add feature gate to allow default tags to be overridden by annotation tags (#4384)

Co-authored-by: Zachary Nixon <nixozach@amazon.com>

Author: mwhittington21

docs/deploy/configurations.md

@@ -189,3 +189,4 @@ There are a set of key=value pairs that describe AWS load balancer controller fe
 | LBCapacityReservation                 | string                          | true         | Enable or disable the capacity reservation feature on ALB and NLB                                                                                                                                                                                                 |
 | EnableTCPUDPListenerType              | string                          | false        | Enable or disable creation of TCP_UDP type listeners. This value can be overriden at the Service level by  the annotation `service.beta.kubernetes.io/aws-load-balancer-enable-tcp-udp-listener`                                                                  |
 | EnhancedDefaultBehavior              | string                          | false        | Enable this feature to allow the controller to remove Provisioned Capacity or mTLS settings by removing the corresponding annotation.                                                                                                                             |
+| EnableDefaultTagsLowPriority          | string                          | false        | If enabled, tags supplied via `--default-tags` will be overridden by tags specified in other manners, like via annotations.                            |

helm/aws-load-balancer-controller/values.yaml

@@ -377,6 +377,7 @@ controllerConfig:
   # LBCapacityReservation: true
   # AGAController: true
   # EnhancedDefaultBehavior: false
+  # EnableDefaultTagsLowPriority: false
 
 certDiscovery:
   allowedCertificateAuthorityARNs: "" # empty means all CAs are in scope

main.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"os"
+
 	elbv2gw "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
 	"sigs.k8s.io/aws-load-balancer-controller/controllers/gateway"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/aws/services"
@@ -123,6 +124,7 @@ func main() {
 		infoLogger.Error(err, "unable to load controller config")
 		os.Exit(1)
 	}
+
 	appLogger := getLoggerWithLogLevel(controllerCFG.LogLevel)
 	ctrl.SetLogger(appLogger)
 	klog.SetLoggerWithOptions(appLogger, klog.ContextualLogger(true))

pkg/config/feature_gates.go

@@ -29,6 +29,7 @@ const (
 	ALBGatewayAPI                 Feature = "ALBGatewayAPI"
 	AGAController                 Feature = "AGAController"
 	EnhancedDefaultBehavior       Feature = "EnhancedDefaultBehavior"
+	EnableDefaultTagsLowPriority  Feature = "EnableDefaultTagsLowPriority"
 )
 
 type FeatureGates interface {
@@ -74,6 +75,7 @@ func NewFeatureGates() FeatureGates {
 			AGAController:                 true,
 			EnableTCPUDPListenerType:      false,
 			EnhancedDefaultBehavior:       false,
+			EnableDefaultTagsLowPriority:  false,
 		},
 	}
 }

pkg/gateway/model/base_model_builder.go

@@ -2,6 +2,7 @@ package model
 
 import (
 	"context"
+
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/addon"
 	config2 "sigs.k8s.io/aws-load-balancer-controller/pkg/gateway"
@@ -42,7 +43,7 @@ func NewModelBuilder(subnetsResolver networking.SubnetsResolver,
 	backendSGProvider networking.BackendSGProvider, sgResolver networking.SecurityGroupResolver, enableBackendSG bool,
 	disableRestrictedSGRules bool, allowedCAARNs []string, supportedAddons []addon.Addon, logger logr.Logger) Builder {
 
-	gwTagHelper := newTagHelper(sets.New(lbcConfig.ExternalManagedTags...), lbcConfig.DefaultTags)
+	gwTagHelper := newTagHelper(sets.New(lbcConfig.ExternalManagedTags...), lbcConfig.DefaultTags, featureGates.Enabled(config.EnableDefaultTagsLowPriority))
 	subnetBuilder := newSubnetModelBuilder(loadBalancerType, trackingProvider, subnetsResolver, elbv2TaggingManager)
 	sgBuilder := newSecurityGroupBuilder(gwTagHelper, clusterName, enableBackendSG, sgResolver, backendSGProvider, logger)
 	lbBuilder := newLoadBalancerBuilder(loadBalancerType, gwTagHelper, clusterName)

pkg/gateway/model/gateway_tag_helper.go

@@ -12,14 +12,16 @@ type tagHelper interface {
 }
 
 type tagHelperImpl struct {
-	externalManagedTags sets.Set[string]
-	defaultTags         map[string]string
+	externalManagedTags               sets.Set[string]
+	defaultTags                       map[string]string
+	additionalTagsOverrideDefaultTags bool
 }
 
-func newTagHelper(externalManagedTags sets.Set[string], defaultTags map[string]string) tagHelper {
+func newTagHelper(externalManagedTags sets.Set[string], defaultTags map[string]string, additionalTagsOverrideDefaultTags bool) tagHelper {
 	return &tagHelperImpl{
-		externalManagedTags: externalManagedTags,
-		defaultTags:         defaultTags,
+		externalManagedTags:               externalManagedTags,
+		defaultTags:                       defaultTags,
+		additionalTagsOverrideDefaultTags: additionalTagsOverrideDefaultTags,
 	}
 }
 
@@ -36,6 +38,9 @@ func (t *tagHelperImpl) getGatewayTags(lbConf elbv2gw.LoadBalancerConfiguration)
 		return nil, err
 	}
 
