Saving changes

Makefile

@@ -2,7 +2,7 @@
 MAKEFILE_PATH = $(dir $(realpath -s $(firstword $(MAKEFILE_LIST))))
 
 # Image URL to use all building/pushing image targets
-IMG ?= public.ecr.aws/eks/aws-load-balancer-controller:v2.7.0
+IMG ?= 238177055437.dkr.ecr.us-east-1.amazonaws.com/shrabang-dev:v2.8.1
 # Image URL to use for builder stage in Docker build
 BUILD_IMAGE ?= public.ecr.aws/docker/library/golang:1.21.5
 # Image URL to use for base layer in Docker build

controllers/ingress/group_controller.go

@@ -120,6 +120,7 @@ func (r *groupReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl
 
 func (r *groupReconciler) reconcile(ctx context.Context, req ctrl.Request) error {
 	ingGroupID := ingress.DecodeGroupIDFromReconcileRequest(req)
+	r.logger.Info("starting reconcile", "ingGroupID", ingGroupID)
 	ingGroup, err := r.groupLoader.Load(ctx, ingGroupID)
 	if err != nil {
 		return err
@@ -129,6 +130,7 @@ func (r *groupReconciler) reconcile(ctx context.Context, req ctrl.Request) error
 		r.recordIngressGroupEvent(ctx, ingGroup, corev1.EventTypeWarning, k8s.IngressEventReasonFailedAddFinalizer, fmt.Sprintf("Failed add finalizer due to %v", err))
 		return err
 	}
+	r.logger.Info("starting buildAndDeployModel", "ingGroupID", ingGroupID)
 	_, lb, err := r.buildAndDeployModel(ctx, ingGroup)
 	if err != nil {
 		return err

