Cherry-pick necessary commits for v1.3.0 release.

cmd/glbc/main.go

@@ -40,6 +40,7 @@ import (
 	"k8s.io/ingress-gce/cmd/glbc/app"
 	"k8s.io/ingress-gce/pkg/backendconfig"
 	"k8s.io/ingress-gce/pkg/crd"
+	"k8s.io/ingress-gce/pkg/firewalls"
 	"k8s.io/ingress-gce/pkg/flags"
 	"k8s.io/ingress-gce/pkg/version"
 )
@@ -101,7 +102,15 @@ func main() {
 
 	cloud := app.NewGCEClient()
 	enableNEG := flags.F.Features.NEG
-	ctx := context.NewControllerContext(kubeClient, backendConfigClient, cloud, flags.F.WatchNamespace, flags.F.ResyncPeriod, enableNEG, flags.F.EnableBackendConfig)
+	defaultBackendServicePortID := app.DefaultBackendServicePortID(kubeClient)
+	ctxConfig := context.ControllerContextConfig{
+		NEGEnabled:              enableNEG,
+		BackendConfigEnabled:    flags.F.EnableBackendConfig,
+		Namespace:               flags.F.WatchNamespace,
+		ResyncPeriod:            flags.F.ResyncPeriod,
+		DefaultBackendSvcPortID: defaultBackendServicePortID,
+	}
+	ctx := context.NewControllerContext(kubeClient, backendConfigClient, cloud, ctxConfig)
 	go app.RunHTTPServer(ctx.HealthCheck)
 
 	if !flags.F.LeaderElection.LeaderElect {
@@ -158,23 +167,24 @@ func makeLeaderElectionConfig(client clientset.Interface, recorder record.EventR
 }
 
 func runControllers(ctx *context.ControllerContext) {
-	namer, err := app.NewNamer(ctx.KubeClient, flags.F.ClusterName, controller.DefaultFirewallName)
+	namer, err := app.NewNamer(ctx.KubeClient, flags.F.ClusterName, firewalls.DefaultFirewallName)
 	if err != nil {
-		glog.Fatalf("app.NewNamer(ctx.KubeClient, %q, %q) = %v", flags.F.ClusterName, controller.DefaultFirewallName, err)
+		glog.Fatalf("app.NewNamer(ctx.KubeClient, %q, %q) = %v", flags.F.ClusterName, firewalls.DefaultFirewallName, err)
 	}
 
-	defaultBackendServicePortID := app.DefaultBackendServicePortID(ctx.KubeClient)
-	clusterManager, err := controller.NewClusterManager(ctx, namer, defaultBackendServicePortID, flags.F.HealthCheckPath, flags.F.DefaultSvcHealthCheckPath)
+	clusterManager, err := controller.NewClusterManager(ctx, namer, flags.F.HealthCheckPath, flags.F.DefaultSvcHealthCheckPath)
 	if err != nil {
-		glog.Fatalf("controller.NewClusterManager(cloud, namer, %+v, %q, %q) = %v", defaultBackendServicePortID, flags.F.HealthCheckPath, flags.F.DefaultSvcHealthCheckPath, err)
+		glog.Fatalf("controller.NewClusterManager(cloud, namer, %q, %q) = %v", flags.F.HealthCheckPath, flags.F.DefaultSvcHealthCheckPath, err)
 	}
 
 	stopCh := make(chan struct{})
-	lbc, err := controller.NewLoadBalancerController(ctx, clusterManager, stopCh)
+	lbc := controller.NewLoadBalancerController(ctx, clusterManager, stopCh)
 	if err != nil {
 		glog.Fatalf("controller.NewLoadBalancerController(ctx, clusterManager, stopCh) = %v", err)
 	}
 
