add flag to specify resource prefix for resource tags

Author: oliviassss

controllers/ingress/group_controller.go

@@ -34,8 +34,7 @@ import (
 )
 
 const (
-	ingressTagPrefix = "ingress.k8s.aws"
-	controllerName   = "ingress"
+	controllerName = "ingress"
 
 	// the groupVersion of used Ingress & IngressClass resource.
 	ingressResourcesGroupVersion = "networking.k8s.io/v1"
@@ -53,7 +52,7 @@ func NewGroupReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorder
 	authConfigBuilder := ingress.NewDefaultAuthConfigBuilder(annotationParser)
 	enhancedBackendBuilder := ingress.NewDefaultEnhancedBackendBuilder(k8sClient, annotationParser, authConfigBuilder, controllerConfig.IngressConfig.TolerateNonExistentBackendService, controllerConfig.IngressConfig.TolerateNonExistentBackendAction)
 	referenceIndexer := ingress.NewDefaultReferenceIndexer(enhancedBackendBuilder, authConfigBuilder, logger)
-	trackingProvider := tracking.NewDefaultProvider(ingressTagPrefix, controllerConfig.ClusterName)
+	trackingProvider := tracking.NewDefaultProvider(controllerConfig.ResourcePrefix[config.ClusterTagPrefixKey], controllerConfig.ResourcePrefix[config.IngressTagPrefixKey], controllerConfig.ClusterName)
 	modelBuilder := ingress.NewDefaultModelBuilder(k8sClient, eventRecorder,
 		cloud.EC2(), cloud.ELBV2(), cloud.ACM(),
 		annotationParser, subnetsResolver,
@@ -63,7 +62,7 @@ func NewGroupReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorder
 		controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules, controllerConfig.IngressConfig.AllowedCertificateAuthorityARNs, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), logger)
 	stackMarshaller := deploy.NewDefaultStackMarshaller()
 	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler, elbv2TaggingManager,
-		controllerConfig, ingressTagPrefix, logger)
+		controllerConfig, controllerConfig.ResourcePrefix[config.ClusterTagPrefixKey], controllerConfig.ResourcePrefix[config.IngressTagPrefixKey], logger)
 	classLoader := ingress.NewDefaultClassLoader(k8sClient, true)
 	classAnnotationMatcher := ingress.NewDefaultClassAnnotationMatcher(controllerConfig.IngressConfig.IngressClass)
 	manageIngressesWithoutIngressClass := controllerConfig.IngressConfig.IngressClass == ""

controllers/service/service_controller.go

@@ -29,7 +29,6 @@ import (
 
 const (
 	serviceFinalizer        = "service.k8s.aws/resources"
-	serviceTagPrefix        = "service.k8s.aws"
 	serviceAnnotationPrefix = "service.beta.kubernetes.io"
 	controllerName          = "service"
 )
@@ -41,14 +40,14 @@ func NewServiceReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorde
 	backendSGProvider networking.BackendSGProvider, sgResolver networking.SecurityGroupResolver, logger logr.Logger) *serviceReconciler {
 
 	annotationParser := annotations.NewSuffixAnnotationParser(serviceAnnotationPrefix)
-	trackingProvider := tracking.NewDefaultProvider(serviceTagPrefix, controllerConfig.ClusterName)
+	trackingProvider := tracking.NewDefaultProvider(controllerConfig.ResourcePrefix[config.ClusterTagPrefixKey], controllerConfig.ResourcePrefix[config.ServiceTagPrefixKey], controllerConfig.ClusterName)
 	serviceUtils := service.NewServiceUtils(annotationParser, serviceFinalizer, controllerConfig.ServiceConfig.LoadBalancerClass, controllerConfig.FeatureGates)
 	modelBuilder := service.NewDefaultModelBuilder(annotationParser, subnetsResolver, vpcInfoProvider, cloud.VpcID(), trackingProvider,
 		elbv2TaggingManager, cloud.EC2(), controllerConfig.FeatureGates, controllerConfig.ClusterName, controllerConfig.DefaultTags, controllerConfig.ExternalManagedTags,
 		controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), serviceUtils,
 		backendSGProvider, sgResolver, controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules, logger)
 	stackMarshaller := deploy.NewDefaultStackMarshaller()
-	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler, elbv2TaggingManager, controllerConfig, serviceTagPrefix, logger)
+	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler, elbv2TaggingManager, controllerConfig, controllerConfig.ResourcePrefix[config.ClusterTagPrefixKey], controllerConfig.ResourcePrefix[config.ServiceTagPrefixKey], logger)
 	return &serviceReconciler{
 		k8sClient:         k8sClient,
 		eventRecorder:     eventRecorder,

pkg/config/controller_config.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"fmt"
 	"strings"
 	"time"
 
