Merge pull request #4404 from zac-nixon/znixon/gw-no-sg

[gw api] add disable security group flag to lb config for gateway users

Author: k8s-ci-robot

.gitignore

@@ -28,4 +28,5 @@ scripts/aws_sdk_model_override/*
 /gomock_reflect*
 config/crd/bases/gateway.k8s.aws_listenerruleconfigurations.yaml
 config/crd/bases/gateway.k8s.aws_loadbalancerconfigurations.yaml
-config/crd/bases/gateway.k8s.aws_targetgroupconfigurations.yaml
+config/crd/bases/aga.k8s.aws_globalaccelerators.yaml
+config/crd/bases/gateway.k8s.aws_targetgroupconfigurations.yaml

apis/gateway/v1beta1/loadbalancerconfig_types.go

@@ -233,6 +233,11 @@ type LoadBalancerConfigurationSpec struct {
 	// +optional
 	ListenerConfigurations *[]ListenerConfiguration `json:"listenerConfigurations,omitempty"`
 
+	// disableSecurityGroup provisions a load balancer with no security groups.
+	// Allows an NLB to be provisioned with no security groups.
+	// [Network Load Balancer]
+	DisableSecurityGroup *bool `json:"disableSecurityGroup,omitempty"`
+
 	// securityGroups an optional list of security group ids or names to apply to the LB
 	// +optional
 	SecurityGroups *[]string `json:"securityGroups,omitempty"`

apis/gateway/v1beta1/zz_generated.deepcopy.go

@@ -449,6 +449,12 @@ spec:
                   customerOwnedIpv4Pool [Application LoadBalancer]
                   is the ID of the customer-owned address for Application Load Balancers on Outposts pool.
                 type: string
+              disableSecurityGroup:
+                description: |-
+                  disableSecurityGroup provisions a load balancer with no security groups.
+                  Allows an NLB to be provisioned with no security groups.
+                  [Network Load Balancer]
+                type: boolean
               enableICMP:
                 description: |-
                   EnableICMP [Network LoadBalancer]

config/crd/gateway/gateway-crds.yaml

@@ -50,6 +50,12 @@ spec:
                   customerOwnedIpv4Pool [Application LoadBalancer]
                   is the ID of the customer-owned address for Application Load Balancers on Outposts pool.
                 type: string
+              disableSecurityGroup:
+                description: |-
+                  disableSecurityGroup provisions a load balancer with no security groups.
+                  Allows an NLB to be provisioned with no security groups.
+                  [Network Load Balancer]
+                type: boolean
               enableICMP:
                 description: |-
                   EnableICMP [Network LoadBalancer]

config/crd/gateway/gateway.k8s.aws_loadbalancerconfigurations.yaml

@@ -449,6 +449,12 @@ spec:
                   customerOwnedIpv4Pool [Application LoadBalancer]
                   is the ID of the customer-owned address for Application Load Balancers on Outposts pool.
                 type: string
+              disableSecurityGroup:
+                description: |-
+                  disableSecurityGroup provisions a load balancer with no security groups.
+                  Allows an NLB to be provisioned with no security groups.
+                  [Network Load Balancer]
+                type: boolean
               enableICMP:
                 description: |-
                   EnableICMP [Network LoadBalancer]

helm/aws-load-balancer-controller/crds/gateway-crds.yaml

@@ -177,4 +177,10 @@ func (merger *loadBalancerConfigMergerImpl) performTakeOneMerges(merged *elbv2gw
 	} else {
 		merged.ShieldAdvanced = lowPriority.Spec.ShieldAdvanced
 	}
+
+	if highPriority.Spec.DisableSecurityGroup != nil {
+		merged.DisableSecurityGroup = highPriority.Spec.DisableSecurityGroup
+	} else {
+		merged.DisableSecurityGroup = lowPriority.Spec.DisableSecurityGroup
+	}
 }

pkg/gateway/lb_config_merger.go

@@ -45,7 +45,7 @@ func NewModelBuilder(subnetsResolver networking.SubnetsResolver,
 
 	gwTagHelper := newTagHelper(sets.New(lbcConfig.ExternalManagedTags...), lbcConfig.DefaultTags, featureGates.Enabled(config.EnableDefaultTagsLowPriority))
 	subnetBuilder := newSubnetModelBuilder(loadBalancerType, trackingProvider, subnetsResolver, elbv2TaggingManager)
-	sgBuilder := newSecurityGroupBuilder(gwTagHelper, clusterName, enableBackendSG, sgResolver, backendSGProvider, logger)
+	sgBuilder := newSecurityGroupBuilder(gwTagHelper, clusterName, loadBalancerType, enableBackendSG, sgResolver, backendSGProvider, logger)
 	lbBuilder := newLoadBalancerBuilder(loadBalancerType, gwTagHelper, clusterName)
 	tgConfigConstructor := config2.NewTargetGroupConfigConstructor()
 
