fix: update ingress status only if the load balancer is active (#748)

As per the existing behavior, once the stack update completes, the
ingress controller immediately updates the status of all ingresses and
routegroups to reference the new load balancer. This update may
sometimes happens before the new load balancer has marked its targets
(for example skipper-ingress) as healthy, leading clients being routed to a load
balancer that is not ready to serve traffic yet.

To improve this behavior we retrieve the ELBs via AWS API and build the
models including the ELB states of the corresponding ELBs. Then before
updating the ingresses/routegroups (updateIngress func) we check whether
the ELB is in active state, if not we skip updating the
ingresses/routegroups status with the ELB hostname.

---------

Signed-off-by: Thilina Madumal <thilina.madumal@zalando.de>

Author: madumalt

.github/workflows/ci.yaml

@@ -13,6 +13,8 @@ jobs:
     - run: go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
     - run: make test
     - run: make lint
+    - run: grep -Ev "zalando-incubator/kube-ingress-aws-controller/(certs|aws)/fake/" profile.cov > tmp.profile.cov
+    - run: mv tmp.profile.cov profile.cov
     - run: goveralls -coverprofile=profile.cov -service=github
       env:
         COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -36,3 +36,4 @@ Dockerfile.upstream
 profile.cov
 
 .idea/
+.vscode/

aws/adapter.go

@@ -660,6 +660,42 @@ func (a *Adapter) FindManagedStacks(ctx context.Context) ([]*Stack, error) {
 	return stacks, nil
 }
 
+// GetStackLBStates returns the list of load balancers of the managed stacks.
+// While implementing this method it was taken that each stack has its own load
+// balancer and never refer to the same load balancer from multiple stacks.
+//
+// If a stack does not have a load balancer ARN it will be returned with a nil
+// LBState field.
+func (a *Adapter) GetStackLBStates(ctx context.Context, stacks []*Stack) ([]*StackLBState, error) {
+
+	lbARNs := make([]string, 0, len(stacks))
+	for _, stack := range stacks {
+		if stack.LoadBalancerARN == "" {
+			continue
+		}
+		lbARNs = append(lbARNs, stack.LoadBalancerARN)
+	}
+
+	lbsMap, err := getLoadBalancerStates(ctx, a.elbv2, lbARNs)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get load balancer states: %w", err)
+	}
+
+	stackLBStates := make([]*StackLBState, 0, len(stacks))
+	for _, stack := range stacks {
+		lbstate, found := lbsMap[stack.LoadBalancerARN]
+		if !found {
+			log.Warnf("The load balancer (ARN: %q) of %q stack is not found", stack.LoadBalancerARN, stack.Name)
+		}
+		stackELB := &StackLBState{
+			Stack:   stack,
+			LBState: lbstate,
+		}
+		stackLBStates = append(stackLBStates, stackELB)
+	}
+	return stackLBStates, nil
+}
+
 // UpdateTargetGroupsAndAutoScalingGroups updates Auto Scaling Groups
 // config to have relevant Target Groups and registers/deregisters single
 // instances (that do not belong to ASG) in relevant Target Groups.

