Address PR comments: Adding build TLS_PASSTHROUGH listener logic in the model_build_listener

Author: Zijun Wang

pkg/deploy/lattice/listener_synthesizer.go

@@ -50,7 +50,7 @@ func (l *listenerSynthesizer) Synthesize(ctx context.Context) error {
 return err
 }
 
-defaultAction, err := l.getLatticeListenerDefaultAction(ctx, listener.Spec.Protocol)
+defaultAction, err := l.getLatticeListenerDefaultAction(ctx, listener)
 if err != nil {
 return err
 }
@@ -89,37 +89,37 @@ func (l *listenerSynthesizer) Synthesize(ctx context.Context) error {
 return nil
 }
 
-func (l *listenerSynthesizer) getLatticeListenerDefaultAction(ctx context.Context, modelListenerProtocol string) (
+func (l *listenerSynthesizer) getLatticeListenerDefaultAction(ctx context.Context, stackListener *model.Listener) (
 *vpclattice.RuleAction, error,
 ) {
-if modelListenerProtocol != vpclattice.ListenerProtocolTlsPassthrough {
+if stackListener.Spec.DefaultAction == nil ||
+(stackListener.Spec.DefaultAction.FixedResponseStatusCode == nil && stackListener.Spec.DefaultAction.Forward == nil) {
+return nil, fmt.Errorf("invalid listener default action, must be either fixed response or forward")
+}
+
+if stackListener.Spec.DefaultAction.FixedResponseStatusCode != nil {
 return &vpclattice.RuleAction{
 FixedResponse: &vpclattice.FixedResponseAction{
-StatusCode: aws.Int64(404),
+StatusCode: stackListener.Spec.DefaultAction.FixedResponseStatusCode,
 },
 }, nil
 }
 
-var stackRules []*model.Rule
-_ = l.stack.ListResources(&stackRules)
-if len(stackRules) != 1 {
-return nil, fmt.Errorf("TLS_PASSTHROUGH listener can only have one default action and without any other additional rule, but got %d rules", len(stackRules))
-}
-if err := l.tgManager.ResolveRuleTgIds(ctx, stackRules[0], l.stack); err != nil {
+// If the listener DefaultAction is not fixed response, for example for TLS_PASSTHROUGH listener, it must be a forward action, fill the forward action target group ids for it
+if err := l.tgManager.ResolveRuleTgIds(ctx, stackListener.Spec.DefaultAction.Forward, l.stack); err != nil {
 return nil, fmt.Errorf("failed to resolve rule tg ids, err = %v", err)
 }
 
-// For TLS_PASSTHROUGH listener, we need to fill the stackRules[0].Spec.Action.TargetGroups to the lattice listener's defaultAction ForwardAction TargetGroups
 var latticeTGs []*vpclattice.WeightedTargetGroup
-for _, modelTG := range stackRules[0].Spec.Action.TargetGroups {
+for _, modelTG := range stackListener.Spec.DefaultAction.Forward.TargetGroups {
 latticeTG := vpclattice.WeightedTargetGroup{
 TargetGroupIdentifier: aws.String(modelTG.LatticeTgId),
 Weight: aws.Int64(modelTG.Weight),
 }
 latticeTGs = append(latticeTGs, &latticeTG)
 }
 
-l.log.Debugf("For TLS_PASSTHROUGH listener, forward to default target groups %v", latticeTGs)
+l.log.Debugf("DefaultAction Forward target groups: %v", latticeTGs)
 return &vpclattice.RuleAction{
 Forward: &vpclattice.ForwardAction{
 TargetGroups: latticeTGs,

