From 28ea80af9f61fe116910b7cbdd18cf36262ea22e Mon Sep 17 00:00:00 2001
From: Yash Thakkar
Date: Wed, 24 Jul 2024 09:31:25 +0000
Subject: [PATCH 1/4] adding check for annotation load-balancer scheme for sg source ranges
---
 pkg/service/model_build_managed_sg.go | 22 ++++--
 pkg/service/model_build_managed_sg_test.go | 82 ++++++++++++++++++++--
 2 files changed, 94 insertions(+), 10 deletions(-)
diff --git a/pkg/service/model_build_managed_sg.go b/pkg/service/model_build_managed_sg.go
index 498994b2a2..f4c3da5c70 100644
--- a/pkg/service/model_build_managed_sg.go
+++ b/pkg/service/model_build_managed_sg.go
@@ -14,6 +14,7 @@ import (
 "sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
 ec2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/ec2"
 elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
+ "sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
 )
 
 const (
@@ -115,7 +116,7 @@ func (t *defaultModelBuildTask) buildManagedSecurityGroupIngressPermissions(ctx
 return permissions, nil
 }
 
-func (t *defaultModelBuildTask) buildCIDRsFromSourceRanges(_ context.Context, ipAddressType elbv2model.IPAddressType, prefixListsConfigured bool) ([]string, error) {
+func (t *defaultModelBuildTask) buildCIDRsFromSourceRanges(ctx context.Context, ipAddressType elbv2model.IPAddressType, prefixListsConfigured bool) ([]string, error) {
 var cidrs []string
 for _, cidr := range t.service.Spec.LoadBalancerSourceRanges {
 cidrs = append(cidrs, cidr)
@@ -132,9 +133,22 @@ func (t *defaultModelBuildTask) buildCIDRsFromSourceRanges(_ context.Context, ip
 if prefixListsConfigured {
 return cidrs, nil
 }
- cidrs = append(cidrs, "0.0.0.0/0")
- if ipAddressType == elbv2model.IPAddressTypeDualStack {
- cidrs = append(cidrs, "::/0")
+ var scheme string
+ ok := t.annotationParser.ParseStringAnnotation(annotations.SvcLBSuffixScheme, &scheme, t.service.Annotations)
+ if ok && (scheme == string(elbv2model.LoadBalancerSchemeInternal) || scheme == "") {
+ vpcInfo, err := t.vpcInfoProvider.FetchVPCInfo(ctx, t.vpcID, networking.FetchVPCInfoWithoutCache())
+ if err != nil {
+ return cidrs, err
+ }
+ cidrs = append(cidrs, vpcInfo.AssociatedIPv4CIDRs()...)
+ if ipAddressType == elbv2model.IPAddressTypeDualStack {
+ cidrs = append(cidrs, vpcInfo.AssociatedIPv6CIDRs()...)
+ }
+ } else {
+ cidrs = append(cidrs, "0.0.0.0/0")
+ if ipAddressType == elbv2model.IPAddressTypeDualStack {
+ cidrs = append(cidrs, "::/0")
+ }
 }
 }
 return cidrs, nil
diff --git a/pkg/service/model_build_managed_sg_test.go b/pkg/service/model_build_managed_sg_test.go
index 0859549572..94bf43217a 100644
--- a/pkg/service/model_build_managed_sg_test.go
+++ b/pkg/service/model_build_managed_sg_test.go
@@ -5,12 +5,16 @@ import (
 "testing"
 
 "github.com/aws/aws-sdk-go/aws"
+ ec2sdk "github.com/aws/aws-sdk-go/service/ec2"
+ "github.com/golang/mock/gomock"
+ "github.com/pkg/errors"
 "github.com/stretchr/testify/assert"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
 ec2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/ec2"
 elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
+ "sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
 )
 
 func Test_buildCIDRsFromSourceRanges_buildCIDRsFromSourceRanges(t *testing.T) {
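Review bot: The new internal-scheme branch silently changes the default ingress of every existing internal load balancer from 0.0.0.0/0 to the VPC's associated CIDRs, which also drops traffic that legitimately reaches an internal LB from peered VPCs, Transit Gateway or VPN ranges; the hunk neither documents this nor offers an opt-out beyond `LoadBalancerSourceRanges`, which from the loop above appears to be the only way to widen it (the enclosing `if`, whose opening line is outside the hunk, decides that — verify). A doc comment on buildCIDRsFromSourceRanges stating the precedence (explicit source ranges, then prefix lists, then VPC CIDRs for internal, otherwise 0.0.0.0/0) plus a release note would make the tightening deliberate rather than a surprise at upgrade time. On a FetchVPCInfo failure the branch hands back the partially built slice, `return cidrs, err`; `return nil, err` keeps the (value, error) contract unambiguous, and the same line survives as context in the PATCH 3/4 hunk at @@ -133,9 +133,7 @@. The function's closing brace lies outside the hunk.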
@@ -20,10 +24,11 @@ func Test_buildCIDRsFromSourceRanges_buildCIDRsFromSourceRanges(t *testing.T) {
 prefixListsConfigured bool
 }
 tests := []struct {
- name string
- fields fields
- want []string
- wantErr bool
+ name string
+ fields fields
+ setupMock func(MockVPCInfoProvider *networking.MockVPCInfoProvider)
+ want []string
+ wantErr bool
 }{
 {
 name: "default IPv4",
@@ -36,7 +41,8 @@ func Test_buildCIDRsFromSourceRanges_buildCIDRsFromSourceRanges(t *testing.T) {
 ipAddressType: elbv2model.IPAddressTypeIPV4,
 prefixListsConfigured: false,
 },
- wantErr: false,
+ setupMock: func(MockVPCInfoProvider *networking.MockVPCInfoProvider) {},
+ wantErr: false,
 want: []string{
 "0.0.0.0/0",
 },
@@ -54,7 +60,8 @@ func Test_buildCIDRsFromSourceRanges_buildCIDRsFromSourceRanges(t *testing.T) {
 ipAddressType: elbv2model.IPAddressTypeDualStack,
 prefixListsConfigured: false,
 },
- wantErr: false,
+ setupMock: func(MockVPCInfoProvider *networking.MockVPCInfoProvider) {},
+ wantErr: false,
 want: []string{
 "0.0.0.0/0",
 "::/0",
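Review bot: The new `setupMock` field's parameter is named `MockVPCInfoProvider`, an exported-style identifier that reads as the type rather than a value, and the same spelling is repeated in every case body in the following hunk and again in the PATCH 3/4 hunks at @@ -87,33 and @@ -132,6; a short lowercase name is the Go convention, `setupMock func(m *networking.MockVPCInfoProvider)`. The cases in the @@ -36,7 and @@ -54,7 hunks only add an empty `setupMock: func(MockVPCInfoProvider *networking.MockVPCInfoProvider) {}` to satisfy the unconditional call in the loop; a nil check there, `if tt.setupMock != nil { tt.setupMock(mockVPCInfoProvider) }`, lets cases that need no mock omit the field. The table and loop continue beyond these hunks.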
@@ -73,16 +80,79 @@ func Test_buildCIDRsFromSourceRanges_buildCIDRsFromSourceRanges(t *testing.T) {
 ipAddressType: elbv2model.IPAddressTypeDualStack,
 prefixListsConfigured: true,
 },
+ setupMock: func(MockVPCInfoProvider *networking.MockVPCInfoProvider) {},
+ wantErr: false,
+ want: nil,
+ },
+ {
+ name: "fetch vpc info for internal scheme",
+ fields: fields{
+ svc: &corev1.Service{
+ ObjectMeta: metav1.ObjectMeta{
+ Annotations: map[string]string{
+ "service.beta.kubernetes.io/aws-load-balancer-scheme": "internal",
+ },
+ },
+ },
+ ipAddressType: elbv2model.IPAddressTypeDualStack,
+ prefixListsConfigured: false,
+ },
+ setupMock: func(MockVPCInfoProvider *networking.MockVPCInfoProvider) {
+ vpcInfo := networking.VPCInfo{
+ CidrBlockAssociationSet: []*ec2sdk.VpcCidrBlockAssociation{
+ {
+ CidrBlock: aws.String("192.168.0.0/16"),
+ CidrBlockState: &ec2sdk.VpcCidrBlockState{State: aws.String(ec2sdk.VpcCidrBlockStateCodeAssociated)},
+ },
+ },
+ Ipv6CidrBlockAssociationSet: []*ec2sdk.VpcIpv6CidrBlockAssociation{
+ {
+ Ipv6CidrBlock: aws.String("fd00::/8"),
+ Ipv6CidrBlockState: &ec2sdk.VpcCidrBlockState{State: aws.String(ec2sdk.VpcCidrBlockStateCodeAssociated)},
+ },
+ },
+ }
+ MockVPCInfoProvider.EXPECT().FetchVPCInfo(gomock.Any(), "vpc-1234", gomock.Any()).Return(vpcInfo, nil)
+ },
 wantErr: false,
+ want: []string{
+ "192.168.0.0/16",
+ "fd00::/8",
+ },
+ },
+ {
+ name: "error fetching vpc info",
+ fields: fields{
+ svc: &corev1.Service{
+ ObjectMeta: metav1.ObjectMeta{
+ Annotations: map[string]string{
+ "service.beta.kubernetes.io/aws-load-balancer-scheme": "internal",
+ },
+ },
+ },
+ ipAddressType: elbv2model.IPAddressTypeDualStack,
+ prefixListsConfigured: false,
+ },
+ setupMock: func(MockVPCInfoProvider *networking.MockVPCInfoProvider) {
+ MockVPCInfoProvider.EXPECT().FetchVPCInfo(gomock.Any(), "vpc-1234", gomock.Any()).Return(networking.VPCInfo{}, errors.New("failed to fetch vpcInfo"))
+ },
+ wantErr: true,
 want: nil,
 },
 }
+
 for _, tt := range tests {
 t.Run(tt.name, func(t1 *testing.T) {
+ ctrl := gomock.NewController(t)
+ defer ctrl.Finish()
+ mockVPCInfoProvider := networking.NewMockVPCInfoProvider(ctrl)
+ tt.setupMock(mockVPCInfoProvider)
 annotationParser := annotations.NewSuffixAnnotationParser("service.beta.kubernetes.io")
 task := &defaultModelBuildTask{
 annotationParser: annotationParser,
 service: tt.fields.svc,
+ vpcID: "vpc-1234",
+ vpcInfoProvider: mockVPCInfoProvider,
 }
 got, err := task.buildCIDRsFromSourceRanges(context.Background(), tt.fields.ipAddressType, tt.fields.prefixListsConfigured)
 if tt.wantErr {
From df3034484f01e18801454e1a8d3c39e210711a81 Mon Sep 17 00:00:00 2001
From: Yash Thakkar
Date: Thu, 25 Jul 2024 21:14:00 +0000
Subject: [PATCH 2/4] updating test with vpcInfo details and want cidr
---
 pkg/service/model_builder_test.go | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/pkg/service/model_builder_test.go b/pkg/service/model_builder_test.go
index 4b598d80a9..793de69d70 100644
--- a/pkg/service/model_builder_test.go
+++ b/pkg/service/model_builder_test.go
@@ -3427,9 +3427,23 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
 },
 enableBackendSG: true,
 resolveViaDiscoveryCalls: []resolveViaDiscoveryCall{resolveViaDiscoveryCallForTwoSubnet},
- listLoadBalancerCalls: []listLoadBalancerCall{listLoadBalancerCallForEmptyLB},
- backendSecurityGroup: "sg-backend",
- wantError: false,
+ fetchVPCInfoCalls: []fetchVPCInfoCall{
+ {
+ wantVPCInfo: networking.VPCInfo{
+ CidrBlockAssociationSet: []*ec2.VpcCidrBlockAssociation{
+ {
+ CidrBlock: aws.String("192.168.0.0/16"),
+ CidrBlockState: &ec2.VpcCidrBlockState{
+ State: &cidrBlockStateAssociated,
+ },
+ },
+ },
+ },
+ },
+ },
+ listLoadBalancerCalls: []listLoadBalancerCall{listLoadBalancerCallForEmptyLB},
+ backendSecurityGroup: "sg-backend",
+ wantError: false,
 wantValue: `
 {
 "id":"default/nlb-ip-svc",
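Review bot: `ctrl := gomock.NewController(t)` inside `t.Run(tt.name, func(t1 *testing.T) {` binds the mock controller to the parent test rather than the subtest, so an unmet `FetchVPCInfo` expectation is reported against the parent and `defer ctrl.Finish()` fires with the wrong `*testing.T`; the pre-existing `assert.Error(t, err)` calls have the same shadowing problem, which the hunk inherits rather than fixes. Create the controller with the subtest, `ctrl := gomock.NewController(t1)`, and use `t1` in the new lines. The t.Run closure and the table loop continue past the hunk.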
@@ -3446,7 +3460,7 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
 "toPort": 80,
 "ipRanges": [
 {
- "cidrIP": "0.0.0.0/0"
+ "cidrIP": "192.168.0.0/16"
 }
 ]
 },
@@ -3456,7 +3470,7 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
 "toPort": 83,
 "ipRanges": [
 {
- "cidrIP": "0.0.0.0/0"
+ "cidrIP": "192.168.0.0/16"
 }
 ]
 }
From 275be82961178a4a2fadaa6e69e248488ffb2abc Mon Sep 17 00:00:00 2001
From: Yash Thakkar
Date: Sun, 18 Aug 2024 19:31:14 +0000
Subject: [PATCH 3/4] wip to pass scheme from upper layer
---
 pkg/service/model_build_load_balancer.go | 6 +--
 pkg/service/model_build_managed_sg.go | 18 ++++-----
 pkg/service/model_build_managed_sg_test.go | 45 +++++++++++-----------
 3 files changed, 33 insertions(+), 36 deletions(-)
diff --git a/pkg/service/model_build_load_balancer.go b/pkg/service/model_build_load_balancer.go
index 1a645205da..4837442b41 100644
--- a/pkg/service/model_build_load_balancer.go
+++ b/pkg/service/model_build_load_balancer.go
@@ -61,7 +61,7 @@ func (t *defaultModelBuildTask) buildLoadBalancerSpec(ctx context.Context, schem
 if err != nil {
 return elbv2model.LoadBalancerSpec{}, err
 }
- securityGroups, err := t.buildLoadBalancerSecurityGroups(ctx, existingLB, ipAddressType)
+ securityGroups, err := t.buildLoadBalancerSecurityGroups(ctx, existingLB, scheme, ipAddressType)
 if err != nil {
 return elbv2model.LoadBalancerSpec{}, err
 }
@@ -101,7 +101,7 @@ func (t *defaultModelBuildTask) buildLoadBalancerSpec(ctx context.Context, schem
 }
 
 func (t *defaultModelBuildTask) buildLoadBalancerSecurityGroups(ctx context.Context, existingLB *elbv2deploy.LoadBalancerWithTags,
- ipAddressType elbv2model.IPAddressType) ([]core.StringToken, error) {
+ scheme elbv2model.LoadBalancerScheme, ipAddressType elbv2model.IPAddressType) ([]core.StringToken, error) {
 if existingLB != nil && len(existingLB.LoadBalancer.SecurityGroups) == 0 {
 return nil, nil
 }
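Review bot: The new parameter is placed before `ipAddressType` in buildLoadBalancerSecurityGroups (`scheme elbv2model.LoadBalancerScheme, ipAddressType elbv2model.IPAddressType`) but after it in every callee changed by this commit — buildManagedSecurityGroup, buildManagedSecurityGroupSpec, buildManagedSecurityGroupIngressPermissions and buildCIDRsFromSourceRanges in the model_build_managed_sg.go hunks that follow (@@ -21,8, @@ -30,13, @@ -63,11, @@ -116,7). If both are distinct named string types the compiler will catch a swapped call, but one order along the whole chain, e.g. `(ctx, scheme, ipAddressType)` everywhere, spares readers from checking each signature. buildLoadBalancerSecurityGroups' body continues past the hunk.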
@@ -115,7 +115,7 @@ func (t *defaultModelBuildTask) buildLoadBalancerSecurityGroups(ctx context.Cont
 var lbSGTokens []core.StringToken
 t.annotationParser.ParseStringSliceAnnotation(annotations.SvcLBSuffixLoadBalancerSecurityGroups, &sgNameOrIDs, t.service.Annotations)
 if len(sgNameOrIDs) == 0 {
- managedSG, err := t.buildManagedSecurityGroup(ctx, ipAddressType)
+ managedSG, err := t.buildManagedSecurityGroup(ctx, ipAddressType, scheme)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/service/model_build_managed_sg.go b/pkg/service/model_build_managed_sg.go
index f4c3da5c70..88a4c8d77e 100644
--- a/pkg/service/model_build_managed_sg.go
+++ b/pkg/service/model_build_managed_sg.go
@@ -21,8 +21,8 @@ const (
 resourceIDManagedSecurityGroup = "ManagedLBSecurityGroup"
 )
 
-func (t *defaultModelBuildTask) buildManagedSecurityGroup(ctx context.Context, ipAddressType elbv2model.IPAddressType) (*ec2model.SecurityGroup, error) {
- sgSpec, err := t.buildManagedSecurityGroupSpec(ctx, ipAddressType)
+func (t *defaultModelBuildTask) buildManagedSecurityGroup(ctx context.Context, ipAddressType elbv2model.IPAddressType, scheme elbv2model.LoadBalancerScheme) (*ec2model.SecurityGroup, error) {
+ sgSpec, err := t.buildManagedSecurityGroupSpec(ctx, ipAddressType, scheme)
 if err != nil {
 return nil, err
 }
@@ -30,13 +30,13 @@ func (t *defaultModelBuildTask) buildManagedSecurityGroup(ctx context.Context, i
 return sg, nil
 }
 
-func (t *defaultModelBuildTask) buildManagedSecurityGroupSpec(ctx context.Context, ipAddressType elbv2model.IPAddressType) (ec2model.SecurityGroupSpec, error) {
+func (t *defaultModelBuildTask) buildManagedSecurityGroupSpec(ctx context.Context, ipAddressType elbv2model.IPAddressType, scheme elbv2model.LoadBalancerScheme) (ec2model.SecurityGroupSpec, error) {
 name := t.buildManagedSecurityGroupName(ctx)
 tags, err := t.buildManagedSecurityGroupTags(ctx)
 if err != nil {
 return ec2model.SecurityGroupSpec{}, err
 }
- ingressPermissions, err := t.buildManagedSecurityGroupIngressPermissions(ctx, ipAddressType)
+ ingressPermissions, err := t.buildManagedSecurityGroupIngressPermissions(ctx, ipAddressType, scheme)
 if err != nil {
 return ec2model.SecurityGroupSpec{}, err
 }
@@ -63,11 +63,11 @@ func (t *defaultModelBuildTask) buildManagedSecurityGroupName(_ context.Context)
 return fmt.Sprintf("k8s-%.8s-%.8s-%.10s", sanitizedNamespace, sanitizedName, uuid)
 }
 
-func (t *defaultModelBuildTask) buildManagedSecurityGroupIngressPermissions(ctx context.Context, ipAddressType elbv2model.IPAddressType) ([]ec2model.IPPermission, error) {
+func (t *defaultModelBuildTask) buildManagedSecurityGroupIngressPermissions(ctx context.Context, ipAddressType elbv2model.IPAddressType, scheme elbv2model.LoadBalancerScheme) ([]ec2model.IPPermission, error) {
 var permissions []ec2model.IPPermission
 var prefixListIDs []string
 prefixListsConfigured := t.annotationParser.ParseStringSliceAnnotation(annotations.SvcLBSuffixSecurityGroupPrefixLists, &prefixListIDs, t.service.Annotations)
- cidrs, err := t.buildCIDRsFromSourceRanges(ctx, ipAddressType, prefixListsConfigured)
+ cidrs, err := t.buildCIDRsFromSourceRanges(ctx, ipAddressType, prefixListsConfigured, scheme)
 if err != nil {
 return nil, err
 }
@@ -116,7 +116,7 @@ func (t *defaultModelBuildTask) buildManagedSecurityGroupIngressPermissions(ctx
 return permissions, nil
 }
 
-func (t *defaultModelBuildTask) buildCIDRsFromSourceRanges(ctx context.Context, ipAddressType elbv2model.IPAddressType, prefixListsConfigured bool) ([]string, error) {
+func (t *defaultModelBuildTask) buildCIDRsFromSourceRanges(ctx context.Context, ipAddressType elbv2model.IPAddressType, prefixListsConfigured bool, scheme elbv2model.LoadBalancerScheme) ([]string, error) {
 var cidrs []string
 for _, cidr := range t.service.Spec.LoadBalancerSourceRanges {
 cidrs = append(cidrs, cidr)
@@ -133,9 +133,7 @@ func (t *defaultModelBuildTask) buildCIDRsFromSourceRanges(ctx context.Context,
 if prefixListsConfigured {
 return cidrs, nil
 }
- var scheme string
- ok := t.annotationParser.ParseStringAnnotation(annotations.SvcLBSuffixScheme, &scheme, t.service.Annotations)
- if ok && (scheme == string(elbv2model.LoadBalancerSchemeInternal) || scheme == "") {
+ if scheme == elbv2model.LoadBalancerSchemeInternal {
 vpcInfo, err := t.vpcInfoProvider.FetchVPCInfo(ctx, t.vpcID, networking.FetchVPCInfoWithoutCache())
 if err != nil {
 return cidrs, err
diff --git a/pkg/service/model_build_managed_sg_test.go b/pkg/service/model_build_managed_sg_test.go
index 94bf43217a..ae3723e7b6 100644
--- a/pkg/service/model_build_managed_sg_test.go
+++ b/pkg/service/model_build_managed_sg_test.go
@@ -13,6 +13,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
 ec2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/ec2"
+ "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
 elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
 "sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
 )
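Review bot: `if scheme == elbv2model.LoadBalancerSchemeInternal {` keeps the 0.0.0.0/0 branch as the fallthrough, so an unset or unrecognised scheme (the zero value of the new parameter, which is what every case in the @@ -348,7 test hunk passes) fails open to the world. Testing for the internet-facing scheme explicitly and sending every other value down the VPC-CIDR path would fail closed instead; whether the caller can actually hand in an empty scheme depends on how buildLoadBalancerSpec resolves it, which is outside this hunk, so a sentence in the function's doc comment naming the expected domain of `scheme` would settle it either way. The function's remaining branches are outside the hunk.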
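Review bot: The added `"sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"` imports the package that the very next line already binds as `elbv2model`; Go accepts importing one package under two names, but staticcheck flags it and the file now refers to the same identifiers two ways. Drop the added import and write `elbv2model.LoadBalancerSchemeInternal` at the two places in the later hunks (@@ -87,33 and @@ -132,6) that introduce `elbv2.LoadBalancerSchemeInternal`.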
@@ -22,6 +23,7 @@ func Test_buildCIDRsFromSourceRanges_buildCIDRsFromSourceRanges(t *testing.T) {
 svc *corev1.Service
 ipAddressType elbv2model.IPAddressType
 prefixListsConfigured bool
+ scheme elbv2model.LoadBalancerScheme
 }
 tests := []struct {
 name string
@@ -87,33 +89,28 @@ func Test_buildCIDRsFromSourceRanges_buildCIDRsFromSourceRanges(t *testing.T) {
 {
 name: "fetch vpc info for internal scheme",
 fields: fields{
- svc: &corev1.Service{
- ObjectMeta: metav1.ObjectMeta{
- Annotations: map[string]string{
- "service.beta.kubernetes.io/aws-load-balancer-scheme": "internal",
- },
- },
- },
+ svc: &corev1.Service{},
 ipAddressType: elbv2model.IPAddressTypeDualStack,
 prefixListsConfigured: false,
+ scheme: elbv2.LoadBalancerSchemeInternal,
 },
 setupMock: func(MockVPCInfoProvider *networking.MockVPCInfoProvider) {
 vpcInfo := networking.VPCInfo{
- CidrBlockAssociationSet: []*ec2sdk.VpcCidrBlockAssociation{
- {
- CidrBlock: aws.String("192.168.0.0/16"),
- CidrBlockState: &ec2sdk.VpcCidrBlockState{State: aws.String(ec2sdk.VpcCidrBlockStateCodeAssociated)},
- },
+ CidrBlockAssociationSet: []*ec2sdk.VpcCidrBlockAssociation{
+ {
+ CidrBlock: aws.String("192.168.0.0/16"),
+ CidrBlockState: &ec2sdk.VpcCidrBlockState{State: aws.String(ec2sdk.VpcCidrBlockStateCodeAssociated)},
 },
- Ipv6CidrBlockAssociationSet: []*ec2sdk.VpcIpv6CidrBlockAssociation{
- {
- Ipv6CidrBlock: aws.String("fd00::/8"),
- Ipv6CidrBlockState: &ec2sdk.VpcCidrBlockState{State: aws.String(ec2sdk.VpcCidrBlockStateCodeAssociated)},
- },
+ },
+ Ipv6CidrBlockAssociationSet: []*ec2sdk.VpcIpv6CidrBlockAssociation{
+ {
+ Ipv6CidrBlock: aws.String("fd00::/8"),
+ Ipv6CidrBlockState: &ec2sdk.VpcCidrBlockState{State: aws.String(ec2sdk.VpcCidrBlockStateCodeAssociated)},
 },
- }
- MockVPCInfoProvider.EXPECT().FetchVPCInfo(gomock.Any(), "vpc-1234", gomock.Any()).Return(vpcInfo, nil)
- },
+ },
+ }
+ MockVPCInfoProvider.EXPECT().FetchVPCInfo(gomock.Any(), "vpc-1234", gomock.Any()).Return(vpcInfo, nil)
+ },
 wantErr: false,
 want: []string{
 "192.168.0.0/16",
@@ -132,6 +129,7 @@ func Test_buildCIDRsFromSourceRanges_buildCIDRsFromSourceRanges(t *testing.T) {
 },
 ipAddressType: elbv2model.IPAddressTypeDualStack,
 prefixListsConfigured: false,
+ scheme: elbv2.LoadBalancerSchemeInternal,
 },
 setupMock: func(MockVPCInfoProvider *networking.MockVPCInfoProvider) {
 MockVPCInfoProvider.EXPECT().FetchVPCInfo(gomock.Any(), "vpc-1234", gomock.Any()).Return(networking.VPCInfo{}, errors.New("failed to fetch vpcInfo"))
@@ -152,9 +150,9 @@ func Test_buildCIDRsFromSourceRanges_buildCIDRsFromSourceRanges(t *testing.T) {
 annotationParser: annotationParser,
 service: tt.fields.svc,
 vpcID: "vpc-1234",
- vpcInfoProvider: mockVPCInfoProvider,
+ vpcInfoProvider: mockVPCInfoProvider,
 }
- got, err := task.buildCIDRsFromSourceRanges(context.Background(), tt.fields.ipAddressType, tt.fields.prefixListsConfigured)
+ got, err := task.buildCIDRsFromSourceRanges(context.Background(), tt.fields.ipAddressType, tt.fields.prefixListsConfigured, tt.fields.scheme)
 if tt.wantErr {
 assert.Error(t, err)
 } else {
@@ -169,6 +167,7 @@ func Test_buildCIDRsFromSourceRanges_buildManagedSecurityGroupIngressPermissions
 type fields struct {
 svc *corev1.Service
 ipAddressType elbv2model.IPAddressType
+ scheme elbv2model.LoadBalancerScheme
 }
 tests := []struct {
 name string
@@ -348,7 +347,7 @@ func Test_buildCIDRsFromSourceRanges_buildManagedSecurityGroupIngressPermissions
 annotationParser: annotationParser,
 service: tt.fields.svc,
 }
- got, err := task.buildManagedSecurityGroupIngressPermissions(context.Background(), tt.fields.ipAddressType)
+ got, err := task.buildManagedSecurityGroupIngressPermissions(context.Background(), tt.fields.ipAddressType, tt.fields.scheme)
 if tt.wantErr {
 assert.Error(t, err)
 } else {
From 0aaaff999facef3b075444434f9a61b844bf574e Mon Sep 17 00:00:00 2001
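Review bot: In the @@ -348,7 hunk, `task.buildManagedSecurityGroupIngressPermissions(context.Background(), tt.fields.ipAddressType, tt.fields.scheme)` runs on a `task` that has neither `vpcID` nor `vpcInfoProvider`, and no case in this table sets the `scheme` field added at @@ -169,6, so the internal-scheme path introduced by this series is never exercised by this test and a future case with `scheme: elbv2model.LoadBalancerSchemeInternal` would presumably hit a nil provider. Either wire the mock as the first test does, `vpcID: "vpc-1234", vpcInfoProvider: mockVPCInfoProvider`, and add one internal-scheme case, or put a comment on the table stating that it covers only the non-internal branch. The table and the loop body extend beyond these hunks.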
From: Yash Thakkar
Date: Mon, 19 Aug 2024 00:37:34 -0700
Subject: [PATCH 4/4] updating testcases to change according internal scheme
---
 pkg/service/model_builder_test.go | 89 +++++++++++++++++++++++++++----
 1 file changed, 79 insertions(+), 10 deletions(-)
diff --git a/pkg/service/model_builder_test.go b/pkg/service/model_builder_test.go
index 793de69d70..b54533aecc 100644
--- a/pkg/service/model_builder_test.go
+++ b/pkg/service/model_builder_test.go
@@ -2236,8 +2236,29 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
 },
 },
 resolveViaDiscoveryCalls: []resolveViaDiscoveryCall{resolveViaDiscoveryCallForOneSubnet},
- listLoadBalancerCalls: []listLoadBalancerCall{listLoadBalancerCallForEmptyLB},
- wantError: true,
+ fetchVPCInfoCalls: []fetchVPCInfoCall{
+ {
+ wantVPCInfo: networking.VPCInfo{
+ CidrBlockAssociationSet: []*ec2.VpcCidrBlockAssociation{
+ {
+ CidrBlock: aws.String("192.160.0.0/16"),
+ CidrBlockState: &ec2.VpcCidrBlockState{
+ State: aws.String("associated"),
+ },
+ },
+ {
+ CidrBlock: aws.String("100.64.0.0/16"),
+ CidrBlockState: &ec2.VpcCidrBlockState{
+ State: aws.String("associated"),
+ },
+ },
+ },
+ },
+ err: nil,
+ },
+ },
+ listLoadBalancerCalls: []listLoadBalancerCall{listLoadBalancerCallForEmptyLB},
+ wantError: true,
 },
 {
 testName: "list load balancers error",
@@ -2363,7 +2384,22 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
 },
 resolveViaDiscoveryCalls: []resolveViaDiscoveryCall{resolveViaDiscoveryCallForOneSubnet},
 listLoadBalancerCalls: []listLoadBalancerCall{listLoadBalancerCallForEmptyLB},
- wantError: true,
+ fetchVPCInfoCalls: []fetchVPCInfoCall{
+ {
+ wantVPCInfo: networking.VPCInfo{
+ Ipv6CidrBlockAssociationSet: []*ec2.VpcIpv6CidrBlockAssociation{
+ {
+ Ipv6CidrBlock: aws.String("2600:1f00:1000::/56"),
+ Ipv6CidrBlockState: &ec2.VpcCidrBlockState{
+ State: aws.String("associated"),
+ },
+ },
+ },
+ },
+ err: nil,
+ },
+ },
+ wantError: true,
 },
 {
 testName: "ipv6 for NLB",
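Review bot: `State: aws.String("associated")` hard-codes the association state as a bare string in each new fetchVPCInfoCall fixture, while model_build_managed_sg_test.go in this same series uses the SDK constant (`ec2sdk.VpcCidrBlockStateCodeAssociated`) and PATCH 2/4 used a shared variable, `&cidrBlockStateAssociated`; three spellings of one value across the test suite invite a typo that, if AssociatedIPv4CIDRs filters on that state as its name suggests (verify), would silently drop a CIDR from the expectation. Prefer `State: aws.String(ec2.VpcCidrBlockStateCodeAssociated)` here and in the following hunks at @@ -3060,6 and @@ -5447,6. The "192.160.0.0/16" fixture reads like a slip for 192.168.0.0/16 but is used consistently with the expectation at @@ -5287,7, so it is harmless as long as it is intentional. Test_defaultModelBuilderTask_Build's table extends beyond both hunks.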
@@ -3060,6 +3096,21 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
 listLoadBalancerCalls: []listLoadBalancerCall{listLoadBalancerCallForEmptyLB},
 backendSecurityGroup: "sg-backend",
 wantError: false,
+ fetchVPCInfoCalls: []fetchVPCInfoCall{
+ {
+ wantVPCInfo: networking.VPCInfo{
+ CidrBlockAssociationSet: []*ec2.VpcCidrBlockAssociation{
+ {
+ CidrBlock: aws.String("10.0.0.0/16"),
+ CidrBlockState: &ec2.VpcCidrBlockState{
+ State: aws.String("associated"),
+ },
+ },
+ },
+ },
+ err: nil,
+ },
+ },
 wantValue: `
 {
 "id":"default/nlb-ip-svc-tls",
@@ -3076,7 +3127,7 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
 "toPort": 80,
 "ipRanges": [
 {
- "cidrIP": "0.0.0.0/0"
+ "cidrIP": "10.0.0.0/16"
 }
 ]
 }
@@ -4110,7 +4161,7 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
 "toPort": 80,
 "ipRanges": [
 {
- "cidrIP": "0.0.0.0/0"
+ "cidrIP": "192.168.0.0/16"
 }
 ]
 },
@@ -4120,7 +4171,7 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
 "toPort": 83,
 "ipRanges": [
 {
- "cidrIP": "0.0.0.0/0"
+ "cidrIP":"192.168.0.0/16"
 }
 ]
 }
@@ -5287,7 +5338,17 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
 "toPort": 80,
 "ipRanges": [
 {
- "cidrIP": "0.0.0.0/0"
+ "cidrIP": "192.160.0.0/16"
+ }
+ ]
+ },
+ {
+ "ipProtocol": "tcp",
+ "fromPort": 80,
+ "toPort": 80,
+ "ipRanges": [
+ {
+ "cidrIP": "100.64.0.0/16"
 }
 ]
 }
@@ -5447,6 +5508,14 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
 fetchVPCInfoCalls: []fetchVPCInfoCall{
 {
 wantVPCInfo: networking.VPCInfo{
+ CidrBlockAssociationSet: []*ec2.VpcCidrBlockAssociation{
+ {
+ CidrBlock: aws.String("10.0.0.0/16"),
+ CidrBlockState: &ec2.VpcCidrBlockState{
+ State: aws.String("associated"),
+ },
+ },
+ },
 Ipv6CidrBlockAssociationSet: []*ec2.VpcIpv6CidrBlockAssociation{
 {
 Ipv6CidrBlock: aws.String("2600:1fe3:3c0:1d00::/56"),
@@ -5477,7 +5546,7 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
 "toPort": 80,
 "ipRanges": [
 {
- "cidrIP": "0.0.0.0/0"
+ "cidrIP": "10.0.0.0/16"
 }
 ]
 },
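Review bot: The expectation added at @@ -4120,7 is written `"cidrIP":"192.168.0.0/16"` without the space every other `cidrIP` entry in these hunks carries; if `wantValue` is compared with a JSON-aware assertion the difference is harmless, but with a textual comparison the case would fail for formatting alone, so keep it as `"cidrIP": "192.168.0.0/16"`. The @@ -5287,7 hunk now expects one permission block per VPC CIDR on the same port, which matches the two-CIDR fixture added at @@ -2236,8; a one-line comment on that fixture saying the second CIDR exists to prove per-CIDR expansion would make that coupling explicit. The wantValue strings and the test table continue beyond each of these hunks.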
@@ -5487,7 +5556,7 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
 "toPort": 80,
 "ipv6Ranges": [
 {
- "cidrIPv6": "::/0"
+ "cidrIPv6": "2600:1fe3:3c0:1d00::/56"
 }
 ]
 }
@@ -5854,7 +5923,7 @@ func Test_defaultModelBuilderTask_Build(t *testing.T) {
 "toPort": 80,
 "ipRanges": [
 {
- "cidrIP": "0.0.0.0/0"
+ "cidrIP": "192.168.0.0/16"
 }
 ]
 },