+	fwc := firewalls.NewFirewallController(ctx, namer, flags.F.NodePortRanges.Values())
+
 	if clusterManager.ClusterNamer.UID() != "" {
 		glog.V(0).Infof("Cluster name: %+v", clusterManager.ClusterNamer.UID())
 	}
@@ -183,13 +193,16 @@ func runControllers(ctx *context.ControllerContext) {
 
 	if ctx.NEGEnabled {
 		// TODO: Refactor NEG to use cloud mocks so ctx.Cloud can be referenced within NewController.
-		negController, _ := neg.NewController(ctx.Cloud, ctx, lbc.Translator, namer, flags.F.ResyncPeriod)
+		negController := neg.NewController(ctx.Cloud, ctx, lbc.Translator, namer, flags.F.ResyncPeriod)
 		go negController.Run(stopCh)
 		glog.V(0).Infof("negController started")
 	}
 
 	go app.RunSIGTERMHandler(lbc, flags.F.DeleteAllOnQuit)
 
+	go fwc.Run(stopCh)
+	glog.V(0).Infof("firewall controller started")
+
 	ctx.Start(stopCh)
 	lbc.Run()
 

pkg/annotations/service.go

@@ -26,11 +26,14 @@ import (
 )
 
 const (
-	// ServiceApplicationProtocolKey is a stringified JSON map of port names to
-	// protocol strings. Possible values are HTTP, HTTPS
+	// ServiceApplicationProtocolKey and GoogleServiceApplicationProtocolKey
+	// is a stringified JSON map of port names to protocol strings.
+	// Possible values are HTTP, HTTPS and HTTP2.
 	// Example:
 	// '{"my-https-port":"HTTPS","my-http-port":"HTTP"}'
-	ServiceApplicationProtocolKey = "service.alpha.kubernetes.io/app-protocols"
+	// Note: ServiceApplicationProtocolKey will be deprecated.
+	ServiceApplicationProtocolKey       = "service.alpha.kubernetes.io/app-protocols"
+	GoogleServiceApplicationProtocolKey = "cloud.google.com/app-protocols"
 
 	// NEGAnnotationKey is the annotation key to enable GCE NEG.
 	// The value of the annotation must be a valid JSON string in the format
@@ -105,9 +108,15 @@ func FromService(obj *v1.Service) *Service {
 // ApplicationProtocols returns a map of port (name or number) to the protocol
 // on the port.
 func (svc *Service) ApplicationProtocols() (map[string]AppProtocol, error) {
-	val, ok := svc.v[ServiceApplicationProtocolKey]
+	var val string
+	var ok bool
+	// First check the old annotation, then fall back to the new one.
+	val, ok = svc.v[ServiceApplicationProtocolKey]
 	if !ok {
-		return map[string]AppProtocol{}, nil
+		val, ok = svc.v[GoogleServiceApplicationProtocolKey]
+		if !ok {
+			return map[string]AppProtocol{}, nil
+		}
 	}
 
 	var portToProtos map[string]AppProtocol

pkg/annotations/service_test.go

@@ -101,6 +101,27 @@ func TestService(t *testing.T) {
 			svc:          &v1.Service{},
 			appProtocols: map[string]AppProtocol{},
 		},
+		{
+			svc: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						GoogleServiceApplicationProtocolKey: `{"80": "HTTP", "443": "HTTPS"}`,
+					},
+				},
+			},
+			appProtocols: map[string]AppProtocol{"80": "HTTP", "443": "HTTPS"},
+		},
+		{
+			svc: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						GoogleServiceApplicationProtocolKey: `{"80": "HTTP", "443": "HTTPS"}`,
+						ServiceApplicationProtocolKey:       `{"81": "HTTP", "444": "HTTPS"}`,
+					},
+				},
+			},
+			appProtocols: map[string]AppProtocol{"81": "HTTP", "444": "HTTPS"},
+		},
 		{
 			svc: &v1.Service{
 				ObjectMeta: metav1.ObjectMeta{

pkg/backends/backends_test.go

@@ -76,6 +76,7 @@ func newTestJig(gce *gce.GCECloud, fakeIGs instances.InstanceGroups, syncWithClo
 
