ingress-controller: update ingresses only if the load balancer is active

As per the existing behavior, once the stack update completes, the
ingress controller immediately updates the status of all ingresses and
routegroups to reference the new load balancer. This update may
sometimes happens before the new load balancer has marked its targets
(skipper-ingress) as healthy, leading clients being routed to a load
balancer that is not ready to serve traffic yet.

To improve this behavior we retrieve the ELBs via aws api and build
the models including the ELB state of the corresponding ELB. Then
before updating the ingresses/routegroups (updateIngress func) we
check whether the ELB is in active state, if not we skip updating
the ingresses/routegroups status with the ELB hostname.

Signed-off-by: Thilina Madumal <[email protected]>

Author: Thilina Madumal

.gitignore

@@ -36,3 +36,4 @@ Dockerfile.upstream
 profile.cov
 
 .idea/
+.vscode/

aws/adapter.go

@@ -660,6 +660,60 @@ func (a *Adapter) FindManagedStacks(ctx context.Context) ([]*Stack, error) {
 	return stacks, nil
 }
 
+// GetStackELBs returns the list of load balancers of the managed stacks.
+// While implementing this method it was taken that each stack has its own load
+// balancer and never refer to the same load balancer from multiple stacks.
+//
+// If a stack does not have a load balancer ARN it will be returned with an empty
+// ELB field.
+func (a *Adapter) GetStackELBs(ctx context.Context, stacks []*Stack) ([]*StackELB, error) {
+
+	lbARNs := make([]string, 0, len(stacks))
+	for _, stack := range stacks {
+		if stack == nil || stack.LoadBalancerARN == "" {
+			continue
+		}
+		lbARNs = append(lbARNs, stack.LoadBalancerARN)
+	}
+
+	lbsMap := make(map[string]*elbv2Types.LoadBalancer, len(lbARNs))
+
+	paginator := elbv2.NewDescribeLoadBalancersPaginator(
+		a.elbv2,
+		&elbv2.DescribeLoadBalancersInput{
+			LoadBalancerArns: lbARNs,
+		},
+	)
+	for paginator.HasMorePages() {
+		elbOutput, err := paginator.NextPage(ctx)
+		if err != nil {
+			return nil, fmt.Errorf("describe-load-balancers paginated call to AWS API failed: %w", err)
+		}
+		for _, lb := range elbOutput.LoadBalancers {
+			lbsMap[aws.ToString(lb.LoadBalancerArn)] = &lb
+		}
+	}
+
+	stackELBs := make([]*StackELB, 0, len(stacks))
+	for _, stack := range stacks {
+		if stack == nil {
+			continue
+		}
+		var elb *elbv2Types.LoadBalancer
+		if lbsMap[stack.LoadBalancerARN] != nil {
+			elb = lbsMap[stack.LoadBalancerARN]
+		} else {
+			log.Warnf("load balancer of %s stack is not found", stack.Name)
+		}
+		stackELB := &StackELB{
+			Stack: stack,
+			ELB:   elb,
+		}
+		stackELBs = append(stackELBs, stackELB)
+	}
+	return stackELBs, nil
+}
+
 // UpdateTargetGroupsAndAutoScalingGroups updates Auto Scaling Groups
 // config to have relevant Target Groups and registers/deregisters single
 // instances (that do not belong to ASG) in relevant Target Groups.