pkg/annotations/constants.go

@@ -6,83 +6,85 @@ const (
 
 	AnnotationPrefixIngress = "alb.ingress.kubernetes.io"
 	// Ingress annotation suffixes
-	IngressSuffixLoadBalancerName             = "load-balancer-name"
-	IngressSuffixGroupName                    = "group.name"
-	IngressSuffixGroupOrder                   = "group.order"
-	IngressSuffixTags                         = "tags"
-	IngressSuffixIPAddressType                = "ip-address-type"
-	IngressSuffixScheme                       = "scheme"
-	IngressSuffixSubnets                      = "subnets"
-	IngressSuffixCustomerOwnedIPv4Pool        = "customer-owned-ipv4-pool"
-	IngressSuffixLoadBalancerAttributes       = "load-balancer-attributes"
-	IngressSuffixWAFv2ACLARN                  = "wafv2-acl-arn"
-	IngressSuffixWAFACLID                     = "waf-acl-id"
-	IngressSuffixWebACLID                     = "web-acl-id" // deprecated, use "waf-acl-id" instead.
-	IngressSuffixShieldAdvancedProtection     = "shield-advanced-protection"
-	IngressSuffixSecurityGroups               = "security-groups"
-	IngressSuffixListenPorts                  = "listen-ports"
-	IngressSuffixSSLRedirect                  = "ssl-redirect"
-	IngressSuffixInboundCIDRs                 = "inbound-cidrs"
-	IngressSuffixCertificateARN               = "certificate-arn"
-	IngressSuffixSSLPolicy                    = "ssl-policy"
-	IngressSuffixTargetType                   = "target-type"
-	IngressSuffixBackendProtocol              = "backend-protocol"
-	IngressSuffixBackendProtocolVersion       = "backend-protocol-version"
-	IngressSuffixTargetGroupAttributes        = "target-group-attributes"
-	IngressSuffixHealthCheckPort              = "healthcheck-port"
-	IngressSuffixHealthCheckProtocol          = "healthcheck-protocol"
-	IngressSuffixHealthCheckPath              = "healthcheck-path"
-	IngressSuffixHealthCheckIntervalSeconds   = "healthcheck-interval-seconds"
-	IngressSuffixHealthCheckTimeoutSeconds    = "healthcheck-timeout-seconds"
-	IngressSuffixHealthyThresholdCount        = "healthy-threshold-count"
-	IngressSuffixUnhealthyThresholdCount      = "unhealthy-threshold-count"
-	IngressSuffixSuccessCodes                 = "success-codes"
-	IngressSuffixAuthType                     = "auth-type"
-	IngressSuffixAuthIDPCognito               = "auth-idp-cognito"
-	IngressSuffixAuthIDPOIDC                  = "auth-idp-oidc"
-	IngressSuffixAuthOnUnauthenticatedRequest = "auth-on-unauthenticated-request"
-	IngressSuffixAuthScope                    = "auth-scope"
-	IngressSuffixAuthSessionCookie            = "auth-session-cookie"
-	IngressSuffixAuthSessionTimeout           = "auth-session-timeout"
-	IngressSuffixTargetNodeLabels             = "target-node-labels"
-	IngressSuffixManageSecurityGroupRules     = "manage-backend-security-group-rules"
-	IngressSuffixMutualAuthentication         = "mutual-authentication"
+	IngressSuffixLoadBalancerName               = "load-balancer-name"
+	IngressSuffixGroupName                      = "group.name"
+	IngressSuffixGroupOrder                     = "group.order"
+	IngressSuffixTags                           = "tags"
+	IngressSuffixIPAddressType                  = "ip-address-type"
+	IngressSuffixScheme                         = "scheme"
+	IngressSuffixSubnets                        = "subnets"
+	IngressSuffixCustomerOwnedIPv4Pool          = "customer-owned-ipv4-pool"
+	IngressSuffixLoadBalancerAttributes         = "load-balancer-attributes"
+	IngressSuffixWAFv2ACLARN                    = "wafv2-acl-arn"
+	IngressSuffixWAFACLID                       = "waf-acl-id"
+	IngressSuffixWebACLID                       = "web-acl-id" // deprecated, use "waf-acl-id" instead.
+	IngressSuffixShieldAdvancedProtection       = "shield-advanced-protection"
+	IngressSuffixSecurityGroups                 = "security-groups"
+	IngressSuffixListenPorts                    = "listen-ports"
+	IngressSuffixSSLRedirect                    = "ssl-redirect"
+	IngressSuffixInboundCIDRs                   = "inbound-cidrs"
+	IngressSuffixCertificateARN                 = "certificate-arn"
+	IngressSuffixSSLPolicy                      = "ssl-policy"
+	IngressSuffixTargetType                     = "target-type"
+	IngressSuffixBackendProtocol                = "backend-protocol"
+	IngressSuffixBackendProtocolVersion         = "backend-protocol-version"
+	IngressSuffixTargetGroupAttributes          = "target-group-attributes"
+	IngressSuffixHealthCheckPort                = "healthcheck-port"
+	IngressSuffixHealthCheckProtocol            = "healthcheck-protocol"
+	IngressSuffixHealthCheckPath                = "healthcheck-path"
+	IngressSuffixHealthCheckIntervalSeconds     = "healthcheck-interval-seconds"
+	IngressSuffixHealthCheckTimeoutSeconds      = "healthcheck-timeout-seconds"
+	IngressSuffixHealthyThresholdCount          = "healthy-threshold-count"
+	IngressSuffixUnhealthyThresholdCount        = "unhealthy-threshold-count"
+	IngressSuffixSuccessCodes                   = "success-codes"
+	IngressSuffixAuthType                       = "auth-type"
+	IngressSuffixAuthIDPCognito                 = "auth-idp-cognito"
+	IngressSuffixAuthIDPOIDC                    = "auth-idp-oidc"
+	IngressSuffixAuthOnUnauthenticatedRequest   = "auth-on-unauthenticated-request"
+	IngressSuffixAuthScope                      = "auth-scope"
+	IngressSuffixAuthSessionCookie              = "auth-session-cookie"
+	IngressSuffixAuthSessionTimeout             = "auth-session-timeout"
+	IngressSuffixTargetNodeLabels               = "target-node-labels"
+	IngressSuffixManageSecurityGroupRules       = "manage-backend-security-group-rules"
+	IngressSuffixMutualAuthentication           = "mutual-authentication"
+	IngressSuffixExternalManagedLoadBalancerARN = "external-managed-lb-arn"
 
