Add --default-load-balancer-scheme command line flag (#3908)

phuhung273 · web-flow · commit 6a2dfeed3401 · 2024-12-06T09:53:45.000-08:00
* ingress

* service

* service test syntax only

* ingress model_builder_test

* service model_builder_test

* refactor param name

* rename doc

* remove uneeded replace change

* rename tests
diff --git a/controllers/ingress/group_controller.go b/controllers/ingress/group_controller.go
@@ -59,7 +59,7 @@ func NewGroupReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorder
 		annotationParser, subnetsResolver,
 		authConfigBuilder, enhancedBackendBuilder, trackingProvider, elbv2TaggingManager, controllerConfig.FeatureGates,
 		cloud.VpcID(), controllerConfig.ClusterName, controllerConfig.DefaultTags, controllerConfig.ExternalManagedTags,
-		controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, backendSGProvider, sgResolver,
+		controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, controllerConfig.DefaultLoadBalancerScheme, backendSGProvider, sgResolver,
 		controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules, controllerConfig.IngressConfig.AllowedCertificateAuthorityARNs, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), logger)
 	stackMarshaller := deploy.NewDefaultStackMarshaller()
 	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler, elbv2TaggingManager,
diff --git a/controllers/service/service_controller.go b/controllers/service/service_controller.go
@@ -45,7 +45,7 @@ func NewServiceReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorde
 	serviceUtils := service.NewServiceUtils(annotationParser, serviceFinalizer, controllerConfig.ServiceConfig.LoadBalancerClass, controllerConfig.FeatureGates)
 	modelBuilder := service.NewDefaultModelBuilder(annotationParser, subnetsResolver, vpcInfoProvider, cloud.VpcID(), trackingProvider,
 		elbv2TaggingManager, cloud.EC2(), controllerConfig.FeatureGates, controllerConfig.ClusterName, controllerConfig.DefaultTags, controllerConfig.ExternalManagedTags,
-		controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), serviceUtils,
+		controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, controllerConfig.DefaultLoadBalancerScheme, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), serviceUtils,
 		backendSGProvider, sgResolver, controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules, logger)
 	stackMarshaller := deploy.NewDefaultStackMarshaller()
 	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler, elbv2TaggingManager, controllerConfig, serviceTagPrefix, logger)
diff --git a/docs/deploy/configurations.md b/docs/deploy/configurations.md
@@ -79,6 +79,7 @@ Currently, you can set only 1 namespace to watch in this flag. See [this Kuberne
 | default-ssl-policy                                                              | string                          | ELBSecurityPolicy-2016-08                  | Default SSL Policy that will be applied to all Ingresses or Services that do not have the SSL Policy annotation                                |
 | default-tags                                                                    | stringMap                       |                                            | AWS Tags that will be applied to all AWS resources managed by this controller. Specified Tags takes highest priority                           |
 | default-target-type                                                             | string                          | instance                                   | Default target type for Ingresses and Services - ip, instance                                                                                  |
+| default-load-balancer-scheme                                                    | string                          | internal                                   | Default scheme for ELBs - internal,  internet-facing                                                                                  |
 | [disable-ingress-class-annotation](#disable-ingress-class-annotation)           | boolean                         | false                                      | Disable new usage of the `kubernetes.io/ingress.class` annotation                                                                              |
 | [disable-ingress-group-name-annotation](#disable-ingress-group-name-annotation) | boolean                         | false                                      | Disallow new use of the `alb.ingress.kubernetes.io/group.name` annotation                                                                      |
 | disable-restricted-sg-rules                                                     | boolean                         | false                                      | Disable the usage of restricted security group rules                                                                                           |
diff --git a/pkg/config/controller_config.go b/pkg/config/controller_config.go
@@ -17,6 +17,7 @@ const (
 	flagK8sClusterName                               = "cluster-name"
 	flagDefaultTags                                  = "default-tags"
 	flagDefaultTargetType                            = "default-target-type"
+	flagDefaultLoadBalancerScheme                    = "default-load-balancer-scheme"
 	flagExternalManagedTags                          = "external-managed-tags"
 	flagServiceTargetENISGTags                       = "service-target-eni-security-group-tags"
 	flagServiceMaxConcurrentReconciles               = "service-max-concurrent-reconciles"
@@ -72,6 +73,9 @@ type ControllerConfig struct {
 	// Default target type for Ingress and Service objects
 	DefaultTargetType string
 
