Merge pull request oracle#309 in OKE/oci-cloud-controller-manager from TASK/OKE-21137-release-1.23 to release-1.23

l-technicore · l-technicore · commit 023da4640f7d · 2022-05-26T09:36:46.000Z
* commit 'c89c504da603b1a26076b896a0729e449134047a':
  Addition of node-label-selector property to load-balancer-annotations document
  Add support for filtering the nodes based on label selectors for an LB service by annotation
diff --git a/docs/load-balancer-annotations.md b/docs/load-balancer-annotations.md
@@ -34,10 +34,11 @@ spec:
 | `oci-load-balancer-health-check-timeout`    | The maximum time, in milliseconds, to wait for a reply to a [health check][6]. A [health check][6] is successful only if a reply returns within this timeout period.                                                                               | `3000`                                           |
 | `oci-load-balancer-health-check-interval`   | The interval between [health checks][6] requests, in milliseconds.                                                                                                                                                                                 | `10000`                                          |
 | `oci-load-balancer-connection-idle-timeout` | The maximum idle time, in seconds, allowed between two successive receive or two successive send operations between the client and backend servers.                                                                                                | `300` for TCP listeners, `60` for HTTP listeners |
-| `oci-load-balancer-security-list-management-mode` | Specifies the [security list mode](##security-list-management-modes) (`"All"`, `"Frontend"`,`"None"`) to configure how security lists are managed by the CCM.                            | `"All"`            
-| `oci-load-balancer-backend-protocol` | Specifies protocol on which the listener accepts connection requests. To get a list of valid protocols, use the [`ListProtocols`][5] operation.                          | `"TCP"`            
-| `loadbalancer-policy` | Specifies loadbalancer traffic policy for the loadbalancer. To get a list of valid policies, use the [`ListPolicies`][7] operation.                       | `"ROUND_ROBIN"`            
-| `oci-network-security-groups` | Specifies Network Security Groups' OCIDs to be associated with the loadbalancer. Please refer [here][8] for NSG details.                      | `N/A`            
+| `oci-load-balancer-security-list-management-mode` | Specifies the [security list mode](##security-list-management-modes) (`"All"`, `"Frontend"`,`"None"`) to configure how security lists are managed by the CCM.                            | `"All"`            |
+| `oci-load-balancer-backend-protocol` | Specifies protocol on which the listener accepts connection requests. To get a list of valid protocols, use the [`ListProtocols`][5] operation.                          | `"TCP"`            |
+| `loadbalancer-policy` | Specifies loadbalancer traffic policy for the loadbalancer. To get a list of valid policies, use the [`ListPolicies`][7] operation.                       | `"ROUND_ROBIN"`            |
+| `oci-network-security-groups` | Specifies Network Security Groups' OCIDs to be associated with the loadbalancer. Please refer [here][8] for NSG details.                      | `N/A`            |
+| `node-label-selector` | Specifies which nodes to add as a backend to the OCI Load Balancer and Network Load Balancer.                                                                                                                            | `N/A`|
 
 Note: 
 - Only one annotation `oci-load-balancer-subnet1` should be passed if it is a regional subnet.
@@ -50,11 +51,11 @@ Note:
 | `oci-load-balancer-ssl-ports` | A `,` separated list of port number(s) for which to enable SSL termination. | `""` |
 
 ## Security List Management Modes
-| Mode | Description | 
-| ---- | ----------- | 
-| `"All"` | CCM will manage all required security list rules for load balancer services | 
-| `"Frontend"` | CCM will manage  only security list rules for ingress to the load balancer. Requires that the user has setup a rule that allows inbound traffic to the appropriate ports for kube proxy health port, node port ranges, and health check port ranges.  | 
-| `"None`" | Disables all security list management. Requires that the user has setup a rule that allows inbound traffic to the appropriate ports for kube proxy health port, node port ranges, and health check port ranges. *Additionally, requires the user to mange rules to allow inbound traffic to load balancers.* | 
+| Mode | Description |
+| ---- | ----------- |
+| `"All"` | CCM will manage all required security list rules for load balancer services |
+| `"Frontend"` | CCM will manage  only security list rules for ingress to the load balancer. Requires that the user has setup a rule that allows inbound traffic to the appropriate ports for kube proxy health port, node port ranges, and health check port ranges.  |
+| `"None`" | Disables all security list management. Requires that the user has setup a rule that allows inbound traffic to the appropriate ports for kube proxy health port, node port ranges, and health check port ranges. *Additionally, requires the user to mange rules to allow inbound traffic to load balancers.* |
 
 Note:
 - If an invalid mode is passed in the annotation, then the default (`"All"`) mode is configured.
diff --git a/pkg/cloudprovider/providers/oci/load_balancer.go b/pkg/cloudprovider/providers/oci/load_balancer.go
@@ -351,13 +351,60 @@ func (clb *CloudLoadBalancerProvider) createLoadBalancer(ctx context.Context, sp
 
