Clean up ALBs using spec.ingressClassName and ALB security groups #6389

Merged
merged 6 commits into from
May 26, 2023


aaroniscode
Contributor

@aaroniscode aaroniscode commented Mar 6, 2023

Description

ALBs created using ingressClassName in the Ingress spec are not cleaned up today. The code was only looking at the deprecated kubernetes.io/ingress.class annotation.

The code now checks if ingressClassName is set and if not, falls back to checking the annotation.

This is my first PR for eksctl so please guide me on required documentation. I didn't see any tests and wasn't sure if it was necessary. Let me know. Thanks.

Edit: added a second commit that fixes deletion of ALB security groups. It doesn't delete them, it just waits for the AWS LB Controller to delete them before deleting the node group.

Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the userdocs directory)
  • Manually tested
  • Made sure the title of the PR is a good description that can go into the release notes
  • (Core team) Added labels for change area (e.g. area/nodegroup) and kind (e.g. kind/improvement)

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

  • Backfilled missing tests for code in same general area 🎉
  • Refactored something and made the world a better place 🌟

Contributor

@github-actions github-actions bot left a comment

Hello aaroniscode 👋 Thank you for opening a Pull Request in eksctl project. The team will review the Pull Request and aim to respond within 1-10 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website

@aaroniscode aaroniscode changed the title "fix to clean up ALBs using spec.ingressClassName" to "fix to clean up ALBs using spec.ingressClassName and ALB security groups" Mar 7, 2023
Collaborator

@Himangini Himangini left a comment

@aaroniscode Thanks for the contribution. Can you perhaps write up how you manually tested the changes?

@aaroniscode
Contributor Author

sure @Himangini

Testing was straightforward. Created a cluster using eksctl

eksctl create cluster -f alb.yaml

alb.yaml below:

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: alb
  region: us-west-2
  version: "1.25"

addons:
- name: vpc-cni

cloudWatch:
  clusterLogging:
    enableTypes: ["*"]

iam:
  withOIDC: true

managedNodeGroups:
- name: main
  amiFamily: AmazonLinux2
  iam:
    attachPolicyARNs:
    - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
    - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
    - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  instanceType: t3.large
  minSize: 0
  desiredCapacity: 2
  maxSize: 10
  privateNetworking: true
  spot: false

Installed AWS LB Controller using instructions here: https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html.

Deploy the example game 2048 application

apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: game-2048
  name: deployment-2048
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: app-2048
  replicas: 1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: app-2048
    spec:
      containers:
      - image: public.ecr.aws/l6m2t8p7/docker-2048:latest
        imagePullPolicy: Always
        name: app-2048
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  namespace: game-2048
  name: service-2048
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: ClusterIP
  selector:
    app.kubernetes.io/name: app-2048
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: game-2048
  name: ingress-2048
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: service-2048
              port:
                number: 80

Then delete the cluster: eksctl delete cluster alb

@github-actions github-actions bot added the stale label May 7, 2023
@Himangini Himangini removed the stale label May 10, 2023
Collaborator

@cPu1 cPu1 left a comment

I have left some suggestions but otherwise it LGTM 🙂.

pkg/elb/cleanup.go
securityGroupIDs, err := getSecurityGroupsOwnedByLoadBalancer(ctx, ec2API, elbAPI, elbv2API, clusterName, name, application)
cleanup()
if err != nil {
return nil, fmt.Errorf("cannot obtain security groups for ALB %s: %s", name, err)
Collaborator

Suggested change
return nil, fmt.Errorf("cannot obtain security groups for ALB %s: %s", name, err)
return nil, fmt.Errorf("cannot obtain security groups for ALB %s: %w", name, err)

for _, tag := range tags {
if aws.ToString(tag.Key) == clusterTagKey {
if aws.ToString(tag.Key) == k8sClusterTagKey || aws.ToString(tag.Key) == elbv2ClusterTagKey {
Collaborator

Alternatively:

Suggested change
if aws.ToString(tag.Key) == k8sClusterTagKey || aws.ToString(tag.Key) == elbv2ClusterTagKey {
switch aws.ToString(tag.Key) {
case k8sClusterTagKey, elbv2ClusterTagKey:

pkg/elb/cleanup.go
Comment on lines 229 to 231
ctx, cleanup := context.WithTimeout(ctx, 30*time.Second)
securityGroupIDs, err := getSecurityGroupsOwnedByLoadBalancer(ctx, ec2API, elbAPI, elbv2API, clusterName, name, application)
cleanup()
Collaborator

I know this is taken from getServiceLoadBalancer but a more idiomatic way is:

Suggested change
ctx, cleanup := context.WithTimeout(ctx, 30*time.Second)
securityGroupIDs, err := getSecurityGroupsOwnedByLoadBalancer(ctx, ec2API, elbAPI, elbv2API, clusterName, name, application)
cleanup()
ctx, cleanup := context.WithTimeout(ctx, 30*time.Second)
defer cleanup()
securityGroupIDs, err := getSecurityGroupsOwnedByLoadBalancer(ctx, ec2API, elbAPI, elbv2API, clusterName, name, application)

Contributor Author

done


lb, err := getIngressLoadBalancer(ctx, ec2API, elbAPI, elbv2API, clusterConfig.Metadata.Name, i)
if err != nil {
return fmt.Errorf("cannot obtain information for ALB from Ingress %s/%s: %s",
Collaborator

Suggested change
return fmt.Errorf("cannot obtain information for ALB from Ingress %s/%s: %s",
return fmt.Errorf("cannot obtain information for ALB from Ingress %s/%s: %w",

Contributor Author

done

if loadBalancerKind == network {
elbv2API DescribeLoadBalancersAPIV2, clusterName string, loadBalancerName string, loadBalancerKind loadBalancerKind) (map[string]struct{}, error) {

groupIds := []string{}
Collaborator

Minor nit:

Suggested change
groupIds := []string{}
var groupIDs []string

Contributor Author

done ... I had to rename the variable in a few other places

Names: []string{name},
})
if err != nil {
if isELBNotFoundErr(err) {
Collaborator

A not-found error returned from elbv2API.DescribeLoadBalancers will not pass isELBNotFoundErr. The error returned would be of type elasticloadbalancingv2types.LoadBalancerNotFoundException which is not handled by isELBNotFoundErr.

Contributor Author

thanks for catching this ... I added a new isELBv2NotFoundErr function that looks for the correct exception in the right package.
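
The two review points in this thread (a not-found check tied to the wrong exception type, and %s versus %w when wrapping) both depend on how errors.As walks the error chain. The Go program below is an added example, not code from this PR or from eksctl; elbNotFound and elbv2NotFound are hypothetical stand-ins for the SDK exception types, and the load balancer name is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the two SDK exception types, which live in
// different packages (classic ELB API versus ELBv2 API).
type elbNotFound struct{ name string }   // the type a classic-only check handles
type elbv2NotFound struct{ name string } // stands in for LoadBalancerNotFoundException

func (e *elbNotFound) Error() string   { return "classic ELB not found: " + e.name }
func (e *elbv2NotFound) Error() string { return "ELBv2 load balancer not found: " + e.name }

// isClassicNotFound mirrors a check written for the classic API only.
func isClassicNotFound(err error) bool {
	var nf *elbNotFound
	return errors.As(err, &nf)
}

// isV2NotFound is the separate check the v2 API needs.
func isV2NotFound(err error) bool {
	var nf *elbv2NotFound
	return errors.As(err, &nf)
}

// describeV2 simulates a v2 describe call for a load balancer that the
// controller has already deleted.
func describeV2(name string) error { return &elbv2NotFound{name: name} }

// wrap adds caller context in the two ways discussed in the review.
func wrap(err error, keepChain bool) error {
	if keepChain {
		return fmt.Errorf("cannot obtain security groups for ALB: %w", err)
	}
	// The s verb flattens err to text, so the typed error is no longer reachable.
	return fmt.Errorf("cannot obtain security groups for ALB: %s", err)
}

func main() {
	err := describeV2("k8s-game2048-example") // constructed name
	fmt.Println("classic check on v2 error:", isClassicNotFound(err))
	fmt.Println("v2 check on v2 error:", isV2NotFound(err))
	fmt.Println("v2 check, wrapped without chain:", isV2NotFound(wrap(err, false)))
	fmt.Println("v2 check, wrapped with chain:", isV2NotFound(wrap(err, true)))
}
```

In a cleanup path, a not-found result that the check misses surfaces as a hard failure instead of "already deleted", so the type-specific check and the %w wrapping have to agree along the whole call chain.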

@aaroniscode
Contributor Author

@cPu1 thanks for the code review and the suggestions! I applied all of your suggestions in a new commit.

@aaroniscode aaroniscode requested a review from cPu1 May 17, 2023 02:07
@Himangini Himangini changed the title "fix to clean up ALBs using spec.ingressClassName and ALB security groups" to "Clean up ALBs using spec.ingressClassName and ALB security groups" May 17, 2023
Collaborator

@cPu1 cPu1 left a comment

LGTM. Thanks for the great contribution, Aaron! 🎉
