Merge pull request #4273 from zac-nixon/znixon/refactor-missing-backends

k8s-ci-robot · web-flow · commit 2f5aed028432 · 2025-07-22T19:18:26.000-07:00
refactor how no backends are modeled in NLB / ALB Gateways
diff --git a/pkg/gateway/model/mock_tg_builder.go b/pkg/gateway/model/mock_tg_builder.go
@@ -0,0 +1,38 @@
+package model
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	elbv2gw "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/gateway/routeutils"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
+	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
+	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+type MockTargetGroupBuilder struct {
+	tgs      []*elbv2model.TargetGroup
+	buildErr error
+}
+
+func (m *MockTargetGroupBuilder) buildTargetGroup(stack core.Stack, gw *gwv1.Gateway, lbConfig elbv2gw.LoadBalancerConfiguration, lbIPType elbv2model.IPAddressType, routeDescriptor routeutils.RouteDescriptor, backend routeutils.Backend, backendSGIDToken core.StringToken) (*elbv2model.TargetGroup, error) {
+	var tg *elbv2model.TargetGroup
+
+	if len(m.tgs) > 0 {
+		tg = m.tgs[0]
+		m.tgs = m.tgs[1:]
+	}
+
+	return tg, m.buildErr
+}
+
+func (m *MockTargetGroupBuilder) buildTargetGroupSpec(gw *gwv1.Gateway, route routeutils.RouteDescriptor, lbConfig elbv2gw.LoadBalancerConfiguration, lbIPType elbv2model.IPAddressType, backend routeutils.Backend, targetGroupProps *elbv2gw.TargetGroupProps) (elbv2model.TargetGroupSpec, error) {
+	//TODO implement me
+	panic("implement me")
+}
+
+func (m *MockTargetGroupBuilder) buildTargetGroupBindingSpec(gw *gwv1.Gateway, tgProps *elbv2gw.TargetGroupProps, tgSpec elbv2model.TargetGroupSpec, nodeSelector *metav1.LabelSelector, backend routeutils.Backend, backendSGIDToken core.StringToken) elbv2model.TargetGroupBindingResourceSpec {
+	//TODO implement me
+	panic("implement me")
+}
+
+var _ targetGroupBuilder = &MockTargetGroupBuilder{}
diff --git a/pkg/gateway/model/model_build_listener.go b/pkg/gateway/model/model_build_listener.go
@@ -69,7 +69,7 @@ func (l listenerBuilderImpl) buildListeners(ctx context.Context, stack core.Stac
 
 			// build rules only for L7 gateways
 			if l.loadBalancerType == elbv2model.LoadBalancerTypeApplication {
-				if err := l.buildListenerRules(stack, ls, lb, securityGroups, gw, port, lbCfg, routes); err != nil {
+				if err := l.buildListenerRules(stack, ls, lb.Spec.IPAddressType, securityGroups, gw, port, lbCfg, routes); err != nil {
 					return err
 				}
 			}
@@ -167,6 +167,12 @@ func (l listenerBuilderImpl) buildL4ListenerSpec(ctx context.Context, stack core
 		return &elbv2model.ListenerSpec{}, errors.Errorf("multiple backend refs found for route %v for listener on port:protocol %v:%v for gateway %v , only one must be specified", routeDescriptor.GetRouteNamespacedName(), port, listenerSpec.Protocol, k8s.NamespacedName(gw))
 	}
 	backend := routeDescriptor.GetAttachedRules()[0].GetBackends()[0]
+
+	if backend.Weight == 0 {
+		l.logger.Info("Ignoring NLB backend with 0 weight.", "route", routeDescriptor.GetRouteNamespacedName())
+		return nil, nil
+	}
+
 	targetGroup, tgErr := l.tgBuilder.buildTargetGroup(stack, gw, lbCfg, lb.Spec.IPAddressType, routeDescriptor, backend, securityGroups.backendSecurityGroupToken)
 	if tgErr != nil {
 		return &elbv2model.ListenerSpec{}, tgErr
@@ -176,7 +182,7 @@ func (l listenerBuilderImpl) buildL4ListenerSpec(ctx context.Context, stack core
 }
 
