Support for gRPC Protocol on OKE managed LB and add e2e test case

pranavsriram8 · YashwantGohokar · commit af2e79e744a9 · 2025-02-18T11:11:54.000+05:30
diff --git a/pkg/cloudprovider/providers/oci/load_balancer_spec.go b/pkg/cloudprovider/providers/oci/load_balancer_spec.go
@@ -246,6 +246,11 @@ const (
 	ServiceAnnotationNetworkLoadBalancerIsPpv2Enabled = "oci-network-load-balancer.oraclecloud.com/is-ppv2-enabled"
 )
 
+const (
+	ProtocolGrpc              = "GRPC"
+	DefaultCipherSuiteForGRPC = "oci-default-http2-ssl-cipher-suite-v1"
+)
+
 // certificateData is a structure containing the data about a K8S secret required
 // to store SSL information required for BackendSets and Listeners
 type certificateData struct {
@@ -1032,10 +1037,10 @@ func getListenersOciLoadBalancer(svc *v1.Service, sslCfg *SSLConfig) (map[string
 			if p == "" {
 				p = DefaultLoadBalancerBEProtocol
 			}
-			if strings.EqualFold(p, "HTTP") || strings.EqualFold(p, "TCP") {
+			if strings.EqualFold(p, "HTTP") || strings.EqualFold(p, "TCP") || strings.EqualFold(p, "GRPC") {
 				protocol = p
 			} else {
-				return nil, fmt.Errorf("invalid backend protocol %q requested for load balancer listener. Only 'HTTP' and 'TCP' protocols supported", p)
+				return nil, fmt.Errorf("invalid backend protocol %q requested for load balancer listener. Only 'HTTP', 'TCP' and 'GRPC' protocols supported", p)
 			}
 		}
 		port := int(servicePort.Port)
@@ -1051,6 +1056,15 @@ func getListenersOciLoadBalancer(svc *v1.Service, sslCfg *SSLConfig) (map[string
 				return nil, err
 			}
 		}
+		if strings.EqualFold(protocol, "GRPC") {
+			protocol = ProtocolGrpc
+			if sslConfiguration == nil {
+				return nil, fmt.Errorf("SSL configuration cannot be empty for GRPC protocol")
+			}
+			if sslConfiguration.CipherSuiteName == nil {
+				sslConfiguration.CipherSuiteName = common.String(DefaultCipherSuiteForGRPC)
+			}
+		}
 		name := getListenerName(protocol, port)
 
