Add support for VPC Endpoint Services #2636

Open
wants to merge 21 commits into
base: main

hintofbasil
Contributor

Issue

#1859

Description

This change adds support for creating, deleting and updating VPC endpoint
services along with their permissions. It supports the three suggested
configuration options - allowed principals, acceptance required, and private DNS
name.

An enable annotation was also added to support enabling/disabling the feature
on a per load balancer basis. The proposed design only supported
enabling/disabling this at the controller level.

Outputting the created VPC Endpoint Service parameters is deliberately not
supported as there are still open questions as to the best approach to be used
and this change is already far too big and adding more to it does not seem
sensible. This feature can be added in a follow-up change.

This change has been manually tested on a Kubernetes service.

I apologise for the large PR. I couldn't determine suitable breakpoints to split
this change up into smaller changes. I can do so if you can suggest the break
points. I'm also fairly new to Golang so am very happy for any feedback as I
know the code quality isn't amazing here.

Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the docs directory)
  • Manually tested
  • Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

  • Backfilled missing tests for code in same general area 🎉
  • Refactored something and made the world a better place 🌟

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 2, 2022
@k8s-ci-robot
Contributor

Hi @hintofbasil. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label May 2, 2022
@k8s-ci-robot k8s-ci-robot requested review from kishorj and M00nF1sh May 2, 2022 19:41

@maruina maruina left a comment

Generally LGTM, just a couple of questions

@@ -12,3 +14,25 @@ func ChunkStrings(targets []string, chunkSize int) [][]string {
}
return chunks
}

func DiffStringSlice(first, second []string) ([]*string, []*string, []*string) {
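
Review bot: DiffStringSlice returns three unnamed []*string values, so nothing in the signature says which result is which, or why the inputs are []string while the outputs are slices of pointers. Name the three results in the signature and state their order in the doc comment, so a caller cannot mix them up.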

Can we add a comment here to explain what this function does?

Contributor Author

Added one.

}

func (m *defaultEndpointServiceManager) ReconcileTags(ctx context.Context, resID string, desiredTags map[string]string, opts ...ReconcileTagsOption) error {
return nil

Is this missing the implementation, or am I missing something?

Contributor Author

This was templated by rifelpet but I ended up using the tagging manager implementation instead of duplicating the logic. Removed it.

Comment on lines +58 to +61
if tt.wantErr {
assert.Error(t, err)
} else {
assert.Equal(t, tt.want, got)
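
Review bot: in the else branch at lines +60 to +61 only got is compared with tt.want; err is not checked on the success path in the lines shown. Unless an assert.NoError(t, err) follows outside the quoted range, add one, so a case that returns an unexpected error together with a matching value cannot pass.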

Why not add a wantErr to every test case and just assert.Equal(t, tt.want, got)?

Contributor Author

The errors returned are generally wrapped errors. Wrapped errors include a stack trace so can't be compared to an error generated in the test.
If there is a nice way to test for equality with wrapped errors I'd be very happy to change it.

@kishorj
Collaborator

kishorj commented May 5, 2022

@hintofbasil, thanks for your changes. We are currently finalizing the v2.4.2 patch release, I will review your changes after the patch release.

@codecov-commenter

codecov-commenter commented May 5, 2022

Codecov Report

Patch coverage: 63.57% and project coverage change: +0.48 🎉

Comparison is base (ff8c13d) 55.05% compared to head (afa4b7e) 55.53%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2636      +/-   ##
==========================================
+ Coverage   55.05%   55.53%   +0.48%     
==========================================
  Files         148      157       +9     
  Lines        8532     9002     +470     
==========================================
+ Hits         4697     4999     +302     
- Misses       3505     3662     +157     
- Partials      330      341      +11     
Impacted Files Coverage Δ
pkg/config/addons_config.go 0.00% <0.00%> (ø)
pkg/deploy/elbv2/listener_manager.go 1.08% <ø> (ø)
pkg/deploy/stack_deployer.go 0.00% <0.00%> (ø)
pkg/deploy/tracking/provider_mocks.go 0.00% <0.00%> (ø)
pkg/networking/vpc_endpoint_service_info.go 0.00% <0.00%> (ø)
pkg/networking/vpc_endpoint_service_manager.go 0.00% <0.00%> (ø)
...g/networking/vpc_endpoint_service_manager_mocks.go 0.00% <0.00%> (ø)
pkg/service/model_build_endpoint_service.go 54.00% <54.00%> (ø)
pkg/service/model_builder.go 86.86% <60.00%> (-1.43%) ⬇️
pkg/deploy/ec2/tagging_manager__mocks.go 69.69% <69.69%> (ø)
... and 5 more

@hintofbasil
Contributor Author

Hi @kishorj, thanks for agreeing to take a look. A few people in Skyscanner have agreed to review it in the meantime. Matteo has already put one review in. Hopefully this makes things easier for you.

We are planning on deploying this internally in the next few weeks. We understand it likely won't be reviewed by then - but would it be possible to get the e2e tests run against this? It would make us feel much more confident in running a fork, and setting these up ourselves seems unrealistic.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 11, 2022
@kishorj
Collaborator

kishorj commented May 11, 2022

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 11, 2022

@gjtempleton gjtempleton left a comment

I've only got through 11 of the files, but a few nits and some style questions.

@@ -47,6 +47,10 @@
| [service.beta.kubernetes.io/aws-load-balancer-target-node-labels](#target-node-labels) | stringMap | | |
| [service.beta.kubernetes.io/aws-load-balancer-attributes](#load-balancer-attributes) | stringMap | | |
| [service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules](#manage-backend-sg-rules) | boolean | true | |
| [service.beta.kubernetes.io/aws-load-balancer-endpoint-service-enabled](#endpoint-service-enable)| boolean | false | |
| [service.beta.kubernetes.io/aws-load-balancer-endpoint-service-acceptance-required](#endpoint-service-acceptance)| boolean | | |
| [service.beta.kubernetes.io/aws-load-balancer-endpoint-service-allowed-principals](#endpoint-allowed-principles)| stringList | | |
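
Review bot: the Default column is left empty for endpoint-service-acceptance-required and endpoint-service-allowed-principals in the added rows. These two annotations decide whether a connection must be accepted manually and who may attach an Endpoint, so the table should state the effective behaviour when the annotation is omitted rather than leave the cell blank.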

Nit:

Suggested change
| [service.beta.kubernetes.io/aws-load-balancer-endpoint-service-allowed-principals](#endpoint-allowed-principles)| stringList | | |
| [service.beta.kubernetes.io/aws-load-balancer-endpoint-service-allowed-principals](#endpoint-allowed-principals)| stringList | | |


- <a name="endpoint-service-acceptance">`service.beta.kubernetes.io/aws-load-balancer-endpoint-service-acceptance-required`</a> specifies whether requests to attach an Endpoint to the Endpoint Service require manual acceptance.

- <a name="endpoint-allowed-principles">`service.beta.kubernetes.io/aws-load-balancer-endpoint-service-allowed-principals`</a> is a list of principles from which an Endpoint can be attached to this Endpoint Service.

Matching nit:

Suggested change
- <a name="endpoint-allowed-principles">`service.beta.kubernetes.io/aws-load-balancer-endpoint-service-allowed-principals`</a> is a list of principles from which an Endpoint can be attached to this Endpoint Service.
- <a name="endpoint-allowed-principals">`service.beta.kubernetes.io/aws-load-balancer-endpoint-service-allowed-principals`</a> is a list of principles from which an Endpoint can be attached to this Endpoint Service.


- <a name="endpoint-allowed-principles">`service.beta.kubernetes.io/aws-load-balancer-endpoint-service-allowed-principals`</a> is a list of principles from which an Endpoint can be attached to this Endpoint Service.

- <a name="endpoint-private-dns">`service.beta.kubernetes.io/aws-load-balancer-endpoint-service-private-dns-name`</a> is the private DNS name given to the Endpoint Service. This will need to be verifies through a valid DNS record.

Suggested change
- <a name="endpoint-private-dns">`service.beta.kubernetes.io/aws-load-balancer-endpoint-service-private-dns-name`</a> is the private DNS name given to the Endpoint Service. This will need to be verifies through a valid DNS record.
- <a name="endpoint-private-dns">`service.beta.kubernetes.io/aws-load-balancer-endpoint-service-private-dns-name`</a> is the private DNS name given to the Endpoint Service. This will need to be verified through a valid DNS record.

ReconcilePermissions(ctx context.Context, permissions *ec2model.VPCEndpointServicePermissions) error
}

// NewdefaultEndpointServiceManager constructs new defaultEndpointServiceManager.

Nit:

Suggested change
// NewdefaultEndpointServiceManager constructs new defaultEndpointServiceManager.
// NewDefaultEndpointServiceManager constructs new defaultEndpointServiceManager.

externalManagedTags []string
}

func (m *defaultEndpointServiceManager) Create(ctx context.Context, resSG *ec2model.VPCEndpointService) (ec2model.VPCEndpointServiceStatus, error) {

Seems there's still a few references to SG rather than ES throughout this function.

Suggested change
func (m *defaultEndpointServiceManager) Create(ctx context.Context, resSG *ec2model.VPCEndpointService) (ec2model.VPCEndpointServiceStatus, error) {
func (m *defaultEndpointServiceManager) Create(ctx context.Context, resES *ec2model.VPCEndpointService) (ec2model.VPCEndpointServiceStatus, error) {


func (m *defaultEndpointServiceManager) Update(ctx context.Context, resES *ec2model.VPCEndpointService, sdkES networking.VPCEndpointServiceInfo) (ec2model.VPCEndpointServiceStatus, error) {

m.logger.Info("Updating", "resES", resES, "sdkES", sdkES)
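
Review bot: the Info call at the top of Update writes the whole resES and sdkES values to the log on every update. Logging the endpoint service ID and the fields that actually differ would keep the line readable and avoid dumping the full resource spec into the controller log; if the full objects are useful, a debug-level message is a better home for them.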

Do we want to log this if no changes are being made?

Contributor Author

@hintofbasil hintofbasil May 23, 2022

In pkg/deploy/ec2/endpoint_service_synthesizer.go we calculate the endpoint services that need created, deleted and updated and only call the relevant function. If no endpoint services need updated then this function is never called. It feels safe to me.

}

func (m *defaultEndpointServiceManager) ReconcilePermissions(ctx context.Context, permissions *ec2model.VPCEndpointServicePermissions) error {
m.logger.Info("Reconciling Permissions")

The pattern through the rest of the codebase is lower case logging. Do we want to deviate from that here?

Comment on lines 225 to 228
m.logger.Info("Build priciples",
"AddPrinciples", addPrinciples,
"RemovePrinciples", removePrinciples,
)

Suggested change
m.logger.Info("Build priciples",
"AddPrinciples", addPrinciples,
"RemovePrinciples", removePrinciples,
)
m.logger.Info("build principals",
"addPrinciples", addPrincipals,
"removePrinciples", removePrincipals,
)
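
The add/remove computation that the log line above reports, as an added example that is not code from this PR: it diffs the allowed-principals annotation value against the principals currently allowed on the endpoint service. The type and function names, the comma-separated encoding of the stringList value, the rule that an entry is either `*` or an ARN, and the sample account IDs are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// PrincipalPlan is the change set that moves an endpoint service's allow-list
// from what AWS reports today to what the annotation asks for.
// Every name in this file is hypothetical; none is taken from the PR.
type PrincipalPlan struct {
	Add      []string // desired, not yet allowed
	Remove   []string // allowed today but no longer desired (stale access)
	Keep     []string // on both sides, no API call needed
	Invalid  []string // desired entries that are neither "*" nor an ARN
	Wildcard bool     // desired list contains "*": every AWS principal
}

// parseList splits a comma-separated annotation value (the assumed encoding
// of a stringList), trimming whitespace and dropping empties and duplicates.
func parseList(value string) map[string]bool {
	set := map[string]bool{}
	for _, item := range strings.Split(value, ",") {
		if item = strings.TrimSpace(item); item != "" {
			set[item] = true
		}
	}
	return set
}

// PlanPrincipals diffs the desired annotation value against the principals
// currently allowed on the endpoint service.
func PlanPrincipals(desiredAnnotation string, current []string) PrincipalPlan {
	var plan PrincipalPlan
	want := parseList(desiredAnnotation)
	have := map[string]bool{}
	for _, p := range current {
		have[p] = true
	}
	for p := range want {
		switch {
		case p != "*" && !strings.HasPrefix(p, "arn:"):
			// Report malformed entries instead of sending them to the API.
			plan.Invalid = append(plan.Invalid, p)
			delete(want, p)
		case have[p]:
			plan.Keep = append(plan.Keep, p)
		default:
			plan.Add = append(plan.Add, p)
		}
	}
	plan.Wildcard = want["*"]
	for p := range have {
		if !want[p] {
			plan.Remove = append(plan.Remove, p)
		}
	}
	// Map iteration order is random; sort so logs and tests are stable.
	for _, s := range [][]string{plan.Add, plan.Remove, plan.Keep, plan.Invalid} {
		sort.Strings(s)
	}
	return plan
}

// NoOp reports whether the permissions update can be skipped entirely.
func (p PrincipalPlan) NoOp() bool { return len(p.Add) == 0 && len(p.Remove) == 0 }

func main() {
	// Constructed sample data: the account IDs are placeholders.
	desired := " arn:aws:iam::111111111111:root, arn:aws:iam::222222222222:role/consumer ,," +
		"arn:aws:iam::111111111111:root, 333333333333"
	current := []string{"arn:aws:iam::111111111111:root", "arn:aws:iam::999999999999:root"}
	plan := PlanPrincipals(desired, current)
	fmt.Printf("add=%v remove=%v keep=%v invalid=%v wildcard=%v noop=%v\n",
		plan.Add, plan.Remove, plan.Keep, plan.Invalid, plan.Wildcard, plan.NoOp())
}
```

The Remove set matters as much as Add: a principal that stays on the service after it disappears from the annotation keeps its ability to attach an Endpoint.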

@@ -57,6 +57,10 @@ You can add annotations to kubernetes Ingress and Service objects to customize t
|[alb.ingress.kubernetes.io/actions.${action-name}](#actions)|json|N/A|Ingress|N/A|
|[alb.ingress.kubernetes.io/conditions.${conditions-name}](#conditions)|json|N/A|Ingress|N/A|
|[alb.ingress.kubernetes.io/target-node-labels](#target-node-labels)|stringMap|N/A|Ingress,Service|N/A|
|[alb.ingress.kubernetes.io/aws-load-balancer-endpoint-service-enabled](#endpoint-service-enable)|boolean|false|
|[alb.ingress.kubernetes.io/aws-load-balancer-endpoint-service-acceptance-required](#endpoint-service-acceptance)|boolean||
|[alb.ingress.kubernetes.io/aws-load-balancer-endpoint-service-allowed-principals](#endpoint-allowed-principles)|stringList||
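
Review bot: the three added rows stop after the default value, while the rows above them carry two further cells (|Ingress|N/A| or |Ingress,Service|N/A|), so the table will render unevenly. The added keys also keep the aws-load-balancer- segment after the alb.ingress.kubernetes.io/ prefix, unlike the neighbouring Ingress annotations; please confirm these are the keys the controller actually parses.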

Nit:

Suggested change
|[alb.ingress.kubernetes.io/aws-load-balancer-endpoint-service-allowed-principals](#endpoint-allowed-principles)|stringList||
|[alb.ingress.kubernetes.io/aws-load-balancer-endpoint-service-allowed-principals](#endpoint-allowed-principals)|stringList||


serviceId, err := permissions.Spec.ServiceId.Resolve(ctx)
if err != nil {
return errors.Wrap(err, "Failed to resolve VPCEndpointServicePermissions serviceID")

Same question as with logging casing.

@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 23, 2022
@hintofbasil
Contributor Author

This has been rebased and the formatting changes above implemented.

@hintofbasil
Contributor Author

hintofbasil commented May 24, 2022

I'm unable to replicate the e2e test failure.

I've added the following resources to a cluster running this branch of the controller.

apiVersion: v1
kind: Namespace
metadata:
  name: test
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: aws-load-balancer-controller-test
spec:
  controller: ingress.k8s.aws/alb
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: aws-load-balancer-controller-test
  namespace: test
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/subnets: subnet-id-1,subnet-id-2
spec:
  ingressClassName: aws-load-balancer-controller-test
  rules:
  - host: ""
    http:
      paths:
      - path: /path
        pathType: Exact
        backend:
          service:
            name: aws-load-balancer-controller-test
            port:
              name: http
---
apiVersion: v1
kind: Service
metadata:
  name: aws-load-balancer-controller-test
  namespace: test
spec:
  ports:
  - name: http
    port: 80
    targetPort: http
  selector:
    service: 'null'
  type: NodePort

This brings up a load balancer which successfully provisions.

I've then deleted the Ingress and the load balancer successfully deletes. Then deleted the namespace which also successfully deletes.

From what I can see this follows the exact logic of the test.

As such I'm going to trigger a rerun to see if it was a flake.

@hintofbasil
Contributor Author

/retest

@seh
Contributor

seh commented May 30, 2022

How does this approach differ from @rifelpet's initial pass in #1948?

@seh
Contributor

seh commented May 30, 2022

I didn't see it while reading the code, but I'm wondering whether there are more IAM actions that we'll need to allow in the IAM policy used by this controller.

@hintofbasil
Contributor Author

I didn't see it while reading the code, but I'm wondering whether there are more IAM actions that we'll need to allow in the IAM policy used by this controller.

You were correct, after adding these the tests are passing. Thanks!

@hintofbasil
Contributor Author

How does this approach differ from @rifelpet's initial pass in #1948?

This is a continuation of their work. Rifelpet provided a rough outline for the code; function definitions and structs mainly. This adds the actual implementation to make the feature work. It sticks pretty closely to Rifelpet's original design - and even includes their commits showing how it was built up from there.

@seh
Contributor

seh commented May 30, 2022

This is a continuation of their work.

Thank you for the detailed explanation.

I was going to say earlier this morning that configuring the private DNS name on the VPC endpoint service side seemed backwards to me, thinking that it would be consumers creating interface VPC endpoints that would decide on the name, but then I went back and read the AWS documentation on the feature, and see that your design matches that feature's interface: the service provider chooses a DNS name. I still find this so confusing. That's not your fault, though.

Comment on lines 53 to 54
sgTags := m.trackingProvider.ResourceTags(resES.Stack(), resES, resES.Spec.Tags)
sdkTags := convertTagsToSDKTags(sgTags)
Contributor

Suggested change
sgTags := m.trackingProvider.ResourceTags(resES.Stack(), resES, resES.Spec.Tags)
sdkTags := convertTagsToSDKTags(sgTags)
esTags := m.trackingProvider.ResourceTags(resES.Stack(), resES, resES.Spec.Tags)
sdkTags := convertTagsToSDKTags(esTags)

Comment on lines 56 to 57
for _, sdkSG := range unmatchedSDKESs {
if err := s.esManager.Delete(ctx, sdkSG); err != nil {
Contributor

Suggested change
for _, sdkSG := range unmatchedSDKESs {
if err := s.esManager.Delete(ctx, sdkSG); err != nil {
for _, sdkES := range unmatchedSDKESs {
if err := s.esManager.Delete(ctx, sdkES); err != nil {

sdk networking.VPCEndpointServiceInfo
}

func matchResAndSDKEndpointServices(resSGs []*ec2model.VPCEndpointService, sdkSGs []networking.VPCEndpointServiceInfo,
Contributor

Suggested change
func matchResAndSDKEndpointServices(resSGs []*ec2model.VPCEndpointService, sdkSGs []networking.VPCEndpointServiceInfo,
func matchResAndSDKEndpointServices(resESs []*ec2model.VPCEndpointService, sdkESs []networking.VPCEndpointServiceInfo,

sdk networking.VPCEndpointServiceInfo
}

func matchResAndSDKEndpointServices(resSGs []*ec2model.VPCEndpointService, sdkSGs []networking.VPCEndpointServiceInfo,
Contributor

More references to 'sg' in this function that should be updated to 'es'

Comment on lines 196 to 197
for sgID, esInfo := range esInfoByIDForTagFilter {
esInfoByID[sgID] = esInfo
Contributor

Suggested change
for sgID, esInfo := range esInfoByIDForTagFilter {
esInfoByID[sgID] = esInfo
for esID, esInfo := range esInfoByIDForTagFilter {
esInfoByID[esID] = esInfo

@hintofbasil
Contributor Author

Thanks @rifelpet, seems quite a few of these typos escaped me.
I've cleaned them all up in a single commit.

@shoukoo

shoukoo commented Jul 6, 2022

just wondering if it's ready to be merged? would like to have this feature in the default branch.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 12, 2022
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 13, 2023
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: hintofbasil
Once this PR has been reviewed and has the lgtm label, please ask for approval from kishorj. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tculp

tculp commented Oct 3, 2023

Any update on this?

@hintofbasil
Contributor Author

hintofbasil commented Oct 9, 2023

Any update on this?

The code is up to date on my end. Just waiting for a review from kishorj and/or M00nf1sh. I presume it being added to the v2.7.0 roadmap means they are aware it still needs review.

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle stale
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 22, 2024
@z0rc

z0rc commented Jan 22, 2024

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 22, 2024
@dims
Member

dims commented Jan 24, 2024

/assign @oliviassss

@oliviassss
Collaborator

Thanks for your contribution, and sorry for the delay. I will discuss and review this PR internally with our approvers to gather opinions.

@oliviassss
Collaborator

oliviassss commented Feb 6, 2024

Sorry for the delay, we discussed this feature internally, it's a major feature that needs a minor release, and also we need to do a security review with it. So we aim at shipping it with v2.8.0

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 7, 2024
@shraddhabang shraddhabang added this to the v2.8.0 milestone Feb 7, 2024
@k8s-triage-robot

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 8, 2024
@aaroniscode

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 8, 2024
@prianna

prianna commented Jul 1, 2024

Hey @oliviassss AWS has released 2.8.1 of the LB controller and this PR still doesn't seem to have been merged. I don't see support for managing VPC private endpoints natively in the controller's release notes. Any idea what the blocker for this is? We'd love an update, as we have several major architectural changes that depend on this at Salesforce.

@oliviassss
Collaborator

/assign @M00nF1sh

@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 9, 2024
@m17kea

m17kea commented Jul 12, 2024

Any update on this?

@bsod90

bsod90 commented Aug 15, 2024

It would be so awesome if this one got merged. We're considering implementing an alternative solution, but doing it through the load balancer controller would be so much cleaner.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 15, 2024
@k8s-ci-robot
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@maruina

maruina commented Oct 18, 2024

@M00nF1sh any update on this?

@sudheer-gutta

We already have 2.10.0 version of load-balancer-controller and this PR is not part of it. We are trying to design a solution using multiple VPC endpoint services and having native support is helpful. Can you please share the plan on when this PR will make it into a release?

@vazuev

vazuev commented Jan 17, 2025

Hello @oliviassss @kishorj @M00nF1sh !
This feature would be really liked in ALB-controller solution!
