cilium · aanm · Mar 17, 2020 · Mar 16, 2020 · Mar 16, 2020 · Mar 16, 2020
diff --git a/Makefile b/Makefile
@@ -281,6 +281,7 @@ generate-health-api: api/v1/health/openapi.yaml
 generate-k8s-api:
 	$(call generate_k8s_api_all,github.com/cilium/cilium/pkg/k8s/apis,"cilium.io:v2")
 	$(call generate_k8s_api_deepcopy,github.com/cilium/cilium/pkg/aws,"eni:types")
+	$(call generate_k8s_api_deepcopy,github.com/cilium/cilium/pkg,"aws:types")
 	$(call generate_k8s_api_deepcopy,github.com/cilium/cilium/pkg,"azure:types")
 	$(call generate_k8s_api_deepcopy,github.com/cilium/cilium/pkg,"ipam:types")
 	$(call generate_k8s_api_deepcopy,github.com/cilium/cilium/pkg,"policy:api")

diff --git a/pkg/aws/ec2/mock/mock.go b/pkg/aws/ec2/mock/mock.go
@@ -95,25 +95,33 @@ func NewAPI(subnets []*ipamTypes.Subnet, vpcs []*ipamTypes.VirtualNetwork, secur
 // UpdateSubnets replaces the subents which the mock API will return
 func (e *API) UpdateSubnets(subnets []*ipamTypes.Subnet) {
 	e.mutex.Lock()
+	e.subnets = map[string]*ipamTypes.Subnet{}
 	for _, s := range subnets {
-		e.subnets[s.ID] = s
+		e.subnets[s.ID] = s.DeepCopy()
 	}
 	e.mutex.Unlock()
 }
 
 // UpdateSecurityGroups replaces the security groups which the mock API will return
 func (e *API) UpdateSecurityGroups(securityGroups []*types.SecurityGroup) {
 	e.mutex.Lock()
+	e.securityGroups = map[string]*types.SecurityGroup{}
 	for _, sg := range securityGroups {
-		e.securityGroups[sg.ID] = sg
+		e.securityGroups[sg.ID] = sg.DeepCopy()
 	}
 	e.mutex.Unlock()
 }
 
 // UpdateENIs replaces the ENIs which the mock API will return
 func (e *API) UpdateENIs(enis map[string]ENIMap) {
 	e.mutex.Lock()
-	e.enis = enis
+	e.enis = map[string]ENIMap{}
+	for instanceID, m := range enis {
+		e.enis[instanceID] = ENIMap{}
+		for eniID, eni := range m {
+			e.enis[instanceID][eniID] = eni.DeepCopy()
+		}
+	}
 	e.mutex.Unlock()
 }
 
@@ -199,7 +207,7 @@ func (e *API) CreateNetworkInterface(ctx context.Context, toAllocate int64, subn
 	subnet.AvailableAddresses -= int(toAllocate)
 
 	e.unattached[eniID] = eni
-	return eniID, eni, nil
+	return eniID, eni.DeepCopy(), nil
 }
 
 func (e *API) DeleteNetworkInterface(ctx context.Context, eniID string) error {
@@ -371,7 +379,7 @@ func (e *API) GetInstances(ctx context.Context, vpcs ipamTypes.VirtualNetworkMap
 				}
 			}
 
-			instances.Add(instanceID, eni)
+			instances.Add(instanceID, eni.DeepCopy())
 		}
 	}
 
@@ -385,7 +393,7 @@ func (e *API) GetVpcs(ctx context.Context) (ipamTypes.VirtualNetworkMap, error)
 	defer e.mutex.RUnlock()
 
 	for _, v := range e.vpcs {
-		vpcs[v.ID] = v
+		vpcs[v.ID] = v.DeepCopy()
 	}
 	return vpcs, nil
 }
@@ -397,7 +405,7 @@ func (e *API) GetSubnets(ctx context.Context) (ipamTypes.SubnetMap, error) {
 	defer e.mutex.RUnlock()
 
 	for _, s := range e.subnets {
-		subnets[s.ID] = s
+		subnets[s.ID] = s.DeepCopy()
 	}
 	return subnets, nil
 }
@@ -423,7 +431,7 @@ func (e *API) GetSecurityGroups(ctx context.Context) (types.SecurityGroupMap, er
 	defer e.mutex.RUnlock()
 
 	for _, sg := range e.securityGroups {
-		securityGroups[sg.ID] = sg
+		securityGroups[sg.ID] = sg.DeepCopy()
 	}
 	return securityGroups, nil
 }
diff --git a/pkg/aws/ec2/mock/mock_test.go b/pkg/aws/ec2/mock/mock_test.go
@@ -22,6 +22,7 @@ import (
 	"testing"
 
 	"github.com/cilium/cilium/pkg/aws/types"
+	"github.com/cilium/cilium/pkg/checker"
 	ipamTypes "github.com/cilium/cilium/pkg/ipam/types"
 
