,10 +185,20 @@ type defaultModelBuildTask struct {
 }
 
 func (t *defaultModelBuildTask) run(ctx context.Context) error {
+	for _, inactiveMember := range t.ingGroup.InactiveMembers {
+		if !inactiveMember.DeletionTimestamp.IsZero() {
+			deletionProtectionEnabled, err := t.getDeletionProtectionViaAnnotation(inactiveMember)
+			if err != nil {
+				return err
+			}
+			if deletionProtectionEnabled {
+				return errors.Errorf("deletion_protection is enabled, cannot delete the ingress: %v", inactiveMember.Name)
+			}
+		}
+	}
 	if len(t.ingGroup.Members) == 0 {
 		return nil
 	}
-
 	ingListByPort := make(map[int64][]ClassifiedIngress)
 	listenPortConfigsByPort := make(map[int64][]listenPortConfigWithIngress)
 	for _, member := range t.ingGroup.Members {
@@ -340,6 +356,22 @@ func (t *defaultModelBuildTask) buildSSLRedirectConfig(ctx context.Context, list
 	}, nil
 }
 
+func (t *defaultModelBuildTask) getDeletionProtectionViaAnnotation(ing *networking.Ingress) (bool, error) {
+	var lbAttributes map[string]string
+	_, err := t.annotationParser.ParseStringMapAnnotation(annotations.IngressSuffixLoadBalancerAttributes, &lbAttributes, ing.Annotations)
+	if err != nil {
+		return false, err
+	}
+	if _, deletionProtectionSpecified := lbAttributes[lbAttrsDeletionProtectionEnabled]; deletionProtectionSpecified {
+		deletionProtectionEnabled, err := strconv.ParseBool(lbAttributes[lbAttrsDeletionProtectionEnabled])
+		if err != nil {
+			return false, err
+		}
+		return deletionProtectionEnabled, nil
+	}
+	return false, nil
+}
+
 // the listen port config for specific Ingress's listener port.
 type listenPortConfigWithIngress struct {
 	ingKey           types.NamespacedName

pkg/service/model_builder.go

@@ -2,6 +2,7 @@ package service
 
 import (
 	"context"
+	"github.com/pkg/errors"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"strconv"
 	"sync"
@@ -22,6 +23,7 @@ const (
 	LoadBalancerTypeExternal       = "external"
 	LoadBalancerTargetTypeIP       = "ip"
 	LoadBalancerTargetTypeInstance = "instance"
+	lbAttrsDeletionProtection = "deletion_protection.enabled"
 )
 
 // ModelBuilder builds the model stack for the service resource.
@@ -156,6 +158,13 @@ type defaultModelBuildTask struct {
 
 func (t *defaultModelBuildTask) run(ctx context.Context) error {
 	if !t.service.DeletionTimestamp.IsZero() {
+		deletionProtectionEnabled, err := t.getDeletionProtectionViaAnnotation(*t.service)
+		if err != nil {
+			return err
+		}
+		if deletionProtectionEnabled {
+			return errors.Errorf("deletion_protection is enabled, cannot delete the service: %v", t.service.Name)
+		}
 		return nil
 	}
 	err := t.buildModel(ctx)
@@ -181,3 +190,20 @@ func (t *defaultModelBuildTask) buildModel(ctx context.Context) error {
 	}
 	return nil
 }
+
+func (t *defaultModelBuildTask) getDeletionProtectionViaAnnotation(svc corev1.Service) (bool, error) {
+	var lbAttributes map[string]string
+	_, err := t.annotationParser.ParseStringMapAnnotation(annotations.SvcLBSuffixLoadBalancerAttributes, &lbAttributes, svc.Annotations)
+	if err != nil {
+		return false, err
+	}
+	if _, deletionProtectionSpecified := lbAttributes[lbAttrsDeletionProtection]; deletionProtectionSpecified {
+		deletionProtectionEnabled, err := strconv.ParseBool(lbAttributes[lbAttrsDeletionProtection])
+		if err != nil {
+			return false, err
+		}
+		return deletionProtectionEnabled, nil
+	}
+	return false, nil
+}
+