fix: AmazonWebServices-NLB controller parameter modification and doc update

clarklee92 · clarklee92 · commit e5a2ed6a22c0 · 2024-07-12T16:43:16.000+08:00
Signed-off-by: clarklee92 &lt;clarklee1992@hotmail.com&gt;
diff --git a/cloudprovider/amazonswebservices/README.md b/cloudprovider/amazonswebservices/README.md
@@ -42,39 +42,34 @@ The key to deploying this project lies in authorizing the k8s ServiceAccount to
 4. On the cluster details page, ensure that the OIDC provider is enabled. Obtain the OIDC provider URL for the EKS cluster. In the "Configuration" section of the cluster details page, find the "OpenID Connect provider URL".
 
 ##### Step 2：Configure the IAM role trust policy
-
-Create an IAM role:
-
-- In the IAM console, create a new IAM role and select "Custom trust policy".
-
-- Use the following trust policy to allow EKS to use this role:
-
-  ```json
-  {
-    "Version": "2012-10-17",
-    "Statement": [
-      {
-        "Effect": "Allow",
-        "Principal": {
-          "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>"
-        },
-        "Action": "sts:AssumeRoleWithWebIdentity",
-        "Condition": {
-          "StringEquals": {
-            "oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>:sub": "system:serviceaccount:<NAMESPACE>:<SERVICE_ACCOUNT_NAME>",
-            "oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>:aud": "sts.amazonaws.com"
-          }
-        }
-      }
-    ]
-  }
-  ```
-
-- Replace `<AWS_ACCOUNT_ID>`、`<REGION>`、`<OIDC_ID>`、`<NAMESPACE>` and `<SERVICE_ACCOUNT_NAME>` with your actual values.
-
-
-
-- Add the permission `ElasticLoadBalancingFullAccess`
+1. In the IAM console, create a new identity provider and select "OpenID Connect".
+   - For the Provider URL, enter the OIDC provider URL of your EKS cluster.
+   - For Audience, enter: `sts.amazonaws.com`
+
+2. In the IAM console, create a new IAM role and select "Custom trust policy".
+   - Use the following trust policy to allow EKS to use this role:
+     ```json
+     {
+       "Version": "2012-10-17",
+       "Statement": [
+         {
+           "Effect": "Allow",
+           "Principal": {
+             "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>"
+           },
+           "Action": "sts:AssumeRoleWithWebIdentity",
+           "Condition": {
+             "StringEquals": {
+               "oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>:sub": "system:serviceaccount:<NAMESPACE>:ack-elbv2-controller",
+               "oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>:aud": "sts.amazonaws.com"
+             }
+           }
+         }
+       ]
+     }
+     ```
+     - Replace `<AWS_ACCOUNT_ID>`、`<REGION>`、`<OIDC_ID>`、`<NAMESPACE>` and `<SERVICE_ACCOUNT_NAME>` with your actual values.
+     - Add the permission `ElasticLoadBalancingFullAccess`
 
 
 
diff --git a/cloudprovider/amazonswebservices/README.zh_CN.md b/cloudprovider/amazonswebservices/README.zh_CN.md
@@ -42,36 +42,33 @@ aws:
 
 ##### 步骤 2：配置 IAM 角色信任策略
 
-创建 IAM 角色：
-
-- 在 IAM 控制台中，创建一个新的 IAM 角色，并选择 “Custom trust policy”。
-
-- 使用以下信任策略，允许 EKS 使用这个角色：
-
-  ```json
-  {
-    "Version": "2012-10-17",
-    "Statement": [
-      {
-        "Effect": "Allow",
-        "Principal": {
-          "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>"
-        },
-        "Action": "sts:AssumeRoleWithWebIdentity",
-        "Condition": {
-          "StringEquals": {
-            "oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>:sub": "system:serviceaccount:<NAMESPACE>:<SERVICE_ACCOUNT_NAME>",
-            "oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>:aud": "sts.amazonaws.com"
-          }
-        }
-      }
-    ]
-  }
-  ```
-
-- 将 `<AWS_ACCOUNT_ID>`、`<REGION>`、`<OIDC_ID>`、`<NAMESPACE>` 和 `<SERVICE_ACCOUNT_NAME>` 替换为您的实际值。
-
-- 添加权限 `ElasticLoadBalancingFullAccess`
+1. 在 IAM 控制台中，创建一个新的身份提供商，并选择 “OpenID Connect”
+   - 提供商URL填写EKS 集群的 OIDC 提供者 URL
+   - 受众填写：`sts.amazonaws.com`
+2. 在 IAM 控制台中，创建一个新的 IAM 角色，并选择 “Custom trust policy”。
+   - 使用以下信任策略，允许 EKS 使用这个角色：
+     ```json
+     {
+       "Version": "2012-10-17",
+       "Statement": [
+         {
+           "Effect": "Allow",
+           "Principal": {
+             "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>"
+           },
+           "Action": "sts:AssumeRoleWithWebIdentity",
+           "Condition": {
+             "StringEquals": {
+               "oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>:sub": "system:serviceaccount:<NAMESPACE>:ack-elbv2-controller",
+               "oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>:aud": "sts.amazonaws.com"
+             }
+           }
+         }
+       ]
+     }
+     ```
+   - 将 `<AWS_ACCOUNT_ID>`、`<REGION>`、`<OIDC_ID>`、`<NAMESPACE>` 和 `<SERVICE_ACCOUNT_NAME>` 替换为您的实际值。
+   - 添加权限 `ElasticLoadBalancingFullAccess`
 
