Merge pull request #385 from jhorwit2/jah/filter-backend-nodes

Add support for filtering the nodes based on label selectors for an LB service by annotation

Author: l-technicore

pkg/cloudprovider/providers/oci/load_balancer.go

@@ -351,13 +351,60 @@ func (clb *CloudLoadBalancerProvider) createLoadBalancer(ctx context.Context, sp
 
 }
 
+// getNodeFilter extracts the node filter based on load balancer type.
+// if no selector is defined then an all label selector object is returned to match everything.
+func getNodeFilter(svc *v1.Service) (labels.Selector, error) {
+	lbType := getLoadBalancerType(svc)
+
+	var labelSelector string
+
+	switch lbType {
+	case NLB:
+		labelSelector = svc.Annotations[ServiceAnnotationNetworkLoadBalancerNodeFilter]
+	default:
+		labelSelector = svc.Annotations[ServiceAnnotationLoadBalancerNodeFilter]
+	}
+
+	if labelSelector == "" {
+		return labels.Everything(), nil
+	}
+
+	return labels.Parse(labelSelector)
+}
+
+// filterNodes based on the label selector, if present, and returns the set of nodes
+// that should be backends in the load balancer.
+func filterNodes(svc *v1.Service, nodes []*v1.Node) ([]*v1.Node, error) {
+
+	selector, err := getNodeFilter(svc)
+	if err != nil {
+		return nil, err
+	}
+
+	var filteredNodes []*v1.Node
+	for _, n := range nodes {
+		if selector.Matches(labels.Set(n.GetLabels())) {
+			filteredNodes = append(filteredNodes, n)
+		}
+	}
+
+	return filteredNodes, nil
+}
+
 // EnsureLoadBalancer creates a new load balancer or updates the existing one.
 // Returns the status of the balancer (i.e it's public IP address if one exists).
 func (cp *CloudProvider) EnsureLoadBalancer(ctx context.Context, clusterName string, service *v1.Service, nodes []*v1.Node) (*v1.LoadBalancerStatus, error) {
 	startTime := time.Now()
 	lbName := GetLoadBalancerName(service)
 	loadBalancerType := getLoadBalancerType(service)
 	logger := cp.logger.With("loadBalancerName", lbName, "serviceName", service.Name, "loadBalancerType", loadBalancerType)
+
+	nodes, err := filterNodes(service, nodes)
+	if err != nil {
+		logger.With(zap.Error(err)).Error("Failed to filter nodes with label selector")
+		return nil, err
+	}
+
 	logger.With("nodes", len(nodes)).Info("Ensuring load balancer")
 
 	dimensionsMap := make(map[string]string)

pkg/cloudprovider/providers/oci/load_balancer_spec.go

@@ -34,10 +34,10 @@ import (
 )
 
 const (
-	LB  = "lb"
-	NLB = "nlb"
-	LBHealthCheckIntervalMin = 1000
-	LBHealthCheckIntervalMax = 1800000
+	LB                        = "lb"
+	NLB                       = "nlb"
+	LBHealthCheckIntervalMin  = 1000
+	LBHealthCheckIntervalMax  = 1800000
 	NLBHealthCheckIntervalMin = 10000
 	NLBHealthCheckIntervalMax = 1800000
 )
@@ -138,6 +138,10 @@ const (
 
 	// ServiceAnnotationLoadBalancerType is a service annotation for specifying lb type
 	ServiceAnnotationLoadBalancerType = "oci.oraclecloud.com/load-balancer-type"
+
+	// ServiceAnnotationLoadBalancerNodeFilter is a service annotation to select specific nodes as your backend in the LB
+	// based on label selector.
+	ServiceAnnotationLoadBalancerNodeFilter = "oci.oraclecloud.com/node-label-selector"
 )
 
 // NLB specific annotations
@@ -181,6 +185,10 @@ const (
 	// ServiceAnnotationNetworkLoadBalancerInitialFreeformTagsOverride is a service annotation for specifying
 	// freeform tags on the nlb
 	ServiceAnnotationNetworkLoadBalancerInitialFreeformTagsOverride = "oci-network-load-balancer.oraclecloud.com/freeform-tags"
+
+	// ServiceAnnotationNetworkLoadBalancerNodeFilter is a service annotation to select specific nodes as your backend in the NLB
+	// based on label selector.
+	ServiceAnnotationNetworkLoadBalancerNodeFilter = "oci-network-load-balancer.oraclecloud.com/node-label-selector"
 )
 
