Replace NLBs on subnets change

mikkeloscar · mikkeloscar · commit bcc95badc107 · 2023-06-09T13:46:12.000+02:00
Signed-off-by: Mikkel Oscar Lyderik Larsen &lt;mikkel.larsen@zalando.de&gt;
diff --git a/aws/cf.go b/aws/cf.go
@@ -35,6 +35,7 @@ type Stack struct {
 	WAFWebACLID       string
 	CertificateARNs   map[string]time.Time
 	tags              map[string]string
+	Subnets           []string
 }
 
 // IsComplete returns true if the stack status is a complete state.
@@ -480,6 +481,11 @@ func mapToManagedStack(stack *cloudformation.Stack) *Stack {
 		http2 = false
 	}
 
+	var subnets []string
+	if parameters[parameterLoadBalancerSubnetsParameter] != "" {
+		subnets = strings.Split(parameters[parameterLoadBalancerSubnetsParameter], ",")
+	}
+
 	return &Stack{
 		Name:              aws.StringValue(stack.StackName),
 		DNSName:           outputs.dnsName(),
@@ -497,6 +503,7 @@ func mapToManagedStack(stack *cloudformation.Stack) *Stack {
 		statusReason:      aws.StringValue(stack.StackStatusReason),
 		CWAlarmConfigHash: tags[cwAlarmConfigHashTag],
 		WAFWebACLID:       parameters[parameterLoadBalancerWAFWebACLIDParameter],
+		Subnets:           subnets,
 	}
 }
 
diff --git a/worker.go b/worker.go
@@ -333,7 +333,7 @@ func doWork(
 	awsAdapter.UpdateTargetGroupsAndAutoScalingGroups(stacks, problems)
 
 	certs := NewCertificates(certificateSummaries)
-	model := buildManagedModel(certs, certsPerALB, certTTL, ingresses, stacks, cwAlarms, globalWAFACL)
+	model := buildManagedModel(certs, certsPerALB, certTTL, ingresses, stacks, cwAlarms, globalWAFACL, awsAdapter.FindLBSubnets)
 	log.Debugf("Have %d model(s)", len(model))
 	for _, loadBalancer := range model {
 		switch loadBalancer.Status() {
@@ -408,6 +408,7 @@ func matchIngressesToLoadBalancers(
 	certs CertificatesFinder,
 	certsPerALB int,
 	ingresses []*kubernetes.Ingress,
+	subnetsByScheme func(scheme string) []string,
 ) []*loadBalancer {
 	clusterLocalLB := &loadBalancer{
 		clusterLocal: true,
@@ -451,6 +452,15 @@ func matchIngressesToLoadBalancers(
 				continue
 			}
 
+			// Ignore NLBs with a wrong set of subnets
+			if lb.loadBalancerType == aws.LoadBalancerTypeNetwork {
+				subnets := subnetsByScheme(lb.scheme)
+
+				if !equalSlices[string](lb.stack.Subnets, subnets) {
+					continue
+				}
+			}
+
 			if lb.addIngress(certificateARNs, ingress, certsPerALB) {
 				added = true
 				break
@@ -516,11 +526,12 @@ func buildManagedModel(
 	stacks []*aws.Stack,
 	cwAlarms aws.CloudWatchAlarmList,
 	globalWAFACL string,
+	subnetsByScheme func(scheme string) []string,
 ) []*loadBalancer {
 	sortStacks(stacks)
 	attachGlobalWAFACL(ingresses, globalWAFACL)
 	model := getAllLoadBalancers(certs, certTTL, stacks)
-	model = matchIngressesToLoadBalancers(model, certs, certsPerALB, ingresses)
+	model = matchIngressesToLoadBalancers(model, certs, certsPerALB, ingresses, subnetsByScheme)
 	attachCloudWatchAlarms(model, cwAlarms)
 
