oracle
diff --git a/‎docs/load-balancer-annotations.md
Lines changed: 14 additions & 13 deletions b/‎docs/load-balancer-annotations.md
Lines changed: 14 additions & 13 deletions
diff --git a/‎pkg/cloudprovider/providers/oci/load_balancer.go
Lines changed: 13 additions & 9 deletions b/‎pkg/cloudprovider/providers/oci/load_balancer.go
Lines changed: 13 additions & 9 deletions
diff --git a/‎pkg/cloudprovider/providers/oci/load_balancer_spec.go
Lines changed: 79 additions & 47 deletions b/‎pkg/cloudprovider/providers/oci/load_balancer_spec.go
Lines changed: 79 additions & 47 deletions
@@ -78,19 +78,20 @@ Note:
 
 ## Network Load Balancer Specific Annotations
 
-| Name                                                                       | Description                                                                                                                                                | Default                   |
-|----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|
-| `oci-network-load-balancer.oraclecloud.com/internal`                       | Create an [internal network load balancer][1]. Cannot be modified after load balancer creation.                                                            | `false`                   |
-| `oci-network-load-balancer.oraclecloud.com/subnet`                         | The OCID of the required regional or AD specific subnet to attach the network load balancer.	                                                              | Value set for the cluster |
-| `oci-network-load-balancer.oraclecloud.com/oci-network-security-groups`    | Specifies Network Security Groups' OCIDs to be associated with the network load balancer.	                                                                 | `""`                      |
-| `oci-network-load-balancer.oraclecloud.com/initial-freeform-tags-override` | Specifies one or multiple Freeform tags to apply to the OCI Network Load Balancer.                                                                         | `""`                      |
-| `oci-network-load-balancer.oraclecloud.com/initial-defined-tags-override`  | Specifies one or multiple Defined tags to apply to the OCI Network Load Balancer.                                                                          | `""`                      |
-| `oci-network-load-balancer.oraclecloud.com/health-check-retries`           | The number of retries to attempt before a backend server is considered "unhealthy".	                                                                       | `3`                       |
-| `oci-network-load-balancer.oraclecloud.com/health-check-timeout`           | The maximum time, in milliseconds, to wait for a reply to a health check. A health check is successful only if a reply returns within this timeout period. | `3000 ms`                 |
-| `oci-network-load-balancer.oraclecloud.com/health-check-interval`          | The interval between health checks requests, in milliseconds.                                                                                              | `3000 ms`                 |
-| `oci-network-load-balancer.oraclecloud.com/backend-policy`                 | The network load balancer policy for the backend set. Valid values: "TWO_TUPLE", "THREE_TUPLE", or "FIVE_TUPLE"		                                          | `"FIVE_TUPLE"`            |
-| `oci-network-load-balancer.oraclecloud.com/security-list-management-mode`  | Specifies the security list mode ("All", "Frontend","None") to configure how security lists are managed.		                                                 | `"None"`                  |
-| `oci-network-load-balancer.oraclecloud.com/node-label-selector`            | Specifies which nodes to add as a backend to the OCI Network Load Balancer.		                                                                              | `"None"`                  |
+| Name                                                                        | Description                                                                                                                                               | Default                   |
+|-----------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|
+| `oci-network-load-balancer.oraclecloud.com/internal`                        | Create an [internal network load balancer][1]. Cannot be modified after load balancer creation.                                                           | `false`                   |
+| `oci-network-load-balancer.oraclecloud.com/subnet`                          | The OCID of the required regional or AD specific subnet to attach the network load balancer.	                                                             | Value set for the cluster |
+| `oci-network-load-balancer.oraclecloud.com/oci-network-security-groups`     | Specifies Network Security Groups' OCIDs to be associated with the network load balancer.	                                                                | `""`                      |
+| `oci-network-load-balancer.oraclecloud.com/initial-freeform-tags-override`  | Specifies one or multiple Freeform tags to apply to the OCI Network Load Balancer.                                                                        | `""`                      |
+| `oci-network-load-balancer.oraclecloud.com/initial-defined-tags-override`   | Specifies one or multiple Defined tags to apply to the OCI Network Load Balancer.                                                                         | `""`                      |
+| `oci-network-load-balancer.oraclecloud.com/health-check-retries`            | The number of retries to attempt before a backend server is considered "unhealthy".	                                                                      | `3`                       |
+| `oci-network-load-balancer.oraclecloud.com/health-check-timeout`            | The maximum time, in milliseconds, to wait for a reply to a health check. A health check is successful only if a reply returns within this timeout period. | `3000 ms`                 |
+| `oci-network-load-balancer.oraclecloud.com/health-check-interval`           | The interval between health checks requests, in milliseconds.                                                                                             | `3000 ms`                 |
+| `oci-network-load-balancer.oraclecloud.com/backend-policy`                  | The network load balancer policy for the backend set. Valid values: "TWO_TUPLE", "THREE_TUPLE", or "FIVE_TUPLE"		                                         | `"FIVE_TUPLE"`            |
+| `oci-network-load-balancer.oraclecloud.com/security-list-management-mode`   | Specifies the security list mode ("All", "Frontend","None") to configure how security lists are managed.		                                                | `"None"`                  |
+| `oci-network-load-balancer.oraclecloud.com/node-label-selector`             | Specifies which nodes to add as a backend to the OCI Network Load Balancer.		                                                                             | `"None"`                  |
+| `oci-network-load-balancer.oraclecloud.com/is-preserve-source`              | Enable or disable the network load balancer to preserve source address of incoming traffic. Can be set only when externalTrafficPolicy is set to Local.	  | `"true" (if externalTrafficPolicy=Local)`                 |
 