+	// Default scheme for ELB
+	DefaultLoadBalancerScheme string
+
 	// List of Tag keys on AWS resources that will be managed externally.
 	ExternalManagedTags []string
 
@@ -114,6 +118,8 @@ func (cfg *ControllerConfig) BindFlags(fs *pflag.FlagSet) {
 		"Default AWS Tags that will be applied to all AWS resources managed by this controller")
 	fs.StringVar(&cfg.DefaultTargetType, flagDefaultTargetType, string(elbv2.TargetTypeInstance),
 		"Default target type for Ingresses and Services - ip, instance")
+	fs.StringVar(&cfg.DefaultLoadBalancerScheme, flagDefaultLoadBalancerScheme, string(elbv2.LoadBalancerSchemeInternal),
+		"Default scheme for ELBs")
 	fs.StringSliceVar(&cfg.ExternalManagedTags, flagExternalManagedTags, nil,
 		"List of Tag keys on AWS resources that will be managed externally")
 	fs.IntVar(&cfg.ServiceMaxConcurrentReconciles, flagServiceMaxConcurrentReconciles, defaultMaxConcurrentReconciles,
@@ -162,6 +168,9 @@ func (cfg *ControllerConfig) Validate() error {
 	if err := cfg.validateDefaultTargetType(); err != nil {
 		return err
 	}
+	if err := cfg.validateDefaultLoadBalancerScheme(); err != nil {
+		return err
+	}
 	if err := cfg.validateBackendSecurityGroupConfiguration(); err != nil {
 		return err
 	}
@@ -205,6 +214,15 @@ func (cfg *ControllerConfig) validateDefaultTargetType() error {
 	}
 }
 