+	if t.additionalTagsOverrideDefaultTags {
+		return algorithm.MergeStringMap(annotationTags, t.defaultTags), nil
+	}
 	return algorithm.MergeStringMap(t.defaultTags, annotationTags), nil
 }
 

pkg/gateway/model/gateway_tag_helper_test.go

@@ -0,0 +1,134 @@
+package model
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/util/sets"
+	elbv2gw "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
+)
+
+func Test_tagHelperImpl_getGatewayTags(t *testing.T) {
+	tests := []struct {
+		name                   string
+		defaultTags            map[string]string
+		specTags               map[string]string
+		defaultTagsLowPriority bool
+		want                   map[string]string
+		wantErr                bool
+	}{
+		{
+			name: "when defaultTagsLowPriority is false, default tags override spec tags",
+			defaultTags: map[string]string{
+				"env":  "prod",
+				"team": "platform",
+			},
+			specTags: map[string]string{
+				"env": "dev",
+				"app": "web",
+			},
+			defaultTagsLowPriority: false,
+			want: map[string]string{
+				"env":  "prod",
+				"team": "platform",
+				"app":  "web",
+			},
+		},
+		{
+			name: "when defaultTagsLowPriority is true, spec tags override default tags",
+			defaultTags: map[string]string{
+				"env":  "prod",
+				"team": "platform",
+			},
+			specTags: map[string]string{
+				"env": "dev",
+				"app": "web",
+			},
+			defaultTagsLowPriority: true,
+			want: map[string]string{
+				"env":  "dev",
+				"team": "platform",
+				"app":  "web",
+			},
+		},
+		{
+			name: "when no overlapping tags, order doesn't matter",
+			defaultTags: map[string]string{
+				"team":        "platform",
+				"cost-center": "123",
+			},
+			specTags: map[string]string{
+				"app": "web",
+				"env": "dev",
+			},
+			defaultTagsLowPriority: false,
+			want: map[string]string{
+				"team":        "platform",
+				"cost-center": "123",
+				"app":         "web",
+				"env":         "dev",
+			},
+		},
+		{
+			name:        "when defaultTags is empty, all spec tags are used",
+			defaultTags: map[string]string{},
+			specTags: map[string]string{
+				"app": "web",
+				"env": "dev",
+			},
+			defaultTagsLowPriority: false,
+			want: map[string]string{
+				"app": "web",
+				"env": "dev",
+			},
+		},
+		{
+			name: "when specTags is empty, all default tags are used",
+			defaultTags: map[string]string{
+				"team":        "platform",
+				"cost-center": "123",
+			},
+			specTags:               map[string]string{},
+			defaultTagsLowPriority: false,
+			want: map[string]string{
+				"team":        "platform",
+				"cost-center": "123",
+			},
+		},
+		{
+			name: "when specTags contains external managed tag, returns error",
+			defaultTags: map[string]string{
+				"team": "platform",
+			},
+			specTags: map[string]string{
+				"external-tag": "value",
+			},
+			defaultTagsLowPriority: false,
+			want:                   nil,
+			wantErr:                true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			h := &tagHelperImpl{
+				externalManagedTags:               sets.New("external-tag"),
+				defaultTags:                       tt.defaultTags,
+				additionalTagsOverrideDefaultTags: tt.defaultTagsLowPriority,
+			}
+
+			lbConf := &elbv2gw.LoadBalancerConfiguration{}
+			if len(tt.specTags) > 0 {
+				lbConf.Spec.Tags = &tt.specTags
+			}
+
+			got, err := h.getGatewayTags(*lbConf)
+			if tt.wantErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.want, got)
+			}
+		})
+	}
+}

pkg/ingress/model_build_frontend_nlb_test.go

@@ -15,6 +15,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/aws/services"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/config"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
@@ -987,7 +988,8 @@ func Test_buildFrontendNlbTags(t *testing.T) {
 				ingGroup:         tt.ingGroup,
 				annotationParser: annotations.NewSuffixAnnotationParser("alb.ingress.kubernetes.io"),
 				// Default implementation will return an empty map when no tags are specified
-				defaultTags: tt.defaultTags,
+				defaultTags:  tt.defaultTags,
+				featureGates: config.NewFeatureGates(),
 			}
 
 			got, err := task.buildFrontendNlbTags(context.Background(), nil)

pkg/ingress/model_build_listener.go

@@ -18,6 +18,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/algorithm"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/config"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
@@ -102,6 +103,9 @@ func (t *defaultModelBuildTask) buildListenerTags(_ context.Context, ingList []C
 	if err != nil {
 		return nil, err
 	}
+	if t.featureGates.Enabled(config.EnableDefaultTagsLowPriority) {
+		return algorithm.MergeStringMap(ingGroupTags, t.defaultTags), nil
+	}
 	return algorithm.MergeStringMap(t.defaultTags, ingGroupTags), nil
 }
 

pkg/ingress/model_build_listener_rules.go

@@ -10,6 +10,7 @@ import (
 	"github.com/pkg/errors"
 	networking "k8s.io/api/networking/v1"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/algorithm"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/config"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
@@ -385,6 +386,9 @@ func (t *defaultModelBuildTask) buildListenerRuleTags(_ context.Context, ing Cla
 		return nil, err
 	}
 
+	if t.featureGates.Enabled(config.EnableDefaultTagsLowPriority) {
+		return algorithm.MergeStringMap(ingTags, t.defaultTags), nil
+	}
 	return algorithm.MergeStringMap(t.defaultTags, ingTags), nil
 }