Merge branch 'kubernetes-sigs:main' into auto-discovery-cert-list

Author: abeowlu

controllers/gateway/gateway_controller.go

@@ -231,12 +231,16 @@ func (r *gatewayReconciler) reconcileHelper(ctx context.Context, req reconcile.R
 
 	loaderResults, err := r.gatewayLoader.LoadRoutesForGateway(ctx, *gw, r.routeFilter, r.controllerName, resolvedDefaultTGC)
 
-	if err != nil || loaderResults.ValidationResults.HasErrors {
+	validationHasErrors := false
+	if loaderResults != nil {
+		validationHasErrors = loaderResults.ValidationResults.HasErrors()
+	}
+	if err != nil || validationHasErrors {
 		var loaderErr routeutils.LoaderError
-		if errors.As(err, &loaderErr) || loaderResults.ValidationResults.HasErrors {
+		if errors.As(err, &loaderErr) || validationHasErrors {
 			var gatewayReason gwv1.GatewayConditionReason
 			var gatewayMessage string
-			if loaderErr == nil && loaderResults.ValidationResults.HasErrors {
+			if loaderErr == nil && validationHasErrors {
 				gatewayReason = gwv1.GatewayReasonAccepted
 				gatewayMessage = gateway_constants.GatewayAcceptedFalseMessage
 			} else {

controllers/gateway/listener_status_utils.go

@@ -11,8 +11,9 @@ import (
 	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
 
-func buildListenerStatus(gateway gwv1.Gateway, listeners []gwv1.Listener, attachedRoutesMap map[gwv1.SectionName]int32, validateListenerResults routeutils.ListenerValidationResults, isProgrammed bool) []gwv1.ListenerStatus {
+func buildListenerStatus(gateway gwv1.Gateway, listeners []gwv1.Listener, attachedRoutesMap map[gwv1.SectionName]int32, validatedListeners routeutils.ValidatedGatewayListeners, isProgrammed bool) []gwv1.ListenerStatus {
 	var listenerStatuses []gwv1.ListenerStatus
+	validateListenerResults := validatedListeners.GatewayListenerValidation
 
 	for _, listener := range listeners {
 		listenerValidationResult := validateListenerResults.Results[listener.Name]

controllers/gateway/listener_status_utils_test.go

@@ -16,7 +16,7 @@ func Test_buildListenerStatus(t *testing.T) {
 		name                    string
 		gateway                 gwv1.Gateway
 		attachedRoutesMap       map[gwv1.SectionName]int32
-		validateListenerResults routeutils.ListenerValidationResults
+		validateListenerResults routeutils.ValidatedGatewayListeners
 		supportedKinds          []gwv1.RouteGroupKind
 		isProgrammed            bool
 		expectedListenerCount   int
@@ -37,11 +37,13 @@ func Test_buildListenerStatus(t *testing.T) {
 				},
 			},
 			attachedRoutesMap: map[gwv1.SectionName]int32{"listener1": 1},
-			validateListenerResults: routeutils.ListenerValidationResults{
-				Results: map[gwv1.SectionName]routeutils.ListenerValidationResult{
-					"listener1": {Reason: gwv1.ListenerReasonAccepted, Message: "accepted", SupportedKinds: []gwv1.RouteGroupKind{{
-						Kind: "HTTPRoute",
-					}}},
+			validateListenerResults: routeutils.ValidatedGatewayListeners{
+				GatewayListenerValidation: routeutils.ListenerValidationResults{
+					Results: map[gwv1.SectionName]routeutils.ListenerValidationResult{
+						"listener1": {Reason: gwv1.ListenerReasonAccepted, Message: "accepted", SupportedKinds: []gwv1.RouteGroupKind{{
+							Kind: "HTTPRoute",
+						}}},
+					},
 				},
 			},
 			supportedKinds: []gwv1.RouteGroupKind{{
@@ -59,7 +61,7 @@ func Test_buildListenerStatus(t *testing.T) {
 				},
 			},
 			attachedRoutesMap:       map[gwv1.SectionName]int32{},
-			validateListenerResults: routeutils.ListenerValidationResults{},
+			validateListenerResults: routeutils.ValidatedGatewayListeners{},
 			isProgrammed:            true,
 			expectedListenerCount:   0,
 		},

pkg/algorithm/maps.go

@@ -1,10 +1,14 @@
 package algorithm
 
 import (
-	"k8s.io/apimachinery/pkg/util/sets"
 	"strings"
+
+	"k8s.io/apimachinery/pkg/util/sets"
 )
 
+// awsSystemTagPrefix is the prefix for AWS-reserved system tags, which are immutable.
+const awsSystemTagPrefix = "aws:"
+
 // MapFindFirst get from list of maps until first found.
 func MapFindFirst(key string, maps ...map[string]string) (string, bool) {
 	for _, m := range maps {
@@ -53,6 +57,24 @@ func DiffStringMap(desired map[string]string, current map[string]string) (map[st
 	return modify, remove
 }
 
