
Commit 9eb784b

amoreyzac-nixon authored and committed
Add support for TCP_UDP to NLB TargetGroups and Listeners
Previously, aws-load-balancer-controller ignored extra overlapping ServicePorts defined in the Kubernetes Service spec if the external port numbers were the same even if the protocols were different (e.g. TCP:53, UDP:53). This behavior prevented users from exposing services that support TCP and UDP on the same external load balancer port number. This patch solves the problem by detecting when a user defines multiple ServicePorts for the same external load balancer port number but using TCP and UDP protocols separately. In such situations, a TCP_UDP TargetGroup and Listener are created and SecurityGroup rules are updated accordingly. If more than two ServicePorts are defined, only the first two mergeable ServicePorts are used. Otherwise, the first ServicePort is used. Note: rebasing errors would be my fault -- Kevin Lyda Signed-off-by: Kevin Lyda <lyda@titanhq.com>
1 parent a6a7230 commit 9eb784b

11 files changed, +1101 -377 lines changed
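The merge rule the commit message describes (same external port, one TCP and one UDP ServicePort, first two mergeable ports win, otherwise the first ServicePort wins), written out as an added Go example; this is not the controller's own code. It assumes a minimal `ServicePort` stand-in for `corev1.ServicePort` and the names `Listener` and `MergeServicePorts`.

```go
package main

// ServicePort is a minimal stand-in for corev1.ServicePort; only the fields
// the merge needs are modelled (an assumption of this example).
type ServicePort struct {
	Name     string
	Protocol string // "TCP" or "UDP"
	Port     int32  // external load balancer port
}

// Listener is one NLB listener; Sources records the ServicePorts behind it so
// the security-group rule it implies (both protocols for TCP_UDP) is auditable.
type Listener struct {
	Port     int32
	Protocol string // "TCP", "UDP" or "TCP_UDP"
	Sources  []ServicePort
}

// MergeServicePorts groups ServicePorts by external port in spec order. A port
// with at least one TCP and one UDP ServicePort becomes one TCP_UDP listener
// built from the first of each; any other port keeps only its first ServicePort.
func MergeServicePorts(ports []ServicePort) []Listener {
	var order []int32
	byPort := map[int32][]ServicePort{}
	for _, p := range ports {
		if _, seen := byPort[p.Port]; !seen {
			order = append(order, p.Port)
		}
		byPort[p.Port] = append(byPort[p.Port], p)
	}
	var out []Listener
	for _, port := range order {
		group := byPort[port]
		var tcp, udp *ServicePort
		for i := range group {
			if group[i].Protocol == "TCP" && tcp == nil {
				tcp = &group[i]
			} else if group[i].Protocol == "UDP" && udp == nil {
				udp = &group[i]
			}
		}
		if tcp != nil && udp != nil {
			out = append(out, Listener{port, "TCP_UDP", []ServicePort{*tcp, *udp}})
		} else {
			out = append(out, Listener{port, group[0].Protocol, group[:1]})
		}
	}
	return out
}
```

The commit message says nothing about target ports; an NLB target group, TCP_UDP included, registers each target on a single port, so a production merge would also need to check that both ServicePorts resolve to the same target port before combining them.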

.gitignore

Lines changed: 1 addition & 0 deletions
@@ -25,3 +25,4 @@ site
2525
*~
2626
*.bak
2727
scripts/aws_sdk_model_override/*
28+
/gomock_reflect*
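Review bot: the `/gomock_reflect*` ignore rule added at line 28 is unrelated to the TCP_UDP listener support this commit is about; either mention it in the commit message or carry it in its own commit so the .gitignore change does not get lost if the feature is rebased again.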

apis/elbv2/v1beta1/targetgroupbinding_types.go

Lines changed: 3 additions & 0 deletions
@@ -87,6 +87,9 @@ const (
8787

8888
// NetworkingProtocolUDP is the UDP protocol.
8989
NetworkingProtocolUDP NetworkingProtocol = "UDP"
90+
91+
// NetworkingProtocolTCP_UDP is the TCP_UDP protocol.
92+
NetworkingProtocolTCP_UDP NetworkingProtocol = "TCP_UDP"
9093
)
9194

9295
// NetworkingPort defines the port and protocol for networking rules.
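Review bot: the new `NetworkingProtocolTCP_UDP` constant widens the values a TargetGroupBinding networking rule may carry, but the hunk shows no matching change to any enum validation on the `NetworkingProtocol` type or to the generated CRD; if the type carries a `+kubebuilder:validation:Enum` marker, `TCP_UDP` has to be added there too, otherwise the API server will reject the value the controller now emits. Two smaller points: the identifier uses an underscore, which Go linters flag (`NetworkingProtocolTCPUDP` would match the neighbouring names), and the doc comment should say that a TCP_UDP rule authorises both protocols on the port, since that is the security-group effect a reviewer of networking rules wants spelled out.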
Lines changed: 298 additions & 0 deletions
@@ -0,0 +1,298 @@
1+
---
2+
apiVersion: apiextensions.k8s.io/v1
3+
kind: CustomResourceDefinition
4+
metadata:
5+
annotations:
6+
controller-gen.kubebuilder.io/version: v0.14.0
7+
name: loadbalancerconfigurations.gateway.k8s.aws
8+
spec:
9+
group: gateway.k8s.aws
10+
names:
11+
kind: LoadBalancerConfiguration
12+
listKind: LoadBalancerConfigurationList
13+
plural: loadbalancerconfigurations
14+
singular: loadbalancerconfiguration
15+
scope: Namespaced
16+
versions:
17+
- additionalPrinterColumns:
18+
- jsonPath: .metadata.creationTimestamp
19+
name: AGE
20+
type: date
21+
name: v1beta1
22+
schema:
23+
openAPIV3Schema:
24+
description: LoadBalancerConfiguration is the Schema for the LoadBalancerConfiguration
25+
API
26+
properties:
27+
apiVersion:
28+
description: |-
29+
APIVersion defines the versioned schema of this representation of an object.
30+
Servers should convert recognized schemas to the latest internal value, and
31+
may reject unrecognized values.
32+
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
33+
type: string
34+
kind:
35+
description: |-
36+
Kind is a string value representing the REST resource this object represents.
37+
Servers may infer this from the endpoint the client submits requests to.
38+
Cannot be updated.
39+
In CamelCase.
40+
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
41+
type: string
42+
metadata:
43+
type: object
44+
spec:
45+
description: LoadBalancerConfigurationSpec defines the desired state of
46+
LoadBalancerConfiguration
47+
properties:
48+
customerOwnedIpv4Pool:
49+
description: |-
50+
customerOwnedIpv4Pool [Application LoadBalancer]
51+
is the ID of the customer-owned address for Application Load Balancers on Outposts pool.
52+
type: string
53+
enableICMP:
54+
description: |-
55+
EnableICMP [Network LoadBalancer]
56+
enables the creation of security group rules to the managed security group
57+
to allow explicit ICMP traffic for Path MTU discovery for IPv4 and dual-stack VPCs
58+
type: boolean
59+
enforceSecurityGroupInboundRulesOnPrivateLinkTraffic:
60+
description: enforceSecurityGroupInboundRulesOnPrivateLinkTraffic
61+
Indicates whether to evaluate inbound security group rules for traffic
62+
sent to a Network Load Balancer through Amazon Web Services PrivateLink.
63+
type: string
64+
ipAddressType:
65+
description: loadBalancerIPType defines what kind of load balancer
66+
to provision (ipv4, dual stack)
67+
enum:
68+
- ipv4
69+
- dualstack
70+
- dualstack-without-public-ipv4
71+
type: string
72+
ipv4IPAMPoolId:
73+
description: |-
74+
IPv4IPAMPoolId [Application LoadBalancer]
75+
defines the IPAM pool ID used for IPv4 Addresses on the ALB.
76+
type: string
77+
listenerConfigurations:
78+
description: listenerConfigurations is an optional list of configurations
79+
for each listener on LB
80+
items:
81+
properties:
82+
alpnPolicy:
83+
description: alpnPolicy an optional string that allows you to
84+
configure ALPN policies on your Load Balancer
85+
enum:
86+
- HTTP1Only
87+
- HTTP2Only
88+
- HTTP2Optional
89+
- HTTP2Preferred
90+
- None
91+
type: string
92+
certificates:
93+
description: certificates is the list of other certificates
94+
to add to the listener.
95+
items:
96+
type: string
97+
type: array
98+
defaultCertificate:
99+
description: |-
100+
TODO: Add validation in admission webhook to make it required for secure protocols
101+
defaultCertificate the cert arn to be used by default.
102+
type: string
103+
listenerAttributes:
104+
description: listenerAttributes defines the attributes for the
105+
listener
106+
items:
107+
description: ListenerAttribute defines listener attribute.
108+
properties:
109+
key:
110+
description: The key of the attribute.
111+
type: string
112+
value:
113+
description: The value of the attribute.
114+
type: string
115+
required:
116+
- key
117+
- value
118+
type: object
119+
type: array
120+
mutualAuthentication:
121+
description: mutualAuthentication defines the mutual authentication
122+
configuration information.
123+
properties:
124+
advertiseTrustStoreCaNames:
125+
description: Indicates whether trust store CA certificate
126+
names are advertised.
127+
enum:
128+
- "on"
129+
- "off"
130+
type: string
131+
ignoreClientCertificateExpiry:
132+
description: Indicates whether expired client certificates
133+
are ignored.
134+
type: boolean
135+
mode:
136+
description: The client certificate handling method. Options
137+
are off , passthrough or verify
138+
enum:
139+
- "off"
140+
- passthrough
141+
- verify
142+
type: string
143+
trustStore:
144+
description: The Name or ARN of the trust store.
145+
type: string
146+
required:
147+
- mode
148+
type: object
149+
protocolPort:
150+
description: protocolPort is identifier for the listener on
151+
load balancer. It should be of the form PROTOCOL:PORT
152+
pattern: ^(HTTP|HTTPS|TLS|TCP|UDP)?:(6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]\d{4}|[1-9]\d{0,3})?$
153+
type: string
154+
sslPolicy:
155+
description: sslPolicy is the security policy that defines which
156+
protocols and ciphers are supported for secure listeners [HTTPS
157+
or TLS listener].
158+
type: string
159+
required:
160+
- protocolPort
161+
type: object
162+
type: array
163+
loadBalancerAttributes:
164+
description: LoadBalancerAttributes defines the attribute of LB
165+
items:
166+
description: LoadBalancerAttribute defines LB attribute.
167+
properties:
168+
key:
169+
description: The key of the attribute.
170+
type: string
171+
value:
172+
description: The value of the attribute.
173+
type: string
174+
required:
175+
- key
176+
- value
177+
type: object
178+
type: array
179+
loadBalancerName:
180+
description: loadBalancerName defines the name of the LB to provision.
181+
If unspecified, it will be automatically generated.
182+
maxLength: 32
183+
minLength: 1
184+
type: string
185+
loadBalancerSubnets:
186+
description: |-
187+
loadBalancerSubnets is an optional list of subnet configurations to be used in the LB
188+
This value takes precedence over loadBalancerSubnetsSelector if both are selected.
189+
items:
190+
description: SubnetConfiguration defines the subnet settings for
191+
a Load Balancer.
192+
properties:
193+
eipAllocation:
194+
description: eipAllocation [Network LoadBalancer] the EIP name
195+
for this subnet.
196+
type: string
197+
identifier:
198+
description: identifier [Application LoadBalancer / Network
199+
LoadBalancer] name or id for the subnet
200+
type: string
201+
ipv6Allocation:
202+
description: IPv6Allocation [Network LoadBalancer] the ipv6
203+
address to assign to this subnet.
204+
type: string
205+
privateIPv4Allocation:
206+
description: privateIPv4Allocation [Network LoadBalancer] the
207+
private ipv4 address to assign to this subnet.
208+
type: string
209+
sourceNatIPv6Prefix:
210+
description: SourceNatIPv6Prefix [Network LoadBalancer] The
211+
IPv6 prefix to use for source NAT. Specify an IPv6 prefix
212+
(/80 netmask) from the subnet CIDR block or auto_assigned
213+
to use an IPv6 prefix selected at random from the subnet CIDR
214+
block.
215+
type: string
216+
type: object
217+
type: array
218+
loadBalancerSubnetsSelector:
219+
additionalProperties:
220+
items:
221+
type: string
222+
type: array
223+
description: |-
224+
LoadBalancerSubnetsSelector specifies subnets in the load balancer's VPC where each
225+
tag specified in the map key contains one of the values in the corresponding
226+
value list.
227+
type: object
228+
manageBackendSecurityGroupRules:
229+
description: |-
230+
ManageBackendSecurityGroupRules [Application / Network LoadBalancer]
231+
specifies whether you want the controller to configure security group rules on Node/Pod for traffic access
232+
when you specify securityGroups
233+
type: boolean
234+
scheme:
235+
description: scheme defines the type of LB to provision. If unspecified,
236+
it will be automatically inferred.
237+
enum:
238+
- internal
239+
- internet-facing
240+
type: string
241+
securityGroupPrefixes:
242+
description: securityGroupPrefixes an optional list of prefixes that
243+
are allowed to access the LB.
244+
items:
245+
type: string
246+
type: array
247+
securityGroups:
248+
description: securityGroups an optional list of security group ids
249+
or names to apply to the LB
250+
items:
251+
type: string
252+
type: array
253+
sourceRanges:
254+
description: sourceRanges an optional list of CIDRs that are allowed
255+
to access the LB.
256+
items:
257+
type: string
258+
type: array
259+
tags:
260+
description: Tags defines list of Tags on LB.
261+
items:
262+
description: AWSTag defines a AWS Tag on resources.
263+
properties:
264+
key:
265+
description: The key of the tag.
266+
type: string
267+
value:
268+
description: The value of the tag.
269+
type: string
270+
required:
271+
- key
272+
- value
273+
type: object
274+
type: array
275+
vpcId:
276+
description: vpcId is the ID of the VPC for the load balancer.
277+
type: string
278+
type: object
279+
status:
280+
description: LoadBalancerConfigurationStatus defines the observed state
281+
of TargetGroupBinding
282+
properties:
283+
observedGatewayClassConfigurationGeneration:
284+
description: The generation of the Gateway Configuration attached
285+
to the GatewayClass object.
286+
format: int64
287+
type: integer
288+
observedGatewayConfigurationGeneration:
289+
description: The generation of the Gateway Configuration attached
290+
to the Gateway object.
291+
format: int64
292+
type: integer
293+
type: object
294+
type: object
295+
served: true
296+
storage: true
297+
subresources:
298+
status: {}
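Review bot: the `protocolPort` pattern at new-file line 152, `^(HTTP|HTTPS|TLS|TCP|UDP)?:(...)?$`, does not accept `TCP_UDP`, so a listener configuration for the merged listener this commit introduces cannot be expressed; add `TCP_UDP` to the alternation, and since both groups are optional consider making protocol and port mandatory so that a bare `:` no longer passes validation. Also: the status description at line 281 reads "observed state of TargetGroupBinding" although this is the LoadBalancerConfiguration CRD, the `ipAddressType` description at line 65 refers to `loadBalancerIPType`, and `defaultCertificate` still carries a TODO about admission-webhook validation for secure listeners. Finally, this hunk adds an entire new CRD whose file path is not shown on the page and which the commit message does not mention; given the note about rebasing, confirm it belongs in this commit.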
