Rebase to v2.4.1 from upstream

Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:experimental
 
-FROM --platform=${TARGETPLATFORM} public.ecr.aws/docker/library/golang:1.17.4 AS base
+FROM --platform=${TARGETPLATFORM} public.ecr.aws/docker/library/golang:1.17.8 AS base
 WORKDIR /workspace
 # Copy the Go Modules manifests
 COPY go.mod go.mod
@@ -25,7 +25,7 @@ RUN --mount=type=bind,target=. \
     CGO_LDFLAGS="-Wl,-z,relro,-z,now" \
     go build -buildmode=pie -tags 'osusergo,netgo,static_build' -ldflags="-s -w -linkmode=external -extldflags '-static-pie' -X ${VERSION_PKG}.GitVersion=${GIT_VERSION} -X ${VERSION_PKG}.GitCommit=${GIT_COMMIT} -X ${VERSION_PKG}.BuildDate=${BUILD_DATE}" -mod=readonly -a -o /out/controller main.go
 
-FROM public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-nonroot:2021-12-01-1638322424 as bin-unix
+FROM public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-nonroot:2022-03-09-1646784337.2 as bin-unix
 
 COPY --from=build /out/controller /controller
 ENTRYPOINT ["/controller"]

Makefile

@@ -2,7 +2,7 @@
 MAKEFILE_PATH = $(dir $(realpath -s $(firstword $(MAKEFILE_LIST))))
 
 # Image URL to use all building/pushing image targets
-IMG ?= amazon/aws-alb-ingress-controller:v2.3.1
+IMG ?= amazon/aws-alb-ingress-controller:v2.4.1
 
 CRD_OPTIONS ?= "crd:crdVersions=v1"
 
@@ -101,7 +101,7 @@ docs-preview: docs-dependencies
 
 # publish the versioned docs using mkdocs mike util
 docs-publish: docs-dependencies
-	pipenv run mike deploy v2.3 latest -p --update-aliases
+	pipenv run mike deploy v2.4 latest -p --update-aliases
 
 # install dependencies needed to preview and publish docs
 docs-dependencies:

config/controller/kustomization.yaml

@@ -9,4 +9,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: amazon/aws-alb-ingress-controller
-  newTag: v2.3.1
+  newTag: v2.4.1

config/rbac/role.yaml

@@ -52,14 +52,6 @@ rules:
   verbs:
   - patch
   - update
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - ""
   resources:

controllers/elbv2/eventhandlers/node.go

@@ -55,47 +55,54 @@ func (h *enqueueRequestsForNodeEvent) Generic(e event.GenericEvent, queue workqu
 	// nothing to do here
 }
 
-// enqueueImpactedEndpointBindings will enqueue all impacted TargetGroupBindings for node events.
+// enqueueImpactedTargetGroupBindings will enqueue all impacted TargetGroupBindings for node events.
 func (h *enqueueRequestsForNodeEvent) enqueueImpactedTargetGroupBindings(queue workqueue.RateLimitingInterface, nodeOld *corev1.Node, nodeNew *corev1.Node) {
 	var nodeKey types.NamespacedName
-	nodeOldIsReady := false
-	nodeNewIsReady := false
+	nodeOldSuitableAsTrafficProxy := false
+	nodeNewSuitableAsTrafficProxy := false
+	nodeOldReadyCondStatus := corev1.ConditionFalse
+	nodeNewReadyCondStatus := corev1.ConditionFalse
 	if nodeOld != nil {
 		nodeKey = k8s.NamespacedName(nodeOld)
-		nodeOldIsReady = k8s.IsNodeSuitableAsTrafficProxy(nodeOld)
+		nodeOldSuitableAsTrafficProxy = backend.IsNodeSuitableAsTrafficProxy(nodeOld)
+		if readyCond := k8s.GetNodeCondition(nodeOld, corev1.NodeReady); readyCond != nil {
+			nodeOldReadyCondStatus = readyCond.Status
+		}
 	}
 	if nodeNew != nil {
 		nodeKey = k8s.NamespacedName(nodeNew)
-		nodeNewIsReady = k8s.IsNodeSuitableAsTrafficProxy(nodeNew)
+		nodeNewSuitableAsTrafficProxy = backend.IsNodeSuitableAsTrafficProxy(nodeNew)
+		if readyCond := k8s.GetNodeCondition(nodeNew, corev1.NodeReady); readyCond != nil {
+			nodeNewReadyCondStatus = readyCond.Status
+		}
 	}
 