 	// NLB annotation suffixes
 	// prefixes service.beta.kubernetes.io, service.kubernetes.io
-	SvcLBSuffixSourceRanges                  = "load-balancer-source-ranges"
-	SvcLBSuffixLoadBalancerType              = "aws-load-balancer-type"
-	SvcLBSuffixTargetType                    = "aws-load-balancer-nlb-target-type"
-	SvcLBSuffixLoadBalancerName              = "aws-load-balancer-name"
-	SvcLBSuffixScheme                        = "aws-load-balancer-scheme"
-	SvcLBSuffixInternal                      = "aws-load-balancer-internal"
-	SvcLBSuffixProxyProtocol                 = "aws-load-balancer-proxy-protocol"
-	SvcLBSuffixIPAddressType                 = "aws-load-balancer-ip-address-type"
-	SvcLBSuffixAccessLogEnabled              = "aws-load-balancer-access-log-enabled"
-	SvcLBSuffixAccessLogS3BucketName         = "aws-load-balancer-access-log-s3-bucket-name"
-	SvcLBSuffixAccessLogS3BucketPrefix       = "aws-load-balancer-access-log-s3-bucket-prefix"
-	SvcLBSuffixCrossZoneLoadBalancingEnabled = "aws-load-balancer-cross-zone-load-balancing-enabled"
-	SvcLBSuffixSSLCertificate                = "aws-load-balancer-ssl-cert"
-	SvcLBSuffixSSLPorts                      = "aws-load-balancer-ssl-ports"
-	SvcLBSuffixSSLNegotiationPolicy          = "aws-load-balancer-ssl-negotiation-policy"
-	SvcLBSuffixBEProtocol                    = "aws-load-balancer-backend-protocol"
-	SvcLBSuffixAdditionalTags                = "aws-load-balancer-additional-resource-tags"
-	SvcLBSuffixHCHealthyThreshold            = "aws-load-balancer-healthcheck-healthy-threshold"
-	SvcLBSuffixHCUnhealthyThreshold          = "aws-load-balancer-healthcheck-unhealthy-threshold"
-	SvcLBSuffixHCTimeout                     = "aws-load-balancer-healthcheck-timeout"
-	SvcLBSuffixHCInterval                    = "aws-load-balancer-healthcheck-interval"
-	SvcLBSuffixHCProtocol                    = "aws-load-balancer-healthcheck-protocol"
-	SvcLBSuffixHCPort                        = "aws-load-balancer-healthcheck-port"
-	SvcLBSuffixHCPath                        = "aws-load-balancer-healthcheck-path"
-	SvcLBSuffixHCSuccessCodes                = "aws-load-balancer-healthcheck-success-codes"
-	SvcLBSuffixTargetGroupAttributes         = "aws-load-balancer-target-group-attributes"
-	SvcLBSuffixSubnets                       = "aws-load-balancer-subnets"
-	SvcLBSuffixEIPAllocations                = "aws-load-balancer-eip-allocations"
-	SvcLBSuffixPrivateIpv4Addresses          = "aws-load-balancer-private-ipv4-addresses"
-	SvcLBSuffixIpv6Addresses                 = "aws-load-balancer-ipv6-addresses"
-	SvcLBSuffixALPNPolicy                    = "aws-load-balancer-alpn-policy"
-	SvcLBSuffixTargetNodeLabels              = "aws-load-balancer-target-node-labels"
-	SvcLBSuffixLoadBalancerAttributes        = "aws-load-balancer-attributes"
-	SvcLBSuffixLoadBalancerSecurityGroups    = "aws-load-balancer-security-groups"
-	SvcLBSuffixManageSGRules                 = "aws-load-balancer-manage-backend-security-group-rules"
+	SvcLBSuffixSourceRanges                   = "load-balancer-source-ranges"
+	SvcLBSuffixLoadBalancerType               = "aws-load-balancer-type"
+	SvcLBSuffixTargetType                     = "aws-load-balancer-nlb-target-type"
+	SvcLBSuffixLoadBalancerName               = "aws-load-balancer-name"
+	SvcLBSuffixScheme                         = "aws-load-balancer-scheme"
+	SvcLBSuffixInternal                       = "aws-load-balancer-internal"
+	SvcLBSuffixProxyProtocol                  = "aws-load-balancer-proxy-protocol"
+	SvcLBSuffixIPAddressType                  = "aws-load-balancer-ip-address-type"
+	SvcLBSuffixAccessLogEnabled               = "aws-load-balancer-access-log-enabled"
+	SvcLBSuffixAccessLogS3BucketName          = "aws-load-balancer-access-log-s3-bucket-name"
+	SvcLBSuffixAccessLogS3BucketPrefix        = "aws-load-balancer-access-log-s3-bucket-prefix"
+	SvcLBSuffixCrossZoneLoadBalancingEnabled  = "aws-load-balancer-cross-zone-load-balancing-enabled"
+	SvcLBSuffixSSLCertificate                 = "aws-load-balancer-ssl-cert"
+	SvcLBSuffixSSLPorts                       = "aws-load-balancer-ssl-ports"
+	SvcLBSuffixSSLNegotiationPolicy           = "aws-load-balancer-ssl-negotiation-policy"
+	SvcLBSuffixBEProtocol                     = "aws-load-balancer-backend-protocol"
+	SvcLBSuffixAdditionalTags                 = "aws-load-balancer-additional-resource-tags"
+	SvcLBSuffixHCHealthyThreshold             = "aws-load-balancer-healthcheck-healthy-threshold"
+	SvcLBSuffixHCUnhealthyThreshold           = "aws-load-balancer-healthcheck-unhealthy-threshold"
+	SvcLBSuffixHCTimeout                      = "aws-load-balancer-healthcheck-timeout"
+	SvcLBSuffixHCInterval                     = "aws-load-balancer-healthcheck-interval"
+	SvcLBSuffixHCProtocol                     = "aws-load-balancer-healthcheck-protocol"
+	SvcLBSuffixHCPort                         = "aws-load-balancer-healthcheck-port"
+	SvcLBSuffixHCPath                         = "aws-load-balancer-healthcheck-path"
+	SvcLBSuffixHCSuccessCodes                 = "aws-load-balancer-healthcheck-success-codes"
+	SvcLBSuffixTargetGroupAttributes          = "aws-load-balancer-target-group-attributes"
+	SvcLBSuffixSubnets                        = "aws-load-balancer-subnets"
+	SvcLBSuffixEIPAllocations                 = "aws-load-balancer-eip-allocations"
+	SvcLBSuffixPrivateIpv4Addresses           = "aws-load-balancer-private-ipv4-addresses"
+	SvcLBSuffixIpv6Addresses                  = "aws-load-balancer-ipv6-addresses"
+	SvcLBSuffixALPNPolicy                     = "aws-load-balancer-alpn-policy"
+	SvcLBSuffixTargetNodeLabels               = "aws-load-balancer-target-node-labels"
+	SvcLBSuffixLoadBalancerAttributes         = "aws-load-balancer-attributes"
+	SvcLBSuffixLoadBalancerSecurityGroups     = "aws-load-balancer-security-groups"
+	SvcLBSuffixManageSGRules                  = "aws-load-balancer-manage-backend-security-group-rules"
+	SvcLBSuffixExternalManagedLoadBalancerARN = "external-managed-lb-arn"
 )