@@ -163,7 +163,7 @@ func (baseBuilder *baseModelBuilder) Build(ctx context.Context, gw *gwv1.Gateway
 
 	/* Security Groups */
 
-	securityGroups, err := baseBuilder.securityGroupBuilder.buildSecurityGroups(ctx, stack, lbConf, gw, routes, ipAddressType)
+	securityGroups, err := baseBuilder.securityGroupBuilder.buildSecurityGroups(ctx, stack, lbConf, gw, ipAddressType)
 
 	if err != nil {
 		return nil, nil, nil, false, nil, err

pkg/gateway/model/base_model_builder.go

@@ -12,7 +12,6 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"regexp"
 	elbv2gw "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
-	"sigs.k8s.io/aws-load-balancer-controller/pkg/gateway/routeutils"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
 	ec2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/ec2"
@@ -39,44 +38,50 @@ type securityGroupOutput struct {
 }
 
 type securityGroupBuilder interface {
-	buildSecurityGroups(ctx context.Context, stack core.Stack, lbConf elbv2gw.LoadBalancerConfiguration, gw *gwv1.Gateway, routes map[int32][]routeutils.RouteDescriptor, ipAddressType elbv2model.IPAddressType) (securityGroupOutput, error)
+	buildSecurityGroups(ctx context.Context, stack core.Stack, lbConf elbv2gw.LoadBalancerConfiguration, gw *gwv1.Gateway, ipAddressType elbv2model.IPAddressType) (securityGroupOutput, error)
 }
 
 type securityGroupBuilderImpl struct {
 	tagHelper         tagHelper
 	clusterName       string
 	sgResolver        networking.SecurityGroupResolver
 	backendSGProvider networking.BackendSGProvider
+	loadBalancerType  elbv2model.LoadBalancerType
 
 	enableBackendSG bool
 	logger          logr.Logger
 }
 
-func newSecurityGroupBuilder(tagHelper tagHelper, clusterName string, enableBackendSG bool, sgResolver networking.SecurityGroupResolver, backendSGProvider networking.BackendSGProvider, logger logr.Logger) securityGroupBuilder {
+func newSecurityGroupBuilder(tagHelper tagHelper, clusterName string, loadBalancerType elbv2model.LoadBalancerType, enableBackendSG bool, sgResolver networking.SecurityGroupResolver, backendSGProvider networking.BackendSGProvider, logger logr.Logger) securityGroupBuilder {
 	return &securityGroupBuilderImpl{
 		tagHelper:         tagHelper,
 		clusterName:       clusterName,
 		logger:            logger,
 		enableBackendSG:   enableBackendSG,
 		sgResolver:        sgResolver,
 		backendSGProvider: backendSGProvider,
+		loadBalancerType:  loadBalancerType,
 	}
 }
 
-func (builder *securityGroupBuilderImpl) buildSecurityGroups(ctx context.Context, stack core.Stack, lbConf elbv2gw.LoadBalancerConfiguration, gw *gwv1.Gateway, routes map[int32][]routeutils.RouteDescriptor, ipAddressType elbv2model.IPAddressType) (securityGroupOutput, error) {
+func (builder *securityGroupBuilderImpl) buildSecurityGroups(ctx context.Context, stack core.Stack, lbConf elbv2gw.LoadBalancerConfiguration, gw *gwv1.Gateway, ipAddressType elbv2model.IPAddressType) (securityGroupOutput, error) {
 	var sgNameOrIds []string
 	if lbConf.Spec.SecurityGroups != nil {
 		sgNameOrIds = *lbConf.Spec.SecurityGroups
 	}
 
+	if lbConf.Spec.DisableSecurityGroup != nil && *lbConf.Spec.DisableSecurityGroup && builder.loadBalancerType == elbv2model.LoadBalancerTypeNetwork {
+		return securityGroupOutput{}, nil
+	}
+
 	if len(sgNameOrIds) == 0 {
-		return builder.handleManagedSecurityGroup(ctx, stack, lbConf, gw, routes, ipAddressType)
+		return builder.handleManagedSecurityGroup(ctx, stack, lbConf, gw, ipAddressType)
 	}
 
