OKE-33554 Rule Sets support

Allow user to specify Load Balancer Rule Sets (as specifified in documentation)
through a Kubernetes Load Balancer service annotation. The value is a JSON
object corresponding to a map of RuleSetDetails as specified by OCI API docs.

Author: pbenas

docs/load-balancer-annotations.md

@@ -57,6 +57,7 @@ spec:
 | `oci.oraclecloud.com/oci-load-balancer-listener-ssl-config`                  | Specifies the cipher suite on the listener of the LB managed by CCM.                                                                                                                                                                                                             | `N/A`                                            | `'{"CipherSuiteName":"oci-default-http2-ssl-cipher-suite-v1", "Protocols":["TLSv1.2"]}'` |
 | `oci.oraclecloud.com/oci-load-balancer-backendset-ssl-config"`               | Specifies the cipher suite on the backendsets of the LB managed by CCM.                                                                                                                                                                                                          | `N/A`                                            | `'{"CipherSuiteName":"oci-default-http2-ssl-cipher-suite-v1", "Protocols":["TLSv1.2"]}'` |
 | `oci.oraclecloud.com/ingress-ip-mode`                                        | Specifies ".status.loadBalancer.ingress.ipMode" for a Service with type set to LoadBalancer. Refer: [Specifying IPMode to adjust traffic routing][11]                                                                                                                            | `VIP`                                            |                                        `"proxy"`                                         |
+| `oci.oraclecloud.com/oci-load-balancer-rule-sets`                            | [Rule Sets][11] configuration. A JSON object mapping strings to RuleSetDetails objects as specified in [OCI API documentation][12]. All rule sets will be attached to all configured listeners.                                                                                  | `N/A`                                            |
 
 
 Note:
@@ -148,3 +149,5 @@ Note:
 [11]: https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengconfiguringloadbalancersnetworkloadbalancers-subtopic.htm#contengcreatingloadbalancer_topic_Specifying_IPMode
 [12]: https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengconfiguringloadbalancersnetworkloadbalancers-subtopic.htm#contengcreatingloadbalancer_topic_Skip_private_IP_addresses
 [13]: https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingloadbalancers-subtopic.htm#listenerprotocol
+[12]: https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managingrulesets.htm
+[13]: https://docs.oracle.com/en-us/iaas/api/#/en/loadbalancer/20170115/datatypes/RuleSetDetails

pkg/cloudprovider/providers/oci/instances_test.go

@@ -28,6 +28,7 @@ import (
 	"github.com/oracle/oci-go-sdk/v65/filestorage"
 	"github.com/oracle/oci-go-sdk/v65/identity"
 
+	"github.com/oracle/oci-go-sdk/v65/loadbalancer"
 	"go.uber.org/zap"
 	authv1 "k8s.io/api/authentication/v1"
 	v1 "k8s.io/api/core/v1"
@@ -935,6 +936,17 @@ func (MockComputeClient) GetPrimaryVNICForInstance(ctx context.Context, compartm
 func (MockComputeClient) GetSecondaryVNICsForInstance(ctx context.Context, compartmentID, instanceID string) ([]*core.Vnic, error) {
 	return []*core.Vnic{instanceVnics[instanceID]}, nil
 }
+func (c *MockComputeClient) ListVnicAttachments(ctx context.Context, compartmentID, instanceID string) ([]core.VnicAttachment, error) {
+	return nil, nil
+}
+
+func (c *MockComputeClient) GetVnicAttachment(ctx context.Context, vnicAttachmentId *string) (response *core.VnicAttachment, err error) {
+	return nil, nil
+}
+
+func (c *MockComputeClient) AttachVnic(ctx context.Context, instanceID, subnetID *string, nsgIds []*string, skipSourceDestCheck *bool) (response core.VnicAttachment, err error) {
+	return core.VnicAttachment{}, nil
+}
 
 func (MockComputeClient) FindVolumeAttachment(ctx context.Context, compartmentID, volumeID string) (core.VolumeAttachment, error) {
 	return nil, nil
@@ -1121,6 +1133,18 @@ var updateLoadBalancerErrors = map[string]error{
 	"work request fail": errors.New("internal server error"),
 }
 
+func (c *MockLoadBalancerClient) CreateRuleSet(ctx context.Context, lbID string, name string, details *loadbalancer.RuleSetDetails) (string, error) {
+	return "", nil
+}
+
+func (c *MockLoadBalancerClient) UpdateRuleSet(ctx context.Context, lbID string, name string, details *loadbalancer.RuleSetDetails) (string, error) {
+	return "", nil
+}
+
+func (c *MockLoadBalancerClient) DeleteRuleSet(ctx context.Context, lbID string, name string) (string, error) {
+	return "", nil
+}
+
 func (c *MockLoadBalancerClient) UpdateLoadBalancer(ctx context.Context, lbID string, details *client.GenericUpdateLoadBalancerDetails) (string, error) {
 	if err, ok := updateLoadBalancerErrors[lbID]; ok {
 		return "", err
@@ -1223,6 +1247,18 @@ func (c *MockNetworkLoadBalancerClient) DeleteListener(ctx context.Context, lbID
 	return "", nil
 }
 
