Add support for NLB instance mode (#1832)

* add support for NLB instance mode

* decouple health check default values from builder task

Author: kishorj

controllers/service/eventhandlers/service_events.go

@@ -8,13 +8,12 @@ import (
 	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/workqueue"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
+	svcpkg "sigs.k8s.io/aws-load-balancer-controller/pkg/service"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
 
-const loadBalancerTypeNLBIP = "nlb-ip"
-
 // NewEnqueueRequestForServiceEvent constructs new enqueueRequestsForServiceEvent.
 func NewEnqueueRequestForServiceEvent(eventRecorder record.EventRecorder, annotationParser annotations.Parser, logger logr.Logger) *enqueueRequestsForServiceEvent {
 	return &enqueueRequestsForServiceEvent{
@@ -61,7 +60,13 @@ func (h *enqueueRequestsForServiceEvent) Generic(e event.GenericEvent, queue wor
 func (h *enqueueRequestsForServiceEvent) isServiceSupported(service *corev1.Service) bool {
 	lbType := ""
 	_ = h.annotationParser.ParseStringAnnotation(annotations.SvcLBSuffixLoadBalancerType, &lbType, service.Annotations)
-	if lbType == loadBalancerTypeNLBIP {
+	if lbType == svcpkg.LoadBalancerTypeNLBIP {
+		return true
+	}
+	var lbTargetType string
+	_ = h.annotationParser.ParseStringAnnotation(annotations.SvcLBSuffixTargetType, &lbTargetType, service.Annotations)
+	if lbType == svcpkg.LoadBalancerTypeExternal && (lbTargetType == svcpkg.LoadBalancerTargetTypeNLBIP ||
+		lbTargetType == svcpkg.LoadBalancerTargetTypeNLBInstance) {
 		return true
 	}
 	return false

pkg/annotations/constants.go

@@ -71,4 +71,6 @@ const (
 	SvcLBSuffixTargetGroupAttributes         = "aws-load-balancer-target-group-attributes"
 	SvcLBSuffixSubnets                       = "aws-load-balancer-subnets"
 	SvcLBSuffixALPNPolicy                    = "aws-load-balancer-alpn-policy"
+	SvcLBSuffixTargetType                    = "aws-load-balancer-target-type"
+	SvcLBSuffixTargetNodeLabels              = "aws-load-balancer-target-node-labels"
 )

pkg/deploy/elbv2/target_group_binding_manager.go

@@ -185,6 +185,7 @@ func buildK8sTargetGroupBindingSpec(ctx context.Context, resTGB *elbv2model.Targ
 		}
 		k8sTGBSpec.Networking = &k8sTGBNetworking
 	}
+	k8sTGBSpec.NodeSelector = resTGB.Spec.Template.Spec.NodeSelector
 	return k8sTGBSpec, nil
 }
 

pkg/model/elbv2/target_group_binding.go

@@ -95,6 +95,10 @@ type TargetGroupBindingSpec struct {
 	// networking provides the networking setup for ELBV2 LoadBalancer to access targets in TargetGroup.
 	// +optional
 	Networking *TargetGroupBindingNetworking `json:"networking,omitempty"`
+
+	// node selector for instance type target groups to only register certain nodes
+	// +optional
+	NodeSelector *metav1.LabelSelector `json:"nodeSelector,omitempty"`
 }
 
 // Template for TargetGroupBinding Custom Resource.

pkg/service/model_build_target_group.go

@@ -32,11 +32,11 @@ func (t *defaultModelBuildTask) buildTargetGroup(ctx context.Context, port corev
 	if targetGroup, exists := t.tgByResID[tgResourceID]; exists {
 		return targetGroup, nil
 	}
-	healthCheckConfig, err := t.buildTargetGroupHealthCheckConfig(ctx)
+	targetType, err := t.buildTargetType(ctx)
 	if err != nil {
 		return nil, err
 	}
-	targetType, err := t.buildTargetType(ctx)
+	healthCheckConfig, err := t.buildTargetGroupHealthCheckConfig(ctx, targetType)
 	if err != nil {
 		return nil, err
 	}
@@ -53,8 +53,11 @@ func (t *defaultModelBuildTask) buildTargetGroup(ctx context.Context, port corev
 		return nil, err
 	}
 	targetGroup := elbv2model.NewTargetGroup(t.stack, tgResourceID, tgSpec)
+	_, err = t.buildTargetGroupBinding(ctx, targetGroup, preserveClientIP, port, healthCheckConfig)
+	if err != nil {
+		return nil, err
+	}
 	t.tgByResID[tgResourceID] = targetGroup
-	_ = t.buildTargetGroupBinding(ctx, targetGroup, preserveClientIP, port, healthCheckConfig)
 	return targetGroup, nil
 }
 
