ingress-controller: update ingresses only if the load balancer is active

As per the existing behavior, once the stack update completes, the
ingress controller immediately updates the status of all ingresses and
routegroups to reference the new load balancer. This update may
sometimes happens before the new load balancer has marked its targets
(skipper-ingress) as healthy, leading clients being routed to a load
balancer that is not ready to serve traffic yet.

To improve this behavior we retrieve the ELBs via aws api and build
the models including the ELB state of the corresponding ELB. Then
before updating the ingresses/routegroups (updateIngress func) we
check whether the ELB is in active state, if not we skip updating
the ingresses/routegroups status with the ELB hostname.

Signed-off-by: Thilina Madumal <[email protected]>

Author: Thilina Madumal

aws/adapter.go

@@ -852,6 +852,29 @@ func (a *Adapter) UpdateStack(ctx context.Context, stackName string, certificate
 	return updateStack(ctx, a.cloudformation, spec)
 }
 
+func (a *Adapter) GetLoadBalancer(ctx context.Context, stackName string) (*elbv2Types.LoadBalancer, error) {
+	lbStackResources, err := getLoadBalancerStackResource(ctx, a.cloudformation, stackName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get load balancer stack resource: %w", err)
+	}
+
+	loadBalancerID := aws.ToString(lbStackResources.PhysicalResourceId)
+	lbs, err := a.elbv2.DescribeLoadBalancers(ctx, &elbv2.DescribeLoadBalancersInput{
+		LoadBalancerArns: []string{loadBalancerID},
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to describe load balancer %q: %w", loadBalancerID, err)
+	}
+	if len(lbs.LoadBalancers) == 0 {
+		return nil, fmt.Errorf("load balancer %q not found", loadBalancerID)
+	}
+	if len(lbs.LoadBalancers) > 1 {
+		return nil, fmt.Errorf("multiple load balancers found for physical-Id %q", loadBalancerID)
+	}
+	return &lbs.LoadBalancers[0], nil
+}
+
 func (a *Adapter) httpTargetPort(loadBalancerType string) uint {
 	if loadBalancerType == LoadBalancerTypeApplication && a.albHTTPTargetPort != 0 {
 		return a.albHTTPTargetPort

aws/cf.go

@@ -207,6 +207,7 @@ type denyResp struct {
 
 type CloudFormationAPI interface {
 	cloudformation.DescribeStacksAPIClient
+	cloudformation.ListStackResourcesAPIClient
 	CreateStack(context.Context, *cloudformation.CreateStackInput, ...func(*cloudformation.Options)) (*cloudformation.CreateStackOutput, error)
 	UpdateTerminationProtection(context.Context, *cloudformation.UpdateTerminationProtectionInput, ...func(*cloudformation.Options)) (*cloudformation.UpdateTerminationProtectionOutput, error)
 	UpdateStack(context.Context, *cloudformation.UpdateStackInput, ...func(*cloudformation.Options)) (*cloudformation.UpdateStackOutput, error)
@@ -434,6 +435,46 @@ func getStack(ctx context.Context, svc CloudFormationAPI, stackName string) (*St
 	return mapToManagedStack(stack), nil
 }
 
+// getLoadBalancerStackResource retrieves the load balancer resource from a
+// CloudFormation stack. It returns the first resource of type
+// AWS::ElasticLoadBalancingV2::LoadBalancer found in the stack. The stack
+// should only have one such resource, as it is expected to be a managed load
+// balancer stack.
+func getLoadBalancerStackResource(
+	ctx context.Context,
+	svc CloudFormationAPI,
+	stackName string,
+) (
+	*types.StackResourceSummary,
+	error,
+) {
+
+	var nextToken *string
+
+	for {
+		resp, err := svc.ListStackResources(ctx, &cloudformation.ListStackResourcesInput{
+			StackName: aws.String(stackName),
+			NextToken: nextToken,
+		})
+
+		if err != nil {
+			return nil, fmt.Errorf("failed to list stack resources for stack %s: %w", stackName, err)
+		}
+
+		for _, resource := range resp.StackResourceSummaries {
+			if aws.ToString(resource.LogicalResourceId) == LoadBalancerResourceLogicalID {
+				return &resource, nil
+			}
+		}
+
+		if resp.NextToken == nil {
+			return nil, fmt.Errorf("no load balancer resource found in stack %s", stackName)
+		}
+
+		nextToken = resp.NextToken
+	}
+}
+
 func getCFStackByName(ctx context.Context, svc CloudFormationAPI, stackName string) (*types.Stack, error) {
 	params := &cloudformation.DescribeStacksInput{StackName: aws.String(stackName)}
 