 Note:
 - The only security list management mode allowed when backend protocol is UDP is "None"
 
@@ -339,7 +339,7 @@ func (clb *CloudLoadBalancerProvider) createLoadBalancer(ctx context.Context, sp
 	if status != nil && len(status.Ingress) > 0 {
 		// If the LB is successfully provisioned then open lb/node subnet seclists egress/ingress.
 		for _, ports := range spec.Ports {
-			if err = spec.securityListManager.Update(ctx, lbSubnets, nodeSubnets, spec.SourceCIDRs, nil, ports, *spec.IsPreserveSourceDestination); err != nil {
+			if err = spec.securityListManager.Update(ctx, lbSubnets, nodeSubnets, spec.SourceCIDRs, nil, ports, *spec.IsPreserveSource); err != nil {
 				return nil, "", err
 			}
 		}
@@ -701,7 +701,7 @@ func (clb *CloudLoadBalancerProvider) updateLoadBalancer(ctx context.Context, lb
 		// We try to update the seclist this way to prevent replication
 		// of seclist reconciliation logic
 		for _, ports := range spec.Ports {
-			if err = spec.securityListManager.Update(ctx, lbSubnets, nodeSubnets, spec.SourceCIDRs, nil, ports, *spec.IsPreserveSourceDestination); err != nil {
+			if err = spec.securityListManager.Update(ctx, lbSubnets, nodeSubnets, spec.SourceCIDRs, nil, ports, *spec.IsPreserveSource); err != nil {
 				return err
 			}
 		}
@@ -756,7 +756,7 @@ func (clb *CloudLoadBalancerProvider) updateBackendSet(ctx context.Context, lbID
 
