feat: support loadBalancerClass-scoped service handling (#200)

note: This patch is AI-generated, submitted by an external contributor

Author: Skaronator

Dockerfile

@@ -1,16 +1,22 @@
-FROM rust:latest AS build-env
-RUN apt update
-RUN apt install -y libssl-dev mold
+FROM docker.io/library/rust:1.89.0-slim-trixie AS build-env
+
+RUN apt-get update
+RUN apt-get install -y --no-install-recommends build-essential pkg-config libssl-dev clang mold git
+
 WORKDIR /app
 COPY . /app
+
 ENV CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse
-ENV RUSTFLAGS="-C link-arg=-B/usr/bin/mold"
-# copy build artifact somewhere accessible so we can copy it in the next stage
-RUN --mount=type=cache,target=/root/.cargo \
+ENV RUSTFLAGS="-C link-arg=-fuse-ld=mold"
+
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+    --mount=type=cache,target=/usr/local/cargo/git \
     cargo build --release
 
-FROM redhat/ubi9-micro:latest
-# RUN useradd -u 1001 chisel
-USER 1001
-COPY --from=build-env --chown=chisel /app/target/release/chisel-operator /usr/bin/chisel-operator
+FROM docker.io/library/debian:trixie-slim
+
+RUN groupadd -r chisel && useradd -r -g chisel -d /chisel -s /usr/sbin/nologin chisel
+USER chisel
+
+COPY --from=build-env --chown=chisel:chisel /app/target/release/chisel-operator /usr/bin/chisel-operator
 CMD ["chisel-operator"]

README.md

@@ -124,6 +124,22 @@ helm install chisel-operator oci://ghcr.io/fyralabs/chisel-operator/chisel-opera
 
 ## Usage
 
+### Restricting reconciliation to a LoadBalancer class
+
+By default the operator watches every Kubernetes service of type `LoadBalancer`. If you only want it to manage services that target a specific [`loadBalancerClass`](https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class), set the `LOAD_BALANCER_CLASS` environment variable (or the `loadBalancerClass` Helm value) to the class name you want the operator to handle. Only services whose `spec.loadBalancerClass` matches that string will be reconciled; other services will be ignored.
+
+When deploying a filtered operator you must also add the same `loadBalancerClass` to each Service you expect it to control:
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami
+spec:
+  type: LoadBalancer
+  loadBalancerClass: my.chisel.class
+```
+
 ### Operator-managed exit nodes
 
 This operator can automatically provision exit nodes on cloud providers.

charts/chisel-operator/templates/deployment.yaml

@@ -30,6 +30,11 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- with .Values.loadBalancerClass }}
+          env:
+            - name: LOAD_BALANCER_CLASS
+              value: {{ . | quote }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
 
@@ -45,4 +50,3 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-

charts/chisel-operator/values.yaml

@@ -47,5 +47,9 @@ tolerations: []
 
 affinity: {}
 
+# Optional load balancer class handled by the operator. When empty, all LoadBalancer
+# services are reconciled, matching the default behavior.
+loadBalancerClass: ""
+
 # Create CRDs for Chisel Operator
 createCrds: true

site/src/content/docs/guides/exposing-a-service.md

@@ -26,6 +26,30 @@ spec:
 As you can see, the type of this service is `LoadBalancer`, which is required for chisel-operator to pick up on the service.
 Note that Chisel Operator acts on all LoadBalancer services in the cluster by default.
 
+## Limiting reconciliation to a LoadBalancer class
+
+If you only want the operator to manage services that opt in to a specific load balancer class, you can set the `LOAD_BALANCER_CLASS` environment variable (or the `loadBalancerClass` Helm value) when deploying it.
+Once the operator is running with that filter, only services whose `spec.loadBalancerClass` matches the configured class name will be reconciled; other services are ignored.
+
+To opt a service in, add the same `loadBalancerClass` to the Service spec:
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami
+spec:
+  type: LoadBalancer
+  loadBalancerClass: my.chisel.class
+  selector:
+    app: whoami
+  ports:
+    - port: 80
+      targetPort: 80
+```
+
+Leaving the value empty (or omitting the field) continues to expose the service through any unfiltered operator instance.
+
 Additionally, there's also a commented out annotation, `chisel-operator.io/exit-node-name`.
 By default, Chisel Operator will automatically select a random, unused `ExitNode` on the cluster if a cloud provisioner or exit node annotation is not set.
 If you'd like to force the service to a particular exit node, you can uncomment out the annotation, setting it to the name of the `ExitNode` to target.

