[bug fix] handle ram shared VPCs for cross account tgb

Author: zac-nixon

pkg/targetgroupbinding/resource_manager.go

@@ -3,8 +3,10 @@ package targetgroupbinding
 import (
 	"context"
 	"fmt"
+	"k8s.io/apimachinery/pkg/util/cache"
 	"net/netip"
 	lbcmetrics "sigs.k8s.io/aws-load-balancer-controller/pkg/metrics/lbc"
+	"sync"
 	"time"
 
 	elbv2types "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types"
@@ -28,7 +30,10 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-const defaultRequeueDuration = 15 * time.Second
+const (
+	defaultRequeueDuration = 15 * time.Second
+	invalidVPCTTL          = 60 * time.Minute
+)
 
 // ResourceManager manages the TargetGroupBinding resource.
 type ResourceManager interface {
@@ -64,6 +69,9 @@ func NewDefaultResourceManager(k8sClient client.Client, elbv2Client services.ELB
 		multiClusterManager: multiClusterManager,
 		metricsCollector:    metricsCollector,
 
+		invalidVpcCache:    cache.NewExpiring(),
+		invalidVpcCacheTTL: defaultTargetsCacheTTL,
+
 		requeueDuration: defaultRequeueDuration,
 	}
 }
@@ -84,6 +92,10 @@ type defaultResourceManager struct {
 	metricsCollector    lbcmetrics.MetricCollector
 	vpcID               string
 
+	invalidVpcCache      *cache.Expiring
+	invalidVpcCacheTTL   time.Duration
+	invalidVpcCacheMutex sync.RWMutex
+
 	requeueDuration time.Duration
 }
 
@@ -550,29 +562,10 @@ func (m *defaultResourceManager) registerPodEndpoints(ctx context.Context, tgb *
 			"registering endpoints using the targetGroup's vpcID %s which is different from the cluster's vpcID %s", tgb.Spec.VpcID, m.vpcID))
 	}
 
-	var overrideAzFn func(addr netip.Addr) bool
-	if tgb.Spec.IamRoleArnToAssume != "" {
-		// If we're interacting with another account, then we should always be setting "all" AZ to allow this
-		// target to get registered by the ELB API.
-		overrideAzFn = func(_ netip.Addr) bool {
-			return true
-		}
-	} else {
-		vpcInfo, err := m.vpcInfoProvider.FetchVPCInfo(ctx, vpcID)
-		if err != nil {
-			return err
-		}
-		var vpcRawCIDRs []string
-		vpcRawCIDRs = append(vpcRawCIDRs, vpcInfo.AssociatedIPv4CIDRs()...)
-		vpcRawCIDRs = append(vpcRawCIDRs, vpcInfo.AssociatedIPv6CIDRs()...)
-		vpcCIDRs, err := networking.ParseCIDRs(vpcRawCIDRs)
-		if err != nil {
-			return err
-		}
-		// If the pod ip resides out of all the VPC CIDRs, then the only way to force the ELB API is to use "all" AZ.
-		overrideAzFn = func(addr netip.Addr) bool {
-			return !networking.IsIPWithinCIDRs(addr, vpcCIDRs)
-		}
+	overrideAzFn, err := m.generateOverrideAzFn(ctx, vpcID, tgb.Spec.IamRoleArnToAssume)
+
+	if err != nil {
+		return err
 	}
 
 	sdkTargets, err := m.prepareRegistrationCall(endpoints, overrideAzFn)
@@ -626,6 +619,66 @@ func (m *defaultResourceManager) updateTGBCheckPoint(ctx context.Context, tgb *e
 	return nil
 }
 