 // this is only for L7 ALB
-func (l listenerBuilderImpl) buildListenerRules(stack core.Stack, ls *elbv2model.Listener, lb *elbv2model.LoadBalancer, securityGroups securityGroupOutput, gw *gwv1.Gateway, port int32, lbCfg elbv2gw.LoadBalancerConfiguration, routes map[int32][]routeutils.RouteDescriptor) error {
+func (l listenerBuilderImpl) buildListenerRules(stack core.Stack, ls *elbv2model.Listener, ipAddressType elbv2model.IPAddressType, securityGroups securityGroupOutput, gw *gwv1.Gateway, port int32, lbCfg elbv2gw.LoadBalancerConfiguration, routes map[int32][]routeutils.RouteDescriptor) error {
 	// sort all rules based on precedence
 	rulesWithPrecedenceOrder := routeutils.SortAllRulesByPrecedence(routes[port])
 
@@ -201,7 +207,7 @@ func (l listenerBuilderImpl) buildListenerRules(stack core.Stack, ls *elbv2model
 		}
 		targetGroupTuples := make([]elbv2model.TargetGroupTuple, 0, len(rule.GetBackends()))
 		for _, backend := range rule.GetBackends() {
-			targetGroup, tgErr := l.tgBuilder.buildTargetGroup(stack, gw, lbCfg, lb.Spec.IPAddressType, route, backend, securityGroups.backendSecurityGroupToken)
+			targetGroup, tgErr := l.tgBuilder.buildTargetGroup(stack, gw, lbCfg, ipAddressType, route, backend, securityGroups.backendSecurityGroupToken)
 			if tgErr != nil {
 				return tgErr
 			}
@@ -215,7 +221,7 @@ func (l listenerBuilderImpl) buildListenerRules(stack core.Stack, ls *elbv2model
 
 		var actions []elbv2model.Action
 
-		if len(targetGroupTuples) > 0 {
+		if shouldProvisionActions(targetGroupTuples) {
 			actions = buildL7ListenerForwardActions(targetGroupTuples, nil)
 		}
 
@@ -545,3 +551,16 @@ func newListenerBuilder(ctx context.Context, loadBalancerType elbv2model.LoadBal
 		logger:           logger,
 	}
 }
+
+// shouldProvisionActions -- determine if the given target groups are acceptable for ELB Actions.
+// The criteria -
+// 1/ One or more target groups are present.
+// 2/ At least one target group has a weight greater than zero.
+func shouldProvisionActions(targetGroups []elbv2model.TargetGroupTuple) bool {
+	for _, tg := range targetGroups {
+		if tg.Weight == nil || *tg.Weight != 0 {
+			return true
+		}
+	}
+	return false
+}
diff --git a/pkg/gateway/model/model_build_listener_test.go b/pkg/gateway/model/model_build_listener_test.go
@@ -2,11 +2,17 @@ package model
 