aws/adapter_test.go

@@ -1028,3 +1028,138 @@ func TestWithTargetAccessMode(t *testing.T) {
 		assert.False(t, a.TargetCNI.Enabled)
 	})
 }
+
+func TestGetStackLBStates(t *testing.T) {
+	tests := []struct {
+		name                  string
+		elbv2Outputs          fake.ELBv2Outputs
+		stacks                []*Stack
+		expectedStackLBStates []*StackLBState
+		expectError           bool
+	}{
+		{
+			name: "success - matching ELBs",
+			elbv2Outputs: fake.ELBv2Outputs{
+				DescribeLoadBalancers: fake.R(&elbv2.DescribeLoadBalancersOutput{
+					LoadBalancers: []elbv2Types.LoadBalancer{
+						{
+							LoadBalancerArn: aws.String("arn1"),
+							State:           &elbv2Types.LoadBalancerState{Code: elbv2Types.LoadBalancerStateEnumActive},
+						},
+						{
+							LoadBalancerArn: aws.String("arn2"),
+							State:           &elbv2Types.LoadBalancerState{Code: elbv2Types.LoadBalancerStateEnumFailed},
+						},
+					},
+				}, nil),
+			},
+			stacks: []*Stack{
+				{Name: "stack1", LoadBalancerARN: "arn1"},
+				{Name: "stack2", LoadBalancerARN: "arn2"},
+			},
+			expectedStackLBStates: []*StackLBState{
+				{
+					Stack:   &Stack{Name: "stack1", LoadBalancerARN: "arn1"},
+					LBState: &LoadBalancerState{StateCode: elbv2Types.LoadBalancerStateEnumActive},
+				},
+				{
+					Stack:   &Stack{Name: "stack2", LoadBalancerARN: "arn2"},
+					LBState: &LoadBalancerState{StateCode: elbv2Types.LoadBalancerStateEnumFailed},
+				},
+			},
+			expectError: false,
+		},
+		{
+			name: "success - no matching ELB found for one of the stacks",
+			elbv2Outputs: fake.ELBv2Outputs{
+				DescribeLoadBalancers: fake.R(&elbv2.DescribeLoadBalancersOutput{
+					LoadBalancers: []elbv2Types.LoadBalancer{
+						{
+							LoadBalancerArn: aws.String("arn1"),
+							State:           &elbv2Types.LoadBalancerState{Code: elbv2Types.LoadBalancerStateEnumActive},
+						},
+					},
+				}, nil),
+			},
+			stacks: []*Stack{
+				{Name: "stack1", LoadBalancerARN: "arn1"},
+				{Name: "stack2", LoadBalancerARN: "arn2"},
+			},
+			expectedStackLBStates: []*StackLBState{
+				{
+					Stack:   &Stack{Name: "stack1", LoadBalancerARN: "arn1"},
+					LBState: &LoadBalancerState{StateCode: elbv2Types.LoadBalancerStateEnumActive},
+				},
+				{
+					Stack:   &Stack{Name: "stack2", LoadBalancerARN: "arn2"},
+					LBState: nil, // No matching ELB found for stack2
+				},
+			},
+			expectError: false,
+		},
+		{
+			name: "error - DescribeLoadBalancers API failure",
+			elbv2Outputs: fake.ELBv2Outputs{
+				DescribeLoadBalancers: fake.R(nil, fmt.Errorf("API error")),
+			},
+			stacks:                []*Stack{{Name: "stack1", LoadBalancerARN: "arn1"}},
+			expectedStackLBStates: nil,
+			expectError:           true,
+		},
+		{
+			name: "success - no LB arn in some stacks",
+			elbv2Outputs: fake.ELBv2Outputs{
+				DescribeLoadBalancers: fake.R(&elbv2.DescribeLoadBalancersOutput{
+					LoadBalancers: []elbv2Types.LoadBalancer{
+						{
+							LoadBalancerArn: aws.String("arn1"),
+							State:           &elbv2Types.LoadBalancerState{Code: elbv2Types.LoadBalancerStateEnumActive},
+						},
+					},
+				}, nil),
+			},
+			stacks: []*Stack{
+				{Name: "stack1", LoadBalancerARN: "arn1"},
+				{Name: "stack2"},
+			},
+			expectedStackLBStates: []*StackLBState{
+				{
+					Stack:   &Stack{Name: "stack1", LoadBalancerARN: "arn1"},
+					LBState: &LoadBalancerState{StateCode: elbv2Types.LoadBalancerStateEnumActive},
+				},
+				{
+					Stack:   &Stack{Name: "stack2"},
+					LBState: nil, // No LoadBalancerARN provided for stack2
+				},
+			},
+			expectError: false,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			a := &Adapter{
+				elbv2: &fake.ELBv2Client{
+					Outputs: test.elbv2Outputs,
+				},
+			}
+
+			stackLBStates, err := a.GetStackLBStates(context.Background(), test.stacks)
+
+			if test.expectError {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				require.Len(t, stackLBStates, len(test.expectedStackLBStates))
+				for i, expected := range test.expectedStackLBStates {
+					require.Equal(t, expected.Stack, stackLBStates[i].Stack)
+					if expected.LBState == nil {
+						require.Nil(t, stackLBStates[i].LBState)
+					} else {
+						require.Equal(t, expected.LBState.StateCode, stackLBStates[i].LBState.StateCode)
+					}
+				}
+			}
+		})
+	}
+}

aws/cf.go

@@ -24,6 +24,7 @@ type Stack struct {
 	Name              string
 	status            types.StackStatus
 	statusReason      string
+	LoadBalancerARN   string
 	DNSName           string
 	Scheme            string
 	SecurityGroup     string
@@ -105,6 +106,10 @@ func newStackOutput(outputs []types.Output) stackOutput {
 	return result
 }
 
+func (o stackOutput) loadBalancerARN() string {
+	return o[outputLoadBalancerARN]
+}
+
 func (o stackOutput) dnsName() string {
 	return o[outputLoadBalancerDNSName]
 }
@@ -131,6 +136,7 @@ func convertStackParameters(parameters []types.Parameter) map[string]string {
 
 const (
 	// The following constants should be part of the Output section of the CloudFormation template
+	outputLoadBalancerARN     = "LoadBalancerARN"
 	outputLoadBalancerDNSName = "LoadBalancerDNSName"
 	outputTargetGroupARN      = "TargetGroupARN"
 	outputHTTPTargetGroupARN  = "HTTPTargetGroupARN"
@@ -486,6 +492,7 @@ func mapToManagedStack(stack *types.Stack) *Stack {
 