pkg/ingress/model_build_load_balancer.go

@@ -34,7 +34,13 @@ func (t *defaultModelBuildTask) buildLoadBalancer(ctx context.Context, listenPor
 	if err != nil {
 		return nil, err
 	}
-	lb := elbv2model.NewLoadBalancer(t.stack, resourceIDLoadBalancer, lbSpec)
+	lb := elbv2model.NewLoadBalancer(t.stack, resourceIDLoadBalancer, lbSpec, false)
+	t.loadBalancer = lb
+	return lb, nil
+}
+
+func (t *defaultModelBuildTask) buildExternalLoadBalancer(ctx context.Context, listenPortConfigByPort map[int64]listenPortConfig) (*elbv2model.LoadBalancer, error) {
+	lb := elbv2model.NewLoadBalancer(t.stack, resourceIDLoadBalancer, elbv2model.LoadBalancerSpec{}, true)
 	t.loadBalancer = lb
 	return lb, nil
 }
@@ -87,6 +93,33 @@ func (t *defaultModelBuildTask) buildLoadBalancerSpec(ctx context.Context, liste
 
 var invalidLoadBalancerNamePattern = regexp.MustCompile("[[:^alnum:]]")
 
+// buildLoadBalancerIPAddressType builds the LoadBalancer IPAddressType.
+func (t *defaultModelBuildTask) getExternalLoadBalancerArn(_ context.Context) (*string, error) {
+	explicitExternalLoadBalancerArns := sets.NewString()
+	for _, member := range t.ingGroup.Members {
+		//if member.IngClassConfig.IngClassParams != nil && member.IngClassConfig.IngClassParams.Spec.IPAddressType != nil {
+		//	ipAddressType := string(*member.IngClassConfig.IngClassParams.Spec.IPAddressType)
+		//	explicitExternalLbArn.Insert(ipAddressType)
+		//	continue
+		//}
+		rawExternalLoadBalancerArn := ""
+		if exists := t.annotationParser.ParseStringAnnotation(annotations.IngressSuffixExternalManagedLoadBalancerARN, &rawExternalLoadBalancerArn, member.Ing.Annotations); !exists {
+			continue
+		}
+		explicitExternalLoadBalancerArns.Insert(rawExternalLoadBalancerArn)
+	}
+	if len(explicitExternalLoadBalancerArns) == 0 {
+		return nil, nil
+	}
+	if len(explicitExternalLoadBalancerArns) > 1 {
+		return nil, errors.Errorf("conflicting External Load balancer Arns: %v", explicitExternalLoadBalancerArns.List())
+	}
+	rawExternalLoadBalancerArn, _ := explicitExternalLoadBalancerArns.PopAny()
+	//TODO validate arn
+
+	return awssdk.String(rawExternalLoadBalancerArn), nil
+}
+
 func (t *defaultModelBuildTask) buildLoadBalancerName(_ context.Context, scheme elbv2model.LoadBalancerScheme) (string, error) {
 	explicitNames := sets.String{}
 	for _, member := range t.ingGroup.Members {

