add NSG Support for IngressClass

- Added NSG Support for IngressClassess via new annotation
- Fixed LB Shape update by replacing retryToken with etag

Author: piyush-tiwari

pkg/controllers/backend/backend_test.go

@@ -295,6 +295,10 @@ func (m MockLoadBalancerClient) UpdateLoadBalancerShape(ctx context.Context, req
 	return ociloadbalancer.UpdateLoadBalancerShapeResponse{}, nil
 }
 
+func (m MockLoadBalancerClient) UpdateNetworkSecurityGroups(ctx context.Context, request ociloadbalancer.UpdateNetworkSecurityGroupsRequest) (ociloadbalancer.UpdateNetworkSecurityGroupsResponse, error) {
+	return ociloadbalancer.UpdateNetworkSecurityGroupsResponse{}, nil
+}
+
 func (m MockLoadBalancerClient) GetLoadBalancer(ctx context.Context, request ociloadbalancer.GetLoadBalancerRequest) (ociloadbalancer.GetLoadBalancerResponse, error) {
 	res := util.SampleLoadBalancerResponse()
 	return res, nil

pkg/controllers/ingress/ingress_test.go

@@ -225,6 +225,10 @@ func (m MockLoadBalancerClient) UpdateLoadBalancerShape(ctx context.Context, req
 	return ociloadbalancer.UpdateLoadBalancerShapeResponse{}, nil
 }
 
+func (m MockLoadBalancerClient) UpdateNetworkSecurityGroups(ctx context.Context, request ociloadbalancer.UpdateNetworkSecurityGroupsRequest) (ociloadbalancer.UpdateNetworkSecurityGroupsResponse, error) {
+	return ociloadbalancer.UpdateNetworkSecurityGroupsResponse{}, nil
+}
+
 func (m MockLoadBalancerClient) CreateLoadBalancer(ctx context.Context, request ociloadbalancer.CreateLoadBalancerRequest) (ociloadbalancer.CreateLoadBalancerResponse, error) {
 	return ociloadbalancer.CreateLoadBalancerResponse{}, nil
 }

pkg/controllers/ingressclass/ingressclass.go

@@ -207,33 +207,35 @@ func (c *Controller) sync(key string) error {
 	return nil
 }
 
-func (c *Controller) getLoadBalancer(ctx context.Context, ic *networkingv1.IngressClass) (*ociloadbalancer.LoadBalancer, error) {
+func (c *Controller) getLoadBalancer(ctx context.Context, ic *networkingv1.IngressClass) (*ociloadbalancer.LoadBalancer, string, error) {
 	lbID := util.GetIngressClassLoadBalancerId(ic)
 	if lbID == "" {
-		klog.Errorf("LB id not set for ingressClass: %s", ic.Name)
-		return nil, nil // LoadBalancer ID not set, Trigger new LB creation
+		klog.Infof("LB id not set for ingressClass: %s", ic.Name)
+		return nil, "", nil // LoadBalancer ID not set, Trigger new LB creation
 	}
 	wrapperClient, ok := ctx.Value(util.WrapperClient).(*client.WrapperClient)
 	if !ok {
-		return nil, fmt.Errorf(util.OciClientNotFoundInContextError)
+		return nil, "", fmt.Errorf(util.OciClientNotFoundInContextError)
 	}
-	lb, _, err := wrapperClient.GetLbClient().GetLoadBalancer(context.TODO(), lbID)
+
+	lb, etag, err := wrapperClient.GetLbClient().GetLoadBalancer(context.TODO(), lbID)
 	if err != nil {
 		klog.Errorf("Error while fetching LB %s for ingressClass: %s, err: %s", lbID, ic.Name, err.Error())
 
 		// Check if Service error 404, then ignore it since LB is not found.
 		svcErr, ok := common.IsServiceError(err)
 		if ok && svcErr.GetHTTPStatusCode() == 404 {
-			return nil, nil // Redirect new LB creation
+			return nil, "", nil // Redirect new LB creation
 		}
-		return nil, err
+		return nil, "", err
 	}
-	return lb, nil
+
+	return lb, etag, nil
 }
 
 func (c *Controller) ensureLoadBalancer(ctx context.Context, ic *networkingv1.IngressClass) error {
 