aws/cf_template.go

@@ -24,6 +24,13 @@ const (
 	//
 	// [0]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listenerrule.html#cfn-elasticloadbalancingv2-listenerrule-priority
 	internalTrafficDenyRulePriority int64 = 1
+
+	// LoadBalancerResou  rceLogicalID is the logical ID of the LoadBalancer
+	// resource in the CloudFormation template.
+	//
+	// !!!Caution
+	//    Changing this value will recreate the LoadBalancer resource.
+	LoadBalancerResourceLogicalID = "LB"
 )
 
 func hashARNs(certARNs []string) []byte {
@@ -117,7 +124,7 @@ func generateTemplate(spec *stackSpec) (string, error) {
 	template.Outputs = map[string]*cloudformation.Output{
 		outputLoadBalancerDNSName: {
 			Description: "DNS name for the LoadBalancer",
-			Value:       cloudformation.GetAtt("LB", "DNSName").String(),
+			Value:       cloudformation.GetAtt(LoadBalancerResourceLogicalID, "DNSName").String(),
 		},
 		outputTargetGroupARN: {
 			Description: "The ARN of the TargetGroup",
@@ -160,7 +167,7 @@ func generateTemplate(spec *stackSpec) (string, error) {
 							},
 						},
 					},
-					LoadBalancerArn: cloudformation.Ref("LB").String(),
+					LoadBalancerArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 					Port:            cloudformation.Integer(80),
 					Protocol:        cloudformation.String("HTTP"),
 				})
@@ -172,7 +179,7 @@ func generateTemplate(spec *stackSpec) (string, error) {
 							TargetGroupArn: cloudformation.Ref(httpTargetGroupName).String(),
 						},
 					},
-					LoadBalancerArn: cloudformation.Ref("LB").String(),
+					LoadBalancerArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 					Port:            cloudformation.Integer(80),
 					Protocol:        cloudformation.String("HTTP"),
 				})
@@ -196,7 +203,7 @@ func generateTemplate(spec *stackSpec) (string, error) {
 						TargetGroupArn: cloudformation.Ref(httpTargetGroupName).String(),
 					},
 				},
-				LoadBalancerArn: cloudformation.Ref("LB").String(),
+				LoadBalancerArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 				Port:            cloudformation.Integer(80),
 				Protocol:        cloudformation.String("TCP"),
 			})
@@ -227,7 +234,7 @@ func generateTemplate(spec *stackSpec) (string, error) {
 						CertificateArn: cloudformation.String(certificateARNs[0]),
 					},
 				},
-				LoadBalancerArn: cloudformation.Ref("LB").String(),
+				LoadBalancerArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 				Port:            cloudformation.Integer(443),
 				Protocol:        cloudformation.String("HTTPS"),
 				SslPolicy:       cloudformation.Ref(parameterListenerSslPolicyParameter).String(),
@@ -256,7 +263,7 @@ func generateTemplate(spec *stackSpec) (string, error) {
 						CertificateArn: cloudformation.String(certificateARNs[0]),
 					},
 				},
-				LoadBalancerArn: cloudformation.Ref("LB").String(),
+				LoadBalancerArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 				Port:            cloudformation.Integer(443),
 				Protocol:        cloudformation.String("TLS"),
 				SslPolicy:       cloudformation.Ref(parameterListenerSslPolicyParameter).String(),
@@ -379,17 +386,17 @@ func generateTemplate(spec *stackSpec) (string, error) {
 		lb.Type = cloudformation.Ref(parameterLoadBalancerTypeParameter).String()
 	}
 
-	template.AddResource("LB", lb)
+	template.AddResource(LoadBalancerResourceLogicalID, lb)
 
 	if spec.loadbalancerType == LoadBalancerTypeApplication && spec.wafWebAclId != "" {
 		if strings.HasPrefix(spec.wafWebAclId, "arn:aws:wafv2:") {
 			template.AddResource("WAFAssociation", &cloudformation.WAFv2WebACLAssociation{
-				ResourceArn: cloudformation.Ref("LB").String(),
+				ResourceArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 				WebACLArn:   cloudformation.Ref(parameterLoadBalancerWAFWebACLIDParameter).String(),
 			})
 		} else {
 			template.AddResource("WAFAssociation", &cloudformation.WAFRegionalWebACLAssociation{
-				ResourceArn: cloudformation.Ref("LB").String(),
+				ResourceArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 				WebACLID:    cloudformation.Ref(parameterLoadBalancerWAFWebACLIDParameter).String(),
 			})
 		}

