Update protocol ports

Author: justinsb

providers/gce/gce_loadbalancer_external.go

@@ -377,7 +377,7 @@ func (g *Cloud) getExistingForwardingRules(loadBalancerName string) (map[string]
 // buildDesiredForwardingRules builds the desired forwarding rules for the given load balancer.
 func (g *Cloud) buildDesiredForwardingRules(loadBalancerName, serviceName, ipAddress, targetPoolURL string, apiService *v1.Service, netTier cloud.NetworkTier, existingFRs map[string]*compute.ForwardingRule) (map[string]*compute.ForwardingRule, error) {
 	desiredFRs := make(map[string]*compute.ForwardingRule)
-	groupedPorts := groupPortsByProtocol(apiService.Spec.Ports)
+	groupedPorts := getPortsAndProtocols(apiService.Spec.Ports)
 	desc := makeServiceDescription(serviceName)
 
 	// Find the legacy forwarding rule to minimize changes.
@@ -398,7 +398,7 @@ func (g *Cloud) buildDesiredForwardingRules(loadBalancerName, serviceName, ipAdd
 			frName = loadBalancerName
 		}
 
-		portRange, err := loadBalancerPortRange(protocolPorts)
+		portRange, err := loadBalancerPortRange(protocolPorts.ports)
 		if err != nil {
 			return nil, err
 		}
@@ -413,9 +413,9 @@ func (g *Cloud) buildDesiredForwardingRules(loadBalancerName, serviceName, ipAdd
 			NetworkTier: netTier.ToGCEValue(),
 		}
 
-		if len(protocolPorts) <= maxForwardedPorts && g.enableDiscretePortForwarding {
-			for _, p := range protocolPorts {
-				rule.Ports = append(rule.Ports, strconv.Itoa(int(p.Port)))
+		if len(protocolPorts.ports) <= maxForwardedPorts && g.enableDiscretePortForwarding {
+			for _, p := range protocolPorts.ports {
+				rule.Ports = append(rule.Ports, strconv.Itoa(p))
 			}
 			rule.PortRange = ""
 		}
@@ -1003,46 +1003,22 @@ func hostURLToComparablePath(hostURL string) string {
 	return hostURL[idx:]
 }
 
-// func getPorts(svcPorts []v1.ServicePort) []string {
-// 	ports := []string{}
-// 	for _, p := range svcPorts {
-// 		ports = append(ports, strconv.Itoa(int(p.Port)))
-// 	}
-
-// 	return ports
-// }
-
-func minMaxPort[T v1.ServicePort | string](svcPorts []T) (int32, int32) {
-	minPort := int32(65536)
-	maxPort := int32(0)
-	for _, svcPort := range svcPorts {
-		port := func(value any) int32 {
-			switch value.(type) {
-			case v1.ServicePort:
-				return value.(v1.ServicePort).Port
-			case string:
-				i, _ := strconv.ParseInt(value.(string), 10, 32)
-				return int32(i)
-			default:
-				return 0
-			}
-		}(svcPort)
+func loadBalancerPortRange(ports []int) (string, error) {
+	if len(ports) == 0 {
+		return "", fmt.Errorf("no ports specified for GCE load balancer")
+	}
+
+	minPort := 65536
+	maxPort := 0
+
+	for _, port := range ports {
 		if port < minPort {
 			minPort = port
 		}
 		if port > maxPort {
 			maxPort = port
 		}
 	}
-	return minPort, maxPort
-}
-
-func loadBalancerPortRange[T v1.ServicePort | string](svcPorts []T) (string, error) {
-	if len(svcPorts) == 0 {
-		return "", fmt.Errorf("no ports specified for GCE load balancer")
-	}
-
-	minPort, maxPort := minMaxPort(svcPorts)
 	return fmt.Sprintf("%d-%d", minPort, maxPort), nil
 }
 
@@ -1058,19 +1034,19 @@ func equalPorts(existingPorts, newPorts []string, existingPortRange, newPortRang
 	// Existing forwarding rule contains a port range. To keep it that way,
 	// compare new list of ports as if it was a port range, too.
 	if len(newPorts) != 0 {
-		newPortRange, _ = loadBalancerPortRange(newPorts)
+		var portInts []int
+		for _, port := range newPorts {
+			portInt, err := strconv.Atoi(port)
+			if err != nil {
+				klog.Errorf("invalid port %s: %v", port, err)
+			}
+			portInts = append(portInts, portInt)
+		}
+		newPortRange, _ = loadBalancerPortRange(portInts)
 	}
 	return existingPortRange == newPortRange
 }
 