-	lb, err := c.getLoadBalancer(ctx, ic)
+	lb, etag, err := c.getLoadBalancer(ctx, ic)
 	if err != nil {
 		return err
 	}
@@ -262,11 +264,12 @@ func (c *Controller) ensureLoadBalancer(ctx context.Context, ic *networkingv1.In
 		klog.V(2).InfoS("Creating load balancer for ingress class", "ingressClass", ic.Name)
 
 		createDetails := ociloadbalancer.CreateLoadBalancerDetails{
-			CompartmentId: compartmentId,
-			DisplayName:   common.String(util.GetIngressClassLoadBalancerName(ic, icp)),
-			ShapeName:     common.String("flexible"),
-			SubnetIds:     []string{util.GetIngressClassSubnetId(icp, c.defaultSubnetId)},
-			IsPrivate:     common.Bool(icp.Spec.IsPrivate),
+			CompartmentId:           compartmentId,
+			DisplayName:             common.String(util.GetIngressClassLoadBalancerName(ic, icp)),
+			ShapeName:               common.String("flexible"),
+			SubnetIds:               []string{util.GetIngressClassSubnetId(icp, c.defaultSubnetId)},
+			IsPrivate:               common.Bool(icp.Spec.IsPrivate),
+			NetworkSecurityGroupIds: util.GetIngressClassNetworkSecurityGroupIds(ic),
 			BackendSets: map[string]ociloadbalancer.BackendSetDetails{
 				util.DefaultBackendSetName: {
 					Policy: common.String("LEAST_CONNECTIONS"),
@@ -300,7 +303,15 @@ func (c *Controller) ensureLoadBalancer(ctx context.Context, ic *networkingv1.In
 			return err
 		}
 	} else {
-		c.checkForIngressClassParameterUpdates(ctx, lb, ic, icp)
+		err = c.checkForIngressClassParameterUpdates(ctx, lb, ic, icp, etag)
+		if err != nil {
+			return err
+		}
+
+		err = c.checkForNetworkSecurityGroupsUpdate(ctx, ic)
+		if err != nil {
+			return err
+		}
 	}
 
 	if *lb.Id != util.GetIngressClassLoadBalancerId(ic) {
@@ -342,7 +353,8 @@ func (c *Controller) setupWebApplicationFirewall(ctx context.Context, ic *networ
 	return nil
 }
 
-func (c *Controller) checkForIngressClassParameterUpdates(ctx context.Context, lb *ociloadbalancer.LoadBalancer, ic *networkingv1.IngressClass, icp *v1beta1.IngressClassParameters) error {
+func (c *Controller) checkForIngressClassParameterUpdates(ctx context.Context, lb *ociloadbalancer.LoadBalancer,
+	ic *networkingv1.IngressClass, icp *v1beta1.IngressClassParameters, etag string) error {
 	// check LoadBalancerName AND  MinBandwidthMbps ,MaxBandwidthMbps
 	displayName := util.GetIngressClassLoadBalancerName(ic, icp)
 	wrapperClient, ok := ctx.Value(util.WrapperClient).(*client.WrapperClient)
@@ -377,11 +389,11 @@ func (c *Controller) checkForIngressClassParameterUpdates(ctx context.Context, l
 
 		req := ociloadbalancer.UpdateLoadBalancerShapeRequest{
 			LoadBalancerId: lb.Id,
+			IfMatch:        common.String(etag),
 			UpdateLoadBalancerShapeDetails: ociloadbalancer.UpdateLoadBalancerShapeDetails{
 				ShapeName:    common.String("flexible"),
 				ShapeDetails: shapeDetails,
 			},
-			OpcRetryToken: common.String(fmt.Sprintf("update-lb-shape-%s", ic.UID)),
 		}
 		klog.Infof("Update lb shape request: %s", util.PrettyPrint(req))
 		_, err := wrapperClient.GetLbClient().UpdateLoadBalancerShape(context.Background(), req)
@@ -393,6 +405,41 @@ func (c *Controller) checkForIngressClassParameterUpdates(ctx context.Context, l
 	return nil
 }
 