@@ -77,28 +80,70 @@ func (t *defaultModelBuildTask) buildTargetGroupSpec(ctx context.Context, tgProt
 	}, nil
 }
 
-func (t *defaultModelBuildTask) buildTargetGroupHealthCheckConfig(ctx context.Context) (*elbv2model.TargetGroupHealthCheckConfig, error) {
-	healthCheckProtocol, err := t.buildTargetGroupHealthCheckProtocol(ctx)
+func (t *defaultModelBuildTask) buildTargetGroupHealthCheckConfig(ctx context.Context, targetType elbv2model.TargetType) (*elbv2model.TargetGroupHealthCheckConfig, error) {
+	if targetType == elbv2model.TargetTypeInstance && t.service.Spec.ExternalTrafficPolicy == corev1.ServiceExternalTrafficPolicyTypeLocal {
+		return t.buildTargetGroupHealthCheckConfigForInstanceModeLocal(ctx)
+	}
+	return t.buildTargetGroupHealthCheckConfigDefault(ctx)
+}
+
+func (t *defaultModelBuildTask) buildTargetGroupHealthCheckConfigDefault(ctx context.Context) (*elbv2model.TargetGroupHealthCheckConfig, error) {
+	healthCheckProtocol, err := t.buildTargetGroupHealthCheckProtocol(ctx, t.defaultHealthCheckProtocol)
 	if err != nil {
 		return nil, err
 	}
 	var healthCheckPathPtr *string
 	if healthCheckProtocol != elbv2model.ProtocolTCP {
-		healthCheckPathPtr = t.buildTargetGroupHealthCheckPath(ctx)
+		healthCheckPathPtr = t.buildTargetGroupHealthCheckPath(ctx, t.defaultHealthCheckPath)
 	}
-	healthCheckPort, err := t.buildTargetGroupHealthCheckPort(ctx)
+	healthCheckPort, err := t.buildTargetGroupHealthCheckPort(ctx, t.defaultHealthCheckPort)
 	if err != nil {
 		return nil, err
 	}
-	intervalSeconds, err := t.buildTargetGroupHealthCheckIntervalSeconds(ctx)
+	intervalSeconds, err := t.buildTargetGroupHealthCheckIntervalSeconds(ctx, t.defaultHealthCheckInterval)
 	if err != nil {
 		return nil, err
 	}
-	healthyThresholdCount, err := t.buildTargetGroupHealthCheckHealthyThresholdCount(ctx)
+	healthyThresholdCount, err := t.buildTargetGroupHealthCheckHealthyThresholdCount(ctx, t.defaultHealthCheckHealthyThreshold)
 	if err != nil {
 		return nil, err
 	}
-	unhealthyThresholdCount, err := t.buildTargetGroupHealthCheckUnhealthyThresholdCount(ctx)
+	unhealthyThresholdCount, err := t.buildTargetGroupHealthCheckUnhealthyThresholdCount(ctx, t.defaultHealthCheckUnhealthyThreshold)
+	if err != nil {
+		return nil, err
+	}
+	return &elbv2model.TargetGroupHealthCheckConfig{
+		Port:                    &healthCheckPort,
+		Protocol:                &healthCheckProtocol,
+		Path:                    healthCheckPathPtr,
+		IntervalSeconds:         &intervalSeconds,
+		HealthyThresholdCount:   &healthyThresholdCount,
+		UnhealthyThresholdCount: &unhealthyThresholdCount,
+	}, nil
+}
+
+func (t *defaultModelBuildTask) buildTargetGroupHealthCheckConfigForInstanceModeLocal(ctx context.Context) (*elbv2model.TargetGroupHealthCheckConfig, error) {
+	healthCheckProtocol, err := t.buildTargetGroupHealthCheckProtocol(ctx, t.defaultHealthCheckProtocolForInstanceModeLocal)
+	if err != nil {
+		return nil, err
+	}
+	var healthCheckPathPtr *string
+	if healthCheckProtocol != elbv2model.ProtocolTCP {
+		healthCheckPathPtr = t.buildTargetGroupHealthCheckPath(ctx, t.defaultHealthCheckPathForInstanceModeLocal)
+	}
+	healthCheckPort, err := t.buildTargetGroupHealthCheckPort(ctx, t.defaultHealthCheckPortForInstanceModeLocal)
+	if err != nil {
+		return nil, err
+	}
+	intervalSeconds, err := t.buildTargetGroupHealthCheckIntervalSeconds(ctx, t.defaultHealthCheckIntervalForInstanceModeLocal)
+	if err != nil {
+		return nil, err
+	}
+	healthyThresholdCount, err := t.buildTargetGroupHealthCheckHealthyThresholdCount(ctx, t.defaultHealthCheckHealthyThresholdForInstanceModeLocal)
+	if err != nil {
+		return nil, err
+	}
+	unhealthyThresholdCount, err := t.buildTargetGroupHealthCheckUnhealthyThresholdCount(ctx, t.defaultHealthCheckUnhealthyThresholdForInstanceModeLocal)
 	if err != nil {
 		return nil, err
 	}
@@ -193,21 +238,37 @@ func (t *defaultModelBuildTask) buildPreserveClientIPFlag(_ context.Context, tar
 	return false, nil
 }
 