+func (cfg *ControllerConfig) validateDefaultLoadBalancerScheme() error {
+	switch cfg.DefaultLoadBalancerScheme {
+	case string(elbv2.LoadBalancerSchemeInternal), string(elbv2.LoadBalancerSchemeInternetFacing):
+		return nil
+	default:
+		return errors.Errorf("invalid value %v for default scheme", cfg.DefaultLoadBalancerScheme)
+	}
+}
+
 func (cfg *ControllerConfig) validateBackendSecurityGroupConfiguration() error {
 	if len(cfg.BackendSecurityGroup) == 0 {
 		return nil
diff --git a/pkg/ingress/model_builder.go b/pkg/ingress/model_builder.go
@@ -42,37 +42,38 @@ func NewDefaultModelBuilder(k8sClient client.Client, eventRecorder record.EventR
 	annotationParser annotations.Parser, subnetsResolver networkingpkg.SubnetsResolver,
 	authConfigBuilder AuthConfigBuilder, enhancedBackendBuilder EnhancedBackendBuilder,
 	trackingProvider tracking.Provider, elbv2TaggingManager elbv2deploy.TaggingManager, featureGates config.FeatureGates,
-	vpcID string, clusterName string, defaultTags map[string]string, externalManagedTags []string, defaultSSLPolicy string, defaultTargetType string,
+	vpcID string, clusterName string, defaultTags map[string]string, externalManagedTags []string, defaultSSLPolicy string, defaultTargetType string, defaultLoadBalancerScheme string,
 	backendSGProvider networkingpkg.BackendSGProvider, sgResolver networkingpkg.SecurityGroupResolver,
 	enableBackendSG bool, disableRestrictedSGRules bool, allowedCAARNs []string, enableIPTargetType bool, logger logr.Logger) *defaultModelBuilder {
 	certDiscovery := NewACMCertDiscovery(acmClient, allowedCAARNs, logger)
 	ruleOptimizer := NewDefaultRuleOptimizer(logger)
 	return &defaultModelBuilder{
-		k8sClient:                k8sClient,
-		eventRecorder:            eventRecorder,
-		ec2Client:                ec2Client,
-		elbv2Client:              elbv2Client,
-		vpcID:                    vpcID,
-		clusterName:              clusterName,
-		annotationParser:         annotationParser,
-		subnetsResolver:          subnetsResolver,
-		backendSGProvider:        backendSGProvider,
-		sgResolver:               sgResolver,
-		certDiscovery:            certDiscovery,
-		authConfigBuilder:        authConfigBuilder,
-		enhancedBackendBuilder:   enhancedBackendBuilder,
-		ruleOptimizer:            ruleOptimizer,
-		trackingProvider:         trackingProvider,
-		elbv2TaggingManager:      elbv2TaggingManager,
-		featureGates:             featureGates,
-		defaultTags:              defaultTags,
-		externalManagedTags:      sets.NewString(externalManagedTags...),
-		defaultSSLPolicy:         defaultSSLPolicy,
-		defaultTargetType:        elbv2model.TargetType(defaultTargetType),
-		enableBackendSG:          enableBackendSG,
-		disableRestrictedSGRules: disableRestrictedSGRules,
-		enableIPTargetType:       enableIPTargetType,
-		logger:                   logger,
+		k8sClient:                 k8sClient,
+		eventRecorder:             eventRecorder,
+		ec2Client:                 ec2Client,
+		elbv2Client:               elbv2Client,
+		vpcID:                     vpcID,
+		clusterName:               clusterName,
+		annotationParser:          annotationParser,
+		subnetsResolver:           subnetsResolver,
+		backendSGProvider:         backendSGProvider,
+		sgResolver:                sgResolver,
+		certDiscovery:             certDiscovery,
+		authConfigBuilder:         authConfigBuilder,
+		enhancedBackendBuilder:    enhancedBackendBuilder,
+		ruleOptimizer:             ruleOptimizer,
+		trackingProvider:          trackingProvider,
+		elbv2TaggingManager:       elbv2TaggingManager,
+		featureGates:              featureGates,
+		defaultTags:               defaultTags,
+		externalManagedTags:       sets.NewString(externalManagedTags...),
+		defaultSSLPolicy:          defaultSSLPolicy,
+		defaultTargetType:         elbv2model.TargetType(defaultTargetType),
+		defaultLoadBalancerScheme: elbv2model.LoadBalancerScheme(defaultLoadBalancerScheme),
+		enableBackendSG:           enableBackendSG,
+		disableRestrictedSGRules:  disableRestrictedSGRules,
+		enableIPTargetType:        enableIPTargetType,
+		logger:                    logger,
 	}
 }
 
@@ -88,24 +89,25 @@ type defaultModelBuilder struct {
 	vpcID       string
 	clusterName string
 
-	annotationParser         annotations.Parser
-	subnetsResolver          networkingpkg.SubnetsResolver
-	backendSGProvider        networkingpkg.BackendSGProvider
-	sgResolver               networkingpkg.SecurityGroupResolver
-	certDiscovery            CertDiscovery
-	authConfigBuilder        AuthConfigBuilder
-	enhancedBackendBuilder   EnhancedBackendBuilder
-	ruleOptimizer            RuleOptimizer
-	trackingProvider         tracking.Provider
-	elbv2TaggingManager      elbv2deploy.TaggingManager
-	featureGates             config.FeatureGates
-	defaultTags              map[string]string
-	externalManagedTags      sets.String
-	defaultSSLPolicy         string
-	defaultTargetType        elbv2model.TargetType
-	enableBackendSG          bool
-	disableRestrictedSGRules bool
-	enableIPTargetType       bool
+	annotationParser          annotations.Parser
+	subnetsResolver           networkingpkg.SubnetsResolver
+	backendSGProvider         networkingpkg.BackendSGProvider
+	sgResolver                networkingpkg.SecurityGroupResolver
+	certDiscovery             CertDiscovery
+	authConfigBuilder         AuthConfigBuilder
+	enhancedBackendBuilder    EnhancedBackendBuilder
+	ruleOptimizer             RuleOptimizer
+	trackingProvider          tracking.Provider
+	elbv2TaggingManager       elbv2deploy.TaggingManager
+	featureGates              config.FeatureGates
+	defaultTags               map[string]string
+	externalManagedTags       sets.String
+	defaultSSLPolicy          string
+	defaultTargetType         elbv2model.TargetType
+	defaultLoadBalancerScheme elbv2model.LoadBalancerScheme
+	enableBackendSG           bool
+	disableRestrictedSGRules  bool
+	enableIPTargetType        bool
 