+// DiffStringMapIgnoreAWSTags is like DiffStringMap but filters out AWS-reserved system tags
+// (prefixed with "aws:") from both results. These tags are immutable.
+func DiffStringMapIgnoreAWSTags(desired map[string]string, current map[string]string) (map[string]string, map[string]string) {
+	modify, remove := DiffStringMap(desired, current)
+	RemoveKeysByPrefix(modify, awsSystemTagPrefix)
+	RemoveKeysByPrefix(remove, awsSystemTagPrefix)
+	return modify, remove
+}
+
+// RemoveKeysByPrefix removes all entries from the map whose key starts with the given prefix.
+func RemoveKeysByPrefix(m map[string]string, prefix string) {
+	for key := range m {
+		if strings.HasPrefix(key, prefix) {
+			delete(m, key)
+		}
+	}
+}
+
 func CSVToStringSet(csv string) sets.Set[string] {
 	s := sets.Set[string]{}
 

pkg/algorithm/maps_test.go

@@ -1,9 +1,10 @@
 package algorithm
 
 import (
+	"testing"
+
 	"github.com/stretchr/testify/assert"
 	"k8s.io/apimachinery/pkg/util/sets"
-	"testing"
 )
 
 func TestMapFindFirst(t *testing.T) {
@@ -358,3 +359,114 @@ func TestStringSetToCSV(t *testing.T) {
 		})
 	}
 }
+
+func TestRemoveKeysByPrefix(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  map[string]string
+		prefix string
+		want   map[string]string
+	}{
+		{
+			name:   "removes aws: prefixed keys",
+			input:  map[string]string{"aws:cloudformation:stack-name": "my-stack", "elbv2.k8s.aws/cluster": "my-cluster", "aws:cloudformation:logical-id": "NLB"},
+			prefix: "aws:",
+			want:   map[string]string{"elbv2.k8s.aws/cluster": "my-cluster"},
+		},
+		{
+			name:   "no matching prefix",
+			input:  map[string]string{"elbv2.k8s.aws/cluster": "my-cluster", "service.k8s.aws/stack": "default/svc"},
+			prefix: "aws:",
+			want:   map[string]string{"elbv2.k8s.aws/cluster": "my-cluster", "service.k8s.aws/stack": "default/svc"},
+		},
+		{
+			name:   "all keys match prefix",
+			input:  map[string]string{"aws:cloudformation:stack-name": "s", "aws:cloudformation:stack-id": "id"},
+			prefix: "aws:",
+			want:   map[string]string{},
+		},
+		{
+			name:   "empty map",
+			input:  map[string]string{},
+			prefix: "aws:",
+			want:   map[string]string{},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			RemoveKeysByPrefix(tt.input, tt.prefix)
+			assert.Equal(t, tt.want, tt.input)
+		})
+	}
+}
+
+func TestDiffStringMapIgnoreAWSTags(t *testing.T) {
+	tests := []struct {
+		name       string
+		desired    map[string]string
+		current    map[string]string
+		wantUpdate map[string]string
+		wantRemove map[string]string
+	}{
+		{
+			name: "aws: tags in current are not removed",
+			desired: map[string]string{
+				"elbv2.k8s.aws/cluster": "my-cluster",
+				"service.k8s.aws/stack": "default/svc",
+			},
+			current: map[string]string{
+				"elbv2.k8s.aws/cluster":         "my-cluster",
+				"aws:cloudformation:stack-name": "my-stack",
+				"aws:cloudformation:stack-id":   "arn:aws:cloudformation:us-east-1:123:stack/my-stack/abc",
+				"aws:cloudformation:logical-id": "NLB",
+			},
+			wantUpdate: map[string]string{
+				"service.k8s.aws/stack": "default/svc",
+			},
+			wantRemove: map[string]string{},
+		},
+		{
+			name: "aws: tags in desired are not added",
+			desired: map[string]string{
+				"elbv2.k8s.aws/cluster": "my-cluster",
+				"aws:createdBy":         "should-be-ignored",
+			},
+			current: map[string]string{
+				"elbv2.k8s.aws/cluster": "my-cluster",
+			},
+			wantUpdate: map[string]string{},
+			wantRemove: map[string]string{},
+		},
+		{
+			name: "no aws: tags behaves like DiffStringMap",
+			desired: map[string]string{
+				"a": "1",
+				"b": "2",
+			},
+			current: map[string]string{
+				"a": "1",
+				"c": "3",
+			},
+			wantUpdate: map[string]string{
+				"b": "2",
+			},
+			wantRemove: map[string]string{
+				"c": "3",
+			},
+		},
+		{
+			name:       "both empty",
+			desired:    map[string]string{},
+			current:    map[string]string{},
+			wantUpdate: map[string]string{},
+			wantRemove: map[string]string{},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotUpdate, gotRemove := DiffStringMapIgnoreAWSTags(tt.desired, tt.current)
+			assert.Equal(t, tt.wantUpdate, gotUpdate)
+			assert.Equal(t, tt.wantRemove, gotRemove)
+		})
+	}
+}

pkg/deploy/aga/tagging_manager.go

@@ -103,7 +103,7 @@ func (m *defaultTaggingManager) ReconcileTags(ctx context.Context, arn string, d
 		}
 	}
 
