added labels upon creation of alb and storing certificate

Author: Menekse Ceylan

pkg/alb/ingress/alb_spec.go

@@ -17,6 +17,15 @@ import (
 	certsdk "github.com/stackitcloud/stackit-sdk-go/services/certificates/v2api"
 )
 
+const (
+	// prefixCustomerLabel is the api prefix for all custom labels
+	prefixCustomerLabel = "lb.customer.label/"
+
+	// LabelIngressClassUID is the unique key that identifies resources
+	// owned by a specific IngressClass.
+	LabelIngressClassUID = prefixCustomerLabel + "ingress-class-uid"
+)
+
 func (r *IngressClassReconciler) getAlbSpecForIngressClass(ctx context.Context, class *networkingv1.IngressClass) (*albsdk.CreateLoadBalancerPayload, []errorEvents, error) {
 	ingresses, err := r.getIngressesForIngressClass(ctx, class)
 	if err != nil {
@@ -45,7 +54,7 @@ func (r *IngressClassReconciler) getAlbSpecForIngresses(ctx context.Context, cla
 		errorList = append(errorList, listenerMergeError...)
 	}
 
-	certNameToId, certificateErrorEvents := r.applyCertificates(ctx, certificates)
+	certNameToId, certificateErrorEvents := r.applyCertificates(ctx, class, certificates)
 	errorList = append(errorList, certificateErrorEvents...)
 
 	alb, albSpecErrorList, err := r.getAlbSpecForResources(ctx, class, listeners, targetPools, certNameToId)
@@ -60,83 +69,105 @@ func (r *IngressClassReconciler) getAlbSpecForResources(ctx context.Context, cla
 		Options: &albsdk.LoadBalancerOptions{},
 		Networks: []albsdk.Network{
 			{
-				NetworkId: new(r.ALBConfig.ApplicationLoadBalancer.NetworkID),
-				Role:      new("ROLE_LISTENERS_AND_TARGETS"),
+				NetworkId: ptr.To(r.ALBConfig.ApplicationLoadBalancer.NetworkID),
+				Role:      ptr.To("ROLE_LISTENERS_AND_TARGETS"),
 			},
 		},
-		Name:                                 new(string(class.UID)),
-		DisableTargetSecurityGroupAssignment: new(true),
+		Name:                                 ptr.To(string(class.UID)),
+		DisableTargetSecurityGroupAssignment: ptr.To(true),
 	}
 
 	externalAddress := getAnnotation(AnnotationExternalIP, "", class)
 	if externalAddress != "" {
 		alb.ExternalAddress = &externalAddress
 	} else {
-		alb.Options.EphemeralAddress = new(true)
+		alb.Options.EphemeralAddress = ptr.To(true)
 	}
 
 	if getAnnotation(AnnotationInternal, false, class) {
-		alb.Options.PrivateNetworkOnly = new(true)
+		alb.Options.PrivateNetworkOnly = ptr.To(true)
 	}
 
 	if plan := getAnnotation(AnnotationPlanID, "", class); plan != "" {
 		alb.PlanId = &plan
 	}
 
+	mergedLabels := make(map[string]string)
+
+	// Add user labels, mind the limit
+	for k, v := range class.Labels {
+		if len(mergedLabels) < 64 {
+			mergedLabels[k] = v
+		}
+	}
+
+	// Merge with existing global config labels
+	if r.ALBConfig.ApplicationLoadBalancer.ExtraLabels != nil {
+		for k, v := range r.ALBConfig.ApplicationLoadBalancer.ExtraLabels {
+			if len(mergedLabels) < 64 {
+				mergedLabels[k] = v
+			}
+		}
+	}
+
+	// Add ownership label
+	mergedLabels[LabelIngressClassUID] = string(class.UID)
+	alb.Labels = &mergedLabels
+
 	for port, listener := range listeners {
 		albsdkListener := albsdk.Listener{
 			Http:                 nil,
-			Name:                 new(listener.name),
-			Port:                 new(int32(port)),
-			Protocol:             new(listener.protocol),
+			Name:                 ptr.To(listener.name),
+			Port:                 ptr.To(int32(port)),
+			Protocol:             ptr.To(listener.protocol),
 			AdditionalProperties: nil,
 		}
 