 	logger logr.Logger
 }
@@ -142,7 +144,7 @@ func (b *defaultModelBuilder) Build(ctx context.Context, ingGroup Group) (core.S
 		defaultTags:                               b.defaultTags,
 		externalManagedTags:                       b.externalManagedTags,
 		defaultIPAddressType:                      elbv2model.IPAddressTypeIPV4,
-		defaultScheme:                             elbv2model.LoadBalancerSchemeInternal,
+		defaultScheme:                             b.defaultLoadBalancerScheme,
 		defaultSSLPolicy:                          b.defaultSSLPolicy,
 		defaultTargetType:                         b.defaultTargetType,
 		defaultBackendProtocol:                    elbv2model.ProtocolHTTP,
diff --git a/pkg/ingress/model_builder_test.go b/pkg/ingress/model_builder_test.go
@@ -605,14 +605,15 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 	}
 
 	tests := []struct {
-		name               string
-		env                env
-		defaultTargetType  string
-		enableIPTargetType *bool
-		args               args
-		fields             fields
-		wantStackPatch     string
-		wantErr            string
+		name                      string
+		env                       env
+		defaultTargetType         string
+		defaultLoadBalancerScheme string
+		enableIPTargetType        *bool
+		args                      args
+		fields                    fields
+		wantStackPatch            string
+		wantErr                   string
 	}{
 		{
 			name: "Ingress - vanilla internal",
@@ -3628,6 +3629,108 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 			}
 		}
 	}
+}`,
+		},
+		{
+			name: "Ingress - vanilla with default-load-balancer-scheme internet-facing",
+			env: env{
+				svcs: []*corev1.Service{ns_1_svc_1, ns_1_svc_2, ns_1_svc_3},
+			},
+			fields: fields{
+				resolveViaDiscoveryCalls: []resolveViaDiscoveryCall{resolveViaDiscoveryCallForInternetFacingLB},
+				listLoadBalancersCalls:   []listLoadBalancersCall{listLoadBalancerCallForEmptyLB},
+				enableBackendSG:          true,
+			},
+			defaultLoadBalancerScheme: string(elbv2model.LoadBalancerSchemeInternetFacing),
+			args: args{
+				ingGroup: Group{
+					ID: GroupID{Namespace: "ns-1", Name: "ing-1"},
+					Members: []ClassifiedIngress{
+						{
+							Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
+								Namespace: "ns-1",
+								Name:      "ing-1",
+							},
+								Spec: networking.IngressSpec{
+									Rules: []networking.IngressRule{
+										{
+											Host: "app-1.example.com",
+											IngressRuleValue: networking.IngressRuleValue{
+												HTTP: &networking.HTTPIngressRuleValue{
+													Paths: []networking.HTTPIngressPath{
+														{
+															Path: "/svc-1",
+															Backend: networking.IngressBackend{
+																Service: &networking.IngressServiceBackend{
+																	Name: ns_1_svc_1.Name,
+																	Port: networking.ServiceBackendPort{
+																		Name: "http",
+																	},
+																},
+															},
+														},
+														{
+															Path: "/svc-2",
+															Backend: networking.IngressBackend{
+																Service: &networking.IngressServiceBackend{
+																	Name: ns_1_svc_2.Name,
+																	Port: networking.ServiceBackendPort{
+																		Name: "http",
+																	},
+																},
+															},
+														},
+													},
+												},
+											},
+										},
+										{
+											Host: "app-2.example.com",
+											IngressRuleValue: networking.IngressRuleValue{
+												HTTP: &networking.HTTPIngressRuleValue{
+													Paths: []networking.HTTPIngressPath{
+														{
+															Path: "/svc-3",
+															Backend: networking.IngressBackend{
+																Service: &networking.IngressServiceBackend{
+																	Name: ns_1_svc_3.Name,
+																	Port: networking.ServiceBackendPort{
+																		Name: "https",
+																	},
+																},
+															},
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			wantStackPatch: `
+{
+	"resources": {
+		"AWS::ElasticLoadBalancingV2::LoadBalancer": {
+			"LoadBalancer": {
+				"spec": {
+					"name": "k8s-ns1-ing1-159dd7a143",
+					"scheme": "internet-facing",
+					"subnetMapping": [
+						{
+							"subnetID": "subnet-c"
+						},
+						{
+							"subnetID": "subnet-d"
+						}
+					]
+				}
+			}
+		}
+	}
 }`,
 		},
 	}
@@ -3681,6 +3784,10 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 			if defaultTargetType == "" {
 				defaultTargetType = "instance"
 			}
+			defaultLoadBalancerScheme := tt.defaultLoadBalancerScheme
+			if defaultLoadBalancerScheme == "" {
+				defaultLoadBalancerScheme = string(elbv2model.LoadBalancerSchemeInternal)
+			}
 