-func (t *defaultModelBuildTask) buildTargetGroupHealthCheckPort(_ context.Context) (intstr.IntOrString, error) {
-	rawHealthCheckPort := t.defaultHealthCheckPort
+// buildTargetGroupPort constructs the TargetGroup's port.
+// Note: TargetGroup's port is not in the data path as we always register targets with port specified.
+// so this settings don't really matter to our controller, and we do our best to use the most appropriate port as targetGroup's port to avoid UX confusing.
+func (t *defaultModelBuildTask) buildTargetGroupPort(_ context.Context, targetType elbv2model.TargetType, svcPort corev1.ServicePort) int64 {
+	if targetType == elbv2model.TargetTypeInstance {
+		return int64(svcPort.NodePort)
+	}
+	if svcPort.TargetPort.Type == intstr.Int {
+		return int64(svcPort.TargetPort.IntValue())
+	}
+
+	// when a literal targetPort is used, we just use a fixed 1 here as this setting is not in the data path.
+	// also, under extreme edge case, it can actually be different ports for different pods.
+	return 1
+}
+
+func (t *defaultModelBuildTask) buildTargetGroupHealthCheckPort(_ context.Context, defaultHealthCheckPort string) (intstr.IntOrString, error) {
+	rawHealthCheckPort := defaultHealthCheckPort
 	t.annotationParser.ParseStringAnnotation(annotations.SvcLBSuffixHCPort, &rawHealthCheckPort, t.service.Annotations)
-	if rawHealthCheckPort == t.defaultHealthCheckPort {
+	if rawHealthCheckPort == healthCheckPortTrafficPort {
 		return intstr.FromString(rawHealthCheckPort), nil
 	}
-	var portVal int64
-	if _, err := t.annotationParser.ParseInt64Annotation(annotations.SvcLBSuffixHCPort, &portVal, t.service.Annotations); err != nil {
-		return intstr.IntOrString{}, err
+	portVal, err := strconv.ParseInt(rawHealthCheckPort, 10, 64)
+	if err != nil {
+		return intstr.IntOrString{}, errors.Errorf("health check port \"%v\" not supported", rawHealthCheckPort)
 	}
 	return intstr.FromInt(int(portVal)), nil
 }
 
-func (t *defaultModelBuildTask) buildTargetGroupHealthCheckProtocol(_ context.Context) (elbv2model.Protocol, error) {
-	rawHealthCheckProtocol := string(t.defaultHealthCheckProtocol)
+func (t *defaultModelBuildTask) buildTargetGroupHealthCheckProtocol(_ context.Context, defaultHealthCheckProtocol elbv2model.Protocol) (elbv2model.Protocol, error) {
+	rawHealthCheckProtocol := string(defaultHealthCheckProtocol)
 	t.annotationParser.ParseStringAnnotation(annotations.SvcLBSuffixHCProtocol, &rawHealthCheckProtocol, t.service.Annotations)
 	switch strings.ToUpper(rawHealthCheckProtocol) {
 	case string(elbv2model.ProtocolTCP):
@@ -221,62 +282,56 @@ func (t *defaultModelBuildTask) buildTargetGroupHealthCheckProtocol(_ context.Co
 	}
 }
 