 import (
 	"context"
+	"fmt"
 	awssdk "github.com/aws/aws-sdk-go-v2/aws"
 	elbv2sdk "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2"
 	elbv2types "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types"
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	corev1 "k8s.io/api/core/v1"
 	"reflect"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/aws/services"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/gateway/routeutils"
+	coremodel "sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
 	"strings"
 	"testing"
@@ -16,7 +22,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
 	elbv2gw "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
-	certs "sigs.k8s.io/aws-load-balancer-controller/pkg/certs"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/certs"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
 	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
@@ -1083,3 +1089,191 @@ func Test_buildMutualAuthenticationAttributes(t *testing.T) {
 		})
 	}
 }
+
+func TestBuildListenerRules(t *testing.T) {
+	testCases := []struct {
+		name          string
+		sgOutput      securityGroupOutput
+		ipAddressType elbv2model.IPAddressType
+		port          int32
+		routes        map[int32][]routeutils.RouteDescriptor
+
+		expectedRules []*elbv2model.ListenerRuleSpec
+		expectedTags  map[string]string
+		tagErr        error
+	}{
+		{
+			name:          "no backends should result in 503 fixed response",
+			port:          80,
+			ipAddressType: elbv2model.IPAddressTypeIPV4,
+			sgOutput: securityGroupOutput{
+				backendSecurityGroupToken: coremodel.LiteralStringToken("sg-B"),
+			},
+			routes: map[int32][]routeutils.RouteDescriptor{
+				80: {
+					&routeutils.MockRoute{
+						Kind:      routeutils.HTTPRouteKind,
+						Name:      "my-route",
+						Namespace: "my-route-ns",
+						Rules: []routeutils.RouteRule{
+							&routeutils.MockRule{
+								RawRule: &gwv1.HTTPRouteRule{
+									Matches: []gwv1.HTTPRouteMatch{
+										{
+											Path: &gwv1.HTTPPathMatch{
+												Type:  (*gwv1.PathMatchType)(awssdk.String("PathPrefix")),
+												Value: awssdk.String("/"),
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedRules: []*elbv2model.ListenerRuleSpec{
+				{
+					Priority: 1,
+					Actions: []elbv2model.Action{
+						{
+							Type: "fixed-response",
+							FixedResponseConfig: &elbv2model.FixedResponseActionConfig{
+								ContentType: awssdk.String("text/plain"),
+								StatusCode:  "503",
+							},
+						},
+					},
+					Conditions: []elbv2model.RuleCondition{
+						{
+							Field: "path-pattern",
+							PathPatternConfig: &elbv2model.PathPatternConditionConfig{
+								Values: []string{"/*"},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:          "backends should result in forward action generated",
+			port:          80,
+			ipAddressType: elbv2model.IPAddressTypeIPV4,
+			sgOutput: securityGroupOutput{
+				backendSecurityGroupToken: coremodel.LiteralStringToken("sg-B"),
+			},
+			routes: map[int32][]routeutils.RouteDescriptor{
+				80: {
+					&routeutils.MockRoute{
+						Kind:      routeutils.HTTPRouteKind,
+						Name:      "my-route",
+						Namespace: "my-route-ns",
+						Rules: []routeutils.RouteRule{
+							&routeutils.MockRule{
+								RawRule: &gwv1.HTTPRouteRule{
+									Matches: []gwv1.HTTPRouteMatch{
+										{
+											Path: &gwv1.HTTPPathMatch{
+												Type:  (*gwv1.PathMatchType)(awssdk.String("PathPrefix")),
+												Value: awssdk.String("/"),
+											},
+										},
+									},
+								},
+								BackendRefs: []routeutils.Backend{
+									{
+										Service:     &corev1.Service{},
+										ServicePort: &corev1.ServicePort{Name: "svcport"},
+										Weight:      1,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedRules: []*elbv2model.ListenerRuleSpec{
+				{
+					Priority: 1,
+					Actions: []elbv2model.Action{
+						{
+							Type: "forward",
+							ForwardConfig: &elbv2model.ForwardActionConfig{
+								// cmp can't compare the TG ARN, so don't inject it.
+								TargetGroups: []elbv2model.TargetGroupTuple{
+									{
+										Weight: awssdk.Int32(1),
+									},
+								},
+							},
+						},
+					},
+					Conditions: []elbv2model.RuleCondition{
+						{
+							Field: "path-pattern",
+							PathPatternConfig: &elbv2model.PathPatternConditionConfig{
+								Values: []string{"/*"},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			stack := coremodel.NewDefaultStack(coremodel.StackID{Namespace: "namespace", Name: "name"})
+			mockTagger := &mockTagHelper{
+				tags: tc.expectedTags,
+				err:  tc.tagErr,
+			}
+
+			mockTgBuilder := &MockTargetGroupBuilder{
+				tgs: []*elbv2model.TargetGroup{
+					{
+						ResourceMeta: coremodel.NewResourceMeta(stack, "AWS::ElasticLoadBalancingV2::TargetGroup", "id-1"),
+					},
+				},
+			}
+
+			builder := &listenerBuilderImpl{
+				tagHelper: mockTagger,
+				tgBuilder: mockTgBuilder,
+			}
+
+			err := builder.buildListenerRules(stack, &elbv2model.Listener{}, tc.ipAddressType, tc.sgOutput, &gwv1.Gateway{}, tc.port, elbv2gw.LoadBalancerConfiguration{}, tc.routes)
+			assert.NoError(t, err)
+
+			var resLRs []*elbv2model.ListenerRule
+			assert.NoError(t, stack.ListResources(&resLRs))
+
+			assert.Equal(t, len(tc.expectedRules), len(resLRs))
+
+			// cmp absolutely barfs trying to validate the TargetGroupARN due to stack id semantics
+			opt := cmp.Options{
+				cmpopts.IgnoreFields(elbv2model.TargetGroupTuple{}, "TargetGroupARN"),
+			}
+
+			processedSet := make(map[*elbv2model.ListenerRule]bool)
+			for _, elr := range tc.expectedRules {
+				for _, alr := range resLRs {
+					conditionsEqual := cmp.Equal(elr.Conditions, alr.Spec.Conditions)
+					actionsEqual := cmp.Equal(elr.Actions, alr.Spec.Actions, opt)
+					priorityEqual := elr.Priority == alr.Spec.Priority
+					fmt.Printf("%+v,%+v,%+v\n", conditionsEqual, actionsEqual, priorityEqual)
+					if conditionsEqual && actionsEqual && priorityEqual {
+						processedSet[alr] = true
+						break
+					}
+				}
+			}
+
+			assert.Equal(t, len(tc.expectedRules), len(processedSet))
+
+			for _, lr := range resLRs {
+				assert.Equal(t, tc.expectedTags, lr.Spec.Tags)
+			}
+		})
+	}
+}
diff --git a/pkg/gateway/routeutils/backend.go b/pkg/gateway/routeutils/backend.go
@@ -18,6 +18,7 @@ import (
 const (
 	serviceKind             = "Service"
 	referenceGrantNotExists = "No explicit ReferenceGrant exists to allow the reference."
+	maxWeight               = 999
 )
 