-	tagsToUpdate, tagsToRemove := algorithm.DiffStringMap(desiredTags, currentTags)
+	tagsToUpdate, tagsToRemove := algorithm.DiffStringMapIgnoreAWSTags(desiredTags, currentTags)
 	for _, ignoredTagKey := range reconcileOpts.IgnoredTagKeys {
 		delete(tagsToUpdate, ignoredTagKey)
 		delete(tagsToRemove, ignoredTagKey)

pkg/deploy/aga/tagging_manager_test.go

@@ -6,6 +6,8 @@ import (
 	"testing"
 
 	awssdk "github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/globalaccelerator"
+	agatypes "github.com/aws/aws-sdk-go-v2/service/globalaccelerator/types"
 	rgtsdk "github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi"
 	rgttypes "github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/types"
 	"github.com/golang/mock/gomock"
@@ -15,6 +17,139 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 )
 
+func Test_defaultTaggingManager_ReconcileTags(t *testing.T) {
+	type tagResourceCall struct {
+		req  *globalaccelerator.TagResourceInput
+		resp *globalaccelerator.TagResourceOutput
+		err  error
+	}
+	type untagResourceCall struct {
+		req  *globalaccelerator.UntagResourceInput
+		resp *globalaccelerator.UntagResourceOutput
+		err  error
+	}
+	type fields struct {
+		tagResourceCalls   []tagResourceCall
+		untagResourceCalls []untagResourceCall
+	}
+	type args struct {
+		arn         string
+		desiredTags map[string]string
+		opts        []ReconcileTagsOption
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		wantErr error
+	}{
+		{
+			name: "standard case - add and remove tags",
+			fields: fields{
+				tagResourceCalls: []tagResourceCall{
+					{
+						req: &globalaccelerator.TagResourceInput{
+							ResourceArn: awssdk.String("my-arn"),
+							Tags: []agatypes.Tag{
+								{
+									Key:   awssdk.String("keyB"),
+									Value: awssdk.String("valueB2"),
+								},
+								{
+									Key:   awssdk.String("keyD"),
+									Value: awssdk.String("valueD"),
+								},
+							},
+						},
+					},
+				},
+				untagResourceCalls: []untagResourceCall{
+					{
+						req: &globalaccelerator.UntagResourceInput{
+							ResourceArn: awssdk.String("my-arn"),
+							TagKeys:     []string{"keyC"},
+						},
+					},
+				},
+			},
+			args: args{
+				arn: "my-arn",
+				desiredTags: map[string]string{
+					"keyA": "valueA",
+					"keyB": "valueB2",
+					"keyD": "valueD",
+				},
+				opts: []ReconcileTagsOption{
+					WithCurrentTags(map[string]string{
+						"keyA": "valueA",
+						"keyB": "valueB",
+						"keyC": "valueC",
+					}),
+				},
+			},
+		},
+		{
+			name: "aws: prefixed tags on current resource are not removed",
+			fields: fields{
+				tagResourceCalls: []tagResourceCall{
+					{
+						req: &globalaccelerator.TagResourceInput{
+							ResourceArn: awssdk.String("my-arn"),
+							Tags: []agatypes.Tag{
+								{
+									Key:   awssdk.String("aga.k8s.aws/stack"),
+									Value: awssdk.String("default/my-accelerator"),
+								},
+							},
+						},
+					},
+				},
+				untagResourceCalls: nil,
+			},
+			args: args{
+				arn: "my-arn",
+				desiredTags: map[string]string{
+					"elbv2.k8s.aws/cluster": "my-cluster",
+					"aga.k8s.aws/stack":     "default/my-accelerator",
+				},
+				opts: []ReconcileTagsOption{
+					WithCurrentTags(map[string]string{
+						"elbv2.k8s.aws/cluster":         "my-cluster",
+						"aws:cloudformation:stack-name": "my-stack",
+						"aws:cloudformation:stack-id":   "arn:aws:cloudformation:us-east-1:123:stack/my-stack/abc",
+						"aws:cloudformation:logical-id": "Accelerator",
+					}),
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+			gaService := services.NewMockGlobalAccelerator(ctrl)
+			for _, call := range tt.fields.tagResourceCalls {
+				gaService.EXPECT().TagResourceWithContext(gomock.Any(), call.req).Return(call.resp, call.err)
+			}
+			for _, call := range tt.fields.untagResourceCalls {
+				gaService.EXPECT().UntagResourceWithContext(gomock.Any(), call.req).Return(call.resp, call.err)
+			}
+
+			m := &defaultTaggingManager{
+				gaService:         gaService,
+				logger:            zap.New(),
+				resourceTagsCache: cache.NewExpiring(),
+			}
+			err := m.ReconcileTags(context.Background(), tt.args.arn, tt.args.desiredTags, tt.args.opts...)
+			if tt.wantErr != nil {
+				assert.EqualError(t, err, tt.wantErr.Error())
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
 func Test_defaultTaggingManager_describeResourceTagsFromRGT(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()