Add support for ALB IPv6 target groups (#2284)

* Add support for ALB IPv6 target groups

* Update CRDs

* resolve VPC ENI for pods with IPv6 addresses

* fix formatting

* refactor based on PR comments

Author: kishorj

Dockerfile

@@ -7,7 +7,9 @@ COPY go.mod go.mod
 COPY go.sum go.sum
 # cache deps before building and copying source so that we don't need to re-download as much
 # and so that source changes don't invalidate our downloaded layer
-RUN GOPROXY=direct go mod download
+RUN --mount=type=bind,target=. \
+    --mount=type=cache,target=/root/.cache/go-build \
+    GOPROXY=direct go mod download
 
 FROM base AS build
 ARG TARGETOS

apis/elbv2/v1beta1/targetgroupbinding_types.go

@@ -33,6 +33,15 @@ const (
 	TargetTypeIP       TargetType = "ip"
 )
 
+// +kubebuilder:validation:Enum=ipv4;ipv6
+// TargetGroupIPAddressType is the IP Address type of your ELBV2 TargetGroup.
+type TargetGroupIPAddressType string
+
+const (
+	TargetGroupIPAddressTypeIPv4 TargetGroupIPAddressType = "ipv4"
+	TargetGroupIPAddressTypeIPv6 TargetGroupIPAddressType = "ipv6"
+)
+
 // ServiceReference defines reference to a Kubernetes Service and its ServicePort.
 type ServiceReference struct {
 	// Name is the name of the Service.
@@ -132,6 +141,10 @@ type TargetGroupBindingSpec struct {
 	// node selector for instance type target groups to only register certain nodes
 	// +optional
 	NodeSelector *metav1.LabelSelector `json:"nodeSelector,omitempty"`
+
+	// ipAddressType specifies whether the target group is of type IPv4 or IPv6. If unspecified, it will be automatically inferred.
+	// +optional
+	IPAddressType *TargetGroupIPAddressType `json:"ipAddressType,omitempty"`
 }
 
 // TargetGroupBindingStatus defines the observed state of TargetGroupBinding

apis/elbv2/v1beta1/zz_generated.deepcopy.go

@@ -188,6 +188,12 @@ spec:
           spec:
             description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding
             properties:
+              ipAddressType:
+                description: ipAddressType specifies whether the target group is of type IPv4 or IPv6. If unspecified, it will be automatically inferred.
+                enum:
+                - ipv4
+                - ipv6
+                type: string
               networking:
                 description: networking defines the networking rules to allow ELBV2 LoadBalancer to access targets in TargetGroup.
                 properties:

config/crd/bases/elbv2.k8s.aws_targetgroupbindings.yaml

@@ -19,6 +19,7 @@
                 "ec2:DescribeAvailabilityZones",
                 "ec2:DescribeInternetGateways",
                 "ec2:DescribeVpcs",
+                "ec2:DescribeVpcPeeringConnections",
                 "ec2:DescribeSubnets",
                 "ec2:DescribeSecurityGroups",
                 "ec2:DescribeInstances",

docs/install/iam_policy.json

@@ -19,6 +19,7 @@
                 "ec2:DescribeAvailabilityZones",
                 "ec2:DescribeInternetGateways",
                 "ec2:DescribeVpcs",
+                "ec2:DescribeVpcPeeringConnections",
                 "ec2:DescribeSubnets",
                 "ec2:DescribeSecurityGroups",
                 "ec2:DescribeInstances",

docs/install/iam_policy_cn.json

@@ -19,6 +19,7 @@
                 "ec2:DescribeAvailabilityZones",
                 "ec2:DescribeInternetGateways",
                 "ec2:DescribeVpcs",
+                "ec2:DescribeVpcPeeringConnections",
                 "ec2:DescribeSubnets",
                 "ec2:DescribeSecurityGroups",
                 "ec2:DescribeInstances",

docs/install/iam_policy_us-gov.json

@@ -4,7 +4,7 @@ go 1.16
 
 require (
 	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
-	github.com/aws/aws-sdk-go v1.40.7
+	github.com/aws/aws-sdk-go v1.41.0
 	github.com/fatih/color v1.7.0 // indirect
 	github.com/gavv/httpexpect/v2 v2.3.1 // indirect
 	github.com/go-logr/logr v0.4.0

go.mod

@@ -135,6 +135,8 @@ github.com/aws/aws-sdk-go v1.38.67 h1:OCeXMKiiM8X7HAKPCE5yD+t+sEsRaj8EwDs2tlgvX2
 github.com/aws/aws-sdk-go v1.38.67/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
 github.com/aws/aws-sdk-go v1.40.7 h1:dD5+UZxedqHeE4WakJHEhTsEARYlq8kHkYEf89R1tEo=
 github.com/aws/aws-sdk-go v1.40.7/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
+github.com/aws/aws-sdk-go v1.41.0 h1:XUzHLFWQVhmFtmKTodnAo5QdooPQfpVfilCxIV3aLoE=
+github.com/aws/aws-sdk-go v1.41.0/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
 github.com/aws/aws-sdk-go-v2 v0.18.0 h1:qZ+woO4SamnH/eEbjM2IDLhRNwIwND/RQyVlBLp3Jqg=
 github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g=
 github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=

go.sum

@@ -61,6 +61,22 @@ spec:
                 - ipv4
                 - dualstack
                 type: string
+              loadBalancerAttributes:
+                description: LoadBalancerAttributes define the custom attributes to LoadBalancers for all Ingress that that belong to IngressClass with this IngressClassParams.
+                items:
+                  description: Attributes defines custom attributes on resources.
+                  properties:
+                    key:
+                      description: The key of the attribute.
+                      type: string
+                    value:
+                      description: The value of the attribute.
+                      type: string
+                  required:
+                  - key
+                  - value
+                  type: object
+                type: array
               namespaceSelector:
                 description: NamespaceSelector restrict the namespaces of Ingresses that are allowed to specify the IngressClass with this IngressClassParams. * if absent or present but empty, it selects all namespaces.
                 properties:
@@ -313,6 +329,12 @@ spec:
           spec:
             description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding
             properties:
+              ipAddressType:
+                description: ipAddressType specifies whether the target group is of type IPv4 or IPv6. If unspecified, it will be automatically inferred.
+                enum:
+                - ipv4
+                - ipv6
+                type: string
               networking:
                 description: networking defines the networking rules to allow ELBV2 LoadBalancer to access targets in TargetGroup.
                 properties:

helm/aws-load-balancer-controller/crds/crds.yaml

@@ -145,7 +145,7 @@ func main() {
 		mgr.GetClient(), ctrl.Log.WithName("pod-readiness-gate-injector"))
 	corewebhook.NewPodMutator(podReadinessGateInjector).SetupWithManager(mgr)
 	elbv2webhook.NewTargetGroupBindingMutator(cloud.ELBV2(), ctrl.Log).SetupWithManager(mgr)
-	elbv2webhook.NewTargetGroupBindingValidator(mgr.GetClient(), ctrl.Log).SetupWithManager(mgr)
+	elbv2webhook.NewTargetGroupBindingValidator(mgr.GetClient(), cloud.ELBV2(), ctrl.Log).SetupWithManager(mgr)
 	networkingwebhook.NewIngressValidator(mgr.GetClient(), controllerCFG.IngressConfig, ctrl.Log).SetupWithManager(mgr)
 	//+kubebuilder:scaffold:builder