Merge pull request #2127 from songrx1997/CheckL7ILBFrontendConfig

Add CheckL7ILBFrontendConfig to check-gke-ingress
kubernetes · May 19, 2023 · 0a822cc · 0a822cc
2 parents d089070 + 16d9611
commit 0a822cc
Show file tree

Hide file tree

Showing 2 changed files with 88 additions and 0 deletions.
diff --git a/cmd/check-gke-ingress/app/ingress/rule.go b/cmd/check-gke-ingress/app/ingress/rule.go
@@ -144,6 +144,18 @@ func CheckAppProtocolAnnotation(svc *corev1.Service) (string, string) {
 	return report.Passed, fmt.Sprintf("AppProtocol annotation is valid in service %s/%s", svc.Namespace, svc.Name)
 }
 
+// CheckL7ILBFrontendConfig checks whether an internal ingress has a
+// frontendConfig. It will fail if an internal ingress has a frontendConfig.
+func CheckL7ILBFrontendConfig(ing *networkingv1.Ingress) (string, string) {
+	if !isL7ILB(ing) {
+		return report.Skipped, fmt.Sprintf("Ingress %s/%s is not for L7 internal load balancing", ing.Namespace, ing.Name)
+	}
+	if _, ok := getFrontendConfigAnnotation(ing); ok {
+		return report.Failed, fmt.Sprintf("Ingress %s/%s for L7 internal load balancing has a frontendConfig annotation", ing.Namespace, ing.Name)
+	}
+	return report.Passed, fmt.Sprintf("Ingress %s/%s for L7 internal load balancing does not have a frontendConfig annotation", ing.Namespace, ing.Name)
+}
+
 // getBackendConfigAnnotation gets the BackendConfig annotation from a service.
 func getBackendConfigAnnotation(svc *corev1.Service) (string, bool) {
 	for _, bcKey := range []string{annotations.BackendConfigKey, annotations.BetaBackendConfigKey} {
@@ -165,3 +177,25 @@ func getAppProtocolsAnnotation(svc *corev1.Service) (string, bool) {
 	}
 	return "", false
 }
+
+// isL7ILB whether an ingress is for internal load balancing.
+func isL7ILB(ing *networkingv1.Ingress) bool {
+	val, ok := ing.Annotations[annotations.IngressClassKey]
+	if !ok {
+		return false
+	}
+	if val != annotations.GceL7ILBIngressClass {
+		return false
+	}
+	return true
+}
+
+// getFrontendConfigAnnotation gets the frontendConfig annotation from an
+// ingress object.
+func getFrontendConfigAnnotation(ing *networkingv1.Ingress) (string, bool) {
+	val, ok := ing.ObjectMeta.Annotations[annotations.FrontendConfigKey]
+	if !ok {
+		return "", false
+	}
+	return val, true
+}
diff --git a/cmd/check-gke-ingress/app/ingress/rule_test.go b/cmd/check-gke-ingress/app/ingress/rule_test.go
@@ -473,3 +473,57 @@ func TestCheckAppProtocolAnnotation(t *testing.T) {
 		}
 	}
 }
+
+func TestCheckL7ILBFrontendConfig(t *testing.T) {
+	for _, tc := range []struct {
+		desc    string
+		ingress networkingv1.Ingress
+		expect  string
+	}{
+		{
+			desc: "Not internal ingress",
+			ingress: networkingv1.Ingress{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test",
+					Name:      "ingress-1",
+					Annotations: map[string]string{
+						annotations.FrontendConfigKey: "feconfig",
+					},
+				},
+			},
+			expect: report.Skipped,
+		},
+		{
+			desc: "Internal ingress with feconfig",
+			ingress: networkingv1.Ingress{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test",
+					Name:      "ingress-1",
+					Annotations: map[string]string{
+						annotations.FrontendConfigKey: "feconfig",
+						annotations.IngressClassKey:   annotations.GceL7ILBIngressClass,
+					},
+				},
+			},
+			expect: report.Failed,
+		},
+		{
+			desc: "Internal ingress without feconfig",
+			ingress: networkingv1.Ingress{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test",
+					Name:      "ingress-1",
+					Annotations: map[string]string{
+						annotations.IngressClassKey: annotations.GceL7ILBIngressClass,
+					},
+				},
+			},
+			expect: report.Passed,
+		},
+	} {
+		res, _ := CheckL7ILBFrontendConfig(&tc.ingress)
+		if res != tc.expect {
+			t.Errorf("For test case %q, expect check result = %s, but got %s", tc.desc, tc.expect, res)
+		}
+	}
+}