svc/nlb/sg/validations: ensure annotations matches NLB SG

mtulio · mtulio · commit 2f6df288461d · 2025-09-08T16:22:22.000-03:00
Ensure annotation matches feature NLB with Security Groups by preventing
standard controller BYO SG annotations due existing controller
limitations.
diff --git a/pkg/providers/v1/aws_validations.go b/pkg/providers/v1/aws_validations.go
@@ -53,10 +53,26 @@ func ensureLoadBalancerValidation(v *awsValidationInput) error {
 func validateServiceAnnotations(v *awsValidationInput) error {
 	isNLB := isNLB(v.annotations)
 
+	// ServiceAnnotationLoadBalancerSecurityGroups
+	// NLB only: ensure the BYO annotations are not supported and return an error.
+	// FIXME: the BYO SG for NLB implementation is blocked by https://github.com/kubernetes/cloud-provider-aws/pull/1209
+	if _, hasBYOAnnotation := v.annotations[ServiceAnnotationLoadBalancerSecurityGroups]; hasBYOAnnotation {
+		if isNLB {
+			return fmt.Errorf("BYO security group annotation %q is not supported by NLB", ServiceAnnotationLoadBalancerSecurityGroups)
+		}
+	}
+
+	// ServiceAnnotationLoadBalancerExtraSecurityGroups
+	if _, hasExtraBYOAnnotation := v.annotations[ServiceAnnotationLoadBalancerExtraSecurityGroups]; hasExtraBYOAnnotation {
+		if isNLB {
+			return fmt.Errorf("BYO extra security group annotation %q is not supported by NLB", ServiceAnnotationLoadBalancerExtraSecurityGroups)
+		}
+	}
+
 	// ServiceAnnotationLoadBalancerTargetGroupAttributes
 	if _, present := v.annotations[ServiceAnnotationLoadBalancerTargetGroupAttributes]; present {
 		if !isNLB {
-			return fmt.Errorf("target group annotations attribute is only supported for NLB")
+			return fmt.Errorf("target group attributes annotation is only supported for NLB")
 		}
 		if err := validateServiceAnnotationTargetGroupAttributes(v); err != nil {
 			return err
diff --git a/pkg/providers/v1/aws_validations_test.go b/pkg/providers/v1/aws_validations_test.go
@@ -266,3 +266,193 @@ func TestValidateServiceAnnotationTargetGroupAttributes(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateServiceAnnotations(t *testing.T) {
+	const byoSecurityGroupID = "sg-123456789"
+
+	tests := []struct {
+		name          string
+		annotations   map[string]string
+		servicePorts  []v1.ServicePort
+		expectedError string
+	}{
+		// Valid cases - CLB (Classic Load Balancer) should allow BYO security groups
+		{
+			name: "CLB with BYO SG annotation - success",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerSecurityGroups: byoSecurityGroupID,
+			},
+			expectedError: "",
+		},
+		{
+			name: "CLB with BYO extra SG annotation - success",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerExtraSecurityGroups: byoSecurityGroupID,
+			},
+			expectedError: "",
+		},
+		{
+			name: "CLB with both BYO SG annotations - success",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerSecurityGroups:      byoSecurityGroupID,
+				ServiceAnnotationLoadBalancerExtraSecurityGroups: "sg-extra123",
+			},
+			expectedError: "",
+		},
+
+		// Error cases - NLB should reject BYO security group annotations
+		{
+			name: "NLB with BYO SG annotation - error (not supported)",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:           "nlb",
+				ServiceAnnotationLoadBalancerSecurityGroups: byoSecurityGroupID,
+			},
+			expectedError: "BYO security group annotation \"service.beta.kubernetes.io/aws-load-balancer-security-groups\" is not supported by NLB",
+		},
+		{
+			name: "NLB with BYO extra SG annotation - error (not supported)",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:                "nlb",
+				ServiceAnnotationLoadBalancerExtraSecurityGroups: byoSecurityGroupID,
+			},
+			expectedError: "BYO extra security group annotation \"service.beta.kubernetes.io/aws-load-balancer-extra-security-groups\" is not supported by NLB",
+		},
+		{
+			name: "NLB with both BYO SG annotations - error (not supported)",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:                "nlb",
+				ServiceAnnotationLoadBalancerSecurityGroups:      byoSecurityGroupID,
+				ServiceAnnotationLoadBalancerExtraSecurityGroups: "sg-extra123",
+			},
+			expectedError: "BYO security group annotation \"service.beta.kubernetes.io/aws-load-balancer-security-groups\" is not supported by NLB",
+		},
+		{
+			name: "NLB with BYO SG with empty value - error (not supported)",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:           "nlb",
+				ServiceAnnotationLoadBalancerSecurityGroups: "",
+			},
+			expectedError: "BYO security group annotation \"service.beta.kubernetes.io/aws-load-balancer-security-groups\" is not supported by NLB",