@@ -16,6 +17,7 @@ const (
 	flagLogLevel                                     = "log-level"
 	flagK8sClusterName                               = "cluster-name"
 	flagDefaultTags                                  = "default-tags"
+	flagResourcePrefix                               = "resource-prefix"
 	flagDefaultTargetType                            = "default-target-type"
 	flagExternalManagedTags                          = "external-managed-tags"
 	flagServiceTargetENISGTags                       = "service-target-eni-security-group-tags"
@@ -27,24 +29,42 @@ const (
 	flagBackendSecurityGroup                         = "backend-security-group"
 	flagEnableEndpointSlices                         = "enable-endpoint-slices"
 	flagDisableRestrictedSGRules                     = "disable-restricted-sg-rules"
-	defaultLogLevel                                  = "info"
-	defaultMaxConcurrentReconciles                   = 3
-	defaultMaxExponentialBackoffDelay                = time.Second * 1000
-	defaultSSLPolicy                                 = "ELBSecurityPolicy-2016-08"
-	defaultEnableBackendSG                           = true
-	defaultEnableEndpointSlices                      = false
-	defaultDisableRestrictedSGRules                  = false
+
+	ClusterTagPrefixKey         = "clusterTagPrefix"
+	IngressTagPrefixKey         = "ingressTagPrefix"
+	ServiceTagPrefixKey         = "serviceTagPrefix"
+	BackendSGNamePrefixKey      = "backendSGNamePrefix"
+	ClusterSgRuleLabelPrefixKey = "clusterSgRuleLabelPrefix"
+
+	defaultClusterTagPrefix           = "elbv2.k8s.aws"
+	defaultIngressTagPrefix           = "ingress.k8s.aws"
+	defaultServiceTagPrefix           = "service.k8s.aws"
+	defaultBackendSGNamePrefix        = "k8s-traffic"
+	defaultClusterSgRuleLabelPrefix   = "elbv2.k8s.aws"
+	defaultLogLevel                   = "info"
+	defaultMaxConcurrentReconciles    = 3
+	defaultMaxExponentialBackoffDelay = time.Second * 1000
+	defaultSSLPolicy                  = "ELBSecurityPolicy-2016-08"
+	defaultEnableBackendSG            = true
+	defaultEnableEndpointSlices       = false
+	defaultDisableRestrictedSGRules   = false
 )
 
 var (
-	trackingTagKeys = sets.NewString(
-		"elbv2.k8s.aws/cluster",
-		"elbv2.k8s.aws/resource",
-		"ingress.k8s.aws/stack",
-		"ingress.k8s.aws/resource",
-		"service.k8s.aws/stack",
-		"service.k8s.aws/resource",
+	validPrefixKeys = sets.NewString(
+		ClusterTagPrefixKey,
+		IngressTagPrefixKey,
+		ServiceTagPrefixKey,
+		BackendSGNamePrefixKey,
+		ClusterSgRuleLabelPrefixKey,
 	)
+	defaultResourcePrefix = map[string]string{
+		ClusterTagPrefixKey:         defaultClusterTagPrefix,
+		IngressTagPrefixKey:         defaultIngressTagPrefix,
+		ServiceTagPrefixKey:         defaultServiceTagPrefix,
+		BackendSGNamePrefixKey:      defaultBackendSGNamePrefix,
+		ClusterSgRuleLabelPrefixKey: defaultClusterSgRuleLabelPrefix,
+	}
 )
 
 // ControllerConfig contains the controller configuration
@@ -69,6 +89,9 @@ type ControllerConfig struct {
 	// Default AWS Tags that will be applied to all AWS resources managed by this controller.
 	DefaultTags map[string]string
 
+	// ResourcePrefix provides prefix for resource tags, backend SG name and worker node SG rules label.
+	ResourcePrefix map[string]string
+
 	// Default target type for Ingress and Service objects
 	DefaultTargetType string
 
@@ -134,10 +157,13 @@ func (cfg *ControllerConfig) BindFlags(fs *pflag.FlagSet) {
 		"Disable the usage of restricted security group rules")
 	fs.StringToStringVar(&cfg.ServiceTargetENISGTags, flagServiceTargetENISGTags, nil,
 		"AWS Tags, in addition to cluster tags, for finding the target ENI security group to which to add inbound rules from NLBs")
+	fs.StringToStringVar(&cfg.ResourcePrefix, flagResourcePrefix, defaultResourcePrefix,
+		"the prefixes for resource tags, backend SG name and worker node SG rules label.")
+
+	cfg.mergeDefaultResourcePrefixVal()
 	cfg.FeatureGates.BindFlags(fs)
 	cfg.AWSConfig.BindFlags(fs)
 	cfg.RuntimeConfig.BindFlags(fs)
-
 	cfg.PodWebhookConfig.BindFlags(fs)
 	cfg.IngressConfig.BindFlags(fs)
 	cfg.AddonsConfig.BindFlags(fs)
@@ -150,10 +176,23 @@ func (cfg *ControllerConfig) Validate() error {
 		return errors.New("kubernetes cluster name must be specified")
 	}
 