site/src/content/docs/guides/installation.md

@@ -32,4 +32,12 @@ You can configure the helm chart values by creating a `values.yaml` file and pas
 helm install chisel-operator oci://ghcr.io/fyralabs/chisel-operator/chisel-operator -f values.yaml
 ```
 
+For example, to limit reconciliation to services that declare a custom load balancer class, set the `loadBalancerClass` value to the class name you want the operator to handle:
+
+```yaml
+loadBalancerClass: my.chisel.class
+```
+
+Make sure every Service you expect the operator to manage sets the same value in `spec.loadBalancerClass`.
+
 See [the Helm chart directory](https://github.com/FyraLabs/chisel-operator/tree/main/charts/chisel-operator) for more information on the Helm chart.

src/daemon.rs

@@ -26,7 +26,9 @@ use color_eyre::Result;
 use futures::{FutureExt, StreamExt};
 use k8s_openapi::api::{
     apps::v1::Deployment,
-    core::v1::{LoadBalancerIngress, LoadBalancerStatus, Secret, Service, ServiceStatus},
+    core::v1::{
+        LoadBalancerIngress, LoadBalancerStatus, Secret, Service, ServiceSpec, ServiceStatus,
+    },
 };
 use kube::{
     api::{Api, ListParams, Patch, PatchParams, ResourceExt},
@@ -41,7 +43,7 @@ use kube::{
     },
     Client, Resource,
 };
-use std::{collections::BTreeMap, sync::Arc};
+use std::{collections::BTreeMap, env, sync::Arc};
 
 use std::time::Duration;
 use tracing::{debug, error, info, instrument, trace, warn};
@@ -71,12 +73,48 @@ pub const SVCS_FINALIZER: &str = "service.chisel-operator.io/finalizer";
 //         .trace_id()
 // }
 
+#[derive(Clone, Debug, Default)]
+pub struct OperatorConfig {
+    pub load_balancer_class: Option<String>,
+}
+
+impl OperatorConfig {
+    fn from_env() -> Self {
+        let load_balancer_class = env::var("LOAD_BALANCER_CLASS").ok().and_then(|value| {
+            let trimmed = value.trim();
+            if trimmed.is_empty() {
+                None
+            } else {
+                Some(trimmed.to_string())
+            }
+        });
+
+        Self {
+            load_balancer_class,
+        }
+    }
+}
+
+fn service_matches_operator_class(spec: &ServiceSpec, operator_config: &OperatorConfig) -> bool {
+    let lb_class = spec.load_balancer_class.as_deref();
+
+    if let Some(expected_class) = operator_config.load_balancer_class.as_deref() {
+        return lb_class == Some(expected_class);
+    }
+
+    match lb_class {
+        None => true,
+        Some(class_name) => class_name == OPERATOR_CLASS,
+    }
+}
+
 // this is actually used to pass clients around
 pub struct Context {
     pub client: Client,
     // Let's implement a lock here to prevent multiple reconciles assigning the same exit node
     // to multiple services implicitly (#143)
     pub exit_node_lock: Arc<tokio::sync::Mutex<Option<(std::time::Instant, String)>>>,
+    pub operator_config: OperatorConfig,
 }
 
 /// Parses the `query` string to extract the namespace and name.
@@ -395,20 +433,32 @@ async fn reconcile_svcs(obj: Arc<Service>, ctx: Arc<Context>) -> Result<Action,
     // Return if service is not LoadBalancer or if the loadBalancerClass is not blank or set to $OPERATOR_CLASS
 
     // todo: is there anything different need to be done for OpenShift? We use vanilla k8s and k3s/rke2 so we don't know
-    if obj
-        .spec
-        .as_ref()
-        .filter(|spec| spec.type_ == Some("LoadBalancer".to_string()))
-        .is_none()
-        || obj
-            .spec
-            .as_ref()
-            .filter(|spec| {
-                spec.load_balancer_class.is_none()
-                    || spec.load_balancer_class == Some(OPERATOR_CLASS.to_string())
-            })
-            .is_none()
-    {
+    let Some(spec) = obj.spec.as_ref() else {
+        return Ok(Action::await_change());
+    };
+
+    if spec.type_.as_deref() != Some("LoadBalancer") {
