allow multiple targetgroupbindings to reference same tg arn if using multi cluster mode

zac-nixon · zac-nixon · commit 6d1a33cec4d4 · 2025-01-16T13:42:18.000-08:00
diff --git a/docs/guide/targetgroupbinding/targetgroupbinding.md b/docs/guide/targetgroupbinding/targetgroupbinding.md
@@ -160,7 +160,7 @@ spec:
     name: awesome-service # route traffic to the awesome-service
     port: 80
   targetGroupARN: <arn-to-targetGroup>
-  multiClusterTargetGroup: "true"
+  multiClusterTargetGroup: true
 ```
 
 
diff --git a/webhooks/elbv2/targetgroupbinding_validator.go b/webhooks/elbv2/targetgroupbinding_validator.go
@@ -3,20 +3,19 @@ package elbv2
 import (
 	"context"
 	"fmt"
+	elbv2types "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types"
+	"k8s.io/apimachinery/pkg/types"
 	"regexp"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
 	"strings"
 
-	elbv2types "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types"
-
 	awssdk "github.com/aws/aws-sdk-go-v2/aws"
 	elbv2sdk "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2"
 	"github.com/go-logr/logr"
 	"github.com/pkg/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	elbv2api "sigs.k8s.io/aws-load-balancer-controller/apis/elbv2/v1beta1"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/aws/services"
-	"sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
-	"sigs.k8s.io/aws-load-balancer-controller/pkg/targetgroupbinding"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/webhook"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -56,7 +55,6 @@ func (v *targetGroupBindingValidator) Prototype(_ admission.Request) (runtime.Ob
 
 func (v *targetGroupBindingValidator) ValidateCreate(ctx context.Context, obj runtime.Object) error {
 	tgb := obj.(*elbv2api.TargetGroupBinding)
-	targetgroupbinding.AnnotationsToFields(tgb)
 	if err := v.checkRequiredFields(ctx, tgb); err != nil {
 		return err
 	}
@@ -78,7 +76,6 @@ func (v *targetGroupBindingValidator) ValidateCreate(ctx context.Context, obj ru
 func (v *targetGroupBindingValidator) ValidateUpdate(ctx context.Context, obj runtime.Object, oldObj runtime.Object) error {
 	tgb := obj.(*elbv2api.TargetGroupBinding)
 	oldTgb := oldObj.(*elbv2api.TargetGroupBinding)
-	targetgroupbinding.AnnotationsToFields(tgb)
 	if err := v.checkRequiredFields(ctx, tgb); err != nil {
 		return err
 	}
@@ -88,6 +85,9 @@ func (v *targetGroupBindingValidator) ValidateUpdate(ctx context.Context, obj ru
 	if err := v.checkNodeSelector(tgb); err != nil {
 		return err
 	}
+	if err := v.checkExistingTargetGroups(tgb); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -160,17 +160,29 @@ func (v *targetGroupBindingValidator) checkImmutableFields(tgb *elbv2api.TargetG
 }
 
 // checkExistingTargetGroups will check for unique TargetGroup per TargetGroupBinding
-func (v *targetGroupBindingValidator) checkExistingTargetGroups(tgb *elbv2api.TargetGroupBinding) error {
+func (v *targetGroupBindingValidator) checkExistingTargetGroups(updatedTgb *elbv2api.TargetGroupBinding) error {
 	ctx := context.Background()
 	tgbList := elbv2api.TargetGroupBindingList{}
+
+	duplicateTGBs := make([]types.NamespacedName, 0)
+	multiClusterSupported := updatedTgb.Spec.MultiClusterTargetGroup
+
 	if err := v.k8sClient.List(ctx, &tgbList); err != nil {
 		return errors.Wrap(err, "failed to list TargetGroupBindings in the cluster")
 	}
 	for _, tgbObj := range tgbList.Items {
-		if tgbObj.Spec.TargetGroupARN == tgb.Spec.TargetGroupARN {
-			return errors.Errorf("TargetGroup %v is already bound to TargetGroupBinding %v", tgb.Spec.TargetGroupARN, k8s.NamespacedName(&tgbObj).String())
+		if tgbObj.UID != updatedTgb.UID && tgbObj.Spec.TargetGroupARN == updatedTgb.Spec.TargetGroupARN {
+			if !tgbObj.Spec.MultiClusterTargetGroup {
+				multiClusterSupported = false
+			}
+			duplicateTGBs = append(duplicateTGBs, k8s.NamespacedName(&tgbObj))
 		}
 	}
+