aws/cf_template_test.go

@@ -123,7 +123,7 @@ func TestGenerateTemplate(t *testing.T) {
 					&cloudformation.CloudWatchAlarmDimensionList{
 						{
 							Name:  cloudformation.String("LoadBalancer"),
-							Value: cloudformation.GetAtt("LB", "LoadBalancerFullName").String(),
+							Value: cloudformation.GetAtt(LoadBalancerResourceLogicalID, "LoadBalancerFullName").String(),
 						},
 					},
 					props.Dimensions,
@@ -270,8 +270,8 @@ func TestGenerateTemplate(t *testing.T) {
 				nlbCrossZone:     true,
 			},
 			validate: func(t *testing.T, template *cloudformation.Template) {
-				require.NotNil(t, template.Resources["LB"])
-				properties := template.Resources["LB"].Properties.(*cloudformation.ElasticLoadBalancingV2LoadBalancer)
+				require.NotNil(t, template.Resources[LoadBalancerResourceLogicalID])
+				properties := template.Resources[LoadBalancerResourceLogicalID].Properties.(*cloudformation.ElasticLoadBalancingV2LoadBalancer)
 				attributes := []cloudformation.ElasticLoadBalancingV2LoadBalancerLoadBalancerAttribute(*properties.LoadBalancerAttributes)
 				require.Equal(t, attributes[0].Key.Literal, "load_balancing.cross_zone.enabled")
 				require.Equal(t, attributes[0].Value.Literal, "true")
@@ -284,8 +284,8 @@ func TestGenerateTemplate(t *testing.T) {
 				nlbCrossZone:     false,
 			},
 			validate: func(t *testing.T, template *cloudformation.Template) {
-				require.NotNil(t, template.Resources["LB"])
-				properties := template.Resources["LB"].Properties.(*cloudformation.ElasticLoadBalancingV2LoadBalancer)
+				require.NotNil(t, template.Resources[LoadBalancerResourceLogicalID])
+				properties := template.Resources[LoadBalancerResourceLogicalID].Properties.(*cloudformation.ElasticLoadBalancingV2LoadBalancer)
 				attributes := []cloudformation.ElasticLoadBalancingV2LoadBalancerLoadBalancerAttribute(*properties.LoadBalancerAttributes)
 				require.Equal(t, attributes[0].Key.Literal, "load_balancing.cross_zone.enabled")
 				require.Equal(t, attributes[0].Value.Literal, "false")
@@ -298,8 +298,8 @@ func TestGenerateTemplate(t *testing.T) {
 				nlbZoneAffinity:  "any_availability_zone",
 			},
 			validate: func(t *testing.T, template *cloudformation.Template) {
-				require.NotNil(t, template.Resources["LB"])
-				properties := template.Resources["LB"].Properties.(*cloudformation.ElasticLoadBalancingV2LoadBalancer)
+				require.NotNil(t, template.Resources[LoadBalancerResourceLogicalID])
+				properties := template.Resources[LoadBalancerResourceLogicalID].Properties.(*cloudformation.ElasticLoadBalancingV2LoadBalancer)
 				attributes := []cloudformation.ElasticLoadBalancingV2LoadBalancerLoadBalancerAttribute(*properties.LoadBalancerAttributes)
 				require.Equal(t, attributes[1].Key.Literal, "dns_record.client_routing_policy")
 				require.Equal(t, attributes[1].Value.Literal, "any_availability_zone")
@@ -312,8 +312,8 @@ func TestGenerateTemplate(t *testing.T) {
 				nlbZoneAffinity:  "availability_zone_affinity",
 			},
 			validate: func(t *testing.T, template *cloudformation.Template) {