 var (
@@ -91,10 +92,6 @@ func commonBackendLoader(ctx context.Context, k8sClient client.Client, typeSpeci
 		return nil, wrapError(errors.Errorf("%s", initialErrorMessage), gwv1.GatewayReasonListenersNotValid, gwv1.RouteReasonInvalidKind, &wrappedGatewayErrorMessage, nil), nil
 	}
 
-	if backendRef.Weight != nil && *backendRef.Weight == 0 {
-		return nil, nil, nil
-	}
-
 	if backendRef.Port == nil {
 		initialErrorMessage := "Port is required"
 		wrappedGatewayErrorMessage := generateInvalidMessageWithRouteDetails(initialErrorMessage, routeKind, routeIdentifier)
@@ -217,6 +214,10 @@ func commonBackendLoader(ctx context.Context, k8sClient client.Client, typeSpeci
 	if backendRef.Weight != nil {
 		weight = int(*backendRef.Weight)
 	}
+
+	if weight > maxWeight {
+		return nil, nil, errors.Errorf("Weight [%d] must be less than or equal to %d", weight, maxWeight)
+	}
 	return &Backend{
 		Service:               svc,
 		ServicePort:           servicePort,
diff --git a/pkg/gateway/routeutils/backend_test.go b/pkg/gateway/routeutils/backend_test.go
diff --git a/pkg/gateway/routeutils/mock_route.go b/pkg/gateway/routeutils/mock_route.go