+	if len(duplicateTGBs) != 0 && !multiClusterSupported {
+		return errors.Errorf("TargetGroup %v is already bound to following TargetGroupBindings %v. Please enable MultiCluster mode on all TargetGroupBindings referencing %v or choose a different Target Group ARN.", updatedTgb.Spec.TargetGroupARN, duplicateTGBs, updatedTgb.Spec.TargetGroupARN)
+	}
+
 	return nil
 }
 
@@ -184,7 +196,7 @@ func (v *targetGroupBindingValidator) checkNodeSelector(tgb *elbv2api.TargetGrou
 
 // checkTargetGroupIPAddressType ensures IP address type matches with that on the AWS target group
 func (v *targetGroupBindingValidator) checkTargetGroupIPAddressType(ctx context.Context, tgb *elbv2api.TargetGroupBinding) error {
-	targetGroupIPAddressType, err := v.getTargetGroupIPAddressTypeFromAWS(ctx, tgb)
+	targetGroupIPAddressType, err := v.getTargetGroupIPAddressTypeFromAWS(ctx, tgb.Spec.TargetGroupARN)
 	if err != nil {
 		return errors.Wrap(err, "unable to get target group IP address type")
 	}
@@ -203,7 +215,7 @@ func (v *targetGroupBindingValidator) checkTargetGroupVpcID(ctx context.Context,
 	if !vpcIDPatternRegex.MatchString(tgb.Spec.VpcID) {
 		return errors.Errorf(vpcIDValidationErr, tgb.Spec.VpcID)
 	}
-	vpcID, err := v.getVpcIDFromAWS(ctx, tgb)
+	vpcID, err := v.getVpcIDFromAWS(ctx, tgb.Spec.TargetGroupARN)
 	if err != nil {
 		return errors.Wrap(err, "unable to get target group VpcID")
 	}
@@ -214,8 +226,8 @@ func (v *targetGroupBindingValidator) checkTargetGroupVpcID(ctx context.Context,
 }
 
 // getTargetGroupIPAddressTypeFromAWS returns the target group IP address type of AWS target group
-func (v *targetGroupBindingValidator) getTargetGroupIPAddressTypeFromAWS(ctx context.Context, tgb *elbv2api.TargetGroupBinding) (elbv2api.TargetGroupIPAddressType, error) {
-	targetGroup, err := v.getTargetGroupFromAWS(ctx, tgb)
+func (v *targetGroupBindingValidator) getTargetGroupIPAddressTypeFromAWS(ctx context.Context, tgARN string) (elbv2api.TargetGroupIPAddressType, error) {
+	targetGroup, err := v.getTargetGroupFromAWS(ctx, tgARN)
 	if err != nil {
 		return "", err
 	}
@@ -232,12 +244,11 @@ func (v *targetGroupBindingValidator) getTargetGroupIPAddressTypeFromAWS(ctx con
 }
 
 // getTargetGroupFromAWS returns the AWS target group corresponding to the ARN
-func (v *targetGroupBindingValidator) getTargetGroupFromAWS(ctx context.Context, tgb *elbv2api.TargetGroupBinding) (*elbv2types.TargetGroup, error) {
-	tgARN := tgb.Spec.TargetGroupARN
+func (v *targetGroupBindingValidator) getTargetGroupFromAWS(ctx context.Context, tgARN string) (*elbv2types.TargetGroup, error) {
 	req := &elbv2sdk.DescribeTargetGroupsInput{
 		TargetGroupArns: []string{tgARN},
 	}
-	tgList, err := v.elbv2Client.AssumeRole(ctx, tgb.Spec.IamRoleArnToAssume, tgb.Spec.AssumeRoleExternalId).DescribeTargetGroupsAsList(ctx, req)
+	tgList, err := v.elbv2Client.DescribeTargetGroupsAsList(ctx, req)
 	if err != nil {
 		return nil, err
 	}
@@ -247,8 +258,8 @@ func (v *targetGroupBindingValidator) getTargetGroupFromAWS(ctx context.Context,
 	return &tgList[0], nil
 }
 
-func (v *targetGroupBindingValidator) getVpcIDFromAWS(ctx context.Context, tgb *elbv2api.TargetGroupBinding) (string, error) {
-	targetGroup, err := v.getTargetGroupFromAWS(ctx, tgb)
+func (v *targetGroupBindingValidator) getVpcIDFromAWS(ctx context.Context, tgARN string) (string, error) {
+	targetGroup, err := v.getTargetGroupFromAWS(ctx, tgARN)
 	if err != nil {
 		return "", err
 	}
diff --git a/webhooks/elbv2/targetgroupbinding_validator_test.go b/webhooks/elbv2/targetgroupbinding_validator_test.go
@@ -462,8 +462,14 @@ func Test_targetGroupBindingValidator_ValidateUpdate(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			k8sSchema := runtime.NewScheme()
+			clientgoscheme.AddToScheme(k8sSchema)
+			elbv2api.AddToScheme(k8sSchema)
+			k8sClient := testclient.NewClientBuilder().WithScheme(k8sSchema).Build()
+
