Provide an option to skip private IP in LB Status for public NLBs

Author: pranavsriram8

pkg/cloudprovider/providers/oci/load_balancer.go

@@ -212,8 +212,11 @@ func (cp *CloudProvider) GetLoadBalancer(ctx context.Context, clusterName string
 
 		return nil, false, err
 	}
-
-	lbStatus, err := loadBalancerToStatus(lb)
+	skipPrivateIP, err := isSkipPrivateIP(service)
+	if err != nil {
+		return nil, false, err
+	}
+	lbStatus, err := loadBalancerToStatus(lb, nil, skipPrivateIP)
 	return lbStatus, err == nil, err
 }
 
@@ -464,7 +467,12 @@ func (clb *CloudLoadBalancerProvider) createLoadBalancer(ctx context.Context, sp
 	}
 
 	logger.With("loadBalancerID", *lb.Id).Info("Load balancer created")
-	status, err := loadBalancerToStatus(lb)
+
+	skipPrivateIP, err := isSkipPrivateIP(spec.service)
+	if err != nil {
+		return nil, "", err
+	}
+	status, err := loadBalancerToStatus(lb, spec.ingressIpMode, skipPrivateIP)
 
 	if status != nil && len(status.Ingress) > 0 {
 		// If the LB is successfully provisioned then open lb/node subnet seclists egress/ingress.
@@ -835,6 +843,7 @@ func (cp *CloudProvider) EnsureLoadBalancer(ctx context.Context, clusterName str
 			dimensionsMap[metrics.ResourceOCIDDimension] = newLBOCID
 			metrics.SendMetricData(cp.metricPusher, getMetric(loadBalancerType, Create), time.Since(startTime).Seconds(), dimensionsMap)
 		}
+
 		return lbStatus, err
 	}
 
@@ -901,7 +910,12 @@ func (cp *CloudProvider) EnsureLoadBalancer(ctx context.Context, clusterName str
 	dimensionsMap[metrics.ComponentDimension] = lbMetricDimension
 	dimensionsMap[metrics.BackendSetsCountDimension] = strconv.Itoa(len(lb.BackendSets))
 	metrics.SendMetricData(cp.metricPusher, getMetric(loadBalancerType, Update), syncTime, dimensionsMap)
-	return loadBalancerToStatus(lb)
+
+	skipPrivateIP, err := isSkipPrivateIP(service)
+	if err != nil {
+		return nil, err
+	}
+	return loadBalancerToStatus(lb, spec.ingressIpMode, skipPrivateIP)
 }
 
 func getDefaultLBSubnets(subnet1, subnet2 string) []string {
@@ -1952,7 +1966,7 @@ func (clb *CloudLoadBalancerProvider) updateLoadBalancerIpVersion(ctx context.Co
 }
 
 // Given an OCI load balancer, return a LoadBalancerStatus
-func loadBalancerToStatus(lb *client.GenericLoadBalancer) (*v1.LoadBalancerStatus, error) {
+func loadBalancerToStatus(lb *client.GenericLoadBalancer, ipMode *v1.LoadBalancerIPMode, skipPrivateIp bool) (*v1.LoadBalancerStatus, error) {
 	if len(lb.IpAddresses) == 0 {
 		return nil, errors.Errorf("no ip addresses found for load balancer %q", *lb.DisplayName)
 	}
@@ -1962,8 +1976,15 @@ func loadBalancerToStatus(lb *client.GenericLoadBalancer) (*v1.LoadBalancerStatu
 		if ip.IpAddress == nil {
 			continue // should never happen but appears to when EnsureLoadBalancer is called with 0 nodes.
 		}
-		ingress = append(ingress, v1.LoadBalancerIngress{IP: *ip.IpAddress})
+
+		if skipPrivateIp {
+			if !pointer.BoolDeref(ip.IsPublic, false) {
+				continue
+			}
+		}
+		ingress = append(ingress, v1.LoadBalancerIngress{IP: *ip.IpAddress, IPMode: ipMode})
 	}
+
 	return &v1.LoadBalancerStatus{Ingress: ingress}, nil
 }
 

pkg/cloudprovider/providers/oci/load_balancer_spec.go

@@ -175,6 +175,11 @@ const (
 
 	// ServiceAnnotationLoadbalancerBackendSetSSLConfig is a service annotation allows you to set the cipher suite on the backendSet
 	ServiceAnnotationLoadbalancerBackendSetSSLConfig = "oci.oraclecloud.com/oci-load-balancer-backendset-ssl-config"
+
+	// ServiceAnnotationIngressIpMode is a service annotation allows you to set the ".status.loadBalancer.ingress.ipMode" for a Service
+	// with type set to LoadBalancer.
+	// https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-ip-mode:~:text=Specifying%20IPMode%20of%20load%20balancer%20status
+	ServiceAnnotationIngressIpMode = "oci.oraclecloud.com/ingress-ip-mode"
 )
 
 // NLB specific annotations
@@ -239,6 +244,9 @@ const (
 
 	// ServiceAnnotationNetworkLoadBalancerIsPpv2Enabled is a service annotation to enable/disable PPv2 feature for the listeners of this NLB.
 	ServiceAnnotationNetworkLoadBalancerIsPpv2Enabled = "oci-network-load-balancer.oraclecloud.com/is-ppv2-enabled"
+
+	// ServiceAnnotationNetworkLoadBalancerExternalIpOnly is a service a boolean annotation to skip private ip when assigning to ingress resource for NLB service
+	ServiceAnnotationNetworkLoadBalancerExternalIpOnly = "oci-network-load-balancer.oraclecloud.com/external-ip-only"
 )
 
 const (
@@ -344,6 +352,7 @@ type LBSpec struct {
 	FreeformTags                map[string]string
 	DefinedTags                 map[string]map[string]interface{}
 	SystemTags                  map[string]map[string]interface{}
+	ingressIpMode               *v1.LoadBalancerIPMode
 
 	service *v1.Service
 	nodes   []*v1.Node
@@ -433,6 +442,11 @@ func NewLBSpec(logger *zap.SugaredLogger, svc *v1.Service, provisionedNodes []*v
 		managedNsg.backendNsgId = backendNsgOcids
 	}
 