 		if listener.wafConfigName != "" {
-			albsdkListener.WafConfigName = new(listener.wafConfigName)
+			albsdkListener.WafConfigName = ptr.To(listener.wafConfigName)
 		}
 
 		albsdkHosts := []albsdk.HostConfig{}
 		for host, hostPaths := range listener.hosts {
 			albsdkHost := albsdk.HostConfig{
-				Host: new(host),
+				Host: ptr.To(host),
 			}
 			for path, rule := range hostPaths.path {
 				albsdkRule := albsdk.Rule{
-					TargetPool: new(rule.targetPoolName),
-					WebSocket:  new(rule.websocket),
+					TargetPool: ptr.To(rule.targetPoolName),
+					WebSocket:  ptr.To(rule.websocket),
 				}
 
 				if rule.cookiePersistenceName != "" {
-					albsdkRule.CookiePersistence = new(albsdk.CookiePersistence{
-						Name: new(rule.cookiePersistenceName),
-						Ttl:  new(fmt.Sprintf("%ds", rule.cookiePersistenceTtlSeconds)),
+					albsdkRule.CookiePersistence = ptr.To(albsdk.CookiePersistence{
+						Name: ptr.To(rule.cookiePersistenceName),
+						Ttl:  ptr.To(fmt.Sprintf("%ds", rule.cookiePersistenceTtlSeconds)),
 					})
 				}
 
 				switch rule.pathTyp {
 				case networkingv1.PathTypeExact:
-					albsdkRule.Path = new(albsdk.Path{
-						ExactMatch: new(path),
+					albsdkRule.Path = ptr.To(albsdk.Path{
+						ExactMatch: ptr.To(path),
 					})
 				default:
-					albsdkRule.Path = new(albsdk.Path{
-						Prefix: new(path),
+					albsdkRule.Path = ptr.To(albsdk.Path{
+						Prefix: ptr.To(path),
 					})
 				}
 
 				albsdkHost.Rules = append(albsdkHost.Rules, albsdkRule)
 			}
 			albsdkHosts = append(albsdkHosts, albsdkHost)
 
-			albsdkListener.Http = new(albsdk.ProtocolOptionsHTTP{
+			albsdkListener.Http = ptr.To(albsdk.ProtocolOptionsHTTP{
 				Hosts: albsdkHosts,
 			})
 		}
 
 		if listener.protocol == "PROTOCOL_HTTPS" {
-			albsdkListener.Https = new(albsdk.ProtocolOptionsHTTPS{
-				CertificateConfig: new(albsdk.CertificateConfig{
+			albsdkListener.Https = ptr.To(albsdk.ProtocolOptionsHTTPS{
+				CertificateConfig: ptr.To(albsdk.CertificateConfig{
 					CertificateIds: []string{},
 				}),
 			})
@@ -167,8 +198,8 @@ func (r *IngressClassReconciler) getAlbSpecForResources(ctx context.Context, cla
 
 	for name, targetPool := range targetPools {
 		albsdkTargetPool := albsdk.TargetPool{
-			Name:              new(name),
-			TargetPort:        new(targetPool.port),
+			Name:              ptr.To(name),
+			TargetPort:        ptr.To(targetPool.port),
 			Targets:           targets,
 			ActiveHealthCheck: nil, // TODO
 		}
@@ -379,15 +410,18 @@ func (r *IngressClassReconciler) getCertificateForSecretName(ctx context.Context
 	}, nil
 }
 
-func (r *IngressClassReconciler) applyCertificates(ctx context.Context, certificates albCertificates) (map[string]string, []errorEvents) {
+func (r *IngressClassReconciler) applyCertificates(ctx context.Context, class *networkingv1.IngressClass, certificates albCertificates) (map[string]string, []errorEvents) {
 	errorList := []errorEvents{}
 	nameToID := map[string]string{}
 	for name, certificate := range certificates {
 		createCertificatePayload := &certsdk.CreateCertificatePayload{
-			Name:       new(name),
+			Name:       ptr.To(name),
 			ProjectId:  &r.ALBConfig.Global.ProjectID,
-			PrivateKey: new(string(certificate.privateKey)),
-			PublicKey:  new(string(certificate.publicKey)),
+			PrivateKey: ptr.To(string(certificate.privateKey)),
+			PublicKey:  ptr.To(string(certificate.publicKey)),
+			Labels: &map[string]string{
+				LabelIngressClassUID: string(class.UID),
+			},
 		}
 		response, err := r.CertificateClient.CreateCertificate(ctx, r.ALBConfig.Global.ProjectID, r.ALBConfig.Global.Region, createCertificatePayload)
 		if err != nil {