 			b := &defaultModelBuilder{
 				k8sClient:              k8sClient,
@@ -3703,8 +3810,9 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 				featureGates:           config.NewFeatureGates(),
 				logger:                 logr.New(&log.NullLogSink{}),
 
-				defaultSSLPolicy:  "ELBSecurityPolicy-2016-08",
-				defaultTargetType: elbv2model.TargetType(defaultTargetType),
+				defaultSSLPolicy:          "ELBSecurityPolicy-2016-08",
+				defaultTargetType:         elbv2model.TargetType(defaultTargetType),
+				defaultLoadBalancerScheme: elbv2model.LoadBalancerScheme(defaultLoadBalancerScheme),
 			}
 
 			if tt.enableIPTargetType == nil {
diff --git a/pkg/service/model_build_load_balancer.go b/pkg/service/model_build_load_balancer.go
@@ -245,7 +245,7 @@ func (t *defaultModelBuildTask) buildLoadBalancerScheme(ctx context.Context) (el
 			return "", errors.New("invalid load balancer scheme")
 		}
 	}
-	return elbv2model.LoadBalancerSchemeInternal, nil
+	return t.defaultLoadBalancerScheme, nil
 }
 
 func (t *defaultModelBuildTask) buildLoadBalancerSchemeViaAnnotation(ctx context.Context) (elbv2model.LoadBalancerScheme, bool, error) {
diff --git a/pkg/service/model_builder.go b/pkg/service/model_builder.go
diff --git a/pkg/service/model_builder_test.go b/pkg/service/model_builder_test.go

Original file line number	Diff line number	Diff line change
`@@ -245,7 +245,7 @@ func (t *defaultModelBuildTask) buildLoadBalancerScheme(ctx context.Context) (el`
`245`	`245`	`return "", errors.New("invalid load balancer scheme")`
`246`	`246`	`}`
`247`	`247`	`}`
`248`		`- return elbv2model.LoadBalancerSchemeInternal, nil`
	`248`	`+ return t.defaultLoadBalancerScheme, nil`
`249`	`249`	`}`
`250`	`250`
`251`	`251`	`func (t *defaultModelBuildTask) buildLoadBalancerSchemeViaAnnotation(ctx context.Context) (elbv2model.LoadBalancerScheme, bool, error) {`