 	// Add standard hooks for mocking update calls. Each test can set a different update hook if it chooses to.
 	(gce.Compute().(*cloud.MockGCE)).MockAlphaBackendServices.UpdateHook = mock.UpdateAlphaBackendServiceHook
+	(gce.Compute().(*cloud.MockGCE)).MockBetaBackendServices.UpdateHook = mock.UpdateBetaBackendServiceHook
 	(gce.Compute().(*cloud.MockGCE)).MockBackendServices.UpdateHook = mock.UpdateBackendServiceHook
 
 	return bp, healthCheckProvider
@@ -148,22 +149,6 @@ func TestBackendPoolAdd(t *testing.T) {
 	}
 }
 
-func TestBackendPoolAddWithoutWhitelist(t *testing.T) {
-	fakeGCE := gce.FakeGCECloud(gce.DefaultTestClusterValues())
-	fakeIGs := instances.NewFakeInstanceGroups(sets.NewString(), defaultNamer)
-	pool, _ := newTestJig(fakeGCE, fakeIGs, false)
-
-	sp := utils.ServicePort{NodePort: 3000, Protocol: annotations.ProtocolHTTP2}
-
-	// Add hook to simulate the forbidden error (i.e no alpha whitelist).
-	(fakeGCE.Compute().(*cloud.MockGCE)).MockAlphaBackendServices.InsertHook = mock.InsertAlphaBackendServiceUnauthorizedErrHook
-
-	err := pool.Ensure([]utils.ServicePort{sp}, nil)
-	if !utils.IsHTTPErrorCode(err, http.StatusForbidden) {
-		t.Fatalf("Expected creating %+v through alpha API to be forbidden, got %v", sp, err)
-	}
-}
-
 func TestHealthCheckMigration(t *testing.T) {
 	fakeGCE := gce.FakeGCECloud(gce.DefaultTestClusterValues())
 	fakeIGs := instances.NewFakeInstanceGroups(sets.NewString(), defaultNamer)
@@ -289,14 +274,14 @@ func TestBackendPoolUpdateHTTP2(t *testing.T) {
 	p.Protocol = annotations.ProtocolHTTP2
 	pool.Ensure([]utils.ServicePort{p}, nil)
 
-	beAlpha, err := fakeGCE.GetAlphaGlobalBackendService(beName)
+	beBeta, err := fakeGCE.GetBetaGlobalBackendService(beName)
 	if err != nil {
 		t.Fatalf("Unexpected err retrieving backend service after update: %v", err)
 	}
 
 	// Assert the backend has the correct protocol
-	if annotations.AppProtocol(beAlpha.Protocol) != p.Protocol {
-		t.Fatalf("Expected scheme %v but got %v", p.Protocol, annotations.AppProtocol(beAlpha.Protocol))
+	if annotations.AppProtocol(beBeta.Protocol) != p.Protocol {
+		t.Fatalf("Expected scheme %v but got %v", p.Protocol, annotations.AppProtocol(beBeta.Protocol))
 	}
 
 	// Assert the proper health check was created
@@ -306,36 +291,6 @@ func TestBackendPoolUpdateHTTP2(t *testing.T) {
 	}
 }
 
-func TestBackendPoolUpdateHTTP2WithoutWhitelist(t *testing.T) {
-	fakeGCE := gce.FakeGCECloud(gce.DefaultTestClusterValues())
-	fakeIGs := instances.NewFakeInstanceGroups(sets.NewString(), defaultNamer)
-	pool, _ := newTestJig(fakeGCE, fakeIGs, false)
-
-	p := utils.ServicePort{NodePort: 3000, Protocol: annotations.ProtocolHTTP}
-	pool.Ensure([]utils.ServicePort{p}, nil)
-	beName := p.BackendName(defaultNamer)
-
-	be, err := fakeGCE.GetGlobalBackendService(beName)
-	if err != nil {
-		t.Fatalf("Unexpected err: %v", err)
-	}
-
-	if annotations.AppProtocol(be.Protocol) != p.Protocol {
-		t.Fatalf("Expected scheme %v but got %v", p.Protocol, be.Protocol)
-	}
-
-	// Add hook to simulate the forbidden error (i.e no alpha whitelist).
-	(fakeGCE.Compute().(*cloud.MockGCE)).MockAlphaBackendServices.UpdateHook = mock.UpdateAlphaBackendServiceUnauthorizedErrHook
-
-	// Update service port to HTTP2
-	p.Protocol = annotations.ProtocolHTTP2
-	err = pool.Ensure([]utils.ServicePort{p}, nil)
-
-	if !utils.IsHTTPErrorCode(err, http.StatusForbidden) {
-		t.Fatalf("Expected getting %+v through alpha API to be forbidden, got %v", p, err)
-	}
-}
-
 func TestBackendPoolChaosMonkey(t *testing.T) {
 	fakeGCE := gce.FakeGCECloud(gce.DefaultTestClusterValues())
 	fakeIGs := instances.NewFakeInstanceGroups(sets.NewString(), defaultNamer)