pkg/alb/ingress/alb_spec_test.go

@@ -3,6 +3,7 @@ package ingress
 import (
 	"context"
 	"fmt"
+	"k8s.io/utils/ptr"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@@ -81,49 +82,49 @@ var _ = Describe("Node Controller", func() {
 		}
 
 		albSpec = albsdk.CreateLoadBalancerPayload{
-			DisableTargetSecurityGroupAssignment: new(true),
+			DisableTargetSecurityGroupAssignment: ptr.To(true),
 			Listeners: []albsdk.Listener{
 				{
-					Http: new(albsdk.ProtocolOptionsHTTP{
+					Http: ptr.To(albsdk.ProtocolOptionsHTTP{
 						Hosts: []albsdk.HostConfig{
 							{
-								Host: new("example.com"),
+								Host: ptr.To("example.com"),
 								Rules: []albsdk.Rule{
 									{
-										Path: new(albsdk.Path{
-											Prefix: new("/"),
+										Path: ptr.To(albsdk.Path{
+											Prefix: ptr.To("/"),
 										}),
-										TargetPool: new(fmt.Sprintf("port-%d", service.Spec.Ports[0].NodePort)),
-										WebSocket:  new(false),
+										TargetPool: ptr.To(fmt.Sprintf("port-%d", service.Spec.Ports[0].NodePort)),
+										WebSocket:  ptr.To(false),
 									},
 								},
 							},
 						},
 					}),
-					Name:     new("80-http"),
-					Port:     new(int32(80)),
-					Protocol: new("PROTOCOL_HTTP"),
+					Name:     ptr.To("80-http"),
+					Port:     ptr.To(int32(80)),
+					Protocol: ptr.To("PROTOCOL_HTTP"),
 				},
 			},
-			Name: new(string(ingressClass.UID)), //todo
+			Name: ptr.To(string(ingressClass.UID)), //todo
 			Networks: []albsdk.Network{
 				{
-					NetworkId: new(reconciler.ALBConfig.ApplicationLoadBalancer.NetworkID),
-					Role:      new("ROLE_LISTENERS_AND_TARGETS"),
+					NetworkId: ptr.To(reconciler.ALBConfig.ApplicationLoadBalancer.NetworkID),
+					Role:      ptr.To("ROLE_LISTENERS_AND_TARGETS"),
 				},
 			},
-			Options: new(albsdk.LoadBalancerOptions{
-				EphemeralAddress: new(true),
+			Options: ptr.To(albsdk.LoadBalancerOptions{
+				EphemeralAddress: ptr.To(true),
 			}),
-			// Region:         new(reconciler.ALBConfig.Global.Region), why is there a region in spec? TODO
+			// Region:         ptr.To(reconciler.ALBConfig.Global.Region), why is there a region in spec? TODO
 			TargetPools: []albsdk.TargetPool{
 				{
-					Name:       new(fmt.Sprintf("port-%d", service.Spec.Ports[0].NodePort)),
-					TargetPort: new(service.Spec.Ports[0].NodePort),
+					Name:       ptr.To(fmt.Sprintf("port-%d", service.Spec.Ports[0].NodePort)),
+					TargetPort: ptr.To(service.Spec.Ports[0].NodePort),
 					Targets: []albsdk.Target{
 						{
-							DisplayName: new(node.Name),
-							Ip:          new(node.Status.Addresses[0].Address),
+							DisplayName: ptr.To(node.Name),
+							Ip:          ptr.To(node.Status.Addresses[0].Address),
 						},
 					},
 				},
@@ -142,6 +143,19 @@ var _ = Describe("Node Controller", func() {
 			Expect(*spec).To(BeEquivalentTo(albSpec))
 		})
 