-func groupPortsByProtocol(ports []v1.ServicePort) map[v1.Protocol][]v1.ServicePort {
-	grouped := make(map[v1.Protocol][]v1.ServicePort)
-	for _, port := range ports {
-		grouped[port.Protocol] = append(grouped[port.Protocol], port)
-	}
-	return grouped
-}
-
 // translate from what K8s supports to what the cloud provider supports for session affinity.
 func translateAffinityType(affinityType v1.ServiceAffinity) string {
 	switch affinityType {
@@ -1096,11 +1072,10 @@ func (g *Cloud) firewallNeedsUpdate(name, serviceName, ipAddress string, ports [
 		return true, true, nil
 	}
 
-	groupedPorts := groupPortsByProtocol(ports)
+	groupedPorts := getPortsAndProtocols(ports)
 	expectedAllowed := make(map[string][]string)
 	for protocol, protocolPorts := range groupedPorts {
-		_, portRanges, _ := getPortsAndProtocol(protocolPorts)
-		expectedAllowed[strings.ToLower(string(protocol))] = portRanges
+		expectedAllowed[strings.ToLower(string(protocol))] = protocolPorts.portRanges
 	}
 
 	actualAllowed := make(map[string][]string)
@@ -1214,13 +1189,12 @@ func (g *Cloud) firewallObject(name, desc, destinationIP string, sourceRanges ut
 	// GCE considers empty destinationRanges as "all" for ingress firewall-rules.
 	// Concatenate service ports into port ranges. This help to workaround the gce firewall limitation where only
 	// 100 ports or port ranges can be used in a firewall rule.
-	groupedPorts := groupPortsByProtocol(ports)
+	groupedPorts := getPortsAndProtocols(ports)
 	var allowed []*compute.FirewallAllowed
 	for protocol, protocolPorts := range groupedPorts {
-		_, portRanges, _ := getPortsAndProtocol(protocolPorts)
 		allowed = append(allowed, &compute.FirewallAllowed{
 			IPProtocol: strings.ToLower(string(protocol)),
-			Ports:      portRanges,
+			Ports:      protocolPorts.portRanges,
 		})
 	}
 

providers/gce/gce_loadbalancer_internal.go

@@ -94,10 +94,13 @@ func (g *Cloud) ensureInternalLoadBalancer(clusterName, clusterID string, svc *v
 		return nil, err
 	}
 
-	ports, _, protocol := getPortsAndProtocol(svc.Spec.Ports)
-	if protocol != v1.ProtocolTCP && protocol != v1.ProtocolUDP {
-		return nil, fmt.Errorf("Invalid protocol %s, only TCP and UDP are supported", string(protocol))
+	groupedPorts := getPortsAndProtocols(svc.Spec.Ports)
+	for protocol := range groupedPorts {
+		if protocol != v1.ProtocolTCP && protocol != v1.ProtocolUDP {
+			return nil, fmt.Errorf("Invalid protocol %s, only TCP and UDP are supported", string(protocol))
+		}
 	}
+
 	scheme := cloud.SchemeInternal
 	options := getILBOptions(svc)
 	if g.IsLegacyNetwork() {
@@ -106,7 +109,7 @@ func (g *Cloud) ensureInternalLoadBalancer(clusterName, clusterID string, svc *v
 	}
 
 	sharedBackend := shareBackendService(svc)
-	backendServiceName := makeBackendServiceName(loadBalancerName, clusterID, sharedBackend, scheme, protocol, svc.Spec.SessionAffinity)
+	backendServiceName := makeBackendServiceName(loadBalancerName, clusterID, sharedBackend, scheme, groupedPorts, svc.Spec.SessionAffinity)
 	backendServiceLink := g.getBackendServiceLink(backendServiceName)
 
 	// Ensure instance groups exist and nodes are assigned to groups
@@ -359,10 +362,10 @@ func (g *Cloud) updateInternalLoadBalancer(clusterName, clusterID string, svc *v
 	}
 
 	// Generate the backend service name
-	_, _, protocol := getPortsAndProtocol(svc.Spec.Ports)
+	groupedPorts := getPortsAndProtocols(svc.Spec.Ports)
 	scheme := cloud.SchemeInternal
 	loadBalancerName := g.GetLoadBalancerName(context.TODO(), clusterName, svc)
-	backendServiceName := makeBackendServiceName(loadBalancerName, clusterID, shareBackendService(svc), scheme, protocol, svc.Spec.SessionAffinity)
+	backendServiceName := makeBackendServiceName(loadBalancerName, clusterID, shareBackendService(svc), scheme, groupedPorts, svc.Spec.SessionAffinity)
 	// Ensure the backend service has the proper backend/instance-group links
 	return g.ensureInternalBackendServiceGroups(backendServiceName, igLinks)
 }
@@ -383,7 +386,7 @@ func (g *Cloud) ensureInternalLoadBalancerDeleted(clusterName, clusterID string,
 