+	ingressIpMode, err := getIngressIpMode(svc)
+	if err != nil {
+		return nil, err
+	}
+
 	return &LBSpec{
 		Type:                        lbType,
 		Name:                        GetLoadBalancerName(svc),
@@ -457,6 +471,7 @@ func NewLBSpec(logger *zap.SugaredLogger, svc *v1.Service, provisionedNodes []*v
 		FreeformTags:                lbTags.FreeformTags,
 		DefinedTags:                 lbTags.DefinedTags,
 		SystemTags:                  getResourceTrackingSystemTagsFromConfig(logger, initialLBTags),
+		ingressIpMode:               ingressIpMode,
 	}, nil
 }
 
@@ -1570,3 +1585,53 @@ func isServiceDualStack(svc *v1.Service) bool {
 	}
 	return false
 }
+
+// getIngressIpMode reads ingress ipMode specified in the service annotation if exists
+func getIngressIpMode(service *v1.Service) (*v1.LoadBalancerIPMode, error) {
+	var ipMode, exists = "", false
+
+	if ipMode, exists = service.Annotations[ServiceAnnotationIngressIpMode]; !exists {
+		return nil, nil
+	}
+
+	switch strings.ToLower(ipMode) {
+	case "proxy":
+		ipModeProxy := v1.LoadBalancerIPModeProxy
+		return &ipModeProxy, nil
+	case "vip":
+		ipModeProxy := v1.LoadBalancerIPModeVIP
+		return &ipModeProxy, nil
+	default:
+		return nil, errors.New("IpMode can only be set as Proxy or VIP")
+	}
+}
+
+// isSkipPrivateIP determines if skipPrivateIP annotation is set or not
+func isSkipPrivateIP(svc *v1.Service) (bool, error) {
+	lbType := getLoadBalancerType(svc)
+	annotationValue := ""
+	annotationExists := false
+	annotationString := ""
+	annotationValue, annotationExists = svc.Annotations[ServiceAnnotationNetworkLoadBalancerExternalIpOnly]
+	if !annotationExists {
+		return false, nil
+	}
+
+	if lbType != NLB {
+		return false, nil
+	}
+
+	internal, err := isInternalLB(svc)
+	if err != nil {
+		return false, err
+	}
+	if internal {
+		return false, nil
+	}
+
+	skipPrivateIp, err := strconv.ParseBool(annotationValue)
+	if err != nil {
+		return false, errors.Wrap(err, fmt.Sprintf("invalid value: %s provided for annotation: %s", annotationValue, annotationString))
+	}
+	return skipPrivateIp, nil
+}

pkg/cloudprovider/providers/oci/load_balancer_spec_test.go

@@ -18,7 +18,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"k8s.io/utils/pointer"
 	"net/http"
 	"reflect"
 	"testing"
@@ -28,6 +27,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/utils/pointer"
 
 	providercfg "github.com/oracle/oci-cloud-controller-manager/pkg/cloudprovider/providers/oci/config"
 	"github.com/oracle/oci-cloud-controller-manager/pkg/oci/client"
@@ -11782,3 +11782,74 @@ func Test_getLoadBalancerSourceRanges(t *testing.T) {
 		})
 	}
 }
+
+func TestIsSkipPrivateIP_NLB(t *testing.T) {
+	tests := []struct {
+		name           string
+		svcAnnotations map[string]string
+		expected       bool
+		wantErr        bool
+	}{
+		{
+			name: "skip-private-ip-enabled",
+			svcAnnotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:                  NLB,
+				ServiceAnnotationNetworkLoadBalancerExternalIpOnly: "true",
+			},
+			expected: true,
+			wantErr:  false,
+		},
+		{
+			name: "skip-private-ip-disabled",
+			svcAnnotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:                  NLB,
+				ServiceAnnotationNetworkLoadBalancerExternalIpOnly: "false",
+			},
+			expected: false,
+			wantErr:  false,
+		},
+		{
+			name: "skip-private-ip-invalid-value",
+			svcAnnotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:                  NLB,
+				ServiceAnnotationNetworkLoadBalancerExternalIpOnly: "invalid",
+			},
+			expected: false,
+			wantErr:  true,
+		},
+		{
+			name: "skip-private-ip with internal loadbalancer",
+			svcAnnotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:                  NLB,
+				ServiceAnnotationNetworkLoadBalancerInternal:       "true",
+				ServiceAnnotationNetworkLoadBalancerExternalIpOnly: "true",
+			},
+			expected: false,
+			wantErr:  false,
+		},
+		{
+			name:           "no-skip-private-ip-annotation",
+			svcAnnotations: map[string]string{},
+			expected:       false,
+			wantErr:        false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			svc := &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: tt.svcAnnotations,
+				},
+			}
+			got, err := isSkipPrivateIP(svc)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("isSkipPrivateIP() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.expected {
+				t.Errorf("isSkipPrivateIP() = %v, expected %v", got, tt.expected)
+			}
+		})
+	}
+}