 	tgbList := &elbv2api.TargetGroupBindingList{}
 	if err := h.k8sClient.List(context.Background(), tgbList); err != nil {
-		h.logger.Error(err, "failed to fetch targetGroupBindings")
+		h.logger.Error(err, "[this should never happen] failed to fetch targetGroupBindings")
 		return
 	}
 
 	for _, tgb := range tgbList.Items {
 		if tgb.Spec.TargetType == nil || (*tgb.Spec.TargetType) != elbv2api.TargetTypeInstance {
 			continue
 		}
-
 		nodeSelector, err := backend.GetTrafficProxyNodeSelector(&tgb)
 		if err != nil {
 			h.logger.Error(err, "failed to get nodeSelector", "TargetGroupBinding", tgb)
-			return
+			continue
 		}
 
-		nodeOldIsTrafficProxy := false
-		nodeNewIsTrafficProxy := false
+		nodeOldSuitableAsTrafficProxyForTGB := false
+		nodeNewSuitableAsTrafficProxyForTGB := false
 		if nodeOld != nil {
-			nodeOldIsTrafficProxy = nodeOldIsReady && nodeSelector.Matches(labels.Set(nodeOld.Labels))
+			nodeOldSuitableAsTrafficProxyForTGB = nodeOldSuitableAsTrafficProxy && nodeSelector.Matches(labels.Set(nodeOld.Labels))
 		}
 		if nodeNew != nil {
-			nodeNewIsTrafficProxy = nodeNewIsReady && nodeSelector.Matches(labels.Set(nodeNew.Labels))
+			nodeNewSuitableAsTrafficProxyForTGB = nodeNewSuitableAsTrafficProxy && nodeSelector.Matches(labels.Set(nodeNew.Labels))
 		}
 
-		if nodeOldIsTrafficProxy != nodeNewIsTrafficProxy {
+		if h.shouldEnqueueTGBDueToNodeEvent(nodeOldSuitableAsTrafficProxyForTGB, nodeOldReadyCondStatus, nodeNewSuitableAsTrafficProxyForTGB, nodeNewReadyCondStatus) {
 			h.logger.V(1).Info("enqueue targetGroupBinding for node event",
 				"node", nodeKey,
 				"targetGroupBinding", k8s.NamespacedName(&tgb),
@@ -109,3 +116,22 @@ func (h *enqueueRequestsForNodeEvent) enqueueImpactedTargetGroupBindings(queue w
 		}
 	}
 }
+
+// shouldEnqueueTGBDueToNodeEvent checks whether a TGB should be queued due to node event.
+func (h *enqueueRequestsForNodeEvent) shouldEnqueueTGBDueToNodeEvent(
+	nodeOldSuitableAsTrafficProxyForTGB bool, nodeOldReadyCondStatus corev1.ConditionStatus,
+	nodeNewSuitableAsTrafficProxyForTGB bool, nodeNewReadyCondStatus corev1.ConditionStatus) bool {
+	if nodeOldSuitableAsTrafficProxyForTGB == false && nodeNewSuitableAsTrafficProxyForTGB == false {
+		return false
+	}
+	if nodeOldSuitableAsTrafficProxyForTGB == true && nodeNewSuitableAsTrafficProxyForTGB == true {
+		return nodeOldReadyCondStatus != nodeNewReadyCondStatus
+	}
+	if nodeOldSuitableAsTrafficProxyForTGB == true && nodeNewSuitableAsTrafficProxyForTGB == false {
+		return nodeOldReadyCondStatus != corev1.ConditionFalse
+	}
+	if nodeOldSuitableAsTrafficProxyForTGB == false && nodeNewSuitableAsTrafficProxyForTGB == true {
+		return nodeNewReadyCondStatus != corev1.ConditionFalse
+	}
+	return false
+}