 
 
diff --git a/cloudprovider/amazonswebservices/nlb.go b/cloudprovider/amazonswebservices/nlb.go
@@ -56,10 +56,6 @@ const (
 	NlbAnnotations           = "Annotations"
 	NlbARNAnnoKey            = "service.beta.kubernetes.io/aws-load-balancer-nlb-arn"
 	NlbPortAnnoKey           = "service.beta.kubernetes.io/aws-load-balancer-nlb-port"
-	NlbTypeKey               = "service.beta.kubernetes.io/aws-load-balancer-type"
-	NlbTypeExternal          = "external"
-	NlbTargetTypeKey         = "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type"
-	NlbTargetTypeIP          = "ip"
 	AWSTargetGroupSyncStatus = "aws-load-balancer-nlb-target-group-synced"
 	SvcSelectorKey           = "statefulset.kubernetes.io/pod-name"
 	NlbConfigHashKey         = "game.kruise.io/network-config-hash"
@@ -255,7 +251,7 @@ func (n *NlbPlugin) initLbCache(svcList []corev1.Service) {
 	}
 }
 
-func (n *NlbPlugin) OnPodAdded(client client.Client, pod *corev1.Pod, ctx context.Context) (*corev1.Pod, cperrors.PluginError) {
+func (n *NlbPlugin) OnPodAdded(c client.Client, pod *corev1.Pod, ctx context.Context) (*corev1.Pod, cperrors.PluginError) {
 	return pod, nil
 }
 
@@ -651,7 +647,7 @@ func (n *NlbPlugin) syncTargetGroupAndService(config *nlbConfig,
 		targetGroupName := fmt.Sprintf("%s-%d", pod.GetName(), ports[i])
 		protocol := string(config.backends[i].protocol)
 		targetPort := int64(config.backends[i].targetPort)
-		targetType := NlbTargetTypeIP
+		var targetTypeIP = string(ackv1alpha1.TargetTypeEnum_ip)
 		_, err := controllerutil.CreateOrUpdate(ctx, client, &ackv1alpha1.TargetGroup{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:            targetGroupName,
@@ -679,8 +675,8 @@ func (n *NlbPlugin) syncTargetGroupAndService(config *nlbConfig,
 				Name:                       &targetGroupName,
 				Protocol:                   &protocol,
 				Port:                       &targetPort,
-				TargetType:                 &targetType,
 				VPCID:                      &config.vpcID,
+				TargetType:                 &targetTypeIP,
 				Tags: []*ackv1alpha1.Tag{{Key: ptr.To[string](ResourceTagKey),
 					Value: ptr.To[string](ResourceTagValue)}},
 			},
@@ -700,8 +696,6 @@ func (n *NlbPlugin) syncTargetGroupAndService(config *nlbConfig,
 		})
 	}
 	annotations := map[string]string{
-		NlbTypeKey:       NlbTypeExternal,
-		NlbTargetTypeKey: NlbTargetTypeIP,
 		NlbARNAnnoKey:    lbARN,
 		NlbConfigHashKey: util.GetHash(config),
 	}
@@ -771,7 +765,7 @@ func syncListenerAndTargetGroupBinding(ctx context.Context, client client.Client
 		return err
 	}
 
-	var targetType = elbv2api.TargetTypeIP
+	var targetTypeIP = elbv2api.TargetTypeIP
 	_, err = controllerutil.CreateOrUpdate(ctx, client, &elbv2api.TargetGroupBinding{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:            tg.GetName(),
@@ -784,7 +778,7 @@ func syncListenerAndTargetGroupBinding(ctx context.Context, client client.Client
 		},
 		Spec: elbv2api.TargetGroupBindingSpec{
 			TargetGroupARN: *targetGroupARN,
-			TargetType:     &targetType,
+			TargetType:     &targetTypeIP,
 			ServiceRef: elbv2api.ServiceReference{
 				Name: podName,
 				Port: intstr.FromInt(int(port)),