 // certificateData is a structure containing the data about a K8S secret required

pkg/cloudprovider/providers/oci/load_balancer_test.go

@@ -30,6 +30,268 @@ import (
 	"github.com/oracle/oci-go-sdk/v50/core"
 )
 
+func newNodeObj(name string, labels map[string]string) *v1.Node {
+	return &v1.Node{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   name,
+			Labels: labels,
+		},
+	}
+}
+
+func Test_filterNodes(t *testing.T) {
+	testCases := map[string]struct {
+		nodes    []*v1.Node
+		service  *v1.Service
+		expected []*v1.Node
+	}{
+		"lb - no annotation": {
+			nodes: []*v1.Node{
+				newNodeObj("node1", nil),
+				newNodeObj("node2", nil),
+			},
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace:   "kube-system",
+					Name:        "testservice",
+					Annotations: map[string]string{},
+				},
+			},
+			expected: []*v1.Node{
+				newNodeObj("node1", nil),
+				newNodeObj("node2", nil),
+			},
+		},
+		"nlb - no annotation": {
+			nodes: []*v1.Node{
+				newNodeObj("node1", nil),
+				newNodeObj("node2", nil),
+			},
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "kube-system",
+					Name:      "testservice",
+					Annotations: map[string]string{
+						ServiceAnnotationLoadBalancerType: "nlb",
+					},
+				},
+			},
+			expected: []*v1.Node{
+				newNodeObj("node1", nil),
+				newNodeObj("node2", nil),
+			},
+		},
+		"lb - empty annotation": {
+			nodes: []*v1.Node{
+				newNodeObj("node1", nil),
+				newNodeObj("node2", nil),
+			},
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "kube-system",
+					Name:      "testservice",
+					Annotations: map[string]string{
+						ServiceAnnotationLoadBalancerNodeFilter: "",
+					},
+				},
+			},
+			expected: []*v1.Node{
+				newNodeObj("node1", nil),
+				newNodeObj("node2", nil),
+			},
+		},
+		"nlb - empty annotation": {
+			nodes: []*v1.Node{
+				newNodeObj("node1", nil),
+				newNodeObj("node2", nil),
+			},
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "kube-system",
+					Name:      "testservice",
+					Annotations: map[string]string{
+						ServiceAnnotationLoadBalancerType:              "nlb",
+						ServiceAnnotationNetworkLoadBalancerNodeFilter: "",
+					},
+				},
+			},
+			expected: []*v1.Node{
+				newNodeObj("node1", nil),
+				newNodeObj("node2", nil),
+			},
+		},
+		"lb - single selector select all": {
+			nodes: []*v1.Node{
+				newNodeObj("node1", map[string]string{"foo": "bar"}),
+				newNodeObj("node2", map[string]string{"foo": "bar"}),
+			},
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "kube-system",
+					Name:      "testservice",
+					Annotations: map[string]string{
+						ServiceAnnotationLoadBalancerNodeFilter: "foo=bar",
+					},
+				},
+			},
+			expected: []*v1.Node{
+				newNodeObj("node1", map[string]string{"foo": "bar"}),
+				newNodeObj("node2", map[string]string{"foo": "bar"}),
+			},
+		},
+		"nlb - single selector select all": {
+			nodes: []*v1.Node{
+				newNodeObj("node1", map[string]string{"foo": "bar"}),
+				newNodeObj("node2", map[string]string{"foo": "bar"}),
+			},
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "kube-system",
+					Name:      "testservice",
+					Annotations: map[string]string{
+						ServiceAnnotationLoadBalancerType:              "nlb",
+						ServiceAnnotationNetworkLoadBalancerNodeFilter: "foo=bar",
+					},
+				},
+			},
+			expected: []*v1.Node{
+				newNodeObj("node1", map[string]string{"foo": "bar"}),
+				newNodeObj("node2", map[string]string{"foo": "bar"}),
+			},
+		},
+		"lb - single selector select some": {
+			nodes: []*v1.Node{
+				newNodeObj("node1", map[string]string{"foo": "bar"}),
+				newNodeObj("node2", map[string]string{"foo": "baz"}),
+			},
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "kube-system",