+		},
+		{
+			name: "NLB with BYO SG with multiple values - error (not supported)",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:           "nlb",
+				ServiceAnnotationLoadBalancerSecurityGroups: "sg-123,sg-456",
+			},
+			expectedError: "BYO security group annotation \"service.beta.kubernetes.io/aws-load-balancer-security-groups\" is not supported by NLB",
+		},
+		{
+			name: "NLB with single BYO SG - error (not supported)",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:           "nlb",
+				ServiceAnnotationLoadBalancerSecurityGroups: "sg-123456789",
+			},
+			expectedError: "BYO security group annotation \"service.beta.kubernetes.io/aws-load-balancer-security-groups\" is not supported by NLB",
+		},
+		{
+			name: "NLB with multiple BYO SGs - error (not supported)",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:           "nlb",
+				ServiceAnnotationLoadBalancerSecurityGroups: "sg-123456789,sg-987654321",
+			},
+			expectedError: "BYO security group annotation \"service.beta.kubernetes.io/aws-load-balancer-security-groups\" is not supported by NLB",
+		},
+		{
+			name: "NLB with invalid BYO SG format - error (not supported)",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:           "nlb",
+				ServiceAnnotationLoadBalancerSecurityGroups: "invalid-sg-format",
+			},
+			expectedError: "BYO security group annotation \"service.beta.kubernetes.io/aws-load-balancer-security-groups\" is not supported by NLB",
+		},
+		{
+			name: "NLB case sensitivity - BYO SG annotation with different casing should still be rejected",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:           "nlb",
+				ServiceAnnotationLoadBalancerSecurityGroups: "SG-123ABC",
+			},
+			expectedError: "BYO security group annotation \"service.beta.kubernetes.io/aws-load-balancer-security-groups\" is not supported by NLB",
+		},
+		{
+			name: "NLB mixed annotations - BYO and other annotations",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerSecurityGroups: "sg-123456",
+				ServiceAnnotationLoadBalancerType:           "nlb",
+				ServiceAnnotationLoadBalancerInternal:       "true",
+			},
+			expectedError: "BYO security group annotation \"service.beta.kubernetes.io/aws-load-balancer-security-groups\" is not supported by NLB",
+		},
+		{
+			name: "NLB whitespace in BYO SG values - should still be rejected",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:           "nlb",
+				ServiceAnnotationLoadBalancerSecurityGroups: " sg-123456 ",
+			},
+			expectedError: "BYO security group annotation \"service.beta.kubernetes.io/aws-load-balancer-security-groups\" is not supported by NLB",
+		},
+
+		// Target group attributes validation for NLB (should succeed)
+		{
+			name: "NLB with target group attributes - success",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerType:                  "nlb",
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "preserve_client_ip.enabled=true",
+			},
+			servicePorts: []v1.ServicePort{
+				{Port: 80, Protocol: v1.ProtocolTCP},
+			},
+			expectedError: "",
+		},
+
+		// Target group attributes validation for CLB (should fail)
+		{
+			name: "CLB with target group attributes - error (only supported for NLB)",
+			annotations: map[string]string{
+				ServiceAnnotationLoadBalancerTargetGroupAttributes: "preserve_client_ip.enabled=true",
+			},
+			expectedError: "target group attributes annotation is only supported for NLB",
+		},
+
+		// No annotations (should succeed)
+		{
+			name:          "no annotations - success",
+			annotations:   map[string]string{},
+			expectedError: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create a test service with the specified ports and annotations
+			service := &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "test-service",
+					Namespace:   "test-namespace",
+					Annotations: tt.annotations,
+				},
+				Spec: v1.ServiceSpec{
+					Type:  v1.ServiceTypeLoadBalancer,
+					Ports: tt.servicePorts,
+				},
+			}
+
+			// Create validation input
+			input := &awsValidationInput{
+				apiService:  service,
+				annotations: tt.annotations,
+			}
+
+			// Execute the validation
+			err := validateServiceAnnotations(input)
+
+			// Verify the result
+			if tt.expectedError == "" {
+				assert.NoError(t, err, "Expected no error for test case: %s", tt.name)
+			} else {
+				assert.Error(t, err, "Expected error for test case: %s", tt.name)
+				assert.Contains(t, err.Error(), tt.expectedError, "Error message should contain expected text for test case: %s", tt.name)
+			}
+		})
+	}
+}
