Pull request kubernetes-sigs#5: Upgrade aws-load-balancer-controller …

…to 2.6.0 Merge in DEL/aws-load-balancer-controller-fork from merge-up to main * commit '195e896b0efbd467694bb9a19de7c5a12c5dde8c': (71 commits) check the canary test result and exit if it failed Apply suggestions from code review Update docs/guide/service/annotations.md Addressing the comment Remove dependency on aws-sdk-go-v2 (kubernetes-sigs#3320) Update live docs for NLB-SG feature release cut v2.6.0 release refactor targetGroupBinding network builder Add support for NLB security groups Allow TLS 1.2 with restricted ciphers for webhooks Update the RSA filter for Cert discovery Doc: Add note for rename behavior of IngressGroup (kubernetes-sigs#3283) Make Ingress validating webhook ignore ingresses not managed by AWS LBC (kubernetes-sigs#3272) add oliviassss as reviewer fix the race condition in pod cache and endpoint resolver Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.11.0 Bump github.com/aws/aws-sdk-go from 1.44.184 to 1.44.294 (kubernetes-sigs#3271) Provide better explanation of failure to find a subnet (kubernetes-sigs#3292) test/framework: replace deprecated ioutil.ReadAll (kubernetes-sigs#3256) Add warning in doc for ServiceMutatorWebhook (kubernetes-sigs#3180) ...
johngmyers · Aug 21, 2023 · 6946b9a · 6946b9a
2 parents d9b1d81 + 195e896
commit 6946b9a
Show file tree

Hide file tree

Showing 94 changed files with 8,176 additions and 681 deletions.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -7,7 +7,7 @@
 <!--
 Please explain the changes you made here.
 
-Help your reviewers my guiding them through your key changes,
+Help your reviewers by guiding them through your key changes,
 implementation decisions etc.
 You can even include snippets of output or screenshots.
 

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+# See https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates#package-ecosystem
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "monthly"
diff --git a/.ko.yaml b/.ko.yaml
@@ -1,4 +1,4 @@
-defaultBaseImage: repocache.nonprod.ppops.net/docker-ecr-public-remote/eks-distro-build-tooling/eks-distro-minimal-base-nonroot:2023-02-22-1677092456.2
+defaultBaseImage: repocache.nonprod.ppops.net/docker-ecr-public-remote/eks-distro-build-tooling/eks-distro-minimal-base-nonroot:2023-06-06-1686078098.2
 builds:
 - env:
   - CGO_ENABLED=0

diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,37 @@
+# syntax=docker/dockerfile:experimental
+ARG BASE_IMAGE
+ARG BUILD_IMAGE
+
+FROM --platform=${TARGETPLATFORM} $BUILD_IMAGE AS base
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN --mount=type=bind,target=. \
+    GOPROXY=direct go mod download
+
+FROM base AS build
+ARG TARGETOS
+ARG TARGETARCH
+ENV VERSION_PKG=sigs.k8s.io/aws-load-balancer-controller/pkg/version
+RUN --mount=type=bind,target=. \
+    --mount=type=cache,target=/root/.cache/go-build \
+    GIT_VERSION=$(git describe --tags --dirty --always) && \
+    GIT_COMMIT=$(git rev-parse HEAD) && \
+    BUILD_DATE=$(date +%Y-%m-%dT%H:%M:%S%z) && \
+    GOOS=${TARGETOS} GOARCH=${TARGETARCH} GO111MODULE=on \
+    CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2" \
+    CGO_LDFLAGS="-Wl,-z,relro,-z,now" \
+    go build -buildmode=pie -tags 'osusergo,netgo,static_build' -ldflags="-s -w -linkmode=external -extldflags '-static-pie' -X ${VERSION_PKG}.GitVersion=${GIT_VERSION} -X ${VERSION_PKG}.GitCommit=${GIT_COMMIT} -X ${VERSION_PKG}.BuildDate=${BUILD_DATE}" -mod=readonly -a -o /out/controller main.go
+
+FROM $BASE_IMAGE as bin-unix
+
+COPY --from=build /out/controller /controller
+ENTRYPOINT ["/controller"]
+
+FROM bin-unix AS bin-linux
+FROM bin-unix AS bin-darwin
+
+FROM bin-${TARGETOS} as bin
diff --git a/Makefile b/Makefile
@@ -2,9 +2,13 @@
 MAKEFILE_PATH = $(dir $(realpath -s $(firstword $(MAKEFILE_LIST))))
 