pkg/backends/features/features.go

@@ -39,8 +39,8 @@ var (
 	// versionToFeatures stores the mapping from the required API
 	// version to feature names.
 	versionToFeatures = map[meta.Version][]string{
-		meta.VersionAlpha: []string{FeatureHTTP2},
-		meta.VersionBeta:  []string{FeatureSecurityPolicy, FeatureNEG},
+		meta.VersionAlpha: []string{},
+		meta.VersionBeta:  []string{FeatureSecurityPolicy, FeatureNEG, FeatureHTTP2},
 	}
 )
 

pkg/backends/features/features_test.go

@@ -131,7 +131,7 @@ func TestVersionFromFeatures(t *testing.T) {
 		{
 			desc:            "HTTP2",
 			features:        []string{FeatureHTTP2},
-			expectedVersion: meta.VersionAlpha,
+			expectedVersion: meta.VersionBeta,
 		},
 		{
 			desc:            "SecurityPolicy",
@@ -146,7 +146,7 @@ func TestVersionFromFeatures(t *testing.T) {
 		{
 			desc:            "HTTP2 + SecurityPolicy",
 			features:        []string{FeatureHTTP2, FeatureSecurityPolicy},
-			expectedVersion: meta.VersionAlpha,
+			expectedVersion: meta.VersionBeta,
 		},
 		{
 			desc:            "unknown feature",
@@ -181,7 +181,7 @@ func TestVersionFromDescription(t *testing.T) {
 		{
 			desc:               "HTTP2",
 			backendServiceDesc: `{"kubernetes.io/service-name":"my-service","kubernetes.io/service-port":"my-port","x-features":["HTTP2"]}`,
-			expectedVersion:    meta.VersionAlpha,
+			expectedVersion:    meta.VersionBeta,
 		},
 		{
 			desc:               "SecurityPolicy",
@@ -191,12 +191,12 @@ func TestVersionFromDescription(t *testing.T) {
 		{
 			desc:               "HTTP2 + SecurityPolicy",
 			backendServiceDesc: `{"kubernetes.io/service-name":"my-service","kubernetes.io/service-port":"my-port","x-features":["HTTP2","SecurityPolicy"]}`,
-			expectedVersion:    meta.VersionAlpha,
+			expectedVersion:    meta.VersionBeta,
 		},
 		{
 			desc:               "HTTP2 + unknown",
 			backendServiceDesc: `{"kubernetes.io/service-name":"my-service","kubernetes.io/service-port":"my-port","x-features":["HTTP2","whatisthis"]}`,
-			expectedVersion:    meta.VersionAlpha,
+			expectedVersion:    meta.VersionBeta,
 		},
 	}
 
@@ -221,7 +221,7 @@ func TestVersionFromServicePort(t *testing.T) {
 		{
 			desc:            "enabled http2",
 			svcPort:         svcPortWithHTTP2,
-			expectedVersion: meta.VersionAlpha,
+			expectedVersion: meta.VersionBeta,
 		},
 		{
 			desc:            "enabled security policy",
@@ -231,7 +231,7 @@ func TestVersionFromServicePort(t *testing.T) {
 		{
 			desc:            "enabled http2 + security policy",
 			svcPort:         svcPortWithHTTP2SecurityPolicy,
-			expectedVersion: meta.VersionAlpha,
+			expectedVersion: meta.VersionBeta,
 		},
 	}