 			v := &targetGroupBindingValidator{
-				logger: logr.New(&log.NullLogSink{}),
+				logger:    logr.New(&log.NullLogSink{}),
+				k8sClient: k8sClient,
 			}
 			err := v.ValidateUpdate(context.Background(), tt.args.obj, tt.args.oldObj)
 			if tt.wantErr != nil {
@@ -954,6 +960,7 @@ func Test_targetGroupBindingValidator_checkExistingTargetGroups(t *testing.T) {
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "tgb1",
 						Namespace: "ns1",
+						UID:       "tgb1",
 					},
 					Spec: elbv2api.TargetGroupBindingSpec{
 						TargetGroupARN: "tg-1",
@@ -971,6 +978,7 @@ func Test_targetGroupBindingValidator_checkExistingTargetGroups(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      "tgb1",
 							Namespace: "ns1",
+							UID:       "tgb1",
 						},
 						Spec: elbv2api.TargetGroupBindingSpec{
 							TargetGroupARN: "tg-1",
@@ -984,6 +992,7 @@ func Test_targetGroupBindingValidator_checkExistingTargetGroups(t *testing.T) {
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "tgb2",
 						Namespace: "ns2",
+						UID:       "tgb2",
 					},
 					Spec: elbv2api.TargetGroupBindingSpec{
 						TargetGroupARN: "tg-2",
@@ -1001,6 +1010,7 @@ func Test_targetGroupBindingValidator_checkExistingTargetGroups(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      "tgb1",
 							Namespace: "ns1",
+							UID:       "tgb1",
 						},
 						Spec: elbv2api.TargetGroupBindingSpec{
 							TargetGroupARN: "tg-1",
@@ -1011,6 +1021,7 @@ func Test_targetGroupBindingValidator_checkExistingTargetGroups(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      "tgb2",
 							Namespace: "ns2",
+							UID:       "tgb2",
 						},
 						Spec: elbv2api.TargetGroupBindingSpec{
 							TargetGroupARN: "tg-2",
@@ -1021,19 +1032,32 @@ func Test_targetGroupBindingValidator_checkExistingTargetGroups(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      "tgb3",
 							Namespace: "ns3",
+							UID:       "tgb3",
 						},
 						Spec: elbv2api.TargetGroupBindingSpec{
 							TargetGroupARN: "tg-3",
 							TargetType:     nil,
 						},
 					},
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "tgb22",
+							Namespace: "ns1",
+							UID:       "tgb22",
+						},
+						Spec: elbv2api.TargetGroupBindingSpec{
+							TargetGroupARN: "tg-22",
+							TargetType:     nil,
+						},
+					},
 				},
 			},
 			args: args{
 				tgb: &elbv2api.TargetGroupBinding{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "tgb22",
 						Namespace: "ns1",
+						UID:       "tgb22",
 					},
 					Spec: elbv2api.TargetGroupBindingSpec{
 						TargetGroupARN: "tg-22",
@@ -1051,6 +1075,7 @@ func Test_targetGroupBindingValidator_checkExistingTargetGroups(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      "tgb1",
 							Namespace: "ns1",
+							UID:       "tgb1",
 						},
 						Spec: elbv2api.TargetGroupBindingSpec{
 							TargetGroupARN: "tg-1",
@@ -1064,14 +1089,106 @@ func Test_targetGroupBindingValidator_checkExistingTargetGroups(t *testing.T) {
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "tgb2",
 						Namespace: "ns1",
+						UID:       "tgb2",
+					},
+					Spec: elbv2api.TargetGroupBindingSpec{
+						TargetGroupARN: "tg-1",
+						TargetType:     nil,
+					},
+				},
+			},
+			wantErr: errors.New("TargetGroup tg-1 is already bound to following TargetGroupBindings [ns1/tgb1]. Please enable MultiCluster mode on all TargetGroupBindings referencing tg-1 or choose a different Target Group ARN."),
+		},
+		{
+			name: "[ok] duplicate target groups with multi cluster support",
+			env: env{
+				existingTGBs: []elbv2api.TargetGroupBinding{
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "tgb1",
+							Namespace: "ns1",
+							UID:       "tgb1",
+						},
+						Spec: elbv2api.TargetGroupBindingSpec{
+							TargetGroupARN:          "tg-1",
+							TargetType:              nil,