 # Image URL to use all building/pushing image targets
-VERSION ?= v2.4.6
+VERSION ?= v2.6.0
 DOCKER_REPO ?= repocache.nonprod.ppops.net/temp-docker-local
 IMG ?= ${DOCKER_REPO}/aws-load-balancer-controller:${VERSION}
+# Image URL to use for builder stage in Docker build
+BUILD_IMAGE ?= public.ecr.aws/docker/library/golang:1.20.5
+# Image URL to use for base layer in Docker build
+BASE_IMAGE ?= public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-nonroot:2023-06-06-1686078098.2
 IMG_PLATFORM ?= linux/amd64,linux/arm64
 # ECR doesn't appear to support SPDX SBOM
 IMG_SBOM ?= none
@@ -112,6 +116,15 @@ aws-load-balancer-controller-push: # This target assumes ko is installed. Use `d
       --sbom ${IMG_SBOM} \
       .
 
+# Push the docker image using docker buildx
+docker-push-w-buildx:
+	docker buildx build . --target bin \
+        		--tag $(IMG) \
+				--build-arg BASE_IMAGE=$(BASE_IMAGE) \
+				--build-arg BUILD_IMAGE=$(BUILD_IMAGE) \
+				--push \
+        		--platform ${IMG_PLATFORM}
+
 # find or download controller-gen
 # download controller-gen if necessary
 controller-gen:
@@ -173,7 +186,7 @@ docs-preview: docs-dependencies
 
 # publish the versioned docs using mkdocs mike util
 docs-publish: docs-dependencies
-	pipenv run mike deploy v2.4 latest -p --update-aliases
+	pipenv run mike deploy v2.6 latest -p --update-aliases
 
 # install dependencies needed to preview and publish docs
 docs-dependencies:

diff --git a/OWNERS b/OWNERS
@@ -1,10 +1,16 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+# This OWNERS file should stay in sync:
+# https://github.com/kubernetes/test-infra/blob/master/config/jobs/kubernetes-sigs/aws-load-balancer-controller/OWNERS
+
 approvers:
 - M00nF1sh
 - kishorj
 reviewers:
 - M00nF1sh
 - kishorj
 - johngmyers
+- oliviassss
 emeritus_approvers:
 - bigkraig
 - alejandrox1
diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml
@@ -9,4 +9,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: public.ecr.aws/eks/aws-load-balancer-controller
-  newTag: v2.4.6
+  newTag: v2.6.0
diff --git a/config/webhook/ingressclassparams_validator_patch.yaml b/config/webhook/ingressclassparams_validator_patch.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: webhook
+webhooks:
+  - name: vingressclassparams.elbv2.k8s.aws
+    objectSelector:
+      matchExpressions:
+        - key: app.kubernetes.io/name
+          operator: NotIn
+          values:
+            - aws-load-balancer-controller
diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml
@@ -7,3 +7,5 @@ configurations:
 
 patchesStrategicMerge:
   - pod_mutator_patch.yaml
+  - service_mutator_patch.yaml
+  - ingressclassparams_validator_patch.yaml
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -24,6 +24,25 @@ webhooks:
         resources:
           - pods
     sideEffects: None
+  - admissionReviewVersions:
+      - v1beta1
+    clientConfig:
+      service:
+        name: webhook-service
+        namespace: system
+        path: /mutate-v1-service
+    failurePolicy: Fail
+    name: mservice.elbv2.k8s.aws
+    rules:
+      - apiGroups:
+          - ""
+        apiVersions:
+          - v1
+        operations:
+          - CREATE
+        resources:
+          - services
+    sideEffects: None
   - admissionReviewVersions:
       - v1beta1
     clientConfig:

diff --git a/config/webhook/service_mutator_patch.yaml b/config/webhook/service_mutator_patch.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: webhook
+webhooks:
+  - name: mservice.elbv2.k8s.aws
+    objectSelector:
+      matchExpressions:
+        - key: app.kubernetes.io/name
+          operator: NotIn
+          values:
+            - aws-load-balancer-controller
diff --git a/controllers/ingress/eventhandlers/ingress_events.go b/controllers/ingress/eventhandlers/ingress_events.go
@@ -44,10 +44,12 @@ func (h *enqueueRequestsForIngressEvent) Update(e event.UpdateEvent, queue workq
 	//	1. Ingress annotation updates
 	//	2. Ingress spec updates
 	//	3. Ingress deletion
-	if equality.Semantic.DeepEqual(ingOld.Annotations, ingNew.Annotations) &&
-		equality.Semantic.DeepEqual(ingOld.Spec, ingNew.Spec) &&
-		equality.Semantic.DeepEqual(ingOld.DeletionTimestamp.IsZero(), ingNew.DeletionTimestamp.IsZero()) {
-		return
+	if !equality.Semantic.DeepEqual(ingOld.ResourceVersion, ingNew.ResourceVersion) {
+		if equality.Semantic.DeepEqual(ingOld.Annotations, ingNew.Annotations) &&
+			equality.Semantic.DeepEqual(ingOld.Spec, ingNew.Spec) &&
+			equality.Semantic.DeepEqual(ingOld.DeletionTimestamp.IsZero(), ingNew.DeletionTimestamp.IsZero()) {
+			return
+		}
 	}
 
 	h.enqueueIfBelongsToGroup(queue, ingNew)

diff --git a/controllers/ingress/group_controller.go b/controllers/ingress/group_controller.go
@@ -9,6 +9,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/record"
 	elbv2api "sigs.k8s.io/aws-load-balancer-controller/apis/elbv2/v1beta1"
@@ -45,25 +46,26 @@ const (
 func NewGroupReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorder record.EventRecorder,
 	finalizerManager k8s.FinalizerManager, networkingSGManager networkingpkg.SecurityGroupManager,
 	networkingSGReconciler networkingpkg.SecurityGroupReconciler, subnetsResolver networkingpkg.SubnetsResolver,
-	controllerConfig config.ControllerConfig, backendSGProvider networkingpkg.BackendSGProvider, logger logr.Logger) *groupReconciler {
+	controllerConfig config.ControllerConfig, backendSGProvider networkingpkg.BackendSGProvider,
+	sgResolver networkingpkg.SecurityGroupResolver, logger logr.Logger) *groupReconciler {
 
 	annotationParser := annotations.NewSuffixAnnotationParser(annotations.AnnotationPrefixIngress)
 	authConfigBuilder := ingress.NewDefaultAuthConfigBuilder(annotationParser)
 	enhancedBackendBuilder := ingress.NewDefaultEnhancedBackendBuilder(k8sClient, annotationParser, authConfigBuilder)
 	referenceIndexer := ingress.NewDefaultReferenceIndexer(enhancedBackendBuilder, authConfigBuilder, logger)
 	trackingProvider := tracking.NewDefaultProvider(ingressTagPrefix, controllerConfig.ClusterName)
-	elbv2TaggingManager := elbv2deploy.NewDefaultTaggingManager(cloud.ELBV2(), cloud.VpcID(), controllerConfig.FeatureGates, logger)
+	elbv2TaggingManager := elbv2deploy.NewDefaultTaggingManager(cloud.ELBV2(), cloud.VpcID(), controllerConfig.FeatureGates, cloud.RGT(), logger)
 	modelBuilder := ingress.NewDefaultModelBuilder(k8sClient, eventRecorder,
 		cloud.EC2(), cloud.ACM(),
 		annotationParser, subnetsResolver,
 		authConfigBuilder, enhancedBackendBuilder, trackingProvider, elbv2TaggingManager, controllerConfig.FeatureGates,
 		cloud.VpcID(), controllerConfig.ClusterName, controllerConfig.DefaultTags, controllerConfig.ExternalManagedTags,
-		controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, backendSGProvider,
+		controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, backendSGProvider, sgResolver,
 		controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), logger)
 	stackMarshaller := deploy.NewDefaultStackMarshaller()
 	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler,
 		controllerConfig, ingressTagPrefix, logger)
-	classLoader := ingress.NewDefaultClassLoader(k8sClient)
+	classLoader := ingress.NewDefaultClassLoader(k8sClient, true)
 	classAnnotationMatcher := ingress.NewDefaultClassAnnotationMatcher(controllerConfig.IngressConfig.IngressClass)
 	manageIngressesWithoutIngressClass := controllerConfig.IngressConfig.IngressClass == ""
 	groupLoader := ingress.NewDefaultGroupLoader(k8sClient, eventRecorder, annotationParser, classLoader, classAnnotationMatcher, manageIngressesWithoutIngressClass)
@@ -144,12 +146,6 @@ func (r *groupReconciler) reconcile(ctx context.Context, req ctrl.Request) error
 		}
 	}
 