 	return builder.handleExplicitSecurityGroups(ctx, lbConf, gw, sgNameOrIds)
 }
 
-func (builder *securityGroupBuilderImpl) handleManagedSecurityGroup(ctx context.Context, stack core.Stack, lbConf elbv2gw.LoadBalancerConfiguration, gw *gwv1.Gateway, routes map[int32][]routeutils.RouteDescriptor, ipAddressType elbv2model.IPAddressType) (securityGroupOutput, error) {
+func (builder *securityGroupBuilderImpl) handleManagedSecurityGroup(ctx context.Context, stack core.Stack, lbConf elbv2gw.LoadBalancerConfiguration, gw *gwv1.Gateway, ipAddressType elbv2model.IPAddressType) (securityGroupOutput, error) {
 	var lbSGTokens []core.StringToken
 	managedSG, err := builder.buildManagedSecurityGroup(stack, lbConf, gw, ipAddressType)
 	if err != nil {

pkg/gateway/model/model_build_security_group.go

@@ -10,7 +10,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"k8s.io/apimachinery/pkg/types"
 	elbv2gw "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
-	"sigs.k8s.io/aws-load-balancer-controller/pkg/gateway/routeutils"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
 	coremodel "sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
 	ec2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/ec2"
@@ -36,6 +35,7 @@ func Test_BuildSecurityGroups_Specified(t *testing.T) {
 	testCases := []struct {
 		name            string
 		lbConf          elbv2gw.LoadBalancerConfiguration
+		lbType          elbv2model.LoadBalancerType
 		ipAddressType   elbv2model.IPAddressType
 		expectedTags    map[string]string
 		tagErr          error
@@ -70,6 +70,38 @@ func Test_BuildSecurityGroups_Specified(t *testing.T) {
 				coremodel.LiteralStringToken("sg2"),
 			},
 		},
+		{
+			name: "sg disabled - nlb",
+			lbConf: elbv2gw.LoadBalancerConfiguration{
+				Spec: elbv2gw.LoadBalancerConfigurationSpec{
+					DisableSecurityGroup: awssdk.Bool(true),
+				},
+			},
+			lbType: elbv2model.LoadBalancerTypeNetwork,
+		},
+		{
+			name: "sg disabled - alb",
+			lbConf: elbv2gw.LoadBalancerConfiguration{
+				Spec: elbv2gw.LoadBalancerConfigurationSpec{
+					DisableSecurityGroup: awssdk.Bool(true),
+					SecurityGroups: &[]string{
+						"sg1",
+						"sg2",
+					},
+				},
+			},
+			lbType: elbv2model.LoadBalancerTypeApplication,
+			resolveSg: &resolveSgCall{
+				securityGroups: []string{
+					"sg1",
+					"sg2",
+				},
+			},
+			expectedSgTokens: []coremodel.StringToken{
+				coremodel.LiteralStringToken("sg1"),
+				coremodel.LiteralStringToken("sg2"),
+			},
+		},
 		{
 			name:            "sg specified - with backend sg",
 			enableBackendSg: true,
@@ -186,9 +218,9 @@ func Test_BuildSecurityGroups_Specified(t *testing.T) {
 			}
 
 			stack := coremodel.NewDefaultStack(coremodel.StackID{Namespace: "namespace", Name: "name"})
-			builder := newSecurityGroupBuilder(mockTagger, clusterName, tc.enableBackendSg, mockSgResolver, mockSgProvider, logr.Discard())
+			builder := newSecurityGroupBuilder(mockTagger, clusterName, tc.lbType, tc.enableBackendSg, mockSgResolver, mockSgProvider, logr.Discard())
 
-			out, err := builder.buildSecurityGroups(context.Background(), stack, tc.lbConf, gw, make(map[int32][]routeutils.RouteDescriptor), tc.ipAddressType)
+			out, err := builder.buildSecurityGroups(context.Background(), stack, tc.lbConf, gw, tc.ipAddressType)
 
 			if tc.expectErr {
 				assert.Error(t, err)
@@ -291,9 +323,9 @@ func Test_BuildSecurityGroups_Allocate(t *testing.T) {
 			}
 
 			stack := coremodel.NewDefaultStack(coremodel.StackID{Namespace: "namespace", Name: "name"})
-			builder := newSecurityGroupBuilder(mockTagger, clusterName, tc.enableBackendSg, mockSgResolver, mockSgProvider, logr.Discard())
+			builder := newSecurityGroupBuilder(mockTagger, clusterName, elbv2model.LoadBalancerTypeApplication, tc.enableBackendSg, mockSgResolver, mockSgProvider, logr.Discard())
 
-			out, err := builder.buildSecurityGroups(context.Background(), stack, tc.lbConf, gw, make(map[int32][]routeutils.RouteDescriptor), tc.ipAddressType)
+			out, err := builder.buildSecurityGroups(context.Background(), stack, tc.lbConf, gw, tc.ipAddressType)
 
 			if tc.expectErr {
 				assert.Error(t, err)