 	switch action.Type() {
 	case Create:
-		err = secListManager.Update(ctx, lbSubnets, nodeSubnets, sourceCIDRs, nil, ports, *spec.IsPreserveSourceDestination)
+		err = secListManager.Update(ctx, lbSubnets, nodeSubnets, sourceCIDRs, nil, ports, *spec.IsPreserveSource)
 		if err != nil {
 			return err
 		}
@@ -765,12 +765,12 @@ func (clb *CloudLoadBalancerProvider) updateBackendSet(ctx context.Context, lbID
 	case Update:
 		// For NLB, due to source IP preservation we need to ensure ingress rules from sourceCIDRs are added to
 		// the backends subnet's seclist as well
-		if err = secListManager.Update(ctx, lbSubnets, nodeSubnets, spec.SourceCIDRs, action.OldPorts, ports, *spec.IsPreserveSourceDestination); err != nil {
+		if err = secListManager.Update(ctx, lbSubnets, nodeSubnets, spec.SourceCIDRs, action.OldPorts, ports, *spec.IsPreserveSource); err != nil {
 			return err
 		}
 		workRequestID, err = clb.lbClient.UpdateBackendSet(ctx, lbID, action.Name(), &bs)
 	case Delete:
-		err = secListManager.Delete(ctx, lbSubnets, nodeSubnets, ports, sourceCIDRs, *spec.IsPreserveSourceDestination)
+		err = secListManager.Delete(ctx, lbSubnets, nodeSubnets, ports, sourceCIDRs, *spec.IsPreserveSource)
 		if err != nil {
 			return err
 		}
@@ -808,21 +808,21 @@ func (clb *CloudLoadBalancerProvider) updateListener(ctx context.Context, lbID s
 
 	switch action.Type() {
 	case Create:
-		err = secListManager.Update(ctx, lbSubnets, nodeSubnets, sourceCIDRs, nil, ports, *spec.IsPreserveSourceDestination)
+		err = secListManager.Update(ctx, lbSubnets, nodeSubnets, sourceCIDRs, nil, ports, *spec.IsPreserveSource)
 		if err != nil {
 			return err
 		}
 
 		workRequestID, err = clb.lbClient.CreateListener(ctx, lbID, action.Name(), &listener)
 	case Update:
-		err = secListManager.Update(ctx, lbSubnets, nodeSubnets, sourceCIDRs, nil, ports, *spec.IsPreserveSourceDestination)
+		err = secListManager.Update(ctx, lbSubnets, nodeSubnets, sourceCIDRs, nil, ports, *spec.IsPreserveSource)
 		if err != nil {
 			return err
 		}
 
 		workRequestID, err = clb.lbClient.UpdateListener(ctx, lbID, action.Name(), &listener)
 	case Delete:
-		err = secListManager.Delete(ctx, lbSubnets, nodeSubnets, ports, sourceCIDRs, *spec.IsPreserveSourceDestination)
+		err = secListManager.Delete(ctx, lbSubnets, nodeSubnets, ports, sourceCIDRs, *spec.IsPreserveSource)
 		if err != nil {
 			return err
 		}
@@ -989,7 +989,11 @@ func (cp *CloudProvider) cleanupSecListForLoadBalancerDelete(lb *client.GenericL
 	securityListManager := cp.securityListManagerFactory(
 		secListManagerMode)
 
-	isPreserveSource := getPreserveSourceDestination(service)
+	isPreserveSource, err := getPreserveSource(logger, service)
+	if err != nil {
+		logger.With(zap.Error(err)).Error("failed to determine value for is-preserve-source")
+		return errors.Wrap(err, "failed to determine value for is-preserve-source")
+	}
 
 	for listenerName, listener := range lb.Listeners {
 		backendSetName := *listener.DefaultBackendSetName
 
@@ -202,6 +202,10 @@ const (
 	// ServiceAnnotationNetworkLoadBalancerNodeFilter is a service annotation to select specific nodes as your backend in the NLB
 	// based on label selector.
 	ServiceAnnotationNetworkLoadBalancerNodeFilter = "oci-network-load-balancer.oraclecloud.com/node-label-selector"
+
+	// ServiceAnnotationNetworkLoadBalancerIsPreserveSource is a service annotation to enable/disable preserving source information
+	// on the NLB traffic. Default value when no annotation is given is to enable this for NLBs with externalTrafficPolicy=Local.
+	ServiceAnnotationNetworkLoadBalancerIsPreserveSource = "oci-network-load-balancer.oraclecloud.com/is-preserve-source"
 )
 
