aws/validations: introduce pre-flight validations for EnsureLoadBalancer

mtulio · mtulio · commit 32347f71137f · 2025-08-21T08:43:44.000-03:00
Introduce pre-flight validations adding pre-flight checks for
EnsureLoadBalancer with tasks to validate Service object constraints
prior making calls to the provider.

This aims to prevent changes to the resources when invalid configuration
is provided.

Currently only NLB target group attributes validations is added as part of this change.

feat/tg-attr: support target group attrib annotation on NLB
diff --git a/pkg/providers/v1/aws_validations.go b/pkg/providers/v1/aws_validations.go
@@ -0,0 +1,116 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws
+
+import (
+	"fmt"
+
+	v1 "k8s.io/api/core/v1"
+)
+
+// validationInput is the input parameters for validations.
+// TODO: ensure validations receive copy of values preventing mutation.
+type awsValidationInput struct {
+	apiService  *v1.Service
+	annotations map[string]string
+}
+
+// ensureLoadBalancerValidation validates the Service configuration early on EnsureLoadBalancer.
+// It validates the Service annotations and other constraints provided by the user are valid and supported by the controller.
+// It does not validate the AWS constraints.
+//
+// input:
+// v: awsValidationInput containing the required configuration to validate the Service object.
+//
+// returns:
+// - error: validation errors.
+func ensureLoadBalancerValidation(v *awsValidationInput) error {
+	// Validate Service annotations.
+	if err := validateServiceAnnotations(v); err != nil {
+		return err
+	}
+
+	// TODO: migrate other validations from EnsureLoadBalancer to this function.
+	return nil
+}
+
+// validateServiceAnnotations validates the service annotations constraints provided by the user
+// are valid and supported by the controller.
+func validateServiceAnnotations(v *awsValidationInput) error {
+	isNLB := isNLB(v.annotations)
+
+	// ServiceAnnotationLoadBalancerTargetGroupAttributes
+	if _, present := v.annotations[ServiceAnnotationLoadBalancerTargetGroupAttributes]; present {
+		if !isNLB {
+			return fmt.Errorf("target group annotations attribute is only supported for NLB")
+		}
+		if err := validateServiceAnnotationTargetGroupAttributes(v); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// validateServiceAnnotationTargetGroupAttributes validates the target group attributes set through annotation:
+// Annotation: service.beta.kubernetes.io/aws-load-balancer-target-group-attributes
+//
+// input:
+// v: awsValidationInput containing the required configuration to validate the Service object.
+//
+// returns:
+// - error: validation errors.
+func validateServiceAnnotationTargetGroupAttributes(v *awsValidationInput) error {
+	errPrefix := "error validating target group attributes"
+
+	// Attributes are in format key=value separated by comma.
+	annotationGroupAttributes := getKeyValuePropertiesFromAnnotation(v.annotations, ServiceAnnotationLoadBalancerTargetGroupAttributes)
+	targetGroupAttributes := make(map[string]string, len(annotationGroupAttributes))
+
+	for attrKey, attrValue := range annotationGroupAttributes {
+		if _, ok := targetGroupAttributes[attrKey]; ok {
+			return fmt.Errorf("%s: %q is set twice in the annotation", errPrefix, attrKey)
+		}
+		if len(attrValue) == 0 {
+			return fmt.Errorf("%s: attribute value is empty for %q", errPrefix, attrKey)
+		}
+
+		switch attrKey {
+		case targetGroupAttributePreserveClientIPEnabled:
+			if attrValue != "true" && attrValue != "false" {
+				return fmt.Errorf("%s: invalid attribute value for %q: %s", errPrefix, attrKey, attrValue)
+			}
+			// AWS restriction: Client IP preservation can't be disabled for UDP and TCP_UDP target groups.
+			for _, port := range v.apiService.Spec.Ports {
+				if (port.Protocol == v1.ProtocolUDP || port.Protocol == "TCP_UDP") && attrValue == "false" {
+					return fmt.Errorf("%s: client IP preservation can't be disabled for UDP ports", errPrefix)
+				}
+			}
+			targetGroupAttributes[attrKey] = attrValue
+
+		case targetGroupAttributeProxyProtocolV2Enabled:
+			if attrValue != "true" && attrValue != "false" {
+				return fmt.Errorf("%s: invalid attribute value for %q: %s", errPrefix, attrKey, attrValue)
+			}
+			targetGroupAttributes[attrKey] = attrValue
+
+		default:
+			return fmt.Errorf("%s: the attribute %q is not supported by the controller or is invalid", errPrefix, attrKey)
+		}
+	}
+
+	return nil
+}
diff --git a/pkg/providers/v1/aws_validations_test.go b/pkg/providers/v1/aws_validations_test.go
@@ -0,0 +1,268 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestValidateServiceAnnotationTargetGroupAttributes(t *testing.T) {
+	tests := []struct {
+		name          string
+		annotations   map[string]string
+		servicePorts  []v1.ServicePort
+		expectedError string
+	}{
+		{
+			name:        "no target group attributes annotation",
+			annotations: map[string]string{},
+			servicePorts: []v1.ServicePort{
+				{Port: 80, Protocol: v1.ProtocolTCP},
+			},
+			expectedError: "",
+		},
+		{
+			name: "empty target group attributes annotation",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 80, Protocol: v1.ProtocolTCP},
+			},
+			expectedError: "",
+		},
+		{
+			name: "valid preserve_client_ip.enabled=true",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "preserve_client_ip.enabled=true",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 80, Protocol: v1.ProtocolTCP},
+			},
+			expectedError: "",
+		},
+		{
+			name: "valid preserve_client_ip.enabled=false",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "preserve_client_ip.enabled=false",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 80, Protocol: v1.ProtocolTCP},
+			},
+			expectedError: "",
+		},
+		{
+			name: "valid proxy_protocol_v2.enabled=true",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "proxy_protocol_v2.enabled=true",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 80, Protocol: v1.ProtocolTCP},
+			},
+			expectedError: "",