+func (c *MockNetworkLoadBalancerClient) CreateRuleSet(ctx context.Context, lbID string, name string, details *loadbalancer.RuleSetDetails) (string, error) {
+	return "", nil
+}
+
+func (c *MockNetworkLoadBalancerClient) UpdateRuleSet(ctx context.Context, lbID string, name string, details *loadbalancer.RuleSetDetails) (string, error) {
+	return "", nil
+}
+
+func (c *MockNetworkLoadBalancerClient) DeleteRuleSet(ctx context.Context, lbID string, name string) (string, error) {
+	return "", nil
+}
+
 func (c *MockNetworkLoadBalancerClient) AwaitWorkRequest(ctx context.Context, id string) (*client.GenericWorkRequest, error) {
 	if err, ok := awaitLoadbalancerWorkrequestMap[id]; ok {
 		return nil, err

pkg/cloudprovider/providers/oci/load_balancer.go

@@ -413,6 +413,7 @@ func (clb *CloudLoadBalancerProvider) createLoadBalancer(ctx context.Context, sp
 		FreeformTags:            spec.FreeformTags,
 		DefinedTags:             spec.DefinedTags,
 		IpVersion:               spec.IpVersions.LbEndpointIpVersion,
+		RuleSets:                spec.RuleSets,
 	}
 	// do not block creation if the defined tag limit is reached. defer LB to tracked by backfilling
 	if len(details.DefinedTags) > MaxDefinedTagPerResource {
@@ -1046,13 +1047,18 @@ func (clb *CloudLoadBalancerProvider) updateLoadBalancer(ctx context.Context, lb
 		}
 	}
 
+	var ruleSetActions []Action
+	if spec.RuleSets != nil {
+		ruleSetActions = getRuleSetChanges(lb.RuleSets, spec.RuleSets)
+	}
+
 	actualBackendSets := lb.BackendSets
 	desiredBackendSets := spec.BackendSets
 	backendSetActions := getBackendSetChanges(logger, actualBackendSets, desiredBackendSets)
 
 	actualListeners := lb.Listeners
 	desiredListeners := spec.Listeners
-	listenerActions := getListenerChanges(logger, actualListeners, desiredListeners)
+	listenerActions := getListenerChanges(logger, actualListeners, desiredListeners, spec.RuleSets)
 
 	if len(backendSetActions) == 0 && len(listenerActions) == 0 {
 		// If there are no backendSetActions or Listener actions
@@ -1065,7 +1071,8 @@ func (clb *CloudLoadBalancerProvider) updateLoadBalancer(ctx context.Context, lb
 			return err
 		}
 	}
-	actions := sortAndCombineActions(logger, backendSetActions, listenerActions)
+	actions := sortAndCombineActions(logger, backendSetActions, listenerActions, ruleSetActions)
+
 	for _, action := range actions {
 		switch a := action.(type) {
 		case *BackendSetAction:
@@ -1090,6 +1097,11 @@ func (clb *CloudLoadBalancerProvider) updateLoadBalancer(ctx context.Context, lb
 			if err != nil {
 				return errors.Wrap(err, "updating listener")
 			}
+		case *RuleSetAction:
+			err := clb.updateRuleSet(ctx, lbID, a, spec)
+			if err != nil {
+				return errors.Wrap(err, "updating RuleSet")
+			}
 		}
 	}
 
@@ -1333,6 +1345,39 @@ func (clb *CloudLoadBalancerProvider) updateListener(ctx context.Context, lbID s
 	return nil
 }
 
+func (clb *CloudLoadBalancerProvider) updateRuleSet(ctx context.Context, lbID string, action *RuleSetAction, spec *LBSpec) (err error) {
+	var workRequestID string
+
+	logger := clb.logger.With(
+		"actionType", action.Type(),
+		"ruleSetName", action.Name(),
+		"loadBalancerID", lbID,
+		"loadBalancerType", getLoadBalancerType(spec.service))
+	logger.Info("Applying action on rule set")
+
+	switch action.Type() {
+	case Create:
+		workRequestID, err = clb.lbClient.CreateRuleSet(ctx, lbID, action.Name(), &action.RuleSetDetails)
+	case Update:
+		workRequestID, err = clb.lbClient.UpdateRuleSet(ctx, lbID, action.Name(), &action.RuleSetDetails)
+	case Delete:
+		workRequestID, err = clb.lbClient.DeleteRuleSet(ctx, lbID, action.Name())
+	}
+
+	if err != nil {
+		return err
+	}
+	logger = logger.With("workRequestID", workRequestID)
+	logger.Info("Await work request for loadbalancer rule set")
+	_, err = clb.lbClient.AwaitWorkRequest(ctx, workRequestID)
+	if err != nil {
+		return err
+	}
+	logger.Info("Work request for loadbalancer rule set completed successfully")
+
+	return nil
+}
+
 // UpdateLoadBalancer updates an existing loadbalancer
 func (cp *CloudProvider) UpdateLoadBalancer(ctx context.Context, clusterName string, service *v1.Service, nodes []*v1.Node) error {
 	startTime := time.Now()

pkg/cloudprovider/providers/oci/load_balancer_spec.go

@@ -19,10 +19,13 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"slices"
 	"strconv"
 	"strings"
 