+func (m *defaultResourceManager) generateOverrideAzFn(ctx context.Context, vpcID string, assumeRole string) (func(addr netip.Addr) bool, error) {
+	// Cross-Account is configured by assuming a role.
+	usingCrossAccount := assumeRole != ""
+
+	// We need to cache the vpc response for the various assume roles.
+	// There are two cases to consider when using assuming a role:
+	// 1. Using a peered VPC connection to provide connectivity among accounts.
+	// 2. Using RAM shared subnet(s) to provide connectivity among accounts.
+	// We need to handle the case where the user is potentially using the same VPC in the peered context
+	// as well as the RAM shared context.
+	// Using peered VPC connection, we will always need to override the AZ.
+	// Using a RAM shared subnet / VPC means that we follow the standard logic of checking the pod ip against the VPC CIDRs.
+
+	invalidVPCCacheKey := fmt.Sprintf("%s-%s", assumeRole, vpcID)
+
+	if usingCrossAccount {
+		// Prevent spamming EC2 with requests.
+		// We can use the cached result for this VPC ID given for the current assume role ARN
+		m.invalidVpcCacheMutex.RLock()
+		_, invalidVPC := m.invalidVpcCache.Get(invalidVPCCacheKey)
+		m.invalidVpcCacheMutex.RUnlock()
+
+		// In this case, we already received that this VPC was invalid, we can shortcut the EC2 call and just override the AZ.
+		if invalidVPC {
+			return func(addr netip.Addr) bool {
+				return true
+			}, nil
+		}
+	}
+
+	vpcInfo, err := m.vpcInfoProvider.FetchVPCInfo(ctx, vpcID)
+	if err != nil {
+		// A VPC Not Found Error along with cross-account usage means that the VPC either, is not shared with the assume
+		// role account OR this falls into case (1) from above where the VPC is just peered but not shared with RAM.
+		// As we can't differentiate if RAM sharing wasn't set up correctly OR the VPC is set up via peering, we will
+		// just default to assume that the VPC is peered but not shared.
+		if isVPCNotFoundError(err) && usingCrossAccount {
+			m.invalidVpcCacheMutex.Lock()
+			m.invalidVpcCache.Set(invalidVPCCacheKey, true, m.invalidVpcCacheTTL)
+			m.invalidVpcCacheMutex.Unlock()
+			return func(addr netip.Addr) bool {
+				return true
+			}, nil
+		}
+		return nil, err
+	}
+	var vpcRawCIDRs []string
+	vpcRawCIDRs = append(vpcRawCIDRs, vpcInfo.AssociatedIPv4CIDRs()...)
+	vpcRawCIDRs = append(vpcRawCIDRs, vpcInfo.AssociatedIPv6CIDRs()...)
+	vpcCIDRs, err := networking.ParseCIDRs(vpcRawCIDRs)
+	if err != nil {
+		return nil, err
+	}
+	// By getting here, we have a valid VPC for whatever credential was used. We return "true" in the function below
+	// when the pod ip falls outside the VPCs configured CIDRs, other we return "false" to ensure that the "all" is NOT injected.
+	return func(addr netip.Addr) bool {
+		return !networking.IsIPWithinCIDRs(addr, vpcCIDRs)
+	}, nil
+}
+
 type podEndpointAndTargetPair struct {
 	endpoint backend.PodEndpoint
 	target   TargetInfo
@@ -747,3 +800,12 @@ func isELBV2TargetGroupARNInvalidError(err error) bool {
 	}
 	return false
 }
+
+func isVPCNotFoundError(err error) bool {
+	var apiErr smithy.APIError
+	if errors.As(err, &apiErr) {
+		code := apiErr.ErrorCode()
+		return code == "InvalidVpcID.NotFound"
+	}
+	return false
+}

pkg/targetgroupbinding/resource_manager_test.go

@@ -2,9 +2,16 @@ package targetgroupbinding
 
 import (
 	"context"
+	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
 	elbv2types "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types"
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/smithy-go"
+	"github.com/golang/mock/gomock"
+	"k8s.io/apimachinery/pkg/util/cache"
+	"net/netip"
 	elbv2api "sigs.k8s.io/aws-load-balancer-controller/apis/elbv2/v1beta1"
 	lbcmetrics "sigs.k8s.io/aws-load-balancer-controller/pkg/metrics/lbc"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
 	"testing"
 