-	if len(ingGroup.Members) == 0 {
-		if err := r.backendSGProvider.Release(ctx); err != nil {
-			return err
-		}
-	}
-
 	if len(ingGroup.InactiveMembers) > 0 {
 		if err := r.groupFinalizerManager.RemoveGroupFinalizer(ctx, ingGroupID, ingGroup.InactiveMembers); err != nil {
 			r.recordIngressGroupEvent(ctx, ingGroup, corev1.EventTypeWarning, k8s.IngressEventReasonFailedRemoveFinalizer, fmt.Sprintf("Failed remove finalizer due to %v", err))
@@ -162,7 +158,7 @@ func (r *groupReconciler) reconcile(ctx context.Context, req ctrl.Request) error
 }
 
 func (r *groupReconciler) buildAndDeployModel(ctx context.Context, ingGroup ingress.Group) (core.Stack, *elbv2model.LoadBalancer, error) {
-	stack, lb, secrets, err := r.modelBuilder.Build(ctx, ingGroup)
+	stack, lb, secrets, backendSGRequired, err := r.modelBuilder.Build(ctx, ingGroup)
 	if err != nil {
 		r.recordIngressGroupEvent(ctx, ingGroup, corev1.EventTypeWarning, k8s.IngressEventReasonFailedBuildModel, fmt.Sprintf("Failed build model due to %v", err))
 		return nil, nil, err
@@ -180,7 +176,15 @@ func (r *groupReconciler) buildAndDeployModel(ctx context.Context, ingGroup ingr
 	}
 	r.logger.Info("successfully deployed model", "ingressGroup", ingGroup.ID)
 	r.secretsManager.MonitorSecrets(ingGroup.ID.String(), secrets)
-	return stack, lb, err
+	var inactiveResources []types.NamespacedName
+	inactiveResources = append(inactiveResources, k8s.ToSliceOfNamespacedNames(ingGroup.InactiveMembers)...)
+	if !backendSGRequired {
+		inactiveResources = append(inactiveResources, k8s.ToSliceOfNamespacedNames(ingGroup.Members)...)
+	}
+	if err := r.backendSGProvider.Release(ctx, networkingpkg.ResourceTypeIngress, inactiveResources); err != nil {
+		return nil, nil, err
+	}
+	return stack, lb, nil
 }
 
 func (r *groupReconciler) recordIngressGroupEvent(_ context.Context, ingGroup ingress.Group, eventType string, reason string, message string) {

diff --git a/controllers/service/eventhandlers/service_events.go b/controllers/service/eventhandlers/service_events.go
@@ -39,10 +39,12 @@ func (h *enqueueRequestsForServiceEvent) Update(e event.UpdateEvent, queue workq
 	oldSvc := e.ObjectOld.(*corev1.Service)
 	newSvc := e.ObjectNew.(*corev1.Service)
 
-	if equality.Semantic.DeepEqual(oldSvc.Annotations, newSvc.Annotations) &&
-		equality.Semantic.DeepEqual(oldSvc.Spec, newSvc.Spec) &&
-		equality.Semantic.DeepEqual(oldSvc.DeletionTimestamp.IsZero(), newSvc.DeletionTimestamp.IsZero()) {
-		return
+	if !equality.Semantic.DeepEqual(oldSvc.ResourceVersion, newSvc.ResourceVersion) {
+		if equality.Semantic.DeepEqual(oldSvc.Annotations, newSvc.Annotations) &&
+			equality.Semantic.DeepEqual(oldSvc.Spec, newSvc.Spec) &&
+			equality.Semantic.DeepEqual(oldSvc.DeletionTimestamp.IsZero(), newSvc.DeletionTimestamp.IsZero()) {
+			return
+		}
 	}
 
 	h.enqueueManagedService(queue, newSvc)