From 10ece689c51ada7902bb52ec05fa7832e1c9305b Mon Sep 17 00:00:00 2001
From: jeswinkoshyninan
Date: Tue, 26 Nov 2024 10:39:15 +0000
Subject: [PATCH 1/2] avoid using flag --aws-vpc-tag-key
---
 docs/deploy/configurations.md | 1 -
 docs/deploy/installation.md | 2 +-
 pkg/aws/cloud.go | 27 ++++++++++++++++-----------
 pkg/aws/cloud_config.go | 3 ---
 4 files changed, 17 insertions(+), 16 deletions(-)
diff --git a/docs/deploy/configurations.md b/docs/deploy/configurations.md
index 44751238bc..49802db0f7 100644
--- a/docs/deploy/configurations.md
+++ b/docs/deploy/configurations.md
@@ -72,7 +72,6 @@ Currently, you can set only 1 namespace to watch in this flag. See [this Kuberne
 | aws-region | string | [instance metadata](#instance-metadata) | AWS Region for the kubernetes cluster |
 | aws-vpc-id | string | [instance metadata](#instance-metadata) | AWS VPC ID for the Kubernetes cluster |
 | aws-vpc-tags | stringMap | | Tags for the Kubernetes cluster VPC, When both flags `--aws-vpc-id` and `--aws-vpc-tags` are specified, the controller prioritizes `--aws-vpc-id` and ignores the other flag.
-| aws-vpc-tag-key | string | Name | Optional tag key used with aws-vpc-tags add only if VPC name tag key is not the default value "Name"
 | allowed-certificate-authority-arns | stringList | [] | Specify an optional list of CA ARNs to filter on in cert discovery (empty means all CAs are allowed) |
 | backend-security-group | string | | Backend security group id to use for the ingress rules on the worker node SG |
 | cluster-name | string | | Kubernetes cluster name |
diff --git a/docs/deploy/installation.md b/docs/deploy/installation.md
index b0fbee642d..e399f83e2b 100644
--- a/docs/deploy/installation.md
+++ b/docs/deploy/installation.md
@@ -37,7 +37,7 @@ You can set the IMDSv2 as follows:
 aws ec2 modify-instance-metadata-options --http-put-response-hop-limit 2 --http-tokens required --region --instance-id
 ```
-Instead of depending on IMDSv2, you can specify the AWS Region via the controller flag `--aws-region`, and the AWS VPC via controller flag `--aws-vpc-id` or by specifying vpc tags via the flag `--aws-vpc-tags` and an optional flag `--aws-vpc-tag-key` if you have a different key for the tag other than "Name". When both flags `--aws-vpc-id` and `--aws-vpc-tags` are specified, the controller prioritizes `--aws-vpc-id`and ignores the other flag.
+Instead of depending on IMDSv2, you can specify the AWS Region via the controller flag `--aws-region`, and the AWS VPC via controller flag `--aws-vpc-id` or by specifying vpc tags via the flag `--aws-vpc-tags`. When both flags `--aws-vpc-id` and `--aws-vpc-tags` are specified, the controller prioritizes `--aws-vpc-id`and ignores the other flag.
 ## Configure IAM
diff --git a/pkg/aws/cloud.go b/pkg/aws/cloud.go
index 41070e70db..41e6594c94 100644
--- a/pkg/aws/cloud.go
+++ b/pkg/aws/cloud.go
@@ -3,17 +3,18 @@ package aws
 import (
 "context"
 "fmt"
+ "net"
+ "os"
+ "strings"
+
 awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
 "github.com/aws/aws-sdk-go-v2/aws/ratelimit"
 "github.com/aws/aws-sdk-go-v2/aws/retry"
 "github.com/aws/aws-sdk-go-v2/config"
 ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
 smithymiddleware "github.com/aws/smithy-go/middleware"
- "net"
- "os"
 "sigs.k8s.io/aws-load-balancer-controller/pkg/aws/throttle"
 "sigs.k8s.io/aws-load-balancer-controller/pkg/version"
- "strings"
 "github.com/aws/aws-sdk-go-v2/aws"
 "github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
@@ -158,7 +159,7 @@ func getVpcID(cfg CloudConfig, ec2Service services.EC2, ec2Metadata services.EC2
 }
 if cfg.VpcTags != nil {
- return inferVPCIDFromTags(ec2Service, cfg.VpcNameTagKey, cfg.VpcTags[cfg.VpcNameTagKey])
+ return inferVPCIDFromTags(ec2Service, cfg.VpcTags)
 }
 return inferVPCID(ec2Metadata, ec2Service)
@@ -200,14 +201,18 @@ func inferVPCID(ec2Metadata services.EC2Metadata, ec2Service services.EC2) (stri
 return "", amerrors.NewAggregate(errList)
 }
-func inferVPCIDFromTags(ec2Service services.EC2, VpcNameTagKey string, VpcNameTagValue string) (string, error) {
+func inferVPCIDFromTags(ec2Service services.EC2, VpcTags map[string]string) (string, error) {
+ vpcFilter := []ec2types.Filter{}
+
+ for tagKey, tagValue := range VpcTags {
+ vpcFilter = append(vpcFilter, ec2types.Filter{
+ Name: aws.String(fmt.Sprintf("tag:%s", tagKey)),
+ Values: []string{tagValue},
+ })
+ }
+
 vpcs, err := ec2Service.DescribeVPCsAsList(context.Background(), &ec2.DescribeVpcsInput{
- Filters: []ec2types.Filter{
- {
- Name: aws.String("tag:" + VpcNameTagKey),
- Values: []string{VpcNameTagValue},
- },
- },
+ Filters: vpcFilter,
 })
 if err != nil {
 return "", fmt.Errorf("failed to fetch VPC ID with tag: %w", err)
diff --git a/pkg/aws/cloud_config.go b/pkg/aws/cloud_config.go
index 0793215656..34725ff472 100644
--- a/pkg/aws/cloud_config.go
+++ b/pkg/aws/cloud_config.go
@@ -15,9 +15,7 @@ const (
 flagAWSVpcTags = "aws-vpc-tags"
 flagAWSVpcCacheTTL = "aws-vpc-cache-ttl"
 flagAWSMaxRetries = "aws-max-retries"
- flagAWSVpcNameTagKey = "aws-vpc-tag-key"
 defaultVpcID = ""
- defaultVpcNameTagKey = "Name"
 defaultRegion = ""
 defaultAPIMaxRetries = 10
 )
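Review bot: The `+` line now forwards `cfg.VpcTags` wholesale, while the surrounding `if cfg.VpcTags != nil` only excludes a nil map, so an empty non-nil map reaches `inferVPCIDFromTags` and becomes a `DescribeVpcs` call with no filters at all, which lists every VPC in the account and, where exactly one exists, selects it without any tag having matched. Before this change the same input produced a `tag:Name` filter with an empty value, which matched nothing. Change the guard to `if len(cfg.VpcTags) > 0 {`, and keep an equivalent check inside `inferVPCIDFromTags` (next hunk) so the helper cannot be called unfiltered from elsewhere. Whether pflag's StringToString can actually yield an empty map is not visible here, so treat this as defence in depth. getVpcID's body starts outside the hunk.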
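Review bot: `inferVPCIDFromTags` builds `vpcFilter` by ranging over the map, so with two or more tags the order of `Filters` changes from run to run; the EC2 API ANDs them regardless, but the request is no longer reproducible and any mock that compares the `DescribeVpcsInput` will be flaky — collect the keys, sort them, and reject an empty map up front, since zero filters turns this into an unfiltered `DescribeVpcs` over the whole account. Smaller points on the same lines: `make([]ec2types.Filter, 0, len(vpcTags))` instead of `[]ec2types.Filter{}`, `"tag:" + tagKey` (the form the removed code used) instead of `fmt.Sprintf`, and the parameter should be `vpcTags` rather than `VpcTags`. The function's remaining checks lie outside this hunk; as the second patch shows, the `len(vpcs)` branches wrap a nil `err` with `%w` (`no VPC exists with tags(s): %w`), which prints as `%!w(<nil>)`, so those two should be plain `errors.New` messages, and the `tags(s)`/`tag(s)` wording should be made consistent while there. `errors` and `sort` may need adding to the import block.
```go
func inferVPCIDFromTags(ec2Service services.EC2, vpcTags map[string]string) (string, error) {
	if len(vpcTags) == 0 {
		return "", errors.New("no VPC tags given to infer the VPC ID")
	}
	// Sort the keys so the filter order, and hence the request, is deterministic.
	tagKeys := make([]string, 0, len(vpcTags))
	for tagKey := range vpcTags {
		tagKeys = append(tagKeys, tagKey)
	}
	sort.Strings(tagKeys)
	vpcFilter := make([]ec2types.Filter, 0, len(tagKeys))
	for _, tagKey := range tagKeys {
		vpcFilter = append(vpcFilter, ec2types.Filter{
			Name:   aws.String("tag:" + tagKey),
			Values: []string{vpcTags[tagKey]},
		})
	}
	// … unchanged: DescribeVPCsAsList call and the err / len(vpcs) checks …
```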
@@ -53,7 +51,6 @@ func (cfg *CloudConfig) BindFlags(fs *pflag.FlagSet) {
 fs.Var(cfg.ThrottleConfig, flagAWSAPIThrottle, "throttle settings for AWS APIs, format: serviceID1:operationRegex1=rate:burst,serviceID2:operationRegex2=rate:burst")
 fs.StringVar(&cfg.VpcID, flagAWSVpcID, defaultVpcID, "AWS VpcID for the LoadBalancer resources")
 fs.StringToStringVar(&cfg.VpcTags, flagAWSVpcTags, nil, "AWS VPC tags List,format: tagkey1=tagvalue1,tagkey2=tagvalue2")
- fs.StringVar(&cfg.VpcNameTagKey, flagAWSVpcNameTagKey, defaultVpcNameTagKey, "AWS tag key for identifying the VPC")
 fs.IntVar(&cfg.MaxRetries, flagAWSMaxRetries, defaultAPIMaxRetries, "Maximum retries for AWS APIs")
 fs.StringToStringVar(&cfg.AWSEndpoints, flagAWSAPIEndpoints, nil, "Custom AWS endpoint configuration, format: serviceID1=URL1,serviceID2=URL2")
 }
From 0e810517b6fb502cf4f4c06aa0df4c19856a7a90 Mon Sep 17 00:00:00 2001
From: jeswinkoshyninan
Date: Tue, 26 Nov 2024 16:06:33 +0000
Subject: [PATCH 2/2] update error message based on changes
---
 pkg/aws/cloud.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/aws/cloud.go b/pkg/aws/cloud.go
index 41e6594c94..cf792000fe 100644
--- a/pkg/aws/cloud.go
+++ b/pkg/aws/cloud.go
@@ -215,13 +215,13 @@ func inferVPCIDFromTags(ec2Service services.EC2, VpcTags map[string]string) (str
 Filters: vpcFilter,
 })
 if err != nil {
- return "", fmt.Errorf("failed to fetch VPC ID with tag: %w", err)
+ return "", fmt.Errorf("failed to fetch VPC ID with tags(s): %w", err)
 }
 if len(vpcs) == 0 {
- return "", fmt.Errorf("no VPC exists with tag: %w", err)
+ return "", fmt.Errorf("no VPC exists with tags(s): %w", err)
 }
 if len(vpcs) > 1 {
- return "", fmt.Errorf("multiple VPCs exists with tag: %w", err)
+ return "", fmt.Errorf("multiple VPCs exists with tag(s): %w", err)
 }
 return *vpcs[0].VpcId, nil