+func (c *Controller) checkForNetworkSecurityGroupsUpdate(ctx context.Context, ic *networkingv1.IngressClass) error {
+	lb, etag, err := c.getLoadBalancer(ctx, ic)
+	if err != nil {
+		return err
+	}
+
+	wrapperClient, ok := ctx.Value(util.WrapperClient).(*client.WrapperClient)
+	if !ok {
+		return fmt.Errorf(util.OciClientNotFoundInContextError)
+	}
+
+	nsgIdsFromSpec := util.GetIngressClassNetworkSecurityGroupIds(ic)
+
+	/*
+		Only check if desired and actual slices have the same elements, ignoring order and duplicates
+		We don't check if lb.NetworkSecurityGroupIds is nil since util.StringSlicesHaveSameElements returns true if
+		one argument is nil and the other is empty.
+	*/
+	if util.StringSlicesHaveSameElements(nsgIdsFromSpec, lb.NetworkSecurityGroupIds) {
+		return nil
+	}
+
+	req := ociloadbalancer.UpdateNetworkSecurityGroupsRequest{
+		LoadBalancerId: lb.Id,
+		IfMatch:        common.String(etag),
+		UpdateNetworkSecurityGroupsDetails: ociloadbalancer.UpdateNetworkSecurityGroupsDetails{
+			NetworkSecurityGroupIds: nsgIdsFromSpec,
+		},
+	}
+	klog.Infof("Update lb nsg ids request: %s", util.PrettyPrint(req))
+
+	_, err = wrapperClient.GetLbClient().UpdateNetworkSecurityGroups(context.Background(), req)
+	return err
+}
+
 func (c *Controller) deleteIngressClass(ctx context.Context, ic *networkingv1.IngressClass) error {
 
 	err := c.deleteLoadBalancer(ctx, ic)

pkg/controllers/ingressclass/ingressclass_test.go

@@ -182,10 +182,27 @@ func TestCheckForIngressClassParameterUpdates(t *testing.T) {
 			MaxBandwidthMbps: 400,
 		},
 	}
-	err = c.checkForIngressClassParameterUpdates(getContextWithClient(c, ctx), loadBalancer, &ingressClassList.Items[0], &icp)
+	err = c.checkForIngressClassParameterUpdates(getContextWithClient(c, ctx), loadBalancer, &ingressClassList.Items[0], &icp, "etag")
 	Expect(err).Should(BeNil())
 }
 
+func TestCheckForNetworkSecurityGroupsUpdate(t *testing.T) {
+	RegisterTestingT(t)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	ingressClassList := util.GetIngressClassResourceWithAnnotation("ingress-class-with-nsg",
+		map[string]string{
+			util.IngressClassNetworkSecurityGroupIdsAnnotation: "id1,id2,  id3",
+			util.IngressClassLoadBalancerIdAnnotation:          "id",
+		}, "oci.oraclecloud.com/native-ingress-controller")
+	c := inits(ctx, ingressClassList)
+
+	err := c.checkForNetworkSecurityGroupsUpdate(getContextWithClient(c, ctx), &ingressClassList.Items[0])
+	Expect(err).To(BeNil())
+}
+
 func TestDeleteFinalizer(t *testing.T) {
 	RegisterTestingT(t)
 	ctx, cancel := context.WithCancel(context.Background())
@@ -332,6 +349,15 @@ func (m MockLoadBalancerClient) UpdateLoadBalancerShape(ctx context.Context, req
 	}, nil
 }
 
+func (m MockLoadBalancerClient) UpdateNetworkSecurityGroups(ctx context.Context,
+	request ociloadbalancer.UpdateNetworkSecurityGroupsRequest) (ociloadbalancer.UpdateNetworkSecurityGroupsResponse, error) {
+	return ociloadbalancer.UpdateNetworkSecurityGroupsResponse{
+		RawResponse:      nil,
+		OpcWorkRequestId: common.String("id"),
+		OpcRequestId:     common.String("id"),
+	}, nil
+}
+
 func (m MockLoadBalancerClient) CreateLoadBalancer(ctx context.Context, request ociloadbalancer.CreateLoadBalancerRequest) (ociloadbalancer.CreateLoadBalancerResponse, error) {
 	id := "id"
 	return ociloadbalancer.CreateLoadBalancerResponse{

pkg/controllers/nodeBackend/nodeBackend_test.go

@@ -248,6 +248,10 @@ func (m MockLoadBalancerClient) UpdateLoadBalancerShape(ctx context.Context, req
 	return ociloadbalancer.UpdateLoadBalancerShapeResponse{}, nil
 }
 
+func (m MockLoadBalancerClient) UpdateNetworkSecurityGroups(ctx context.Context, request ociloadbalancer.UpdateNetworkSecurityGroupsRequest) (ociloadbalancer.UpdateNetworkSecurityGroupsResponse, error) {
+	return ociloadbalancer.UpdateNetworkSecurityGroupsResponse{}, nil
+}
+
 func (m MockLoadBalancerClient) GetLoadBalancer(ctx context.Context, request ociloadbalancer.GetLoadBalancerRequest) (ociloadbalancer.GetLoadBalancerResponse, error) {
 	res := util.SampleLoadBalancerResponse()
 	return res, nil

pkg/controllers/routingpolicy/routingpolicy_test.go

@@ -220,6 +220,10 @@ func (m MockLoadBalancerClient) UpdateLoadBalancerShape(ctx context.Context, req
 	return ociloadbalancer.UpdateLoadBalancerShapeResponse{}, nil
 }
 