 	awssdk "github.com/aws/aws-sdk-go-v2/aws"
@@ -481,3 +488,217 @@ func Test_containsTargetsInInitialState(t *testing.T) {
 		})
 	}
 }
+
+func Test_defaultResourceManager_GenerateOverrideAzFn(t *testing.T) {
+
+	vpcId := "foo"
+
+	type ipTestCase struct {
+		ip     netip.Addr
+		result bool
+	}
+
+	testCases := []struct {
+		name         string
+		vpcInfoCalls int
+		assumeRole   string
+		vpcInfo      networking.VPCInfo
+		vpcInfoError error
+		ipTestCases  []ipTestCase
+		expectErr    bool
+	}{
+		{
+			name:         "standard case ipv4",
+			vpcInfoCalls: 1,
+			vpcInfo: networking.VPCInfo{
+				CidrBlockAssociationSet: []ec2types.VpcCidrBlockAssociation{
+					{
+						CidrBlock: aws.String("127.0.0.0/24"),
+						CidrBlockState: &ec2types.VpcCidrBlockState{
+							State: ec2types.VpcCidrBlockStateCodeAssociated,
+						},
+					},
+				},
+			},
+			ipTestCases: []ipTestCase{
+				{
+					ip:     netip.MustParseAddr("172.0.0.0"),
+					result: true,
+				},
+				{
+					ip:     netip.MustParseAddr("127.0.0.1"),
+					result: false,
+				},
+				{
+					ip:     netip.MustParseAddr("127.0.0.2"),
+					result: false,
+				},
+			},
+		},
+		{
+			name:         "standard case ipv6",
+			vpcInfoCalls: 1,
+			vpcInfo: networking.VPCInfo{
+				Ipv6CidrBlockAssociationSet: []ec2types.VpcIpv6CidrBlockAssociation{
+					{
+						Ipv6CidrBlock: aws.String("2001:db8::/32"),
+						Ipv6CidrBlockState: &ec2types.VpcCidrBlockState{
+							State: ec2types.VpcCidrBlockStateCodeAssociated,
+						},
+					},
+				},
+			},
+			ipTestCases: []ipTestCase{
+				{
+					ip:     netip.MustParseAddr("5001:db8:ffff:ffff:ffff:ffff:ffff:ffff"),
+					result: true,
+				},
+				{
+					ip:     netip.MustParseAddr("2001:db8:0:0:0:0:0:0"),
+					result: false,
+				},
+				{
+					ip:     netip.MustParseAddr("2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"),
+					result: false,
+				},
+			},
+		},
+		{
+			name:         "assume role case ram shared vpc ipv4",
+			vpcInfoCalls: 1,
+			assumeRole:   "foo",
+			vpcInfo: networking.VPCInfo{
+				CidrBlockAssociationSet: []ec2types.VpcCidrBlockAssociation{
+					{
+						CidrBlock: aws.String("127.0.0.0/24"),
+						CidrBlockState: &ec2types.VpcCidrBlockState{
+							State: ec2types.VpcCidrBlockStateCodeAssociated,
+						},
+					},
+				},
+			},
+			ipTestCases: []ipTestCase{
+				{
+					ip:     netip.MustParseAddr("172.0.0.0"),
+					result: true,
+				},
+				{
+					ip:     netip.MustParseAddr("127.0.0.1"),
+					result: false,
+				},
+				{
+					ip:     netip.MustParseAddr("127.0.0.2"),
+					result: false,
+				},
+			},
+		},
+		{
+			name:         "assume role ram shared vpc case ipv6",
+			vpcInfoCalls: 1,
+			assumeRole:   "foo",
+			vpcInfo: networking.VPCInfo{
+				Ipv6CidrBlockAssociationSet: []ec2types.VpcIpv6CidrBlockAssociation{
+					{
+						Ipv6CidrBlock: aws.String("2001:db8::/32"),
+						Ipv6CidrBlockState: &ec2types.VpcCidrBlockState{
+							State: ec2types.VpcCidrBlockStateCodeAssociated,
+						},
+					},
+				},
+			},
+			ipTestCases: []ipTestCase{
+				{
+					ip:     netip.MustParseAddr("5001:db8:ffff:ffff:ffff:ffff:ffff:ffff"),
+					result: true,
+				},
+				{
+					ip:     netip.MustParseAddr("2001:db8:0:0:0:0:0:0"),
+					result: false,
+				},
+				{
+					ip:     netip.MustParseAddr("2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"),
+					result: false,
+				},
+			},
+		},
+		{
+			name:         "assume role case peered vpc ipv4",
+			vpcInfoCalls: 1,
+			assumeRole:   "foo",
+			vpcInfoError: &smithy.GenericAPIError{Code: "InvalidVpcID.NotFound", Message: ""},
+			ipTestCases: []ipTestCase{
+				{
+					ip:     netip.MustParseAddr("172.0.0.0"),
+					result: true,
+				},
+				{
+					ip:     netip.MustParseAddr("127.0.0.1"),
+					result: true,
+				},
+				{
+					ip:     netip.MustParseAddr("127.0.0.2"),
+					result: true,
+				},
+			},
+		},
+		{
+			name:         "assume role peered vpc case ipv6",
+			vpcInfoCalls: 1,
+			assumeRole:   "foo",
+			vpcInfoError: &smithy.GenericAPIError{Code: "InvalidVpcID.NotFound", Message: ""},
+			ipTestCases: []ipTestCase{
+				{
+					ip:     netip.MustParseAddr("5001:db8:ffff:ffff:ffff:ffff:ffff:ffff"),
+					result: true,
+				},
+				{
+					ip:     netip.MustParseAddr("2001:db8:0:0:0:0:0:0"),
+					result: true,
+				},
+				{
+					ip:     netip.MustParseAddr("2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"),
+					result: true,
+				},
+			},
+		},
+		{
+			name:         "not found error from vpc info should be propagated when not using assume role",
+			vpcInfoCalls: 1,
+			vpcInfoError: &smithy.GenericAPIError{Code: "InvalidVpcID.NotFound", Message: ""},
+			expectErr:    true,
+		},
+		{
+			name:         "assume role case peered vpc other error should get propagated",
+			vpcInfoCalls: 1,
+			assumeRole:   "foo",
+			vpcInfoError: &smithy.GenericAPIError{Code: "other error", Message: ""},
+			expectErr:    true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+			vpcInfoProvider := networking.NewMockVPCInfoProvider(ctrl)
+			vpcInfoProvider.EXPECT().FetchVPCInfo(gomock.Any(), gomock.Any(), gomock.Any()).Return(tc.vpcInfo, tc.vpcInfoError).Times(tc.vpcInfoCalls)
+			m := &defaultResourceManager{
+				logger:          logr.New(&log.NullLogSink{}),
+				invalidVpcCache: cache.NewExpiring(),
+				vpcInfoProvider: vpcInfoProvider,
+			}
+
+			returnedFn, err := m.generateOverrideAzFn(context.Background(), vpcId, tc.assumeRole)
+
+			if tc.expectErr {
+				assert.Error(t, err)
+				return
+			}
+
+			assert.NoError(t, err)
+			for _, iptc := range tc.ipTestCases {
+				assert.Equal(t, iptc.result, returnedFn(iptc.ip), iptc.ip)
+			}
+		})
+	}
+}