-				require.NotNil(t, template.Resources["LB"])
-				properties := template.Resources["LB"].Properties.(*cloudformation.ElasticLoadBalancingV2LoadBalancer)
+				require.NotNil(t, template.Resources[LoadBalancerResourceLogicalID])
+				properties := template.Resources[LoadBalancerResourceLogicalID].Properties.(*cloudformation.ElasticLoadBalancingV2LoadBalancer)
 				attributes := []cloudformation.ElasticLoadBalancingV2LoadBalancerLoadBalancerAttribute(*properties.LoadBalancerAttributes)
 				require.Equal(t, attributes[1].Key.Literal, "dns_record.client_routing_policy")
 				require.Equal(t, attributes[1].Value.Literal, "availability_zone_affinity")
@@ -326,8 +326,8 @@ func TestGenerateTemplate(t *testing.T) {
 				nlbZoneAffinity:  "partial_availability_zone_affinity",
 			},
 			validate: func(t *testing.T, template *cloudformation.Template) {
-				require.NotNil(t, template.Resources["LB"])
-				properties := template.Resources["LB"].Properties.(*cloudformation.ElasticLoadBalancingV2LoadBalancer)
+				require.NotNil(t, template.Resources[LoadBalancerResourceLogicalID])
+				properties := template.Resources[LoadBalancerResourceLogicalID].Properties.(*cloudformation.ElasticLoadBalancingV2LoadBalancer)
 				attributes := []cloudformation.ElasticLoadBalancingV2LoadBalancerLoadBalancerAttribute(*properties.LoadBalancerAttributes)
 				require.Equal(t, attributes[1].Key.Literal, "dns_record.client_routing_policy")
 				require.Equal(t, attributes[1].Value.Literal, "partial_availability_zone_affinity")
@@ -352,8 +352,8 @@ func TestGenerateTemplate(t *testing.T) {
 				http2:            true,
 			},
 			validate: func(t *testing.T, template *cloudformation.Template) {
-				require.NotNil(t, template.Resources["LB"])
-				properties := template.Resources["LB"].Properties.(*cloudformation.ElasticLoadBalancingV2LoadBalancer)
+				require.NotNil(t, template.Resources[LoadBalancerResourceLogicalID])
+				properties := template.Resources[LoadBalancerResourceLogicalID].Properties.(*cloudformation.ElasticLoadBalancingV2LoadBalancer)
 				attributes := []cloudformation.ElasticLoadBalancingV2LoadBalancerLoadBalancerAttribute(*properties.LoadBalancerAttributes)
 				require.Equal(t, attributes[1].Key.Literal, "routing.http2.enabled")
 				require.Equal(t, attributes[1].Value.Literal, "true")
@@ -366,8 +366,8 @@ func TestGenerateTemplate(t *testing.T) {
 				http2:            false,
 			},
 			validate: func(t *testing.T, template *cloudformation.Template) {
-				require.NotNil(t, template.Resources["LB"])
-				properties := template.Resources["LB"].Properties.(*cloudformation.ElasticLoadBalancingV2LoadBalancer)
+				require.NotNil(t, template.Resources[LoadBalancerResourceLogicalID])
+				properties := template.Resources[LoadBalancerResourceLogicalID].Properties.(*cloudformation.ElasticLoadBalancingV2LoadBalancer)
 				attributes := []cloudformation.ElasticLoadBalancingV2LoadBalancerLoadBalancerAttribute(*properties.LoadBalancerAttributes)
 				require.Equal(t, attributes[1].Key.Literal, "routing.http2.enabled")
 				require.Equal(t, attributes[1].Value.Literal, "false")