pkg/deploy/lattice/listener_synthesizer_test.go

@@ -34,6 +34,9 @@ func Test_SynthesizeListenerCreate(t *testing.T) {
 ResourceMeta: core.NewResourceMeta(stack, "AWS:VPCServiceNetwork::Listener", "l-id"),
 Spec: model.ListenerSpec{
 StackServiceId: "stack-svc-id",
+DefaultAction: &model.DefaultAction{
+FixedResponseStatusCode: aws.Int64(404),
+},
 },
 }
 assert.NoError(t, stack.AddResource(l))
@@ -73,6 +76,9 @@ func Test_SynthesizeListener_CreatNewHTTPListener_DeleteStaleHTTPSListener(t *te
 StackServiceId: "stack-svc-id",
 Protocol: vpclattice.ListenerProtocolHttp,
 Port: 80,
+DefaultAction: &model.DefaultAction{
+FixedResponseStatusCode: aws.Int64(404),
+},
 },
 }
 assert.NoError(t, stack.AddResource(l))
@@ -135,9 +141,9 @@ func Test_SynthesizeListener_CreatNewTLSPassthroughListener_DeleteStaleHTTPSList
 }
 assert.NoError(t, stack.AddResource(rule))
 mockTargetGroupManager.EXPECT().ResolveRuleTgIds(gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(
-func(ctx context.Context, rule *model.Rule, stack core.Stack) error {
-rule.Spec.Action.TargetGroups[0].LatticeTgId = "lattice-tg-id-1"
-rule.Spec.Action.TargetGroups[1].LatticeTgId = "lattice-tg-id-2"
+func(ctx context.Context, ruleAction *model.RuleAction, stack core.Stack) error {
+ruleAction.TargetGroups[0].LatticeTgId = "lattice-tg-id-1"
+ruleAction.TargetGroups[1].LatticeTgId = "lattice-tg-id-2"
 return nil
 })
 l := &model.Listener{
@@ -146,6 +152,7 @@ func Test_SynthesizeListener_CreatNewTLSPassthroughListener_DeleteStaleHTTPSList
 StackServiceId: "stack-svc-id",
 Protocol: vpclattice.ListenerProtocolTlsPassthrough,
 Port: 80,
+DefaultAction: &model.DefaultAction{Forward: &model.RuleAction{TargetGroups: rule.Spec.Action.TargetGroups}},
 },
 }
 assert.NoError(t, stack.AddResource(l))
@@ -187,46 +194,60 @@ func Test_SynthesizeListener_CreatNewTLSPassthroughListener_DeleteStaleHTTPSList
 }
 
 func Test_listenerSynthesizer_getLatticeListenerDefaultAction_FixedResponse404(t *testing.T) {
-fixResponseAction404 := &vpclattice.RuleAction{
+latticeFixResponseAction404 := &vpclattice.RuleAction{
 FixedResponse: &vpclattice.FixedResponseAction{
 StatusCode: aws.Int64(404),
 },
 }
 tests := []struct {
-name string
-listenerProtocol string
-want *vpclattice.RuleAction
-wantErr error
+name string
+stackListenerDefaultAction *model.DefaultAction
+listenerProtocol string
+want *vpclattice.RuleAction
+wantErr error
 }{
 {
-name: "HTTP protocol Listener has the 404 fixed response default action",
-listenerProtocol: "HTTP",
-want: fixResponseAction404,
-wantErr: nil,
+name: "HTTP protocol Listener has the 404 fixed response modelListenerDefaultAction, return lattice fixed response 404 DefaultAction",
+stackListenerDefaultAction: &model.DefaultAction{FixedResponseStatusCode: aws.Int64(404)},
+listenerProtocol: vpclattice.ListenerProtocolHttp,
+want: latticeFixResponseAction404,
+wantErr: nil,
 },
 {
-name: "HTTPS protocol Listener has the 404 fixed response default action",
-listenerProtocol: "HTTPS",
-want: fixResponseAction404,
-wantErr: nil,
+name: "HTTPS protocol Listener has the 404 fixed response modelListenerDefaultAction, return lattice fixed response 404 DefaultAction",
+stackListenerDefaultAction: &model.DefaultAction{FixedResponseStatusCode: aws.Int64(404)},
+listenerProtocol: vpclattice.ListenerProtocolHttps,
+want: latticeFixResponseAction404,
+wantErr: nil,
 },
 }
 
 c := gomock.NewController(t)
 defer c.Finish()
 mockListenerMgr := NewMockListenerManager(c)
 mockTargetGroupManager := NewMockTargetGroupManager(c)
-stack := core.NewDefaultStack(core.StackID{Name: "foo", Namespace: "bar"})
 