-	if err := cfg.validateDefaultTagsCollisionWithTrackingTags(); err != nil {
+	if err := cfg.validateResourcePrefixKeys(); err != nil {
+		return err
+	}
+
+	trackingTagKeys := sets.New[string](
+		cfg.ResourcePrefix[ClusterTagPrefixKey]+"/cluster",
+		cfg.ResourcePrefix[ClusterTagPrefixKey]+"/resource",
+		cfg.ResourcePrefix[IngressTagPrefixKey]+"/stack",
+		cfg.ResourcePrefix[IngressTagPrefixKey]+"/resource",
+		cfg.ResourcePrefix[ServiceTagPrefixKey]+"/stack",
+		cfg.ResourcePrefix[ServiceTagPrefixKey]+"/resource",
+	)
+
+	if err := cfg.validateDefaultTagsCollisionWithTrackingTags(trackingTagKeys); err != nil {
 		return err
 	}
-	if err := cfg.validateExternalManagedTagsCollisionWithTrackingTags(); err != nil {
+	if err := cfg.validateExternalManagedTagsCollisionWithTrackingTags(trackingTagKeys); err != nil {
 		return err
 	}
 	if err := cfg.validateExternalManagedTagsCollisionWithDefaultTags(); err != nil {
@@ -168,7 +207,7 @@ func (cfg *ControllerConfig) Validate() error {
 	return nil
 }
 
-func (cfg *ControllerConfig) validateDefaultTagsCollisionWithTrackingTags() error {
+func (cfg *ControllerConfig) validateDefaultTagsCollisionWithTrackingTags(trackingTagKeys sets.Set[string]) error {
 	for tagKey := range cfg.DefaultTags {
 		if trackingTagKeys.Has(tagKey) {
 			return errors.Errorf("tag key %v cannot be specified in %v flag", tagKey, flagDefaultTags)
@@ -177,7 +216,7 @@ func (cfg *ControllerConfig) validateDefaultTagsCollisionWithTrackingTags() erro
 	return nil
 }
 
-func (cfg *ControllerConfig) validateExternalManagedTagsCollisionWithTrackingTags() error {
+func (cfg *ControllerConfig) validateExternalManagedTagsCollisionWithTrackingTags(trackingTagKeys sets.Set[string]) error {
 	for _, tagKey := range cfg.ExternalManagedTags {
 		if trackingTagKeys.Has(tagKey) {
 			return errors.Errorf("tag key %v cannot be specified in %v flag", tagKey, flagExternalManagedTags)
@@ -214,3 +253,28 @@ func (cfg *ControllerConfig) validateBackendSecurityGroupConfiguration() error {
 	}
 	return nil
 }
+
+func (cfg *ControllerConfig) validateResourcePrefixKeys() error {
+	keys := make([]string, 0, len(cfg.ResourcePrefix))
+	for key := range cfg.ResourcePrefix {
+		if !validPrefixKeys.Has(key) {
+			return fmt.Errorf("invalid key: %s. Valid keys are: %v", key, validPrefixKeys.List())
+		}
+		keys = append(keys, key)
+	}
+	if len(keys) != len(validPrefixKeys.List()) {
+		return fmt.Errorf("invalid number of keys. Expected %d keys, but got %d keys",
+			len(validPrefixKeys.List()), len(keys))
+	}
+	return nil
+}
+
+// mergeDefaultResourcePrefixVal make sure the ResourcePrefix map always has default val for unspecified key in user-passed flag
+func (cfg *ControllerConfig) mergeDefaultResourcePrefixVal() {
+	// Merge user-provided values with defaults
+	for key, defaultVal := range defaultResourcePrefix {
+		if _, exists := cfg.ResourcePrefix[key]; !exists {
+			cfg.ResourcePrefix[key] = defaultVal
+		}
+	}
+}

pkg/config/controller_config_test.go

@@ -3,6 +3,7 @@ package config
 import (
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"testing"
 )
 