+							MultiClusterTargetGroup: true,
+						},
+					},
+				},
+			},
+			args: args{
+				tgb: &elbv2api.TargetGroupBinding{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "tgb2",
+						Namespace: "ns1",
+						UID:       "tgb2",
+					},
+					Spec: elbv2api.TargetGroupBindingSpec{
+						TargetGroupARN:          "tg-1",
+						TargetType:              nil,
+						MultiClusterTargetGroup: true,
+					},
+				},
+			},
+			wantErr: nil,
+		},
+		{
+			name: "[err] try to add binding without multicluster support while multiple bindings are using the same tg arn",
+			env: env{
+				existingTGBs: []elbv2api.TargetGroupBinding{
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "tgb1",
+							Namespace: "ns1",
+							UID:       "tgb1",
+						},
+						Spec: elbv2api.TargetGroupBindingSpec{
+							TargetGroupARN:          "tg-1",
+							TargetType:              nil,
+							MultiClusterTargetGroup: true,
+						},
+					},
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "tgb3",
+							Namespace: "ns1",
+							UID:       "tgb3",
+						},
+						Spec: elbv2api.TargetGroupBindingSpec{
+							TargetGroupARN:          "tg-1",
+							TargetType:              nil,
+							MultiClusterTargetGroup: true,
+						},
+					},
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "tgb4",
+							Namespace: "ns1",
+							UID:       "tgb4",
+						},
+						Spec: elbv2api.TargetGroupBindingSpec{
+							TargetGroupARN:          "tg-1",
+							TargetType:              nil,
+							MultiClusterTargetGroup: true,
+						},
+					},
+				},
+			},
+			args: args{
+				tgb: &elbv2api.TargetGroupBinding{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "tgb2",
+						Namespace: "ns1",
+						UID:       "tgb2",
 					},
 					Spec: elbv2api.TargetGroupBindingSpec{
 						TargetGroupARN: "tg-1",
 						TargetType:     nil,
 					},
 				},
 			},
-			wantErr: errors.New("TargetGroup tg-1 is already bound to TargetGroupBinding ns1/tgb1"),
+			wantErr: errors.New("TargetGroup tg-1 is already bound to following TargetGroupBindings [ns1/tgb1 ns1/tgb3 ns1/tgb4]. Please enable MultiCluster mode on all TargetGroupBindings referencing tg-1 or choose a different Target Group ARN."),
 		},
 		{
 			name: "[err] duplicate target groups - one target group binding",
@@ -1081,6 +1198,7 @@ func Test_targetGroupBindingValidator_checkExistingTargetGroups(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      "tgb1",
 							Namespace: "ns1",
+							UID:       "tgb1",
 						},
 						Spec: elbv2api.TargetGroupBindingSpec{
 							TargetGroupARN: "tg-1",
@@ -1091,6 +1209,7 @@ func Test_targetGroupBindingValidator_checkExistingTargetGroups(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      "tgb2",
 							Namespace: "ns2",
+							UID:       "tgb2",
 						},
 						Spec: elbv2api.TargetGroupBindingSpec{
 							TargetGroupARN: "tg-111",
@@ -1101,6 +1220,7 @@ func Test_targetGroupBindingValidator_checkExistingTargetGroups(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      "tgb3",
 							Namespace: "ns3",
+							UID:       "tgb3",
 						},
 						Spec: elbv2api.TargetGroupBindingSpec{
 							TargetGroupARN: "tg-3",
@@ -1114,14 +1234,15 @@ func Test_targetGroupBindingValidator_checkExistingTargetGroups(t *testing.T) {
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "tgb111",
 						Namespace: "ns1",
+						UID:       "tgb111",
 					},
 					Spec: elbv2api.TargetGroupBindingSpec{
 						TargetGroupARN: "tg-111",
 						TargetType:     nil,
 					},
 				},
 			},
-			wantErr: errors.New("TargetGroup tg-111 is already bound to TargetGroupBinding ns2/tgb2"),
+			wantErr: errors.New("TargetGroup tg-111 is already bound to following TargetGroupBindings [ns2/tgb2]. Please enable MultiCluster mode on all TargetGroupBindings referencing tg-111 or choose a different Target Group ARN."),
 		},
 	}
 	for _, tt := range tests {
