
Commit fe565f0

committed
fix sg rule generation for TCP_QUIC and legacy SG path
1 parent 6b8e85b commit fe565f0


2 files changed

+47
-2
lines changed


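--- a/pkg/service/model_build_target_group.go
+++ b/pkg/service/model_build_target_group.go
@@ -593,7 +593,14 @@ func (t *defaultModelBuildTask) buildTargetGroupBindingNetworkingLegacy(ctx cont
 trafficSource := loadBalancerSubnetCIDRs
 defaultRangeUsed := false
 var trafficPorts []elbv2api.NetworkingPort
-if tgProtocol == elbv2model.ProtocolUDP || t.preserveClientIP {
+
+/*
+https://docs.aws.amazon.com/elasticloadbalancing/latest/network/edit-target-group-attributes.html#client-ip-preservation
+By default, client IP preservation is enabled (and can't be disabled) for instance and IP type target groups with UDP and TCP_UDP protocols.
+However, you can enable or disable client IP preservation for TCP and TLS target groups using the preserve_client_ip.enabled target group attribute.
+*/
+
+if tgProtocol == elbv2model.ProtocolUDP || tgProtocol == elbv2model.ProtocolTCP_UDP || t.preserveClientIP {
 trafficSource = t.getLoadBalancerSourceRanges(ctx)
 if len(trafficSource) == 0 {
 trafficSource, err = t.getDefaultIPSourceRanges(ctx, targetGroupIPAddressType, tgProtocol, scheme)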
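Review bot: The widened condition on new line 603 adds `elbv2model.ProtocolTCP_UDP`, while the commit title says the fix is for TCP_QUIC; either the title is stale or the TCP_QUIC case lives in a hunk not shown here, and the two should be brought into agreement so the next reader does not go looking for a missing case. The new block comment would read better as `//` line comments, as is conventional inside a Go function body, and it should state what the branch does rather than only quote the AWS page, e.g. `// UDP and TCP_UDP target groups always preserve the client IP, and TCP/TLS do when preserveClientIP is set; the backend security group must then admit the client source ranges rather than only the load balancer subnets.` Because the fallback on line 606 replaces the subnet CIDRs with the default ranges (the updated test expects `0.0.0.0/0` for an internet-facing service), the comment should also say that the load balancer source ranges from `getLoadBalancerSourceRanges` are how an operator narrows that rule. buildTargetGroupBindingNetworkingLegacy starts and ends outside the hunk.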

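--- a/pkg/service/model_build_target_group_test.go
+++ b/pkg/service/model_build_target_group_test.go
@@ -1289,7 +1289,7 @@ func Test_defaultModelBuilderTask_buildTargetGroupBindingNetworkingLegacy(t *tes
 From: []elbv2modelk8s.NetworkingPeer{
 {
 IPBlock: &elbv2api.IPBlock{
-CIDR: "172.16.0.0/19",
+CIDR: "0.0.0.0/0",
 },
 },
 },
@@ -1322,6 +1322,44 @@ func Test_defaultModelBuilderTask_buildTargetGroupBindingNetworkingLegacy(t *tes
 },
 },
 },
+{
+name: "tcpudp-service with no source ranges configuration with same hc",
+svc: &corev1.Service{},
+tgPort: port80,
+hcPort: port80,
+scheme: elbv2.LoadBalancerSchemeInternetFacing,
+subnets: []ec2types.Subnet{
+{
+CidrBlock: aws.String("172.16.0.0/19"),
+SubnetId: aws.String("az-1"),
+},
+},
+tgProtocol: elbv2.ProtocolTCP_UDP,
+ipAddressType: elbv2.TargetGroupIPAddressTypeIPv4,
+want: &elbv2modelk8s.TargetGroupBindingNetworking{
+Ingress: []elbv2modelk8s.NetworkingIngressRule{
+{
+From: []elbv2modelk8s.NetworkingPeer{
+{
+IPBlock: &elbv2api.IPBlock{
+CIDR: "0.0.0.0/0",
+},
+},
+},
+Ports: []elbv2api.NetworkingPort{
+{
+Protocol: &networkingProtocolTCP,
+Port: &port80,
+},
+{
+Protocol: &networkingProtocolUDP,
+Port: &port80,
+},
+},
+},
+},
+},
+},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {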
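Review bot: The first hunk changes an existing case's expected CIDR from `172.16.0.0/19` to `0.0.0.0/0` (old line 1292), but that case's `name` field is outside the hunk, so it is not visible whether the name still describes the broadened expectation; if it still reads as a subnet-scoped case it should be renamed to say the default source range is expected. The new case added in the second hunk covers only TCP_UDP, IPv4 and an internet-facing scheme; the commit title mentions TCP_QUIC, yet no TCP_QUIC case is added here, and a companion case with `loadBalancerSourceRanges` set would pin that the user-supplied ranges, not `0.0.0.0/0`, win when present. Test_defaultModelBuilderTask_buildTargetGroupBindingNetworkingLegacy starts and ends outside both hunks.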