+        return Ok(Action::await_change());
+    }
+
+    let operator_config = &ctx.operator_config;
+    if !service_matches_operator_class(spec, operator_config) {
+        let lb_class = spec.load_balancer_class.as_deref();
+        if let Some(expected_class) = operator_config.load_balancer_class.as_deref() {
+            trace!(
+                service = obj.name_any(),
+                ?lb_class,
+                expected = expected_class,
+                "Skipping service due to loadBalancerClass filter"
+            );
+        } else if let Some(class_name) = lb_class {
+            trace!(
+                service = obj.name_any(),
+                loadBalancerClass = class_name,
+                "Skipping service due to mismatched loadBalancerClass"
+            );
+        }
+
         return Ok(Action::await_change());
     }
 
@@ -812,6 +862,16 @@ pub async fn run() -> color_eyre::Result<()> {
     let mut reconcilers = vec![];
 
     let lock = Arc::new(tokio::sync::Mutex::new(None));
+    let operator_config = OperatorConfig::from_env();
+
+    if let Some(class_name) = operator_config.load_balancer_class.as_deref() {
+        info!(
+            loadBalancerClass = class_name,
+            "Filtering LoadBalancer services by class"
+        );
+    } else {
+        info!("No loadBalancerClass filter configured; reconciling services without restriction");
+    }
 
     info!("Starting reconcilers...");
 
@@ -841,6 +901,7 @@ pub async fn run() -> color_eyre::Result<()> {
                 Arc::new(Context {
                     client: client.clone(),
                     exit_node_lock: lock.clone(),
+                    operator_config: operator_config.clone(),
                 }),
             )
             .for_each(|_| futures::future::ready(()))
@@ -869,6 +930,7 @@ pub async fn run() -> color_eyre::Result<()> {
                 Arc::new(Context {
                     client,
                     exit_node_lock: lock,
+                    operator_config,
                 }),
             )
             .for_each(|_| futures::future::ready(()))
@@ -879,3 +941,60 @@ pub async fn run() -> color_eyre::Result<()> {
 
     Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    fn make_service_spec(class: Option<&str>) -> ServiceSpec {
+        ServiceSpec {
+            type_: Some("LoadBalancer".to_string()),
+            load_balancer_class: class.map(|c| c.to_string()),
+            ..Default::default()
+        }
+    }
+
+    #[test]
+    fn helper_accepts_unclassified_services_without_filter() {
+        let spec = make_service_spec(None);
+        let config = OperatorConfig::default();
+
+        assert!(service_matches_operator_class(&spec, &config));
+    }
+
+    #[test]
+    fn helper_accepts_operator_class_without_filter() {
+        let spec = make_service_spec(Some(OPERATOR_CLASS));
+        let config = OperatorConfig::default();
+
+        assert!(service_matches_operator_class(&spec, &config));
+    }
+
+    #[test]
+    fn helper_rejects_other_class_without_filter() {
+        let spec = make_service_spec(Some("other.class"));
+        let config = OperatorConfig::default();
+
+        assert!(!service_matches_operator_class(&spec, &config));
+    }
+
+    #[test]
+    fn helper_accepts_matching_explicit_filter() {
+        let spec = make_service_spec(Some("custom.class"));
+        let config = OperatorConfig {
+            load_balancer_class: Some("custom.class".to_string()),
+        };
+
+        assert!(service_matches_operator_class(&spec, &config));
+    }
+
+    #[test]
+    fn helper_rejects_when_filter_set_and_class_missing() {
+        let spec = make_service_spec(None);
+        let config = OperatorConfig {
+            load_balancer_class: Some("custom.class".to_string()),
+        };
+
+        assert!(!service_matches_operator_class(&spec, &config));
+    }
+}