aws/cf_test.go

@@ -784,6 +784,84 @@ func TestGetStack(t *testing.T) {
 	}
 }
 
+func TestGetLoadBalancerStackResource(t *testing.T) {
+
+	for _, ti := range []struct {
+		name    string
+		given   fake.CFOutputs
+		want    *types.StackResourceSummary
+		wantErr bool
+	}{
+		{
+			"managed load balancer resource found",
+			fake.CFOutputs{
+				ListStackResources: fake.R(&cloudformation.ListStackResourcesOutput{
+					StackResourceSummaries: []types.StackResourceSummary{
+						{
+							LogicalResourceId:    aws.String(LoadBalancerResourceLogicalID),
+							ResourceType:         aws.String("AWS::ElasticLoadBalancingV2::LoadBalancer"),
+							ResourceStatus:       types.ResourceStatusCreateComplete,
+							ResourceStatusReason: aws.String(""),
+						},
+					}}, nil),
+			},
+			&types.StackResourceSummary{
+				LogicalResourceId:    aws.String(LoadBalancerResourceLogicalID),
+				ResourceType:         aws.String("AWS::ElasticLoadBalancingV2::LoadBalancer"),
+				ResourceStatus:       types.ResourceStatusCreateComplete,
+				ResourceStatusReason: aws.String(""),
+			},
+			false,
+		},
+		{
+			"no load balancer resource",
+			fake.CFOutputs{
+				ListStackResources: fake.R(&cloudformation.ListStackResourcesOutput{
+					StackResourceSummaries: []types.StackResourceSummary{
+						{
+							LogicalResourceId:    aws.String("SomeOtherResourceLogicalID"),
+							ResourceType:         aws.String("AWS::Some::OtherResource"),
+							ResourceStatus:       types.ResourceStatusCreateComplete,
+							ResourceStatusReason: aws.String(""),
+						},
+					}}, nil),
+			},
+			nil,
+			true,
+		},
+		{
+			"unmanaged load balancer",
+			fake.CFOutputs{
+				ListStackResources: fake.R(&cloudformation.ListStackResourcesOutput{
+					StackResourceSummaries: []types.StackResourceSummary{
+						{
+							LogicalResourceId:    aws.String("unmanaged-load-balancer"),
+							ResourceType:         aws.String("AWS::ElasticLoadBalancingV2::LoadBalancer"),
+							ResourceStatus:       types.ResourceStatusCreateComplete,
+							ResourceStatusReason: aws.String(""),
+						},
+					}}, nil),
+			},
+			nil,
+			true,
+		},
+	} {
+		t.Run(ti.name, func(t *testing.T) {
+			c := &fake.CFClient{Outputs: ti.given}
+			got, err := getLoadBalancerStackResource(context.Background(), c, "dontcare")
+			if err != nil {
+				if !ti.wantErr {
+					t.Error("unexpected error", err)
+				}
+			} else {
+				if !reflect.DeepEqual(ti.want, got) {
+					t.Errorf("unexpected result. wanted %+v, got %+v", ti.want, got)
+				}
+			}
+		})
+	}
+}
+
 func TestShouldDelete(t *testing.T) {
 	for _, ti := range []struct {
 		msg   string

aws/cloudwatch.go

@@ -77,7 +77,7 @@ func normalizeCloudWatchAlarmDimensions(alarmDimensions *cloudformation.CloudWat
 		return &cloudformation.CloudWatchAlarmDimensionList{
 			{
 				Name:  cloudformation.String("LoadBalancer"),
-				Value: cloudformation.GetAtt("LB", "LoadBalancerFullName").String(),
+				Value: cloudformation.GetAtt(LoadBalancerResourceLogicalID, "LoadBalancerFullName").String(),
 			},
 		}
 	}
@@ -89,7 +89,7 @@ func normalizeCloudWatchAlarmDimensions(alarmDimensions *cloudformation.CloudWat
 
 		switch dimension.Name.Literal {
 		case "LoadBalancer":
-			value = cloudformation.GetAtt("LB", "LoadBalancerFullName").String()
+			value = cloudformation.GetAtt(LoadBalancerResourceLogicalID, "LoadBalancerFullName").String()
 		case "TargetGroup":
 			value = cloudformation.GetAtt("TG", "TargetGroupFullName").String()
 		}

aws/cloudwatch_test.go

@@ -103,7 +103,7 @@ func TestNormalizeCloudWatchAlarmDimensions(t *testing.T) {
 			expected: &cloudformation.CloudWatchAlarmDimensionList{
 				{
 					Name:  cloudformation.String("LoadBalancer"),
-					Value: cloudformation.GetAtt("LB", "LoadBalancerFullName").String(),
+					Value: cloudformation.GetAtt(LoadBalancerResourceLogicalID, "LoadBalancerFullName").String(),
 				},
 			},
 		},
@@ -113,7 +113,7 @@ func TestNormalizeCloudWatchAlarmDimensions(t *testing.T) {
 			expected: &cloudformation.CloudWatchAlarmDimensionList{
 				{
 					Name:  cloudformation.String("LoadBalancer"),
-					Value: cloudformation.GetAtt("LB", "LoadBalancerFullName").String(),
+					Value: cloudformation.GetAtt(LoadBalancerResourceLogicalID, "LoadBalancerFullName").String(),
 				},
 			},
 		},
@@ -135,7 +135,7 @@ func TestNormalizeCloudWatchAlarmDimensions(t *testing.T) {
 			expected: &cloudformation.CloudWatchAlarmDimensionList{
 				{
 					Name:  cloudformation.String("LoadBalancer"),
-					Value: cloudformation.GetAtt("LB", "LoadBalancerFullName").String(),
+					Value: cloudformation.GetAtt(LoadBalancerResourceLogicalID, "LoadBalancerFullName").String(),
 				},
 				{
 					Name:  cloudformation.String("TargetGroup"),