@@ -46,7 +47,15 @@ func TestControllerConfig_validateDefaultTagsCollisionWithTrackingTags(t *testin
 			cfg := &ControllerConfig{
 				DefaultTags: tt.fields.DefaultTags,
 			}
-			err := cfg.validateDefaultTagsCollisionWithTrackingTags()
+			trackingTagKeys := sets.New[string](
+				"elbv2.k8s.aws/cluster",
+				"elbv2.k8s.aws/resource",
+				"ingress.k8s.aws/stack",
+				"ingress.k8s.aws/resource",
+				"service.k8s.aws/stack",
+				"service.k8s.aws/resource",
+			)
+			err := cfg.validateDefaultTagsCollisionWithTrackingTags(trackingTagKeys)
 			if tt.wantErr != nil {
 				assert.EqualError(t, err, tt.wantErr.Error())
 			} else {
@@ -92,7 +101,15 @@ func TestControllerConfig_validateExternalManagedTagsCollisionWithTrackingTags(t
 			cfg := &ControllerConfig{
 				ExternalManagedTags: tt.fields.ExternalManagedTags,
 			}
-			err := cfg.validateExternalManagedTagsCollisionWithTrackingTags()
+			trackingTagKeys := sets.New[string](
+				"elbv2.k8s.aws/cluster",
+				"elbv2.k8s.aws/resource",
+				"ingress.k8s.aws/stack",
+				"ingress.k8s.aws/resource",
+				"service.k8s.aws/stack",
+				"service.k8s.aws/resource",
+			)
+			err := cfg.validateExternalManagedTagsCollisionWithTrackingTags(trackingTagKeys)
 			if tt.wantErr != nil {
 				assert.EqualError(t, err, tt.wantErr.Error())
 			} else {
@@ -164,3 +181,66 @@ func TestControllerConfig_validateExternalManagedTagsCollisionWithDefaultTags(t
 		})
 	}
 }
+
+func TestControllerConfig_validateResourcePrefixKeys(t *testing.T) {
+	type fields struct {
+		ResourcePrefix map[string]string
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		wantErr error
+	}{
+		{
+			name: "resource prefix has all keys",
+			fields: fields{
+				ResourcePrefix: map[string]string{
+					"clusterTagPrefix":         "elbv2.k8s.aws",
+					"ingressTagPrefix":         "ingress.k8s.aws",
+					"serviceTagPrefix":         "service.k8s.aws",
+					"backendSGNamePrefix":      "k8s-traffic",
+					"clusterSgRuleLabelPrefix": "elbv2.k8s.aws",
+				},
+			},
+			wantErr: nil,
+		},
+		{
+			name: "resource prefix has some invalid keys",
+			fields: fields{
+				ResourcePrefix: map[string]string{
+					"clusterTagPrefix":    "elbv2.k8s.aws",
+					"ingressTagPrefix":    "ingress.k8s.aws",
+					"serviceTagPrefix":    "service.k8s.aws",
+					"backendSGNamePrefix": "k8s-traffic",
+					"myKey":               "myVal",
+				},
+			},
+			wantErr: errors.New("invalid key: myKey. Valid keys are: [backendSGNamePrefix clusterSgRuleLabelPrefix clusterTagPrefix ingressTagPrefix serviceTagPrefix]"),
+		},
+		{
+			name: "resource prefix is missing some valid keys",
+			fields: fields{
+				ResourcePrefix: map[string]string{
+					"clusterTagPrefix":    "elbv2.k8s.aws",
+					"ingressTagPrefix":    "ingress.k8s.aws",
+					"serviceTagPrefix":    "service.k8s.aws",
+					"backendSGNamePrefix": "k8s-traffic",
+				},
+			},
+			wantErr: errors.New("invalid number of keys. Expected 5 keys, but got 4 keys"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := &ControllerConfig{
+				ResourcePrefix: tt.fields.ResourcePrefix,
+			}
+			err := cfg.validateResourcePrefixKeys()
+			if tt.wantErr != nil {
+				assert.EqualError(t, err, tt.wantErr.Error())
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}

pkg/deploy/stack_deployer.go

@@ -26,9 +26,9 @@ type StackDeployer interface {
 func NewDefaultStackDeployer(cloud aws.Cloud, k8sClient client.Client,
 	networkingSGManager networking.SecurityGroupManager, networkingSGReconciler networking.SecurityGroupReconciler,
 	elbv2TaggingManager elbv2.TaggingManager,
-	config config.ControllerConfig, tagPrefix string, logger logr.Logger) *defaultStackDeployer {
+	config config.ControllerConfig, clusterTagPrefix string, resourceTagPrefix string, logger logr.Logger) *defaultStackDeployer {
 
-	trackingProvider := tracking.NewDefaultProvider(tagPrefix, config.ClusterName)
+	trackingProvider := tracking.NewDefaultProvider(clusterTagPrefix, resourceTagPrefix, config.ClusterName)
 	ec2TaggingManager := ec2.NewDefaultTaggingManager(cloud.EC2(), networkingSGManager, cloud.VpcID(), logger)
 
 	return &defaultStackDeployer{