 		listener := client.GenericListener{
diff --git a/pkg/cloudprovider/providers/oci/load_balancer_spec_test.go b/pkg/cloudprovider/providers/oci/load_balancer_spec_test.go
@@ -4543,6 +4543,162 @@ func TestNewLBSpecSuccess(t *testing.T) {
 				},
 			},
 		},
+		"GRPC listeners": {
+			defaultSubnetOne: "one",
+			defaultSubnetTwo: "two",
+			IpVersions: &IpVersions{
+				IpFamilies:               []string{IPv4},
+				IpFamilyPolicy:           common.String(string(v1.IPFamilyPolicySingleStack)),
+				LbEndpointIpVersion:      GenericIpVersion(client.GenericIPv4),
+				ListenerBackendIpVersion: []client.GenericIpVersion{client.GenericIPv4},
+			},
+			nodes: []*v1.Node{
+				{
+					TypeMeta:   metav1.TypeMeta{},
+					ObjectMeta: metav1.ObjectMeta{},
+					Spec: v1.NodeSpec{
+						ProviderID: testNodeString,
+					},
+					Status: v1.NodeStatus{
+						Capacity:    nil,
+						Allocatable: nil,
+						Phase:       "",
+						Conditions:  nil,
+						Addresses: []v1.NodeAddress{
+							{
+								Address: "0.0.0.0",
+								Type:    "InternalIP",
+							},
+						},
+						DaemonEndpoints: v1.NodeDaemonEndpoints{},
+						NodeInfo:        v1.NodeSystemInfo{},
+						Images:          nil,
+						VolumesInUse:    nil,
+						VolumesAttached: nil,
+						Config:          nil,
+					},
+				},
+			},
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "kube-system",
+					Name:      "testservice",
+					UID:       "test-uid",
+					Annotations: map[string]string{
+						ServiceAnnotationLoadBalancerBEProtocol: "GRPC",
+					},
+				},
+				Spec: v1.ServiceSpec{
+					IPFamilies:      []v1.IPFamily{v1.IPFamily(IPv4)},
+					SessionAffinity: v1.ServiceAffinityNone,
+					Ports: []v1.ServicePort{
+						{
+							Protocol: v1.ProtocolTCP,
+							Port:     int32(443),
+						},
+					},
+				},
+			},
+			expected: &LBSpec{
+				Name:     "test-uid",
+				Type:     "lb",
+				Shape:    "100Mbps",
+				Internal: false,
+				Subnets:  []string{"one", "two"},
+				Listeners: map[string]client.GenericListener{
+					fmt.Sprintf("GRPC-443"): {
+						Name:                  common.String("GRPC-443"),
+						DefaultBackendSetName: common.String("TCP-443"),
+						Port:                  common.Int(443),
+						Protocol:              common.String("GRPC"),
+						SslConfiguration: &client.GenericSslConfigurationDetails{
+							CertificateName:       &listenerSecret,
+							VerifyDepth:           common.Int(0),
+							VerifyPeerCertificate: common.Bool(false),
+							CipherSuiteName:       common.String(DefaultCipherSuiteForGRPC),
+						},
+					},
+				},
+				BackendSets: map[string]client.GenericBackendSetDetails{
+					"TCP-443": {
+						Name:     common.String("TCP-443"),
+						Backends: []client.GenericBackend{{IpAddress: common.String("0.0.0.0"), Port: common.Int(0), Weight: common.Int(1), TargetId: &testNodeString}},
+						HealthChecker: &client.GenericHealthChecker{
+							Protocol:         "HTTP",
+							IsForcePlainText: common.Bool(false),
+							Port:             common.Int(10256),
+							UrlPath:          common.String("/healthz"),
+							Retries:          common.Int(3),
+							TimeoutInMillis:  common.Int(3000),
+							IntervalInMillis: common.Int(10000),
+							ReturnCode:       common.Int(http.StatusOK),
+						},
+						IsPreserveSource: common.Bool(false),
+						Policy:           common.String("ROUND_ROBIN"),
+						SslConfiguration: &client.GenericSslConfigurationDetails{
+							CertificateName:       &backendSecret,
+							VerifyDepth:           common.Int(0),
+							VerifyPeerCertificate: common.Bool(false),
+						},
+						IpVersion: GenericIpVersion(client.GenericIPv4),
+					},
+				},
+				IsPreserveSource:        common.Bool(false),
+				NetworkSecurityGroupIds: []string{},
+				SourceCIDRs:             []string{"0.0.0.0/0"},
+				Ports: map[string]portSpec{
+					"TCP-443": {
+						ListenerPort:      443,
+						HealthCheckerPort: 10256,
+					},
+				},
+				securityListManager: newSecurityListManagerNOOP(),
+				SSLConfig: &SSLConfig{
+					Ports:                   sets.NewInt(443),
+					ListenerSSLSecretName:   listenerSecret,
+					BackendSetSSLSecretName: backendSecret,
+				},
+				ManagedNetworkSecurityGroup: &ManagedNetworkSecurityGroup{frontendNsgId: "", backendNsgId: []string{}, nsgRuleManagementMode: ManagementModeNone},
+				IpVersions: &IpVersions{
+					IpFamilies:               []string{IPv4},
+					IpFamilyPolicy:           common.String(string(v1.IPFamilyPolicySingleStack)),
+					LbEndpointIpVersion:      GenericIpVersion(client.GenericIPv4),
+					ListenerBackendIpVersion: []client.GenericIpVersion{client.GenericIPv4},
+				},
+				nodes: []*v1.Node{
+					{
+						TypeMeta:   metav1.TypeMeta{},
+						ObjectMeta: metav1.ObjectMeta{},
+						Spec: v1.NodeSpec{
+							ProviderID: testNodeString,
+						},
+						Status: v1.NodeStatus{
+							Capacity:    nil,
+							Allocatable: nil,
+							Phase:       "",
+							Conditions:  nil,
+							Addresses: []v1.NodeAddress{
+								{
+									Address: "0.0.0.0",
+									Type:    "InternalIP",
+								},
+							},
+							DaemonEndpoints: v1.NodeDaemonEndpoints{},
+							NodeInfo:        v1.NodeSystemInfo{},
+							Images:          nil,
+							VolumesInUse:    nil,
+							VolumesAttached: nil,
+							Config:          nil,
+						},
+					},
+				},
+			},
+			sslConfig: &SSLConfig{
+				Ports:                   sets.NewInt(443),
+				ListenerSSLSecretName:   listenerSecret,
+				BackendSetSSLSecretName: backendSecret,
+			},
+		},
 	}
 