+	"github.com/oracle/oci-go-sdk/v65/loadbalancer"
 	"go.uber.org/zap"
+	"golang.org/x/exp/maps"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	apiservice "k8s.io/kubernetes/pkg/api/v1/service"
@@ -180,6 +183,12 @@ const (
 	// with type set to LoadBalancer.
 	// https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-ip-mode:~:text=Specifying%20IPMode%20of%20load%20balancer%20status
 	ServiceAnnotationIngressIpMode = "oci.oraclecloud.com/ingress-ip-mode"
+
+	// ServiceAnnotationRuleSets allows the user to specify rule sets of actions applied to traffic at a load balancer listener
+	// https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managingrulesets.htm
+	// Expected format is a JSON blob containing a JSON object literal with keys being rule names and values being a JSON
+	// representation of a valid Rule object. https://docs.oracle.com/en-us/iaas/api/#/en/loadbalancer/20170115/datatypes/Rule
+	ServiceAnnotationRuleSets = "oci.oraclecloud.com/oci-load-balancer-rule-sets"
 )
 
 // NLB specific annotations
@@ -294,7 +303,7 @@ type ManagedNetworkSecurityGroup struct {
 }
 
 func requiresCertificate(svc *v1.Service) bool {
-	if svc.Annotations[ServiceAnnotationLoadBalancerType] == NLB {
+	if getLoadBalancerType(svc) == NLB {
 		return false
 	}
 	_, ok := svc.Annotations[ServiceAnnotationLoadBalancerSSLPorts]
@@ -354,6 +363,7 @@ type LBSpec struct {
 	SystemTags                  map[string]map[string]interface{}
 	ingressIpMode               *v1.LoadBalancerIPMode
 	Compartment                 string
+	RuleSets                    map[string]loadbalancer.RuleSetDetails
 
 	service *v1.Service
 	nodes   []*v1.Node
@@ -390,6 +400,11 @@ func NewLBSpec(logger *zap.SugaredLogger, svc *v1.Service, provisionedNodes []*v
 		return nil, err
 	}
 
+	ruleSets, err := getRuleSets(svc)
+	if err != nil {
+		return nil, err
+	}
+
 	listeners, err := getListeners(svc, sslConfig, convertOciIpVersionsToOciIpFamilies(versions.ListenerBackendIpVersion))
 	if err != nil {
 		return nil, err
@@ -476,14 +491,14 @@ func NewLBSpec(logger *zap.SugaredLogger, svc *v1.Service, provisionedNodes []*v
 		SystemTags:                  getResourceTrackingSystemTagsFromConfig(logger, initialLBTags),
 		ingressIpMode:               ingressIpMode,
 		Compartment:                 compartment,
+		RuleSets:                    ruleSets,
 	}, nil
 }
 
 func getLoadBalancerCompartment(svc *v1.Service, clusterCompartment string) (compartment string) {
+	compartment = clusterCompartment
 	if value, exist := svc.Annotations[util.CompartmentIDAnnotation]; exist {
 		compartment = value
-	} else {
-		compartment = clusterCompartment
 	}
 	return
 }
@@ -1044,6 +1059,13 @@ func getListenersOciLoadBalancer(svc *v1.Service, sslCfg *SSLConfig) (map[string
 		proxyProtocolVersion = common.Int(version)
 	}
 
+	ruleSets, _ := getRuleSets(svc)
+	var rs []string
+	if ruleSets != nil {
+		rs = maps.Keys(ruleSets)
+		slices.Sort(rs)
+	}
+
 	listeners := make(map[string]client.GenericListener)
 	for _, servicePort := range svc.Spec.Ports {
 		protocol := string(servicePort.Protocol)
@@ -1088,6 +1110,7 @@ func getListenersOciLoadBalancer(svc *v1.Service, sslCfg *SSLConfig) (map[string
 			DefaultBackendSetName: common.String(getBackendSetName(string(servicePort.Protocol), int(servicePort.Port))),
 			Protocol:              &protocol,
 			Port:                  &port,
+			RuleSetNames:          rs,
 			SslConfiguration:      sslConfiguration,
 		}
 
@@ -1648,3 +1671,20 @@ func isSkipPrivateIP(svc *v1.Service) (bool, error) {
 	}
 	return skipPrivateIp, nil
 }
+
+func getRuleSets(svc *v1.Service) (rs map[string]loadbalancer.RuleSetDetails, err error) {
+	annotation, exists := svc.Annotations[ServiceAnnotationRuleSets]
+	if !exists {
+		return nil, nil
+	}
+
+	if getLoadBalancerType(svc) == NLB {
+		return rs, fmt.Errorf("invalid annotation %s. Rule Sets are not supported by Network Load Balancer", ServiceAnnotationRuleSets)
+	}
+
+	if annotation == "" {
+		annotation = "{}"
+	}
+	err = json.NewDecoder(strings.NewReader(annotation)).Decode(&rs)
+	return rs, err
+}