+		},
+		{
+			name: "valid proxy_protocol_v2.enabled=false",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "proxy_protocol_v2.enabled=false",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 80, Protocol: v1.ProtocolTCP},
+			},
+			expectedError: "",
+		},
+		{
+			name: "valid multiple attributes",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "preserve_client_ip.enabled=true,proxy_protocol_v2.enabled=false",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 80, Protocol: v1.ProtocolTCP},
+			},
+			expectedError: "",
+		},
+		{
+			name: "duplicate attribute in annotation (last one wins - no error expected)",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "preserve_client_ip.enabled=true,preserve_client_ip.enabled=false",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 80, Protocol: v1.ProtocolTCP},
+			},
+			expectedError: "", // getKeyValuePropertiesFromAnnotation overwrites, so no duplicate detection
+		},
+		{
+			name: "empty attribute value",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "preserve_client_ip.enabled=",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 80, Protocol: v1.ProtocolTCP},
+			},
+			expectedError: "attribute value is empty for \"preserve_client_ip.enabled\"",
+		},
+		{
+			name: "invalid preserve_client_ip.enabled value",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "preserve_client_ip.enabled=invalid",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 80, Protocol: v1.ProtocolTCP},
+			},
+			expectedError: "invalid attribute value for \"preserve_client_ip.enabled\": invalid",
+		},
+		{
+			name: "invalid proxy_protocol_v2.enabled value",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "proxy_protocol_v2.enabled=yes",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 80, Protocol: v1.ProtocolTCP},
+			},
+			expectedError: "invalid attribute value for \"proxy_protocol_v2.enabled\": yes",
+		},
+		{
+			name: "unsupported attribute",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "unsupported_attribute=value",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 80, Protocol: v1.ProtocolTCP},
+			},
+			expectedError: "the attribute \"unsupported_attribute\" is not supported by the controller or is invalid",
+		},
+		{
+			name: "preserve_client_ip.enabled=false with UDP port should fail",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "preserve_client_ip.enabled=false",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 53, Protocol: v1.ProtocolUDP},
+			},
+			expectedError: "client IP preservation can't be disabled for UDP ports",
+		},
+		{
+			name: "preserve_client_ip.enabled=false with TCP_UDP port should fail",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "preserve_client_ip.enabled=false",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 53, Protocol: "TCP_UDP"},
+			},
+			expectedError: "client IP preservation can't be disabled for UDP ports",
+		},
+		{
+			name: "preserve_client_ip.enabled=true with UDP port should succeed",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "preserve_client_ip.enabled=true",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 53, Protocol: v1.ProtocolUDP},
+			},
+			expectedError: "",
+		},
+		{
+			name: "preserve_client_ip.enabled=false with mixed TCP and UDP ports should fail",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "preserve_client_ip.enabled=false",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 80, Protocol: v1.ProtocolTCP},
+				{Port: 53, Protocol: v1.ProtocolUDP},
+			},
+			expectedError: "client IP preservation can't be disabled for UDP ports",
+		},
+		{
+			name: "multiple attributes with preserve_client_ip.enabled=false and UDP port should fail",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "preserve_client_ip.enabled=false,proxy_protocol_v2.enabled=true",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 53, Protocol: v1.ProtocolUDP},
+			},
+			expectedError: "client IP preservation can't be disabled for UDP ports",
+		},
+		{
+			name: "case sensitivity - preserve_client_ip.enabled with True should fail",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "preserve_client_ip.enabled=True",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 80, Protocol: v1.ProtocolTCP},
+			},
+			expectedError: "invalid attribute value for \"preserve_client_ip.enabled\": True",
+		},
+		{
+			name: "case sensitivity - proxy_protocol_v2.enabled with FALSE should fail",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "proxy_protocol_v2.enabled=FALSE",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 80, Protocol: v1.ProtocolTCP},
+			},
+			expectedError: "invalid attribute value for \"proxy_protocol_v2.enabled\": FALSE",
+		},
+		{
+			name: "whitespace in attribute values should fail",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "preserve_client_ip.enabled= true ",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 80, Protocol: v1.ProtocolTCP},
+			},
+			expectedError: "invalid attribute value for \"preserve_client_ip.enabled\":",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create a test service with the specified ports
+			service := &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "test-service",
+					Namespace:   "test-namespace",
+					Annotations: tt.annotations,
+				},
+				Spec: v1.ServiceSpec{
+					Type:  v1.ServiceTypeLoadBalancer,
+					Ports: tt.servicePorts,
+				},
+			}
+
+			// Create validation input
+			input := &awsValidationInput{
+				apiService:  service,
+				annotations: tt.annotations,
+			}
+
+			// Execute the validation
+			err := validateServiceAnnotationTargetGroupAttributes(input)
+
+			// Verify the result
+			if tt.expectedError == "" {
+				assert.NoError(t, err, "Expected no error for test case: %s", tt.name)
+			} else {
+				assert.Error(t, err, "Expected error for test case: %s", tt.name)
+				assert.Contains(t, err.Error(), tt.expectedError, "Error message should contain expected text for test case: %s", tt.name)
+			}
+		})
+	}
+}