-// buildTargetGroupPort constructs the TargetGroup's port.
-// Note: TargetGroup's port is not in the data path as we always register targets with port specified.
-// so this settings don't really matter to our controller, and we do our best to use the most appropriate port as targetGroup's port to avoid UX confusing.
-func (t *defaultModelBuildTask) buildTargetGroupPort(_ context.Context, targetType elbv2model.TargetType, svcPort corev1.ServicePort) int64 {
-	if targetType == elbv2model.TargetTypeInstance {
-		return int64(svcPort.NodePort)
-	}
-	if svcPort.TargetPort.Type == intstr.Int {
-		return int64(svcPort.TargetPort.IntValue())
-	}
-
-	// when a literal targetPort is used, we just use a fixed 1 here as this setting is not in the data path.
-	// also, under extreme edge case, it can actually be different ports for different pods.
-	return 1
-}
-
-func (t *defaultModelBuildTask) buildTargetGroupHealthCheckPath(_ context.Context) *string {
-	healthCheckPath := t.defaultHealthCheckPath
+func (t *defaultModelBuildTask) buildTargetGroupHealthCheckPath(_ context.Context, defaultHealthCheckPath string) *string {
+	healthCheckPath := defaultHealthCheckPath
 	t.annotationParser.ParseStringAnnotation(annotations.SvcLBSuffixHCPath, &healthCheckPath, t.service.Annotations)
 	return &healthCheckPath
 }
 
-func (t *defaultModelBuildTask) buildTargetGroupHealthCheckIntervalSeconds(_ context.Context) (int64, error) {
-	intervalSeconds := t.defaultHealthCheckInterval
+func (t *defaultModelBuildTask) buildTargetGroupHealthCheckIntervalSeconds(_ context.Context, defaultHealthCheckInterval int64) (int64, error) {
+	intervalSeconds := defaultHealthCheckInterval
 	if _, err := t.annotationParser.ParseInt64Annotation(annotations.SvcLBSuffixHCInterval, &intervalSeconds, t.service.Annotations); err != nil {
 		return 0, err
 	}
 	return intervalSeconds, nil
 }
 
-func (t *defaultModelBuildTask) buildTargetGroupHealthCheckTimeoutSeconds(_ context.Context) (int64, error) {
-	timeoutSeconds := t.defaultHealthCheckTimeout
+func (t *defaultModelBuildTask) buildTargetGroupHealthCheckTimeoutSeconds(_ context.Context, defaultHealthCheckTimeout int64) (int64, error) {
+	timeoutSeconds := defaultHealthCheckTimeout
 	if _, err := t.annotationParser.ParseInt64Annotation(annotations.SvcLBSuffixHCTimeout, &timeoutSeconds, t.service.Annotations); err != nil {
 		return 0, err
 	}
 	return timeoutSeconds, nil
 }
 
-func (t *defaultModelBuildTask) buildTargetGroupHealthCheckHealthyThresholdCount(_ context.Context) (int64, error) {
-	healthyThresholdCount := t.defaultHealthCheckHealthyThreshold
+func (t *defaultModelBuildTask) buildTargetGroupHealthCheckHealthyThresholdCount(_ context.Context, defaultHealthCheckHealthyThreshold int64) (int64, error) {
+	healthyThresholdCount := defaultHealthCheckHealthyThreshold
 	if _, err := t.annotationParser.ParseInt64Annotation(annotations.SvcLBSuffixHCHealthyThreshold, &healthyThresholdCount, t.service.Annotations); err != nil {
 		return 0, err
 	}
 	return healthyThresholdCount, nil
 }
 
-func (t *defaultModelBuildTask) buildTargetGroupHealthCheckUnhealthyThresholdCount(_ context.Context) (int64, error) {
-	unhealthyThresholdCount := t.defaultHealthCheckUnhealthyThreshold
+func (t *defaultModelBuildTask) buildTargetGroupHealthCheckUnhealthyThresholdCount(_ context.Context, defaultHealthCheckUnhealthyThreshold int64) (int64, error) {
+	unhealthyThresholdCount := defaultHealthCheckUnhealthyThreshold
 	if _, err := t.annotationParser.ParseInt64Annotation(annotations.SvcLBSuffixHCUnhealthyThreshold, &unhealthyThresholdCount, t.service.Annotations); err != nil {
 		return 0, err
 	}
 	return unhealthyThresholdCount, nil
 }
 
 func (t *defaultModelBuildTask) buildTargetType(_ context.Context) (elbv2model.TargetType, error) {
-	return elbv2model.TargetTypeIP, nil
+	var lbType string
+	_ = t.annotationParser.ParseStringAnnotation(annotations.SvcLBSuffixLoadBalancerType, &lbType, t.service.Annotations)
+	var lbTargetType string
+	_ = t.annotationParser.ParseStringAnnotation(annotations.SvcLBSuffixTargetType, &lbTargetType, t.service.Annotations)
+	if lbType == LoadBalancerTargetTypeNLBIP || (lbType == LoadBalancerTypeExternal && lbTargetType == LoadBalancerTargetTypeNLBIP) {
+		return elbv2model.TargetTypeIP, nil
+	}
+	if lbType == LoadBalancerTypeExternal && lbTargetType == LoadBalancerTargetTypeNLBInstance {
+		return elbv2model.TargetTypeInstance, nil
+	}
+	return "", errors.Errorf("unsupported target type \"%v\" for load balancer type \"%v\"", lbTargetType, lbType)
 }
 
