Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TargetGroupBindings can now manipulate target groups from different aws accounts #3691

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

TargetGroupBindings can now manipulate target groups from different aws accounts #3691

wants to merge 1 commit into from

Conversation

marcosdiez
Copy link
Contributor

@marcosdiez marcosdiez commented May 13, 2024
edited
Loading

Issue #3634

Description

Now, every time a TargetGroupBinding has the alb.ingress.kubernetes.io/IamRoleArnToAssume (and optionally alb.ingress.kubernetes.io/AssumeRoleExternalId) annotations, we assume it before interacting to it (actually, the assume role operation is cached).

In real life, I changed:

  • targetgroupbinding_validator
  • targetgroupbinding_mutator
  • target manager (which has RegisterTargets / DeregisterTargets / ListTargets

This way we can easily manipulate target groups from target group bindings for every single AWS account in the world, as long as there is a role we can assume. In order to prevent the confused deputy problem, external id is supported.

The way this was implemented was actually way simpler than initially imagined:

the service.elbv2Client object now supports a new method called AssumeRole which returns service.elbv2Client on the specified role. The catch is that if AssumeRole is called with a blank role, the object returns itself and life goes on.

In other words, every time we call some method from elbv2Client from something related to target groups, we also call AssumeRole and that's basically it.

Caching the assumed role was also trivial, a simple map that is stored on cloud.go

I decided to have cloud.go manage the caching becuase in the future it could assume role for other objects if needed and all the assume role logic would be in the same place.

The only unfortunate change that needed to be made is that aws.Cloud became services.Cloud else golang would complain about circular dependency :(

This is what the logs look like:


{"level":"info","ts":"2024-05-13T03:24:31Z","msg":"awsCloud","method":"GetAssumedRoleELBV2","AssumeRoleArn":"arn:aws:iam::7550XXXXXXXX:role/alb-controller-policy-to-impersonate","externalId":"XXXXXX"}
{"level":"info","ts":"2024-05-13T03:24:33Z","msg":"registering endpoints using the targetGroup's vpcID vpc-00XXXXXXXXXXXXXXX which is different from the cluster's vpcID vpc-04XXXXXXXXXXXXXXX"}
{"level":"info","ts":"2024-05-13T03:24:33Z","msg":"registering targets","arn":"arn:aws:elasticloadbalancing:us-east-1:7550XXXXXXXX:targetgroup/helloworld-8080-a8054/5741da332459b560","targets":[{"AvailabilityZone":"all","Id":"10.244.0.22","Port":8080}]}
{"level":"info","ts":"2024-05-13T03:24:34Z","msg":"registered targets","arn":"arn:aws:elasticloadbalancing:us-east-1:7550XXXXXXXX:targetgroup/helloworld-8080-a8054/5741da332459b560"}

Documentation and tests were properly updated in this PR

Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the docs directory)
  • Manually tested
  • Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

  • Backfilled missing tests for code in same general area 🎉
  • Refactored something and made the world a better place 🌟

image

A working amd64 container with this code is available here: marcosdiez/aws-load-balancer-controller:v2.7.2-m2

update: on 2024-09-26 I rebased the code. The new container image is marcosdiez/aws-load-balancer-controller:v2.8.3-m2

update: on 2024-10-28 I rebased the code again :(. The new container image is marcosdiez/aws-load-balancer-controller:v2.9.0-m1

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 13, 2024
@k8s-ci-robot
Copy link
Contributor

Hi @marcosdiez. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label May 13, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: marcosdiez
Once this PR has been reviewed and has the lgtm label, please assign johngmyers for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@marcosdiez marcosdiez changed the title [WIP] TargetGroupBindings can now manipulate target groups from different aws accounts TargetGroupBindings can now manipulate target groups from different aws accounts May 13, 2024
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 13, 2024
@marcosdiez
Copy link
Contributor Author

marcosdiez commented May 13, 2024
edited
Loading

@shraddhabang I believe my code is ready. Feel free to review at will! Thank you.

Also, if you don't want the CRDs to be changed, here:
126c9c8

they are untouched.

@marcosdiez marcosdiez mentioned this pull request May 13, 2024
Open
@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 13, 2024
@shraddhabang
Copy link
Collaborator

Thank you @marcosdiez for this PR. This looks excellent.
I will take a look and test it out. And would also ask our team to review it. Please note that we will have to go through our formal security process to review this. We will add this to our next minor release v2.9.0.
Please feel free to reach out to us.