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
+stack := core.NewDefaultStack(core.StackID{Name: "foo", Namespace: "bar"})
+modelListener := &model.Listener{
+ResourceMeta: core.NewResourceMeta(stack, "AWS:VPCServiceNetwork::Listener", "modelListener-id"),
+Spec: model.ListenerSpec{
+StackServiceId: "stack-svc-id",
+Protocol: tt.listenerProtocol,
+Port: 80,
+DefaultAction: tt.stackListenerDefaultAction,
+},
+}
+assert.NoError(t, stack.AddResource(modelListener))
+
 l := &listenerSynthesizer{
 log: gwlog.FallbackLogger,
 listenerMgr: mockListenerMgr,
 tgManager: mockTargetGroupManager,
 stack: stack,
 }
-got, err := l.getLatticeListenerDefaultAction(context.TODO(), tt.listenerProtocol)
+got, err := l.getLatticeListenerDefaultAction(context.TODO(), modelListener)
 
 assert.Equalf(t, tt.want, got, "getLatticeListenerDefaultAction() listenerProtocol: %v", tt.listenerProtocol)
 assert.Equal(t, tt.wantErr, err)
@@ -245,49 +266,56 @@ func Test_listenerSynthesizer_getLatticeListenerDefaultAction_TLS_PASSTHROUGH_Li
 mockListenerMgr := NewMockListenerManager(c)
 mockTargetGroupManager := NewMockTargetGroupManager(c)
 mockTargetGroupManager.EXPECT().ResolveRuleTgIds(gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(
-func(ctx context.Context, rule *model.Rule, stack core.Stack) error {
-rule.Spec.Action.TargetGroups[0].LatticeTgId = "lattice-service-export-tg-id-1"
-rule.Spec.Action.TargetGroups[1].LatticeTgId = "lattice-tg-id-2"
-rule.Spec.Action.TargetGroups[2].LatticeTgId = model.InvalidBackendRefTgId
+func(ctx context.Context, ruleAction *model.RuleAction, stack core.Stack) error {
+ruleAction.TargetGroups[0].LatticeTgId = "lattice-service-export-tg-id-1"
+ruleAction.TargetGroups[1].LatticeTgId = "lattice-tg-id-2"
+ruleAction.TargetGroups[2].LatticeTgId = model.InvalidBackendRefTgId
 return nil
 
 })
 stack := core.NewDefaultStack(core.StackID{Name: "foo", Namespace: "bar"})
-stackRule := &model.Rule{
-ResourceMeta: core.NewResourceMeta(stack, "AWS:VPCServiceNetwork::Rule", "rule-id"),
-Spec: model.RuleSpec{
-Action: model.RuleAction{
-TargetGroups: []*model.RuleTargetGroup{
-{
-SvcImportTG: &model.SvcImportTargetGroup{
-K8SClusterName: "cluster-name",
-K8SServiceName: "svc-name",
-K8SServiceNamespace: "ns",
-VpcId: "vpc-id",
+
+modelListener := &model.Listener{
+ResourceMeta: core.NewResourceMeta(stack, "AWS:VPCServiceNetwork::Listener", "modelListener-id"),
+Spec: model.ListenerSpec{
+StackServiceId: "stack-svc-id",
+Protocol: vpclattice.ListenerProtocolTlsPassthrough,
+Port: 80,
+DefaultAction: &model.DefaultAction{
+Forward: &model.RuleAction{
+TargetGroups: []*model.RuleTargetGroup{
+{
+SvcImportTG: &model.SvcImportTargetGroup{
+K8SClusterName: "cluster-name",
+K8SServiceName: "svc-name",
+K8SServiceNamespace: "ns",
+VpcId: "vpc-id",
+},
+Weight: 10,
+},
+{
+StackTargetGroupId: "lattice-tg-id-2",
+Weight: 30,
+},
+{
+StackTargetGroupId: model.InvalidBackendRefTgId,
+Weight: 60,
 },
-Weight: 10,
-},
-{
-StackTargetGroupId: "stack-tg-id-2",
-Weight: 30,
-},
-{
-StackTargetGroupId: model.InvalidBackendRefTgId,
-Weight: 60,
 },
 },
 },
 },
 }
-assert.NoError(t, stack.AddResource(stackRule))
+assert.NoError(t, stack.AddResource(modelListener))
+
 l := &listenerSynthesizer{
 log: gwlog.FallbackLogger,
 listenerMgr: mockListenerMgr,
 tgManager: mockTargetGroupManager,
 stack: stack,
 }
-gotDefaultAction, err := l.getLatticeListenerDefaultAction(context.TODO(), tlspassthroughListenerProtocol)
-wantedListenerDefaultAction := &vpclattice.RuleAction{
+gotDefaultAction, err := l.getLatticeListenerDefaultAction(context.TODO(), modelListener)
+wantedLatticeListenerDefaultAction := &vpclattice.RuleAction{
 Forward: &vpclattice.ForwardAction{
 TargetGroups: []*vpclattice.WeightedTargetGroup{
 {
@@ -305,15 +333,15 @@ func Test_listenerSynthesizer_getLatticeListenerDefaultAction_TLS_PASSTHROUGH_Li
 },
 },
 }
-assert.Equalf(t, wantedListenerDefaultAction, gotDefaultAction, "getLatticeListenerDefaultAction() tlspassthroughListenerProtocol: %v", tlspassthroughListenerProtocol)
+assert.Equalf(t, wantedLatticeListenerDefaultAction, gotDefaultAction, "getLatticeListenerDefaultAction() tlspassthroughListenerProtocol: %v", tlspassthroughListenerProtocol)
 assert.Nil(t, err)
 })
 