 	return &Stack{
 		Name:              aws.ToString(stack.StackName),
+		LoadBalancerARN:   outputs.loadBalancerARN(),
 		DNSName:           outputs.dnsName(),
 		TargetGroupARNs:   outputs.targetGroupARNs(),
 		Scheme:            parameters[parameterLoadBalancerSchemeParameter],

aws/cf_template.go

@@ -24,6 +24,10 @@ const (
 	//
 	// [0]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listenerrule.html#cfn-elasticloadbalancingv2-listenerrule-priority
 	internalTrafficDenyRulePriority int64 = 1
+
+	// LoadBalancerResourceLogicalID is the logical ID of the LoadBalancer resource in the CloudFormation template.
+	// Changing this value will recreate the LoadBalancer resource.
+	LoadBalancerResourceLogicalID = "LB"
 )
 
 func hashARNs(certARNs []string) []byte {
@@ -115,9 +119,13 @@ func generateTemplate(spec *stackSpec) (string, error) {
 	const httpsTargetGroupName = "TG"
 
 	template.Outputs = map[string]*cloudformation.Output{
+		outputLoadBalancerARN: {
+			Description: "The ARN of the LoadBalancer",
+			Value:       cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
+		},
 		outputLoadBalancerDNSName: {
 			Description: "DNS name for the LoadBalancer",
-			Value:       cloudformation.GetAtt("LB", "DNSName").String(),
+			Value:       cloudformation.GetAtt(LoadBalancerResourceLogicalID, "DNSName").String(),
 		},
 		outputTargetGroupARN: {
 			Description: "The ARN of the TargetGroup",
@@ -160,7 +168,7 @@ func generateTemplate(spec *stackSpec) (string, error) {
 							},
 						},
 					},
-					LoadBalancerArn: cloudformation.Ref("LB").String(),
+					LoadBalancerArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 					Port:            cloudformation.Integer(80),
 					Protocol:        cloudformation.String("HTTP"),
 				})
@@ -172,7 +180,7 @@ func generateTemplate(spec *stackSpec) (string, error) {
 							TargetGroupArn: cloudformation.Ref(httpTargetGroupName).String(),
 						},
 					},
-					LoadBalancerArn: cloudformation.Ref("LB").String(),
+					LoadBalancerArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 					Port:            cloudformation.Integer(80),
 					Protocol:        cloudformation.String("HTTP"),
 				})
@@ -196,7 +204,7 @@ func generateTemplate(spec *stackSpec) (string, error) {
 						TargetGroupArn: cloudformation.Ref(httpTargetGroupName).String(),
 					},
 				},
-				LoadBalancerArn: cloudformation.Ref("LB").String(),
+				LoadBalancerArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 				Port:            cloudformation.Integer(80),
 				Protocol:        cloudformation.String("TCP"),
 			})
@@ -227,7 +235,7 @@ func generateTemplate(spec *stackSpec) (string, error) {
 						CertificateArn: cloudformation.String(certificateARNs[0]),
 					},
 				},
-				LoadBalancerArn: cloudformation.Ref("LB").String(),
+				LoadBalancerArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 				Port:            cloudformation.Integer(443),
 				Protocol:        cloudformation.String("HTTPS"),
 				SslPolicy:       cloudformation.Ref(parameterListenerSslPolicyParameter).String(),
@@ -256,7 +264,7 @@ func generateTemplate(spec *stackSpec) (string, error) {
 						CertificateArn: cloudformation.String(certificateARNs[0]),
 					},
 				},
-				LoadBalancerArn: cloudformation.Ref("LB").String(),
+				LoadBalancerArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 				Port:            cloudformation.Integer(443),
 				Protocol:        cloudformation.String("TLS"),
 				SslPolicy:       cloudformation.Ref(parameterListenerSslPolicyParameter).String(),
@@ -379,17 +387,17 @@ func generateTemplate(spec *stackSpec) (string, error) {
 		lb.Type = cloudformation.Ref(parameterLoadBalancerTypeParameter).String()
 	}
 
-	template.AddResource("LB", lb)
+	template.AddResource(LoadBalancerResourceLogicalID, lb)
 
 	if spec.loadbalancerType == LoadBalancerTypeApplication && spec.wafWebAclId != "" {
 		if strings.HasPrefix(spec.wafWebAclId, "arn:aws:wafv2:") {
 			template.AddResource("WAFAssociation", &cloudformation.WAFv2WebACLAssociation{
-				ResourceArn: cloudformation.Ref("LB").String(),
+				ResourceArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 				WebACLArn:   cloudformation.Ref(parameterLoadBalancerWAFWebACLIDParameter).String(),
 			})
 		} else {
 			template.AddResource("WAFAssociation", &cloudformation.WAFRegionalWebACLAssociation{
-				ResourceArn: cloudformation.Ref("LB").String(),
+				ResourceArn: cloudformation.Ref(LoadBalancerResourceLogicalID).String(),
 				WebACLID:    cloudformation.Ref(parameterLoadBalancerWAFWebACLIDParameter).String(),
 			})
 		}