 	return model
@@ -710,3 +721,25 @@ func cniEventHandler(ctx context.Context, targetCNIcfg *aws.TargetCNIconfig,
 		}
 	}
 }
+
+func equalSlices[T comparable](a, b []T) bool {
+	if len(a) != len(b) {
+		return false
+	}
+
+	for _, aElem := range a {
+		found := false
+		for _, bElem := range b {
+			if aElem == bElem {
+				found = true
+				break
+			}
+		}
+
+		if !found {
+			return false
+		}
+	}
+
+	return true
+}
diff --git a/worker_test.go b/worker_test.go
@@ -20,6 +20,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/zalando-incubator/kube-ingress-aws-controller/aws"
 	awsAdapter "github.com/zalando-incubator/kube-ingress-aws-controller/aws"
 	"github.com/zalando-incubator/kube-ingress-aws-controller/certs"
 	"github.com/zalando-incubator/kube-ingress-aws-controller/kubernetes"
@@ -953,6 +954,7 @@ func TestMatchIngressesToLoadbalancers(t *testing.T) {
 		maxCertsPerLB int
 		lbs           []*loadBalancer
 		ingresses     []*kubernetes.Ingress
+		subnets       []string
 		validate      func(*testing.T, []*loadBalancer)
 	}{{
 		title: "only cluster local",
@@ -1135,6 +1137,37 @@ func TestMatchIngressesToLoadbalancers(t *testing.T) {
 				require.Equal(t, 1, len(lb.ingresses["foo"]))
 			}
 		},
+	}, {
+		title: "load balancer with invalid subnets",
+		ingresses: []*kubernetes.Ingress{{
+			Name: "foo-ingress",
+			Hostnames: []string{
+				"foo.org",
+				"bar.org",
+			},
+			LoadBalancerType: awsAdapter.LoadBalancerTypeNetwork,
+			Shared:           true,
+		}},
+		lbs: []*loadBalancer{{
+			loadBalancerType: awsAdapter.LoadBalancerTypeNetwork,
+			ingresses:        make(map[string][]*kubernetes.Ingress),
+			stack:            &aws.Stack{Subnets: []string{"a", "b", "c"}},
+		}},
+		validate: func(t *testing.T, lbs []*loadBalancer) {
+			require.Equal(t, 3, len(lbs))
+			for _, lb := range lbs {
+				if lb.clusterLocal {
+					continue
+				}
+
+				if lb.stack != nil && equalSlices[string](lb.stack.Subnets, []string{"a", "b", "c"}) {
+					require.Len(t, lb.ingresses, 0)
+				} else {
+					require.Len(t, lb.ingresses, 1)
+				}
+			}
+		},
+		subnets: []string{"x", "y", "z"},
 	}} {
 		t.Run(test.title, func(t *testing.T) {
 			var certs CertificatesFinder = defaultCerts
@@ -1147,7 +1180,11 @@ func TestMatchIngressesToLoadbalancers(t *testing.T) {
 				maxCertsPerLB = test.maxCertsPerLB
 			}
 
-			lbs := matchIngressesToLoadBalancers(test.lbs, certs, maxCertsPerLB, test.ingresses)
+			subnetsByScheme := func(scheme string) []string {
+				return test.subnets
+			}
+
+			lbs := matchIngressesToLoadBalancers(test.lbs, certs, maxCertsPerLB, test.ingresses, subnetsByScheme)
 			test.validate(t, lbs)
 		})
 	}
@@ -1177,6 +1214,7 @@ func TestBuildModel(t *testing.T) {
 		stacks        []*awsAdapter.Stack
 		alarms        awsAdapter.CloudWatchAlarmList
 		globalWAFACL  string
+		subnets       []string
 		validate      func(*testing.T, []*loadBalancer)
 	}{{
 		title: "no alarm, no waf",
@@ -1323,6 +1361,10 @@ func TestBuildModel(t *testing.T) {
 				maxCertsPerLB = test.maxCertsPerLB
 			}
 
+			subnetsByScheme := func(scheme string) []string {
+				return test.subnets
+			}
+
 			m := buildManagedModel(
 				certs,
 				maxCertsPerLB,
@@ -1331,6 +1373,7 @@ func TestBuildModel(t *testing.T) {
 				test.stacks,
 				test.alarms,
 				test.globalWAFACL,
+				subnetsByScheme,
 			)
 
 			test.validate(t, m)

Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,7 @@ type Stack struct {`
`35`	`35`	`WAFWebACLID string`
`36`	`36`	`CertificateARNs map[string]time.Time`
`37`	`37`	`tags map[string]string`
	`38`	`+ Subnets []string`
`38`	`39`	`}`
`39`	`40`
`40`	`41`	`// IsComplete returns true if the stack status is a complete state.`
`@@ -480,6 +481,11 @@ func mapToManagedStack(stack cloudformation.Stack) Stack {`
`480`	`481`	`http2 = false`
`481`	`482`	`}`
`482`	`483`
	`484`	`+ var subnets []string`
	`485`	`+ if parameters[parameterLoadBalancerSubnetsParameter] != "" {`
	`486`	`+ subnets = strings.Split(parameters[parameterLoadBalancerSubnetsParameter], ",")`
	`487`	`+ }`
	`488`	`+`
`483`	`489`	`return &Stack{`
`484`	`490`	`Name: aws.StringValue(stack.StackName),`
`485`	`491`	`DNSName: outputs.dnsName(),`
`@@ -497,6 +503,7 @@ func mapToManagedStack(stack cloudformation.Stack) Stack {`
`497`	`503`	`statusReason: aws.StringValue(stack.StackStatusReason),`
`498`	`504`	`CWAlarmConfigHash: tags[cwAlarmConfigHashTag],`
`499`	`505`	`WAFWebACLID: parameters[parameterLoadBalancerWAFWebACLIDParameter],`
	`506`	`+ Subnets: subnets,`
`500`	`507`	`}`
`501`	`508`	`}`
`502`	`509`