controllers/elbv2/eventhandlers/node_test.go

@@ -0,0 +1,170 @@
+package eventhandlers
+
+import (
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	"testing"
+)
+
+func Test_enqueueRequestsForNodeEvent_shouldEnqueueTGBDueToNodeEvent(t *testing.T) {
+	type args struct {
+		nodeOldSuitableAsTrafficProxyForTGB bool
+		nodeOldReadyCondStatus              corev1.ConditionStatus
+		nodeNewSuitableAsTrafficProxyForTGB bool
+		nodeNewReadyCondStatus              corev1.ConditionStatus
+	}
+	tests := []struct {
+		name string
+		args args
+		want bool
+	}{
+		{
+			name: "suitable node changed from ready to notReady",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionTrue,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionFalse,
+			},
+			want: true,
+		},
+		{
+			name: "suitable node changed from ready to unknown",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionTrue,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionUnknown,
+			},
+			want: true,
+		},
+		{
+			name: "suitable node changed from notReady to ready",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionFalse,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionTrue,
+			},
+			want: true,
+		},
+		{
+			name: "suitable node changed from notReady to unknown",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionFalse,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionUnknown,
+			},
+			want: true,
+		},
+		{
+			name: "suitable node changed from unknown to ready",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionUnknown,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionTrue,
+			},
+			want: true,
+		},
+		{
+			name: "suitable node changed from unknown to notReady",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionUnknown,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionFalse,
+			},
+			want: true,
+		},
+		{
+			name: "suitable node remains ready",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionTrue,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionTrue,
+			},
+			want: false,
+		},
+		{
+			name: "suitable node remains notReady",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionFalse,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionFalse,
+			},
+			want: false,
+		},
+		{
+			name: "suitable node remains unknown",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionUnknown,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionUnknown,
+			},
+			want: false,
+		},
+		{
+			name: "non-suitable node changed from ready to notReady",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: false,
+				nodeOldReadyCondStatus:              corev1.ConditionTrue,
+				nodeNewSuitableAsTrafficProxyForTGB: false,
+				nodeNewReadyCondStatus:              corev1.ConditionFalse,
+			},
+			want: false,
+		},
+		{
+			name: "node became suitable while remains ready",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: false,
+				nodeOldReadyCondStatus:              corev1.ConditionTrue,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionTrue,
+			},
+			want: true,
+		},
+		{
+			name: "node became suitable while remains notReady",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: false,
+				nodeOldReadyCondStatus:              corev1.ConditionFalse,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionFalse,
+			},
+			want: false,
+		},
+		{
+			name: "node became non-suitable while remains ready",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionTrue,
+				nodeNewSuitableAsTrafficProxyForTGB: false,
+				nodeNewReadyCondStatus:              corev1.ConditionTrue,
+			},
+			want: true,
+		},
+		{
+			name: "node became non-suitable while remains notReady",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionFalse,
+				nodeNewSuitableAsTrafficProxyForTGB: false,
+				nodeNewReadyCondStatus:              corev1.ConditionFalse,
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			h := &enqueueRequestsForNodeEvent{}
+			got := h.shouldEnqueueTGBDueToNodeEvent(tt.args.nodeOldSuitableAsTrafficProxyForTGB, tt.args.nodeOldReadyCondStatus,
+				tt.args.nodeNewSuitableAsTrafficProxyForTGB, tt.args.nodeNewReadyCondStatus)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}

controllers/elbv2/targetgroupbinding_controller.go

@@ -84,7 +84,6 @@ type targetGroupBindingReconciler struct {
 // +kubebuilder:rbac:groups="",resources=pods/status,verbs=update;patch
 // +kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=endpoints,verbs=get;list;watch
-// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 // +kubebuilder:rbac:groups="discovery.k8s.io",resources=endpointslices,verbs=get;list;watch

controllers/ingress/eventhandlers/secret_events.go

@@ -63,7 +63,8 @@ func (h *enqueueRequestsForSecretEvent) Delete(e event.DeleteEvent, _ workqueue.
 }
 
 func (h *enqueueRequestsForSecretEvent) Generic(e event.GenericEvent, _ workqueue.RateLimitingInterface) {
-	// we don't have any generic event for secrets.
+	secretObj := e.Object.(*corev1.Secret)
+	h.enqueueImpactedObjects(secretObj)
 }
 
 func (h *enqueueRequestsForSecretEvent) enqueueImpactedObjects(secret *corev1.Secret) {