+					Name:      "testservice",
+					Annotations: map[string]string{
+						ServiceAnnotationLoadBalancerNodeFilter: "foo=bar",
+					},
+				},
+			},
+			expected: []*v1.Node{
+				newNodeObj("node1", map[string]string{"foo": "bar"}),
+			},
+		},
+		"nlb - single selector select some": {
+			nodes: []*v1.Node{
+				newNodeObj("node1", map[string]string{"foo": "bar"}),
+				newNodeObj("node2", map[string]string{"foo": "baz"}),
+			},
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "kube-system",
+					Name:      "testservice",
+					Annotations: map[string]string{
+						ServiceAnnotationLoadBalancerType:              "nlb",
+						ServiceAnnotationNetworkLoadBalancerNodeFilter: "foo=bar",
+					},
+				},
+			},
+			expected: []*v1.Node{
+				newNodeObj("node1", map[string]string{"foo": "bar"}),
+			},
+		},
+		"lb - multi selector select all": {
+			nodes: []*v1.Node{
+				newNodeObj("node1", map[string]string{"foo": "bar"}),
+				newNodeObj("node2", map[string]string{"foo": "baz"}),
+			},
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "kube-system",
+					Name:      "testservice",
+					Annotations: map[string]string{
+						ServiceAnnotationLoadBalancerNodeFilter: "foo",
+					},
+				},
+			},
+			expected: []*v1.Node{
+				newNodeObj("node1", map[string]string{"foo": "bar"}),
+				newNodeObj("node2", map[string]string{"foo": "baz"}),
+			},
+		},
+		"nlb - multi selector select all": {
+			nodes: []*v1.Node{
+				newNodeObj("node1", map[string]string{"foo": "bar"}),
+				newNodeObj("node2", map[string]string{"foo": "baz"}),
+			},
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "kube-system",
+					Name:      "testservice",
+					Annotations: map[string]string{
+						ServiceAnnotationLoadBalancerType:              "nlb",
+						ServiceAnnotationNetworkLoadBalancerNodeFilter: "foo",
+					},
+				},
+			},
+			expected: []*v1.Node{
+				newNodeObj("node1", map[string]string{"foo": "bar"}),
+				newNodeObj("node2", map[string]string{"foo": "baz"}),
+			},
+		},
+		"lb - multi selector select some": {
+			nodes: []*v1.Node{
+				newNodeObj("node1", map[string]string{"foo": "bar"}),
+				newNodeObj("node2", map[string]string{"foo": "joe"}),
+				newNodeObj("node2", map[string]string{"foo": "baz"}),
+			},
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "kube-system",
+					Name:      "testservice",
+					Annotations: map[string]string{
+						ServiceAnnotationLoadBalancerNodeFilter: "foo in (bar, baz)",
+					},
+				},
+			},
+			expected: []*v1.Node{
+				newNodeObj("node1", map[string]string{"foo": "bar"}),
+				newNodeObj("node2", map[string]string{"foo": "baz"}),
+			},
+		},
+		"nlb - multi selector select some": {
+			nodes: []*v1.Node{
+				newNodeObj("node1", map[string]string{"foo": "bar"}),
+				newNodeObj("node2", map[string]string{"foo": "joe"}),
+				newNodeObj("node2", map[string]string{"foo": "baz"}),
+			},
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "kube-system",
+					Name:      "testservice",
+					Annotations: map[string]string{
+						ServiceAnnotationLoadBalancerType:              "nlb",
+						ServiceAnnotationNetworkLoadBalancerNodeFilter: "foo in (bar, baz)",
+					},
+				},
+			},
+			expected: []*v1.Node{
+				newNodeObj("node1", map[string]string{"foo": "bar"}),
+				newNodeObj("node2", map[string]string{"foo": "baz"}),
+			},
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			nodes, err := filterNodes(tc.service, tc.nodes)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			if !reflect.DeepEqual(nodes, tc.expected) {
+				t.Errorf("expected: %+v got %+v", tc.expected, nodes)
+			}
+		})
+	}
+}
+
 func Test_getDefaultLBSubnets(t *testing.T) {
 	type args struct {
 		subnet1 string