aws/adapter_test.go

@@ -1028,3 +1028,112 @@ func TestWithTargetAccessMode(t *testing.T) {
 		assert.False(t, a.TargetCNI.Enabled)
 	})
 }
+
+func TestGetStackELBs(t *testing.T) {
+	tests := []struct {
+		name              string
+		elbv2Outputs      fake.ELBv2Outputs
+		stacks            []*Stack
+		expectedStackELBs []*StackELB
+		expectError       bool
+	}{
+		{
+			name: "success - matching ELBs",
+			elbv2Outputs: fake.ELBv2Outputs{
+				DescribeLoadBalancers: fake.R(&elbv2.DescribeLoadBalancersOutput{
+					LoadBalancers: []elbv2Types.LoadBalancer{
+						{LoadBalancerArn: aws.String("arn1"), LoadBalancerName: aws.String("lb1")},
+						{LoadBalancerArn: aws.String("arn2"), LoadBalancerName: aws.String("lb2")},
+					},
+				}, nil),
+			},
+			stacks: []*Stack{
+				{Name: "stack1", LoadBalancerARN: "arn1"},
+				{Name: "stack2", LoadBalancerARN: "arn2"},
+			},
+			expectedStackELBs: []*StackELB{
+				{
+					Stack: &Stack{Name: "stack1", LoadBalancerARN: "arn1"},
+					ELB:   &elbv2Types.LoadBalancer{LoadBalancerArn: aws.String("arn1"), LoadBalancerName: aws.String("lb1")},
+				},
+				{
+					Stack: &Stack{Name: "stack2", LoadBalancerARN: "arn2"},
+					ELB:   &elbv2Types.LoadBalancer{LoadBalancerArn: aws.String("arn2"), LoadBalancerName: aws.String("lb2")},
+				},
+			},
+			expectError: false,
+		},
+		{
+			name: "success - no matching ELB found for one of the stacks",
+			elbv2Outputs: fake.ELBv2Outputs{
+				DescribeLoadBalancers: fake.R(&elbv2.DescribeLoadBalancersOutput{
+					LoadBalancers: []elbv2Types.LoadBalancer{
+						{LoadBalancerArn: aws.String("arn1"), LoadBalancerName: aws.String("lb1")},
+					},
+				}, nil),
+			},
+			stacks: []*Stack{
+				{Name: "stack1", LoadBalancerARN: "arn1"},
+				{Name: "stack2", LoadBalancerARN: "arn2"},
+			},
+			expectedStackELBs: []*StackELB{
+				{
+					Stack: &Stack{Name: "stack1", LoadBalancerARN: "arn1"},
+					ELB:   &elbv2Types.LoadBalancer{LoadBalancerArn: aws.String("arn1"), LoadBalancerName: aws.String("lb1")},
+				},
+				{
+					Stack: &Stack{Name: "stack2", LoadBalancerARN: "arn2"},
+					ELB:   nil, // No matching ELB found for stack2
+				},
+			},
+			expectError: false,
+		},
+		{
+			name: "error - paginated DescribeLoadBalancers API failure",
+			elbv2Outputs: fake.ELBv2Outputs{
+				DescribeLoadBalancers: fake.R(nil, fmt.Errorf("API error")),
+			},
+			stacks:            []*Stack{{Name: "stack1", LoadBalancerARN: "arn1"}},
+			expectedStackELBs: nil,
+			expectError:       true,
+		},
+		{
+			name: "success - no stacks",
+			elbv2Outputs: fake.ELBv2Outputs{
+				DescribeLoadBalancers: fake.R(&elbv2.DescribeLoadBalancersOutput{
+					LoadBalancers: []elbv2Types.LoadBalancer{},
+				}, nil),
+			},
+			stacks:            []*Stack{},
+			expectedStackELBs: []*StackELB{},
+			expectError:       false,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			a := &Adapter{
+				elbv2: &fake.ELBv2Client{
+					Outputs: test.elbv2Outputs,
+				},
+			}
+
+			stackELBs, err := a.GetStackELBs(context.Background(), test.stacks)
+
+			if test.expectError {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				require.Len(t, stackELBs, len(test.expectedStackELBs))
+				for i, expected := range test.expectedStackELBs {
+					require.Equal(t, expected.Stack, stackELBs[i].Stack)
+					if expected.ELB == nil {
+						require.Nil(t, stackELBs[i].ELB)
+					} else {
+						require.Equal(t, expected.ELB.LoadBalancerArn, stackELBs[i].ELB.LoadBalancerArn)
+					}
+				}
+			}
+		})
+	}
+}

aws/cf.go

@@ -24,6 +24,7 @@ type Stack struct {
 	Name              string
 	status            types.StackStatus
 	statusReason      string
+	LoadBalancerARN   string
 	DNSName           string
 	Scheme            string
 	SecurityGroup     string
@@ -105,6 +106,10 @@ func newStackOutput(outputs []types.Output) stackOutput {
 	return result
 }
 
+func (o stackOutput) loadBalancerARN() string {
+	return o[outputLoadBalancerARN]
+}
+
 func (o stackOutput) dnsName() string {
 	return o[outputLoadBalancerDNSName]
 }
@@ -131,6 +136,7 @@ func convertStackParameters(parameters []types.Parameter) map[string]string {
 
 const (
 	// The following constants should be part of the Output section of the CloudFormation template
+	outputLoadBalancerARN     = "LoadBalancerARN"
 	outputLoadBalancerDNSName = "LoadBalancerDNSName"
 	outputTargetGroupARN      = "TargetGroupARN"
 	outputHTTPTargetGroupARN  = "HTTPTargetGroupARN"
@@ -207,6 +213,7 @@ type denyResp struct {
 
 type CloudFormationAPI interface {
 	cloudformation.DescribeStacksAPIClient
+	cloudformation.ListStackResourcesAPIClient
 	CreateStack(context.Context, *cloudformation.CreateStackInput, ...func(*cloudformation.Options)) (*cloudformation.CreateStackOutput, error)
 	UpdateTerminationProtection(context.Context, *cloudformation.UpdateTerminationProtectionInput, ...func(*cloudformation.Options)) (*cloudformation.UpdateTerminationProtectionOutput, error)
 	UpdateStack(context.Context, *cloudformation.UpdateStackInput, ...func(*cloudformation.Options)) (*cloudformation.UpdateStackOutput, error)
@@ -486,6 +493,7 @@ func mapToManagedStack(stack *types.Stack) *Stack {
 