 // certificateData is a structure containing the data about a K8S secret required
@@ -267,24 +271,24 @@ func NewSSLConfig(secretListenerString string, secretBackendSetString string, se
 // LBSpec holds the data required to build a OCI load balancer from a
 // kubernetes service.
 type LBSpec struct {
-	Type                        string
-	Name                        string
-	Shape                       string
-	FlexMin                     *int
-	FlexMax                     *int
-	Subnets                     []string
-	Internal                    bool
-	Listeners                   map[string]client.GenericListener
-	BackendSets                 map[string]client.GenericBackendSetDetails
-	LoadBalancerIP              string
-	IsPreserveSourceDestination *bool
-	Ports                       map[string]portSpec
-	SourceCIDRs                 []string
-	SSLConfig                   *SSLConfig
-	securityListManager         securityListManager
-	NetworkSecurityGroupIds     []string
-	FreeformTags                map[string]string
-	DefinedTags                 map[string]map[string]interface{}
+	Type                    string
+	Name                    string
+	Shape                   string
+	FlexMin                 *int
+	FlexMax                 *int
+	Subnets                 []string
+	Internal                bool
+	Listeners               map[string]client.GenericListener
+	BackendSets             map[string]client.GenericBackendSetDetails
+	LoadBalancerIP          string
+	IsPreserveSource        *bool
+	Ports                   map[string]portSpec
+	SourceCIDRs             []string
+	SSLConfig               *SSLConfig
+	securityListManager     securityListManager
+	NetworkSecurityGroupIds []string
+	FreeformTags            map[string]string
+	DefinedTags             map[string]map[string]interface{}
 
 	service *v1.Service
 	nodes   []*v1.Node
@@ -316,9 +320,12 @@ func NewLBSpec(logger *zap.SugaredLogger, svc *v1.Service, nodes []*v1.Node, sub
 		return nil, err
 	}
 
-	isPreserveSourceDestination := getPreserveSourceDestination(svc)
+	isPreserveSource, err := getPreserveSource(logger, svc)
+	if err != nil {
+		return nil, err
+	}
 
-	backendSets, err := getBackendSets(logger, svc, nodes, sslConfig, isPreserveSourceDestination)
+	backendSets, err := getBackendSets(logger, svc, nodes, sslConfig, isPreserveSource)
 	if err != nil {
 		return nil, err
 	}
@@ -351,26 +358,26 @@ func NewLBSpec(logger *zap.SugaredLogger, svc *v1.Service, nodes []*v1.Node, sub
 	lbType := getLoadBalancerType(svc)
 
 	return &LBSpec{
-		Type:                        lbType,
-		Name:                        GetLoadBalancerName(svc),
-		Shape:                       shape,
-		FlexMin:                     flexShapeMinMbps,
-		FlexMax:                     flexShapeMaxMbps,
-		Internal:                    internal,
-		Subnets:                     subnets,
-		Listeners:                   listeners,
-		BackendSets:                 backendSets,
-		LoadBalancerIP:              loadbalancerIP,
-		IsPreserveSourceDestination: &isPreserveSourceDestination,
-		Ports:                       ports,
-		SSLConfig:                   sslConfig,
-		SourceCIDRs:                 sourceCIDRs,
-		NetworkSecurityGroupIds:     networkSecurityGroupIds,
-		service:                     svc,
-		nodes:                       nodes,
-		securityListManager:         secListFactory(secListManagerMode),
-		FreeformTags:                lbTags.FreeformTags,
-		DefinedTags:                 lbTags.DefinedTags,
+		Type:                    lbType,
+		Name:                    GetLoadBalancerName(svc),
+		Shape:                   shape,
+		FlexMin:                 flexShapeMinMbps,
+		FlexMax:                 flexShapeMaxMbps,
+		Internal:                internal,
+		Subnets:                 subnets,
+		Listeners:               listeners,
+		BackendSets:             backendSets,
+		LoadBalancerIP:          loadbalancerIP,
+		IsPreserveSource:        &isPreserveSource,
+		Ports:                   ports,
+		SSLConfig:               sslConfig,
+		SourceCIDRs:             sourceCIDRs,
+		NetworkSecurityGroupIds: networkSecurityGroupIds,
+		service:                 svc,
+		nodes:                   nodes,
+		securityListManager:     secListFactory(secListManagerMode),
+		FreeformTags:            lbTags.FreeformTags,
+		DefinedTags:             lbTags.DefinedTags,
 	}, nil
 }
 
