Add subnets field to IngressClassParams (kubernetes-sigs#2945)

* Add subnets field to IngressClassParams * Add validating webhook for SubnetSpecs * Update documentation * make crds * Update Helm chart
adammw · Nov 9, 2023 · 3842977 · 3842977
1 parent 81afb9c
commit 3842977
Show file tree

Hide file tree

Showing 17 changed files with 1,272 additions and 250 deletions.
diff --git a/apis/elbv2/v1beta1/ingressclassparams_types.go b/apis/elbv2/v1beta1/ingressclassparams_types.go
@@ -41,6 +41,25 @@ const (
 	LoadBalancerSchemeInternetFacing LoadBalancerScheme = "internet-facing"
 )
 
+// SubnetID specifies a subnet ID.
+// +kubebuilder:validation:Pattern=subnet-[0-9a-f]+
+type SubnetID string
+
+// SubnetSelector selects one or more existing subnets.
+type SubnetSelector struct {
+	// IDs specify the resource IDs of subnets. Exactly one of this or `tags` must be specified.
+	// +kubebuilder:validation:MinItems=1
+	// +optional
+	IDs []SubnetID `json:"ids,omitempty"`
+
+	// Tags specifies subnets in the load balancer's VPC where each
+	// tag specified in the map key contains one of the values in the corresponding
+	// value list.
+	// Exactly one of this or `ids` must be specified.
+	// +optional
+	Tags map[string][]string `json:"tags,omitempty"`
+}
+
 // IngressGroup defines IngressGroup configuration.
 type IngressGroup struct {
 	// Name is the name of IngressGroup.
@@ -80,6 +99,10 @@ type IngressClassParamsSpec struct {
 	// +optional
 	Scheme *LoadBalancerScheme `json:"scheme,omitempty"`
 
+	// Subnets defines the subnets for all Ingresses that belong to IngressClass with this IngressClassParams.
+	// +optional
+	Subnets *SubnetSelector `json:"subnets,omitempty"`
+
 	// IPAddressType defines the ip address type for all Ingresses that belong to IngressClass with this IngressClassParams.
 	// +optional
 	IPAddressType *IPAddressType `json:"ipAddressType,omitempty"`

diff --git a/apis/elbv2/v1beta1/zz_generated.deepcopy.go b/apis/elbv2/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/elbv2.k8s.aws_ingressclassparams.yaml b/config/crd/bases/elbv2.k8s.aws_ingressclassparams.yaml
@@ -140,6 +140,30 @@ spec:
                 - internal
                 - internet-facing
                 type: string
+              subnets:
+                description: Subnets defines the subnets for all Ingresses that belong
+                  to IngressClass with this IngressClassParams.
+                properties:
+                  ids:
+                    description: IDs specify the resource IDs of subnets. Exactly
+                      one of this or `tags` must be specified.
+                    items:
+                      description: SubnetID specifies a subnet ID.
+                      pattern: subnet-[0-9a-f]+
+                      type: string
+                    minItems: 1
+                    type: array
+                  tags:
+                    additionalProperties:
+                      items:
+                        type: string
+                      type: array
+                    description: Tags specifies subnets in the load balancer's VPC
+                      where each tag specified in the map key contains one of the
+                      values in the corresponding value list. Exactly one of this
+                      or `ids` must be specified.
+                    type: object
+                type: object
               tags:
                 description: Tags defines list of Tags on AWS resources provisioned
                   for Ingresses that belong to IngressClass with this IngressClassParams.

diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -50,6 +51,26 @@ metadata:
   creationTimestamp: null
   name: webhook
 webhooks:
+  - admissionReviewVersions:
+      - v1beta1
+    clientConfig:
+      service:
+        name: webhook-service
+        namespace: system
+        path: /validate-elbv2-k8s-aws-v1beta1-ingressclassparams
+    failurePolicy: Fail
+    name: vingressclassparams.elbv2.k8s.aws
+    rules:
+      - apiGroups:
+          - elbv2.k8s.aws
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - ingressclassparams
+    sideEffects: None
   - admissionReviewVersions:
       - v1beta1
     clientConfig:

diff --git a/docs/guide/ingress/ingress_class.md b/docs/guide/ingress/ingress_class.md
@@ -135,6 +135,24 @@ Cluster administrators can use the `scheme` field to restrict the scheme for all
 1. If `scheme` specified, all Ingresses with this IngressClass will have the specified scheme.
 2. If `scheme` un-specified, Ingresses with this IngressClass can continue to use `alb.ingress.kubernetes.io/scheme annotation` to specify scheme.
 
+#### spec.subnets
+
+Cluster administrators can use the optional `subnets` field to specify the subnets for the load balancers that belong to this IngressClass.
+They may specify either `ids` or `tags`. If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/subnets annotation` annotation.
+
+##### spec.subnets.ids
+
+If `ids` is specified, it must be a set of at least one resource ID of a subnet in the VPC. No two subnets may be in the same availability zone.
+
+##### spec.subnets.tags
+
+If `tags` is specified, it is a map of tag filters. The filters will match subnets in the VPC for which
+each listed tag key is present and has one of the corresponding tag values.
+
+Unless the `SubnetsClusterTagCheck` feature gate is disabled, subnets without a cluster tag and with the cluster tag for another cluster will be excluded.
+
+Within any given availability zone, subnets with a cluster tag will be chosen over subnets without, then the subnet with the lowest-sorting resource ID will be chosen.
+
 #### spec.ipAddressType
 
 `ipAddressType` is an optional setting. The available options are `ipv4` or `dualstack`.