+func (m MockLoadBalancerClient) UpdateNetworkSecurityGroups(ctx context.Context, request ociloadbalancer.UpdateNetworkSecurityGroupsRequest) (ociloadbalancer.UpdateNetworkSecurityGroupsResponse, error) {
+	return ociloadbalancer.UpdateNetworkSecurityGroupsResponse{}, nil
+}
+
 func (m MockLoadBalancerClient) CreateLoadBalancer(ctx context.Context, request ociloadbalancer.CreateLoadBalancerRequest) (ociloadbalancer.CreateLoadBalancerResponse, error) {
 	return ociloadbalancer.CreateLoadBalancerResponse{}, nil
 }

pkg/loadbalancer/loadbalancer.go

@@ -86,6 +86,21 @@ func (lbc *LoadBalancerClient) GetBackendSetHealth(ctx context.Context, lbID str
 	return &resp.BackendSetHealth, nil
 }
 
+func (lbc *LoadBalancerClient) UpdateNetworkSecurityGroups(ctx context.Context, req loadbalancer.UpdateNetworkSecurityGroupsRequest) (loadbalancer.UpdateNetworkSecurityGroupsResponse, error) {
+	resp, err := lbc.LbClient.UpdateNetworkSecurityGroups(ctx, req)
+	if err != nil {
+		return resp, err
+	}
+
+	lbID, err := lbc.waitForWorkRequest(ctx, *resp.OpcWorkRequestId)
+	if err != nil {
+		return resp, err
+	}
+
+	_, _, err = lbc.getLoadBalancerBustCache(ctx, lbID)
+	return resp, err
+}
+
 func (lbc *LoadBalancerClient) UpdateLoadBalancerShape(ctx context.Context, req loadbalancer.UpdateLoadBalancerShapeRequest) (response loadbalancer.UpdateLoadBalancerShapeResponse, err error) {
 	resp, err := lbc.LbClient.UpdateLoadBalancerShape(ctx, req)
 	if err != nil {

pkg/loadbalancer/loadbalancer_test.go

@@ -205,6 +205,21 @@ func TestLoadBalancerClient_UpdateListener(t *testing.T) {
 	Expect(err).To(BeNil())
 }
 
+func TestLoadBalancerClient_UpdateNetworkSecurityGroups(t *testing.T) {
+	RegisterTestingT(t)
+	loadBalancerClient := setupLBClient()
+	req := ociloadbalancer.UpdateNetworkSecurityGroupsRequest{
+		LoadBalancerId: common.String("id"),
+		UpdateNetworkSecurityGroupsDetails: ociloadbalancer.UpdateNetworkSecurityGroupsDetails{
+			NetworkSecurityGroupIds: []string{"id1", "id2"},
+		},
+		OpcRetryToken: common.String("token"),
+	}
+
+	_, err := loadBalancerClient.UpdateNetworkSecurityGroups(context.TODO(), req)
+	Expect(err).To(BeNil())
+}
+
 func setupLBClient() *LoadBalancerClient {
 	lbClient := GetLoadBalancerClient()
 
@@ -231,6 +246,15 @@ func (m MockLoadBalancerClient) UpdateLoadBalancerShape(ctx context.Context, req
 	return ociloadbalancer.UpdateLoadBalancerShapeResponse{}, nil
 }
 
+func (m MockLoadBalancerClient) UpdateNetworkSecurityGroups(ctx context.Context,
+	request ociloadbalancer.UpdateNetworkSecurityGroupsRequest) (ociloadbalancer.UpdateNetworkSecurityGroupsResponse, error) {
+	return ociloadbalancer.UpdateNetworkSecurityGroupsResponse{
+		RawResponse:      nil,
+		OpcWorkRequestId: common.String("id"),
+		OpcRequestId:     common.String("id"),
+	}, nil
+}
+
 func (m MockLoadBalancerClient) GetLoadBalancer(ctx context.Context, request ociloadbalancer.GetLoadBalancerRequest) (ociloadbalancer.GetLoadBalancerResponse, error) {
 	res := util.SampleLoadBalancerResponse()
 	return res, nil