 func (t *defaultModelBuildTask) buildTargetGroupResourceID(svcKey types.NamespacedName, port intstr.IntOrString) string {
@@ -288,15 +343,26 @@ func (t *defaultModelBuildTask) buildTargetGroupTags(ctx context.Context) (map[s
 }
 
 func (t *defaultModelBuildTask) buildTargetGroupBinding(ctx context.Context, targetGroup *elbv2model.TargetGroup, preserveClientIP bool,
-	port corev1.ServicePort, hc *elbv2model.TargetGroupHealthCheckConfig) *elbv2model.TargetGroupBindingResource {
-	tgbSpec := t.buildTargetGroupBindingSpec(ctx, targetGroup, preserveClientIP, port, hc)
-	return elbv2model.NewTargetGroupBindingResource(t.stack, targetGroup.ID(), tgbSpec)
+	port corev1.ServicePort, hc *elbv2model.TargetGroupHealthCheckConfig) (*elbv2model.TargetGroupBindingResource, error) {
+	tgbSpec, err := t.buildTargetGroupBindingSpec(ctx, targetGroup, preserveClientIP, port, hc)
+	if err != nil {
+		return nil, err
+	}
+	return elbv2model.NewTargetGroupBindingResource(t.stack, targetGroup.ID(), tgbSpec), nil
 }
 
 func (t *defaultModelBuildTask) buildTargetGroupBindingSpec(ctx context.Context, targetGroup *elbv2model.TargetGroup, preserveClientIP bool,
-	port corev1.ServicePort, hc *elbv2model.TargetGroupHealthCheckConfig) elbv2model.TargetGroupBindingResourceSpec {
-	tgbNetworking := t.buildTargetGroupBindingNetworking(ctx, port.TargetPort, preserveClientIP, *hc.Port, port.Protocol)
+	port corev1.ServicePort, hc *elbv2model.TargetGroupHealthCheckConfig) (elbv2model.TargetGroupBindingResourceSpec, error) {
+	nodeSelector, err := t.buildTargetGroupBindingNodeSelector(ctx, targetGroup.Spec.TargetType)
+	if err != nil {
+		return elbv2model.TargetGroupBindingResourceSpec{}, err
+	}
+	targetPort := port.TargetPort
 	targetType := elbv2api.TargetType(targetGroup.Spec.TargetType)
+	if targetType == elbv2api.TargetTypeInstance {
+		targetPort = intstr.FromInt(int(port.NodePort))
+	}
+	tgbNetworking := t.buildTargetGroupBindingNetworking(ctx, targetPort, preserveClientIP, *hc.Port, port.Protocol)
 	return elbv2model.TargetGroupBindingResourceSpec{
 		Template: elbv2model.TargetGroupBindingTemplate{
 			ObjectMeta: metav1.ObjectMeta{
@@ -310,10 +376,11 @@ func (t *defaultModelBuildTask) buildTargetGroupBindingSpec(ctx context.Context,
 					Name: t.service.Name,
 					Port: intstr.FromInt(int(port.Port)),
 				},
-				Networking: tgbNetworking,
+				Networking:   tgbNetworking,
+				NodeSelector: nodeSelector,
 			},
 		},
-	}
+	}, nil
 }
 
 func (t *defaultModelBuildTask) buildPeersFromSourceRanges(_ context.Context) []elbv2model.NetworkingPeer {
@@ -388,3 +455,19 @@ func (t *defaultModelBuildTask) buildTargetGroupBindingNetworking(ctx context.Co
 	}
 	return tgbNetworking
 }
+
+func (t *defaultModelBuildTask) buildTargetGroupBindingNodeSelector(_ context.Context, targetType elbv2model.TargetType) (*metav1.LabelSelector, error) {
+	if targetType != elbv2model.TargetTypeInstance {
+		return nil, nil
+	}
+	var targetNodeLabels map[string]string
+	if _, err := t.annotationParser.ParseStringMapAnnotation(annotations.SvcLBSuffixTargetNodeLabels, &targetNodeLabels, t.service.Annotations); err != nil {
+		return nil, err
+	}
+	if len(targetNodeLabels) == 0 {
+		return nil, nil
+	}
+	return &metav1.LabelSelector{
+		MatchLabels: targetNodeLabels,
+	}, nil
+}