 	loadBalancerName := g.GetLoadBalancerName(context.TODO(), clusterName, svc)
 	svcNamespacedName := types.NamespacedName{Name: svc.Name, Namespace: svc.Namespace}
-	_, _, protocol := getPortsAndProtocol(svc.Spec.Ports)
+	groupedPorts := getPortsAndProtocols(svc.Spec.Ports)
 	scheme := cloud.SchemeInternal
 	sharedBackend := shareBackendService(svc)
 	sharedHealthCheck := !servicehelpers.RequestsOnlyLocalTraffic(svc)
@@ -399,7 +402,7 @@ func (g *Cloud) ensureInternalLoadBalancerDeleted(clusterName, clusterID string,
 		return err
 	}
 
-	backendServiceName := makeBackendServiceName(loadBalancerName, clusterID, sharedBackend, scheme, protocol, svc.Spec.SessionAffinity)
+	backendServiceName := makeBackendServiceName(loadBalancerName, clusterID, sharedBackend, scheme, groupedPorts, svc.Spec.SessionAffinity)
 	klog.V(2).Infof("ensureInternalLoadBalancerDeleted(%v): deleting region backend service %v", loadBalancerName, backendServiceName)
 	if err := g.teardownInternalBackendService(backendServiceName); err != nil {
 		return err
@@ -495,7 +498,7 @@ func (g *Cloud) teardownInternalHealthCheckAndFirewall(svc *v1.Service, hcName s
 	return nil
 }
 
-func (g *Cloud) ensureInternalFirewall(svc *v1.Service, fwName, fwDesc, destinationIP string, sourceRanges []string, portRanges []string, protocol v1.Protocol, nodes []*v1.Node, legacyFwName string) error {
+func (g *Cloud) ensureInternalFirewall(svc *v1.Service, fwName, fwDesc, destinationIP string, sourceRanges []string, groupedPorts map[v1.Protocol]ProtocolPorts, nodes []*v1.Node, legacyFwName string) error {
 	klog.V(2).Infof("ensureInternalFirewall(%v): checking existing firewall", fwName)
 	targetTags, err := g.GetNodeTags(nodeNames(nodes))
 	if err != nil {
@@ -536,12 +539,13 @@ func (g *Cloud) ensureInternalFirewall(svc *v1.Service, fwName, fwDesc, destinat
 		Network:      g.networkURL,
 		SourceRanges: sourceRanges,
 		TargetTags:   targetTags,
-		Allowed: []*compute.FirewallAllowed{
-			{
-				IPProtocol: strings.ToLower(string(protocol)),
-				Ports:      portRanges,
-			},
-		},
+	}
+
+	for protocol, protocolPorts := range groupedPorts {
+		expectedFirewall.Allowed = append(expectedFirewall.Allowed, &compute.FirewallAllowed{
+			IPProtocol: strings.ToLower(string(protocol)),
+			Ports:      protocolPorts.portRanges,
+		})
 	}
 
 	if destinationIP != "" {
@@ -576,12 +580,12 @@ func (g *Cloud) ensureInternalFirewall(svc *v1.Service, fwName, fwDesc, destinat
 func (g *Cloud) ensureInternalFirewalls(loadBalancerName, ipAddress, clusterID string, nm types.NamespacedName, svc *v1.Service, healthCheckPort string, sharedHealthCheck bool, nodes []*v1.Node) error {
 	// First firewall is for ingress traffic
 	fwDesc := makeFirewallDescription(nm.String(), ipAddress)
-	_, portRanges, protocol := getPortsAndProtocol(svc.Spec.Ports)
+	groupedPorts := getPortsAndProtocols(svc.Spec.Ports)
 	sourceRanges, err := servicehelpers.GetLoadBalancerSourceRanges(svc)
 	if err != nil {
 		return err
 	}
-	err = g.ensureInternalFirewall(svc, MakeFirewallName(loadBalancerName), fwDesc, ipAddress, sourceRanges.StringSlice(), portRanges, protocol, nodes, loadBalancerName)
+	err = g.ensureInternalFirewall(svc, MakeFirewallName(loadBalancerName), fwDesc, ipAddress, sourceRanges.StringSlice(), groupedPorts, nodes, loadBalancerName)
 	if err != nil {
 		return err
 	}
@@ -957,20 +961,28 @@ func backendSvcEqual(a, b *compute.BackendService) bool {
 		backendsListEqual(a.Backends, b.Backends)
 }
 