 }
 
+// getNodeFilter extracts the node filter based on load balancer type.
+// if no selector is defined then an all label selector object is returned to match everything.
+func getNodeFilter(svc *v1.Service) (labels.Selector, error) {
+	lbType := getLoadBalancerType(svc)
+
+	var labelSelector string
+
+	switch lbType {
+	case NLB:
+		labelSelector = svc.Annotations[ServiceAnnotationNetworkLoadBalancerNodeFilter]
+	default:
+		labelSelector = svc.Annotations[ServiceAnnotationLoadBalancerNodeFilter]
+	}
+
+	if labelSelector == "" {
+		return labels.Everything(), nil
+	}
+
+	return labels.Parse(labelSelector)
+}
+
+// filterNodes based on the label selector, if present, and returns the set of nodes
+// that should be backends in the load balancer.
+func filterNodes(svc *v1.Service, nodes []*v1.Node) ([]*v1.Node, error) {
+
+	selector, err := getNodeFilter(svc)
+	if err != nil {
+		return nil, err
+	}
+
+	var filteredNodes []*v1.Node
+	for _, n := range nodes {
+		if selector.Matches(labels.Set(n.GetLabels())) {
+			filteredNodes = append(filteredNodes, n)
+		}
+	}
+
+	return filteredNodes, nil
+}
+
 // EnsureLoadBalancer creates a new load balancer or updates the existing one.
 // Returns the status of the balancer (i.e it's public IP address if one exists).
 func (cp *CloudProvider) EnsureLoadBalancer(ctx context.Context, clusterName string, service *v1.Service, nodes []*v1.Node) (*v1.LoadBalancerStatus, error) {
 	startTime := time.Now()
 	lbName := GetLoadBalancerName(service)
 	loadBalancerType := getLoadBalancerType(service)
 	logger := cp.logger.With("loadBalancerName", lbName, "serviceName", service.Name, "loadBalancerType", loadBalancerType)
+
+	nodes, err := filterNodes(service, nodes)
+	if err != nil {
+		logger.With(zap.Error(err)).Error("Failed to filter nodes with label selector")
+		return nil, err
+	}
+
 	logger.With("nodes", len(nodes)).Info("Ensuring load balancer")
 
 	dimensionsMap := make(map[string]string)
diff --git a/pkg/cloudprovider/providers/oci/load_balancer_spec.go b/pkg/cloudprovider/providers/oci/load_balancer_spec.go
@@ -138,6 +138,10 @@ const (
 
 	// ServiceAnnotationLoadBalancerType is a service annotation for specifying lb type
 	ServiceAnnotationLoadBalancerType = "oci.oraclecloud.com/load-balancer-type"
+
+	// ServiceAnnotationLoadBalancerNodeFilter is a service annotation to select specific nodes as your backend in the LB
+	// based on label selector.
+	ServiceAnnotationLoadBalancerNodeFilter = "oci.oraclecloud.com/node-label-selector"
 )
 
 // NLB specific annotations
@@ -191,6 +195,10 @@ const (
 	// ServiceAnnotationNetworkLoadBalancerInitialFreeformTagsOverride is a service annotation for specifying
 	// freeform tags on the nlb
 	ServiceAnnotationNetworkLoadBalancerInitialFreeformTagsOverride = "oci-network-load-balancer.oraclecloud.com/initial-freeform-tags-override"
+
+	// ServiceAnnotationNetworkLoadBalancerNodeFilter is a service annotation to select specific nodes as your backend in the NLB
+	// based on label selector.
+	ServiceAnnotationNetworkLoadBalancerNodeFilter = "oci-network-load-balancer.oraclecloud.com/node-label-selector"
 )
 
 // certificateData is a structure containing the data about a K8S secret required
@@ -502,11 +510,17 @@ func getBackends(logger *zap.SugaredLogger, nodes []*v1.Node, nodePort int32) []
 			logger.Warnf("Node %q has an empty Internal IP address.", node.Name)
 			continue
 		}
+		instanceID, err := MapProviderIDToInstanceID(node.Spec.ProviderID)
+		if err != nil {
+			logger.Warnf("Node %q has an empty ProviderID.", node.Name)
+			continue
+		}
+
 		backends = append(backends, client.GenericBackend{
 			IpAddress: nodeAddressString,
 			Port:      common.Int(int(nodePort)),
 			Weight:    common.Int(1),
-			TargetId:  &node.Spec.ProviderID,
+			TargetId:  &instanceID,
 		})
 	}
 	return backends
diff --git a/pkg/cloudprovider/providers/oci/load_balancer_test.go b/pkg/cloudprovider/providers/oci/load_balancer_test.go