 	cp := &CloudProvider{
@@ -4577,7 +4733,7 @@ func TestNewLBSpecSuccess(t *testing.T) {
 			if !reflect.DeepEqual(result, tc.expected) {
 				results, _ := json.Marshal(result)
 				expected, _ := json.Marshal(tc.expected)
-				t.Errorf("Expected load balancer spec failed want: %s \n got: %s \n", expected, results)
+				t.Errorf("Expected load balancer spec failed\nExpected: %s\nResults: %s\n", expected, results)
 			}
 		})
 	}
@@ -8291,6 +8447,132 @@ func Test_getListeners(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "grpc protocol no ssl",
+			service: &v1.Service{
+				Spec: v1.ServiceSpec{
+					Ports: []v1.ServicePort{
+						{
+							Protocol: v1.Protocol("GRPC"),
+							Port:     int32(80),
+						},
+					},
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{},
+				},
+			},
+			sslConfig:                nil,
+			listenerBackendIpVersion: []string{IPv4},
+			want:                     nil,
+		},
+		{
+			name: "grpc protocol with ssl configuration and smart default cipher suite",
+			service: &v1.Service{
+				Spec: v1.ServiceSpec{
+					Ports: []v1.ServicePort{
+						{
+							Protocol: v1.Protocol("TCP"),
+							Port:     int32(443),
+						},
+					},
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						ServiceAnnotationLoadBalancerBEProtocol: ProtocolGrpc,
+					},
+				},
+			},
+			listenerBackendIpVersion: []string{IPv4},
+			sslConfig: &SSLConfig{
+				Ports:                   sets.NewInt(443),
+				ListenerSSLSecretName:   listenerSecret,
+				BackendSetSSLSecretName: backendSecret,
+			},
+			want: map[string]client.GenericListener{
+				"GRPC-443": {
+					Name:                  common.String("GRPC-443"),
+					Port:                  common.Int(443),
+					Protocol:              common.String("GRPC"),
+					DefaultBackendSetName: common.String("TCP-443"),
+					SslConfiguration: &client.GenericSslConfigurationDetails{
+						CertificateName:       &listenerSecret,
+						VerifyDepth:           common.Int(0),
+						VerifyPeerCertificate: common.Bool(false),
+						CipherSuiteName:       common.String(DefaultCipherSuiteForGRPC),
+					},
+				},
+			},
+		},
+		{
+			name: "grpc protocol with ssl configuration and cipher suite",
+			service: &v1.Service{
+				Spec: v1.ServiceSpec{
+					Ports: []v1.ServicePort{
+						{
+							Protocol: v1.Protocol("TCP"),
+							Port:     int32(443),
+						},
+					},
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						ServiceAnnotationLoadBalancerBEProtocol:        ProtocolGrpc,
+						ServiceAnnotationLoadbalancerListenerSSLConfig: `{"cipherSuiteName":"oci-default-http2-ssl-cipher-suite-v1", "protocols":["TLSv1.2"]}`,
+						ServiceAnnotationLoadBalancerSSLPorts:          "443",
+					},
+				},
+			},
+			listenerBackendIpVersion: []string{IPv4},
+			sslConfig: &SSLConfig{
+				Ports:                   sets.NewInt(443),
+				ListenerSSLSecretName:   listenerSecret,
+				BackendSetSSLSecretName: backendSecret,
+			},
+			want: map[string]client.GenericListener{
+				"GRPC-443": {
+					Name:                  common.String("GRPC-443"),
+					Port:                  common.Int(443),
+					Protocol:              common.String("GRPC"),
+					DefaultBackendSetName: common.String("TCP-443"),
+					SslConfiguration: &client.GenericSslConfigurationDetails{
+						CertificateName:       &listenerSecret,
+						VerifyDepth:           common.Int(0),
+						VerifyPeerCertificate: common.Bool(false),
+						CipherSuiteName:       common.String("oci-default-http2-ssl-cipher-suite-v1"),
+						Protocols:             []string{"TLSv1.2"},
+					},
+				},
+			},
+		},
+		{
+			name: "Listeners with cipher suites",
+			service: &v1.Service{
+				Spec: v1.ServiceSpec{
+					Ports: []v1.ServicePort{
+						{
+							Protocol: v1.ProtocolTCP,
+							Port:     int32(80),
+						},
+					},
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						ServiceAnnotationLoadbalancerListenerSSLConfig: `{"cipherSuiteName":"oci-default-http2-ssl-cipher-suite-v1", "protocols":["TLSv1.2"]}`,
+					},
+				},
+			},
+			listenerBackendIpVersion: []string{IPv4},
+			sslConfig:                nil,
+			want: map[string]client.GenericListener{
+				"TCP-80": {
+					Name:                  common.String("TCP-80"),
+					Port:                  common.Int(80),
+					Protocol:              common.String("TCP"),
+					DefaultBackendSetName: common.String("TCP-80"),
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/pkg/cloudprovider/providers/oci/load_balancer_util_test.go b/pkg/cloudprovider/providers/oci/load_balancer_util_test.go
@@ -1555,6 +1555,22 @@ func TestHasListenerChanged(t *testing.T) {
 
 			expected: false,
 		},
+		{
+			name: "GRPC protocol",
+			desired: client.GenericListener{
+				Name:                  common.String("TCP-443"),
+				DefaultBackendSetName: common.String("TCP-443"),
+				Port:                  common.Int(443),
+				Protocol:              common.String("TCP"),
+			},
+			actual: client.GenericListener{
+				Name:                  common.String("GRPC-443"),
+				DefaultBackendSetName: common.String("TCP-443"),
+				Port:                  common.Int(443),
+				Protocol:              common.String("GRPC"),
+			},
+			expected: true,
+		},
 	}
 
 	for _, tt := range testCases {
diff --git a/test/e2e/cloud-provider-oci/load_balancer.go b/test/e2e/cloud-provider-oci/load_balancer.go