pkg/ingress/model_builder.go

@@ -220,6 +220,7 @@ type defaultModelBuildTask struct {
 }
 
 func (t *defaultModelBuildTask) run(ctx context.Context) error {
+	t.logger.Info("I am building Model now", "t.ingGroup", t.ingGroup)
 	for _, inactiveMember := range t.ingGroup.InactiveMembers {
 		if !inactiveMember.DeletionTimestamp.IsZero() {
 			deletionProtectionEnabled, err := t.getDeletionProtectionViaAnnotation(inactiveMember)
@@ -235,6 +236,11 @@ func (t *defaultModelBuildTask) run(ctx context.Context) error {
 		return nil
 	}
 
+	externalLBArn, err := t.getExternalLoadBalancerArn(ctx)
+	if err != nil {
+		return err
+	}
+
 	ingListByPort := make(map[int64][]ClassifiedIngress)
 	listenPortConfigsByPort := make(map[int64][]listenPortConfigWithIngress)
 	for _, member := range t.ingGroup.Members {
@@ -261,11 +267,20 @@ func (t *defaultModelBuildTask) run(ctx context.Context) error {
 		listenPortConfigByPort[port] = mergedCfg
 	}
 
-	lb, err := t.buildLoadBalancer(ctx, listenPortConfigByPort)
-	if err != nil {
-		return err
+	var lb *elbv2model.LoadBalancer
+	if externalLBArn == nil {
+		lbCreated, err := t.buildLoadBalancer(ctx, listenPortConfigByPort)
+		if err != nil {
+			return err
+		}
+		lb = lbCreated
+	} else {
+		lbCreated, err := t.buildExternalLoadBalancer(ctx, listenPortConfigByPort)
+		if err != nil {
+			return err
+		}
+		lb = lbCreated
 	}
-
 	t.sslRedirectConfig, err = t.buildSSLRedirectConfig(ctx, listenPortConfigByPort)
 	if err != nil {
 		return err

pkg/model/elbv2/load_balancer.go

@@ -15,20 +15,25 @@ type LoadBalancer struct {
 	// desired state of LoadBalancer
 	Spec LoadBalancerSpec `json:"spec"`
 
+	External bool `json:"external,omitempty"`
+
 	// observed state of LoadBalancer
 	// +optional
 	Status *LoadBalancerStatus `json:"status,omitempty"`
 }
 
 // NewLoadBalancer constructs new LoadBalancer resource.
-func NewLoadBalancer(stack core.Stack, id string, spec LoadBalancerSpec) *LoadBalancer {
+func NewLoadBalancer(stack core.Stack, id string, spec LoadBalancerSpec, isExternal bool) *LoadBalancer {
 	lb := &LoadBalancer{
 		ResourceMeta: core.NewResourceMeta(stack, "AWS::ElasticLoadBalancingV2::LoadBalancer", id),
 		Spec:         spec,
+		External:     isExternal,
 		Status:       nil,
 	}
 	stack.AddResource(lb)
-	lb.registerDependencies(stack)
+	if isExternal == false {
+		lb.registerDependencies(stack)
+	}
 	return lb
 }
 

pkg/service/model_build_load_balancer.go

@@ -43,7 +43,7 @@ func (t *defaultModelBuildTask) buildLoadBalancer(ctx context.Context, scheme el
 	if err != nil {
 		return err
 	}
-	t.loadBalancer = elbv2model.NewLoadBalancer(t.stack, resourceIDLoadBalancer, spec)
+	t.loadBalancer = elbv2model.NewLoadBalancer(t.stack, resourceIDLoadBalancer, spec, false)
 	return nil
 }