 	"gopkg.in/check.v1"
@@ -72,6 +73,22 @@ func (e *MockSuite) TestMock(c *check.C) {
 	c.Assert(ok, check.Equals, false)
 	_, ok = api.enis["i-1"][eniID2]
 	c.Assert(ok, check.Equals, false)
+
+	sg1 := &types.SecurityGroup{
+		ID:    "sg1",
+		VpcID: "vpc-1",
+		Tags:  map[string]string{"k1": "v1"},
+	}
+	sg2 := &types.SecurityGroup{
+		ID:    "sg2",
+		VpcID: "vpc-1",
+		Tags:  map[string]string{"k1": "v1"},
+	}
+	api.UpdateSecurityGroups([]*types.SecurityGroup{sg1, sg2})
+
+	sgMap, err := api.GetSecurityGroups(context.TODO())
+	c.Assert(err, check.IsNil)
+	c.Assert(sgMap, checker.DeepEquals, types.SecurityGroupMap{"sg1": sg1, "sg2": sg2})
 }
 
 func (e *MockSuite) TestSetMockError(c *check.C) {

diff --git a/pkg/aws/eni/limits.go b/pkg/aws/eni/limits.go
@@ -22,6 +22,7 @@ import (
 	"strings"
 
 	ipamTypes "github.com/cilium/cilium/pkg/ipam/types"
+	"github.com/cilium/cilium/pkg/lock"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/aws/external"
@@ -32,6 +33,7 @@ import (
 // The mappings will be updated from agent configuration at bootstrap time
 //
 // Source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html?shortFooter=true#AvailableIpPerENI
+var limitsMutex lock.RWMutex
 var limits = map[string]ipamTypes.Limits{
 	"a1.medium":     {Adapters: 2, IPv4: 4, IPv6: 4},
 	"a1.large":      {Adapters: 3, IPv4: 10, IPv6: 10},
@@ -254,12 +256,17 @@ var limits = map[string]ipamTypes.Limits{
 
 // getLimits returns the instance limits of a particular instance type
 func getLimits(instanceType string) (limit ipamTypes.Limits, ok bool) {
+	limitsMutex.RLock()
 	limit, ok = limits[instanceType]
+	limitsMutex.RUnlock()
 	return
 }
 
 // UpdateLimitsFromUserDefinedMappings updates limits from the given map
 func UpdateLimitsFromUserDefinedMappings(m map[string]string) (err error) {
+	limitsMutex.Lock()
+	defer limitsMutex.Unlock()
+
 	for instanceType, limitString := range m {
 		limit, err := parseLimitString(limitString)
 		if err != nil {
@@ -304,6 +311,9 @@ func UpdateLimitsFromEC2API(ctx context.Context) error {
 		instanceTypeInfos = append(instanceTypeInfos, describeInstanceTypesResponse.InstanceTypes...)
 	}
 
+	limitsMutex.Lock()
+	defer limitsMutex.Unlock()
+
 	for _, instanceTypeInfo := range instanceTypeInfos {
 		instanceType := string(instanceTypeInfo.InstanceType)
 		adapterLimit := aws.Int64Value(instanceTypeInfo.NetworkInfo.MaximumNetworkInterfaces)

diff --git a/pkg/aws/types/types.go b/pkg/aws/types/types.go
@@ -1,4 +1,4 @@
-// Copyright 2019 Authors of Cilium
+// Copyright 2019-2020 Authors of Cilium
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -20,6 +20,8 @@ import (
 )
 
 // SecurityGroup is the representation of an AWS Security Group
+//
+// +k8s:deepcopy-gen=true
 type SecurityGroup struct {
 	// ID is the SecurityGroup ID
 	ID string

diff --git a/pkg/aws/types/zz_generated.deepcopy.go b/pkg/aws/types/zz_generated.deepcopy.go
diff --git a/pkg/ipam/node.go b/pkg/ipam/node.go
@@ -261,7 +261,9 @@ func (n *Node) recalculateLocked() {
 	}
 
 	n.available = a
-	n.stats.UsedIPs = len(n.resource.Status.IPAM.Used)
+	if n.resource != nil {
+		n.stats.UsedIPs = len(n.resource.Status.IPAM.Used)
+	}
 	n.stats.AvailableIPs = len(n.available)
 	n.stats.NeededIPs = calculateNeededIPs(n.stats.AvailableIPs, n.stats.UsedIPs, n.ops.GetPreAllocate(), n.ops.GetMinAllocate())
 	n.stats.ExcessIPs = calculateExcessIPs(n.stats.AvailableIPs, n.stats.UsedIPs, n.ops.GetPreAllocate(), n.ops.GetMinAllocate(), n.ops.GetMaxAboveWatermark())

diff --git a/pkg/ipam/types/zz_generated.deepcopy.go b/pkg/ipam/types/zz_generated.deepcopy.go