 	return &Stack{
 		Name:              aws.ToString(stack.StackName),
+		LoadBalancerARN:   outputs.loadBalancerARN(),
 		DNSName:           outputs.dnsName(),
 		TargetGroupARNs:   outputs.targetGroupARNs(),
 		Scheme:            parameters[parameterLoadBalancerSchemeParameter],

aws/cf_template.go

@@ -24,6 +24,13 @@ const (
 	//
 	// [0]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listenerrule.html#cfn-elasticloadbalancingv2-listenerrule-priority
 	internalTrafficDenyRulePriority int64 = 1
+
+	// LoadBalancerResou  rceLogicalID is the logical ID of the LoadBalancer
+	// resource in the CloudFormation template.
+	//
+	// !!!Caution
+	//    Changing this value will recreate the LoadBalancer resource.
+	LoadBalancerResourceLogicalID = "LB"
 )
 
 func hashARNs(certARNs []string) []byte {
@@ -115,9 +122,13 @@ func generateTemplate(spec *stackSpec) (string, error) {
 	const httpsTargetGroupName = "TG"
 
 	template.Outputs = map[string]*cloudformation.Output{
+		outputLoadBalancerARN: {
+			Description: "The ARN of the LoadBalancer",
+			Value:       cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
+		},
 		outputLoadBalancerDNSName: {
 			Description: "DNS name for the LoadBalancer",
-			Value:       cloudformation.GetAtt("LB", "DNSName").String(),
+			Value:       cloudformation.GetAtt(LoadBalancerResourceLogicalID, "DNSName").String(),
 		},
 		outputTargetGroupARN: {
 			Description: "The ARN of the TargetGroup",
@@ -160,7 +171,7 @@ func generateTemplate(spec *stackSpec) (string, error) {
 							},
 						},
 					},
-					LoadBalancerArn: cloudformation.Ref("LB").String(),
+					LoadBalancerArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 					Port:            cloudformation.Integer(80),
 					Protocol:        cloudformation.String("HTTP"),
 				})
@@ -172,7 +183,7 @@ func generateTemplate(spec *stackSpec) (string, error) {
 							TargetGroupArn: cloudformation.Ref(httpTargetGroupName).String(),
 						},
 					},
-					LoadBalancerArn: cloudformation.Ref("LB").String(),
+					LoadBalancerArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 					Port:            cloudformation.Integer(80),
 					Protocol:        cloudformation.String("HTTP"),
 				})
@@ -196,7 +207,7 @@ func generateTemplate(spec *stackSpec) (string, error) {
 						TargetGroupArn: cloudformation.Ref(httpTargetGroupName).String(),
 					},
 				},
-				LoadBalancerArn: cloudformation.Ref("LB").String(),
+				LoadBalancerArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 				Port:            cloudformation.Integer(80),
 				Protocol:        cloudformation.String("TCP"),
 			})
@@ -227,7 +238,7 @@ func generateTemplate(spec *stackSpec) (string, error) {
 						CertificateArn: cloudformation.String(certificateARNs[0]),
 					},
 				},
-				LoadBalancerArn: cloudformation.Ref("LB").String(),
+				LoadBalancerArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 				Port:            cloudformation.Integer(443),
 				Protocol:        cloudformation.String("HTTPS"),
 				SslPolicy:       cloudformation.Ref(parameterListenerSslPolicyParameter).String(),
@@ -256,7 +267,7 @@ func generateTemplate(spec *stackSpec) (string, error) {
 						CertificateArn: cloudformation.String(certificateARNs[0]),
 					},
 				},
-				LoadBalancerArn: cloudformation.Ref("LB").String(),
+				LoadBalancerArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 				Port:            cloudformation.Integer(443),
 				Protocol:        cloudformation.String("TLS"),
 				SslPolicy:       cloudformation.Ref(parameterListenerSslPolicyParameter).String(),
@@ -379,17 +390,17 @@ func generateTemplate(spec *stackSpec) (string, error) {
 		lb.Type = cloudformation.Ref(parameterLoadBalancerTypeParameter).String()
 	}
 
-	template.AddResource("LB", lb)
+	template.AddResource(LoadBalancerResourceLogicalID, lb)
 
 	if spec.loadbalancerType == LoadBalancerTypeApplication && spec.wafWebAclId != "" {
 		if strings.HasPrefix(spec.wafWebAclId, "arn:aws:wafv2:") {
 			template.AddResource("WAFAssociation", &cloudformation.WAFv2WebACLAssociation{
-				ResourceArn: cloudformation.Ref("LB").String(),
+				ResourceArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 				WebACLArn:   cloudformation.Ref(parameterLoadBalancerWAFWebACLIDParameter).String(),
 			})
 		} else {
 			template.AddResource("WAFAssociation", &cloudformation.WAFRegionalWebACLAssociation{
-				ResourceArn: cloudformation.Ref("LB").String(),
+				ResourceArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 				WebACLID:    cloudformation.Ref(parameterLoadBalancerWAFWebACLIDParameter).String(),
 			})
 		}