@shraddhabang
Copy link
Collaborator

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels May 13, 2024
@marcosdiez marcosdiez force-pushed the CI-14222_manipulate_target_groups_from_different_aws_accounts_v3 branch from 70267e1 to bb3c617 Compare May 14, 2024 20:38
@oliviassss oliviassss added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label May 17, 2024
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 21, 2024
@marcosdiez marcosdiez force-pushed the CI-14222_manipulate_target_groups_from_different_aws_accounts_v3 branch from 7b5b35f to 85bbf7f Compare May 21, 2024 17:03
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 22, 2024
@yu-croco
Copy link

Hi @shraddhabang ,

We will add this to our next minor release v2.9.0

Could you please share us when the v2.9.0 would release? We are looking forward to this feature.

@yu-croco
Copy link

yu-croco commented Sep 6, 2024

Hi, @johngmyers @M00nF1sh @shraddhabang

We will add this to our next minor release v2.9.0.

Does anyone know the release schedule for v2.9.0 ?

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 24, 2024
@marcosdiez marcosdiez force-pushed the CI-14222_manipulate_target_groups_from_different_aws_accounts_v3 branch from 85bbf7f to 6025b73 Compare September 26, 2024 12:25
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 26, 2024
@marcosdiez
Copy link
Contributor Author

I just rebased and merged my code. There is also a container available here: marcosdiez/aws-load-balancer-controller:v2.8.3-m1

marcosdiez added a commit to marcosdiez/aws-alb-ingress-controller that referenced this pull request Sep 30, 2024
@marcosdiez
TargetGroupBindings can now manipulate target groups from different …
76593a9 
…aws accounts kubernetes-sigs#3691
@marcosdiez marcosdiez force-pushed the CI-14222_manipulate_target_groups_from_different_aws_accounts_v3 branch from 6025b73 to 76593a9 Compare September 30, 2024 07:59
@marcosdiez
Copy link
Contributor Author

marcosdiez commented Sep 30, 2024
edited
Loading

Small update: the old docker container was broken. Please use marcosdiez/aws-load-balancer-controller:v2.8.3-m2 instead (it was not taking ExternalID into consideration). The code has been rebased and updated again.

marcosdiez added a commit to marcosdiez/aws-alb-ingress-controller that referenced this pull request Oct 1, 2024
@marcosdiez
TargetGroupBindings can now manipulate target groups from different …
5011686 
…aws accounts kubernetes-sigs#3691
@marcosdiez marcosdiez force-pushed the CI-14222_manipulate_target_groups_from_different_aws_accounts_v3 branch from 76593a9 to 5011686 Compare October 1, 2024 09:41
@marcosdiez
Copy link
Contributor Author

/retest

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 12, 2024
@chkp-benzy
Copy link

Hey @marcosdiez, 10x for the great work

i tried your image (marcosdiez/aws-load-balancer-controller:v2.8.3-m2) and it works great :)
the targets were synced to the remote account ALB targetgroup :)

FYI, at first i didn't provided the necessary permissions and the pod crashed, with a good error message :)
i think that the error message is enough, it will be great if the pod wont crash :)

waiting for a Merge to main :)

marcosdiez added a commit to marcosdiez/aws-alb-ingress-controller that referenced this pull request Oct 28, 2024
@marcosdiez
TargetGroupBindings can now manipulate target groups from different a…
7add3d2 
…ws accounts kubernetes-sigs#3691
@marcosdiez marcosdiez force-pushed the CI-14222_manipulate_target_groups_from_different_aws_accounts_v3 branch from 5011686 to 7add3d2 Compare October 28, 2024 10:00
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 28, 2024
@marcosdiez
Copy link
Contributor Author

@shraddhabang any plans on merging this ? It took me 8 hours for this last rebase....

@roliverio
Copy link

@shraddhabang appreciate if you can speed up this merge/release. There's significant work done on it now.

@yardenws
Copy link

Awesome!
Waited for this for a very long time!

Please merge it ASAP🙏🏻

@k8s-ci-robot k8s-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Oct 30, 2024
@marcosdiez marcosdiez force-pushed the CI-14222_manipulate_target_groups_from_different_aws_accounts_v3 branch from d88997a to c27a354 Compare November 1, 2024 12:15
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 1, 2024
@abiloski
Copy link

abiloski commented Nov 4, 2024

This is great!!
Can you please approve and merge it 🙏🏻

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 22, 2024
@k8s-ci-robot
Copy link
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johngmyers johngmyers Awaiting requested review from johngmyers

@M00nF1sh M00nF1sh Awaiting requested review from M00nF1sh

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@marcosdiez @k8s-ci-robot @shraddhabang @yu-croco @chkp-benzy @roliverio @yardenws @abiloski @oliviassss