pkg/oci/client/loadbalancer.go

@@ -11,6 +11,7 @@ type LoadBalancerInterface interface {
 	CreateLoadBalancer(ctx context.Context, request loadbalancer.CreateLoadBalancerRequest) (loadbalancer.CreateLoadBalancerResponse, error)
 	UpdateLoadBalancer(ctx context.Context, request loadbalancer.UpdateLoadBalancerRequest) (response loadbalancer.UpdateLoadBalancerResponse, err error)
 	UpdateLoadBalancerShape(ctx context.Context, request loadbalancer.UpdateLoadBalancerShapeRequest) (response loadbalancer.UpdateLoadBalancerShapeResponse, err error)
+	UpdateNetworkSecurityGroups(ctx context.Context, request loadbalancer.UpdateNetworkSecurityGroupsRequest) (loadbalancer.UpdateNetworkSecurityGroupsResponse, error)
 	DeleteLoadBalancer(ctx context.Context, request loadbalancer.DeleteLoadBalancerRequest) (loadbalancer.DeleteLoadBalancerResponse, error)
 
 	GetWorkRequest(ctx context.Context, request loadbalancer.GetWorkRequestRequest) (loadbalancer.GetWorkRequestResponse, error)
@@ -58,6 +59,10 @@ func (client LBClient) UpdateLoadBalancer(ctx context.Context, request loadbalan
 	return client.lbClient.UpdateLoadBalancer(ctx, request)
 }
 
+func (client LBClient) UpdateNetworkSecurityGroups(ctx context.Context, request loadbalancer.UpdateNetworkSecurityGroupsRequest) (loadbalancer.UpdateNetworkSecurityGroupsResponse, error) {
+	return client.lbClient.UpdateNetworkSecurityGroups(ctx, request)
+}
+
 func (client LBClient) DeleteLoadBalancer(ctx context.Context,
 	request loadbalancer.DeleteLoadBalancerRequest) (loadbalancer.DeleteLoadBalancerResponse, error) {
 	return client.lbClient.DeleteLoadBalancer(ctx, request)

pkg/util/util.go

@@ -63,9 +63,10 @@ const (
 	// HTTP, HTTP2, TCP - accepted.
 	IngressProtocolAnnotation = "oci-native-ingress.oraclecloud.com/protocol"
 
-	IngressPolicyAnnotation          = "oci-native-ingress.oraclecloud.com/policy"
-	IngressClassWafPolicyAnnotation  = "oci-native-ingress.oraclecloud.com/waf-policy-ocid"
-	IngressClassFireWallIdAnnotation = "oci-native-ingress.oraclecloud.com/firewall-id"
+	IngressPolicyAnnotation                       = "oci-native-ingress.oraclecloud.com/policy"
+	IngressClassWafPolicyAnnotation               = "oci-native-ingress.oraclecloud.com/waf-policy-ocid"
+	IngressClassFireWallIdAnnotation              = "oci-native-ingress.oraclecloud.com/firewall-id"
+	IngressClassNetworkSecurityGroupIdsAnnotation = "oci-native-ingress.oraclecloud.com/network-security-group-ids"
 
 	IngressHealthCheckProtocolAnnotation             = "oci-native-ingress.oraclecloud.com/healthcheck-protocol"
 	IngressHealthCheckPortAnnotation                 = "oci-native-ingress.oraclecloud.com/healthcheck-port"
@@ -153,6 +154,23 @@ func GetIngressClassFireWallId(ic *networkingv1.IngressClass) string {
 	return value
 }
 
+func GetIngressClassNetworkSecurityGroupIds(ic *networkingv1.IngressClass) []string {
+	networkSecurityGroupIds := make([]string, 0)
+	value, ok := ic.Annotations[IngressClassNetworkSecurityGroupIdsAnnotation]
+	if !ok {
+		return networkSecurityGroupIds
+	}
+
+	for _, id := range strings.Split(value, ",") {
+		trimmedId := strings.TrimSpace(id)
+		if trimmedId != "" {
+			networkSecurityGroupIds = append(networkSecurityGroupIds, trimmedId)
+		}
+	}
+
+	return networkSecurityGroupIds
+}
+
 func GetIngressProtocol(i *networkingv1.Ingress) string {
 	protocol, ok := i.Annotations[IngressProtocolAnnotation]
 	if !ok {
@@ -719,3 +737,9 @@ func IsBackendServiceEqual(b1 *networkingv1.IngressBackend, b2 *networkingv1.Ing
 func IsIngressProtocolTCP(ingress *networkingv1.Ingress) bool {
 	return GetIngressProtocol(ingress) == ProtocolTCP
 }
+
+// StringSlicesHaveSameElements checks if s1 and s2 have the same elements, ignoring order and duplicates.
+// Returns true if one slice is nil and the other is empty.
+func StringSlicesHaveSameElements(s1 []string, s2 []string) bool {
+	return sets.New(s1...).Equal(sets.New(s2...))
+}