 t.Run("ResolveRuleTgIds failed, return err", func(t *testing.T) {
 mockListenerMgr := NewMockListenerManager(c)
 mockTargetGroupManager := NewMockTargetGroupManager(c)
 mockTargetGroupManager.EXPECT().ResolveRuleTgIds(gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(
-func(ctx context.Context, rule *model.Rule, stack core.Stack) error {
+func(ctx context.Context, ruleAction *model.RuleAction, stack core.Stack) error {
 return fmt.Errorf("failed to resolve rule tg ids")
 })
 stack := core.NewDefaultStack(core.StackID{Name: "foo", Namespace: "bar"})
@@ -324,13 +352,31 @@ func Test_listenerSynthesizer_getLatticeListenerDefaultAction_TLS_PASSTHROUGH_Li
 },
 }
 assert.NoError(t, stack.AddResource(stackRule))
+modelListener := &model.Listener{
+ResourceMeta: core.NewResourceMeta(stack, "AWS:VPCServiceNetwork::Listener", "modelListener-id"),
+Spec: model.ListenerSpec{
+StackServiceId: "stack-svc-id",
+Protocol: vpclattice.ListenerProtocolTlsPassthrough,
+Port: 80,
+DefaultAction: &model.DefaultAction{
+Forward: &model.RuleAction{
+TargetGroups: []*model.RuleTargetGroup{
+{
+StackTargetGroupId: "lattice-tg-id-1",
+Weight: 100,
+},
+},
+},
+},
+},
+}
 l := &listenerSynthesizer{
 log: gwlog.FallbackLogger,
 listenerMgr: mockListenerMgr,
 tgManager: mockTargetGroupManager,
 stack: stack,
 }
-gotDefaultAction, err := l.getLatticeListenerDefaultAction(context.TODO(), tlspassthroughListenerProtocol)
+gotDefaultAction, err := l.getLatticeListenerDefaultAction(context.TODO(), modelListener)
 assert.Nil(t, gotDefaultAction)
 assert.NotNil(t, err)
 

pkg/deploy/lattice/rule_synthesizer.go

@@ -6,7 +6,6 @@ import (
 "fmt"
 
 "github.com/aws/aws-sdk-go/aws"
-"github.com/aws/aws-sdk-go/service/vpclattice"
 
 "github.com/aws/aws-application-networking-k8s/pkg/model/core"
 model "github.com/aws/aws-application-networking-k8s/pkg/model/lattice"
@@ -82,12 +81,7 @@ func (r *ruleSynthesizer) createOrUpdateRules(ctx context.Context, rule *model.R
 return err
 }
 