@@ -459,15 +466,40 @@ func validateService(svc *v1.Service) error {
 	return nil
 }
 
-func getPreserveSourceDestination(svc *v1.Service) bool {
+func getPreserveSource(logger *zap.SugaredLogger, svc *v1.Service) (bool, error) {
 	if svc.Annotations[ServiceAnnotationLoadBalancerType] != NLB {
-		return false
+		return false, nil
+	}
+	// fail the request if externalTrafficPolicy is set to Cluster and is-preserve-source annotation is set
+	if svc.Spec.ExternalTrafficPolicy == v1.ServiceExternalTrafficPolicyTypeCluster {
+		_, ok := svc.Annotations[ServiceAnnotationNetworkLoadBalancerIsPreserveSource]
+		if ok {
+			logger.Error("error : externalTrafficPolicy is set to Cluster and the %s annotation is set", ServiceAnnotationNetworkLoadBalancerIsPreserveSource)
+			return false, fmt.Errorf("%s annotation cannot be set when externalTrafficPolicy is set to Cluster", ServiceAnnotationNetworkLoadBalancerIsPreserveSource)
+		}
+	}
+
+	enablePreservation, err := getPreserveSourceAnnotation(logger, svc)
+	if err != nil {
+		return false, err
 	}
+	if svc.Spec.ExternalTrafficPolicy == v1.ServiceExternalTrafficPolicyTypeLocal && enablePreservation {
+		return true, nil
+	}
+	return false, nil
+}
 
-	if svc.Spec.ExternalTrafficPolicy == v1.ServiceExternalTrafficPolicyTypeLocal {
-		return true
+func getPreserveSourceAnnotation(logger *zap.SugaredLogger, svc *v1.Service) (bool, error) {
+	if annotationString, ok := svc.Annotations[ServiceAnnotationNetworkLoadBalancerIsPreserveSource]; ok {
+		enable, err := strconv.ParseBool(annotationString)
+		if err != nil {
+			logger.Error("failed to to parse %s annotation value - %s", ServiceAnnotationNetworkLoadBalancerIsPreserveSource, annotationString)
+			return false, fmt.Errorf("failed to to parse %s annotation value - %s", ServiceAnnotationNetworkLoadBalancerIsPreserveSource, annotationString)
+		}
+		return enable, nil
 	}
-	return false
+	// default behavior is to enable source destination preservation
+	return true, nil
 }
 
 func getLoadBalancerSourceRanges(service *v1.Service) ([]string, error) {
@@ -544,7 +576,7 @@ func getBackends(logger *zap.SugaredLogger, nodes []*v1.Node, nodePort int32) []
 	return backends
 }
 
-func getBackendSets(logger *zap.SugaredLogger, svc *v1.Service, nodes []*v1.Node, sslCfg *SSLConfig, isPreserveSourceDestination bool) (map[string]client.GenericBackendSetDetails, error) {
+func getBackendSets(logger *zap.SugaredLogger, svc *v1.Service, nodes []*v1.Node, sslCfg *SSLConfig, isPreserveSource bool) (map[string]client.GenericBackendSetDetails, error) {
 	backendSets := make(map[string]client.GenericBackendSetDetails)
 	loadbalancerPolicy, err := getLoadBalancerPolicy(svc)
 	if err != nil {
@@ -579,7 +611,7 @@ func getBackendSets(logger *zap.SugaredLogger, svc *v1.Service, nodes []*v1.Node
 			Policy:           &loadbalancerPolicy,
 			Backends:         getBackends(logger, nodes, servicePort.NodePort),
 			HealthChecker:    healthChecker,
-			IsPreserveSource: &isPreserveSourceDestination,
+			IsPreserveSource: &isPreserveSource,
 			SslConfiguration: getSSLConfiguration(sslCfg, secretName, port),
 		}
 	}