-func getPortsAndProtocol(svcPorts []v1.ServicePort) (ports []string, portRanges []string, protocol v1.Protocol) {
+type ProtocolPorts struct {
+	ports      []int
+	portRanges []string
+}
+
+func getPortsAndProtocols(svcPorts []v1.ServicePort) map[v1.Protocol]ProtocolPorts {
 	if len(svcPorts) == 0 {
-		return []string{}, []string{}, v1.ProtocolUDP
+		return nil
 	}
 
-	// GCP doesn't support multiple protocols for a single load balancer
-	protocol = svcPorts[0].Protocol
-	portInts := []int{}
+	m := make(map[v1.Protocol]ProtocolPorts)
 	for _, p := range svcPorts {
-		ports = append(ports, strconv.Itoa(int(p.Port)))
-		portInts = append(portInts, int(p.Port))
+		ports := m[p.Protocol]
+		ports.ports = append(ports.ports, int(p.Port))
+	}
+
+	for protocol, ports := range m {
+		ports.portRanges = getPortRanges(ports.ports)
+		m[protocol] = ports
 	}
 
-	return ports, getPortRanges(portInts), protocol
+	return m
 }
 
 func getPortRanges(ports []int) (ranges []string) {

providers/gce/gce_loadbalancer_naming.go

@@ -23,10 +23,11 @@ import (
 	"crypto/sha1"
 	"encoding/hex"
 	"fmt"
+	"sort"
 	"strings"
 
 	"github.com/GoogleCloudPlatform/k8s-cloud-provider/pkg/cloud"
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 )
 
@@ -42,7 +43,7 @@ func makeInstanceGroupName(clusterID string) string {
 	return fmt.Sprintf("%s--%s", prefix, clusterID)
 }
 
-func makeBackendServiceName(loadBalancerName, clusterID string, shared bool, scheme cloud.LbScheme, protocol v1.Protocol, svcAffinity v1.ServiceAffinity) string {
+func makeBackendServiceName(loadBalancerName, clusterID string, shared bool, scheme cloud.LbScheme, protocols map[v1.Protocol]ProtocolPorts, svcAffinity v1.ServiceAffinity) string {
 	if shared {
 		hash := sha1.New()
 
@@ -52,6 +53,19 @@ func makeBackendServiceName(loadBalancerName, clusterID string, shared bool, sch
 		hashed := hex.EncodeToString(hash.Sum(nil))
 		hashed = hashed[:16]
 
+		// We pick TCP as the default, otherwise we pick the first protocol alphabetically.
+		chosenProtocol := ""
+		if _, found := protocols[v1.ProtocolTCP]; found {
+			chosenProtocol = "tcp"
+		} else {
+			var keys []string
+			for protocol := range protocols {
+				keys = append(keys, strings.ToLower(string(protocol)))
+			}
+			sort.Strings(keys)
+			chosenProtocol = keys[0]
+		}
+
 		// k8s-          4
 		// {clusterid}-  17
 		// {scheme}-     9   (internal/external)
@@ -60,7 +74,7 @@ func makeBackendServiceName(loadBalancerName, clusterID string, shared bool, sch
 		// {suffix}      16  (hash of settings)
 		// -----------------
 		//               55  characters used
-		return fmt.Sprintf("k8s-%s-%s-%s-nmv1-%s", clusterID, strings.ToLower(string(scheme)), strings.ToLower(string(protocol)), hashed)
+		return fmt.Sprintf("k8s-%s-%s-%s-nmv1-%s", clusterID, strings.ToLower(string(scheme)), chosenProtocol, hashed)
 	}
 	return loadBalancerName
 }

providers/gce/gce_loadbalancer_utils_test.go

@@ -248,7 +248,8 @@ func assertInternalLbResources(t *testing.T, gce *Cloud, apiService *v1.Service,
 
 	// Check that BackendService exists
 	sharedBackend := shareBackendService(apiService)
-	backendServiceName := makeBackendServiceName(lbName, vals.ClusterID, sharedBackend, cloud.SchemeInternal, "TCP", apiService.Spec.SessionAffinity)
+	groupedPorts := getPortsAndProtocols(apiService.Spec.Ports)
+	backendServiceName := makeBackendServiceName(lbName, vals.ClusterID, sharedBackend, cloud.SchemeInternal, groupedPorts, apiService.Spec.SessionAffinity)
 	backendServiceLink := gce.getBackendServiceLink(backendServiceName)
 
 	bs, err := gce.GetRegionBackendService(backendServiceName, gce.region)