-if stackListener.Spec.Protocol == vpclattice.ListenerProtocolTlsPassthrough {
-r.log.Debugf("Skip updating rule=%v, since TLS_PASSTHROUGH listener can only have one default action and without any other additional rule", *rule)
-return nil
-}
-
-err = r.tgManager.ResolveRuleTgIds(ctx, rule, r.stack)
+err = r.tgManager.ResolveRuleTgIds(ctx, &rule.Spec.Action, r.stack)
 if err != nil {
 return err
 }

pkg/deploy/lattice/rule_synthesizer_test.go

@@ -49,6 +49,7 @@ func Test_SynthesizeRule(t *testing.T) {
 StackListenerId: l.ID(),
 Priority: 1,
 CreateTime: time.Time{},
+Action: model.RuleAction{},
 },
 Status: nil,
 }
@@ -72,7 +73,7 @@ func Test_SynthesizeRule(t *testing.T) {
 Id: aws.String("rule-id"),
 },
 }, nil)
-mockTgMgr.EXPECT().ResolveRuleTgIds(ctx, r, stack).Return(nil)
+mockTgMgr.EXPECT().ResolveRuleTgIds(ctx, &r.Spec.Action, stack).Return(nil)
 rs := NewRuleSynthesizer(gwlog.FallbackLogger, mockRuleMgr, mockTgMgr, stack)
 rs.Synthesize(ctx)
 })
@@ -99,7 +100,7 @@ func Test_SynthesizeRule(t *testing.T) {
 }, nil)
 
 mockRuleMgr.EXPECT().Delete(ctx, "delete-rule-id", "svc-id", "listener-id").Return(nil)
-mockTgMgr.EXPECT().ResolveRuleTgIds(ctx, r, stack).Return(nil)
+mockTgMgr.EXPECT().ResolveRuleTgIds(ctx, &r.Spec.Action, stack).Return(nil)
 
 rs := NewRuleSynthesizer(gwlog.FallbackLogger, mockRuleMgr, mockTgMgr, stack)
 rs.Synthesize(ctx)
@@ -128,7 +129,7 @@ func Test_SynthesizeRule(t *testing.T) {
 assert.Equal(t, 1, len(rules))
 return nil
 })
-mockTgMgr.EXPECT().ResolveRuleTgIds(ctx, r, stack).Return(nil)
+mockTgMgr.EXPECT().ResolveRuleTgIds(ctx, &r.Spec.Action, stack).Return(nil)
 
 rs := NewRuleSynthesizer(gwlog.FallbackLogger, mockRuleMgr, mockTgMgr, stack)
 rs.Synthesize(ctx)

pkg/deploy/lattice/target_group_manager.go

@@ -27,7 +27,7 @@ type TargetGroupManager interface {
 List(ctx context.Context) ([]tgListOutput, error)
 IsTargetGroupMatch(ctx context.Context, modelTg *model.TargetGroup, latticeTg *vpclattice.TargetGroupSummary,
 latticeTags *model.TargetGroupTagFields) (bool, error)
-ResolveRuleTgIds(ctx context.Context, modelRule *model.Rule, stack core.Stack) error
+ResolveRuleTgIds(ctx context.Context, modelRuleAction *model.RuleAction, stack core.Stack) error
 }
 
 type defaultTargetGroupManager struct {
@@ -456,12 +456,12 @@ func (s *defaultTargetGroupManager) findSvcExportTG(ctx context.Context, svcImpo
 }
 
 // ResolveRuleTgIds populates all target group ids in the rule's actions
-func (s *defaultTargetGroupManager) ResolveRuleTgIds(ctx context.Context, modelRule *model.Rule, stack core.Stack) error {
-if len(modelRule.Spec.Action.TargetGroups) == 0 {
-s.log.Debugf("no target groups to resolve for rule %d", modelRule.Spec.Priority)
+func (s *defaultTargetGroupManager) ResolveRuleTgIds(ctx context.Context, ruleAction *model.RuleAction, stack core.Stack) error {
+if len(ruleAction.TargetGroups) == 0 {
+s.log.Debugf("no target groups to resolve for rule")
 return nil
 }
-for i, ruleActionTg := range modelRule.Spec.Action.TargetGroups {
+for i, ruleActionTg := range ruleAction.TargetGroups {
 if ruleActionTg.StackTargetGroupId == "" && ruleActionTg.SvcImportTG == nil && ruleActionTg.LatticeTgId == "" {
 return errors.New("rule TG is missing a required target group identifier")
 }