+		It("should work with labels", func() {
+
+			reconciler.ALBConfig.ApplicationLoadBalancer.ExtraLabels = map[string]string{"managed-by": "alb-ingressClass"}
+			spec, errorEventList, err := reconciler.getAlbSpecForIngressClass(context.Background(), &ingressClass)
+			Expect(err).To(Succeed())
+			Expect(errorEventList).To(BeEmpty())
+
+			albSpec.Labels = ptr.To(map[string]string{"managed-by": "alb-ingressClass"})
+
+			Expect(spec).ToNot(BeNil())
+			Expect(*spec).To(BeEquivalentTo(albSpec))
+		})
+
 		It("should work with 2 ingresses different path", func() {
 			ingress2 := testIngress(&ingressClass, &service)
 			ingress2.Name = "ingress2"
@@ -152,9 +166,9 @@ var _ = Describe("Node Controller", func() {
 			albSpec.Listeners[0].Http.Hosts[0].Rules = append(
 				albSpec.Listeners[0].Http.Hosts[0].Rules,
 				albsdk.Rule{
-					Path:       new(albsdk.Path{Prefix: new("/foobar")}),
+					Path:       ptr.To(albsdk.Path{Prefix: ptr.To("/foobar")}),
 					TargetPool: albSpec.Listeners[0].Http.Hosts[0].Rules[0].TargetPool,
-					WebSocket:  new(false),
+					WebSocket:  ptr.To(false),
 				})
 
 			spec, errorEventList, err := reconciler.getAlbSpecForIngressClass(context.Background(), &ingressClass)
@@ -171,7 +185,7 @@ func testIngress(class *networkingv1.IngressClass, service *corev1.Service) netw
 	return networkingv1.Ingress{
 		ObjectMeta: metav1.ObjectMeta{Name: "test-ingress"},
 		Spec: networkingv1.IngressSpec{
-			IngressClassName: new(class.Name),
+			IngressClassName: ptr.To(class.Name),
 			Rules: []networkingv1.IngressRule{
 				{
 					Host: "example.com",
@@ -180,7 +194,7 @@ func testIngress(class *networkingv1.IngressClass, service *corev1.Service) netw
 							Paths: []networkingv1.HTTPIngressPath{
 								{
 									Path:     "/",
-									PathType: new(networkingv1.PathTypePrefix),
+									PathType: ptr.To(networkingv1.PathTypePrefix),
 									Backend: networkingv1.IngressBackend{
 										Service: &networkingv1.IngressServiceBackend{
 											Name: service.Name,

pkg/alb/ingress/certificate.go

@@ -19,8 +19,21 @@ func (r *IngressClassReconciler) deleteAllCertsForClass(ctx context.Context, cla
 		return nil // No certificates to clean up
 	}
 
+	// using labels for certificates
+	targetUID := string(class.UID)
+
 	for _, cert := range certificatesList.Items {
-		if strings.HasPrefix(*cert.Name, shortUUID(string(class.UID))) {
+		if cert.Labels == nil {
+			// This part will go away when Labels are supported by Cert API
+			if strings.HasPrefix(*cert.Name, shortUUID(string(class.UID))) {
+				err := r.CertificateClient.DeleteCertificate(ctx, r.ALBConfig.Global.ProjectID, r.ALBConfig.Global.Region, *cert.Id)
+				if err != nil {
+					return fmt.Errorf("failed to delete orphaned certificate %s: %v", *cert.Name, err)
+				}
+			}
+		}
+
+		if val, ok := (*cert.Labels)[LabelIngressClassUID]; ok && val == targetUID {
 			err := r.CertificateClient.DeleteCertificate(ctx, r.ALBConfig.Global.ProjectID, r.ALBConfig.Global.Region, *cert.Id)
 			if err != nil {
 				return fmt.Errorf("failed to delete orphaned certificate %s: %v", *cert.Name, err)

pkg/alb/ingress/update.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"reflect"
 
 	"github.com/stackitcloud/cloud-provider-stackit/pkg/stackit"
 	albsdk "github.com/stackitcloud/stackit-sdk-go/services/alb/v2api"
@@ -161,5 +162,14 @@ func updateNeeded(alb *albsdk.LoadBalancer, albPayload *albsdk.CreateLoadBalance
 		}
 	}
 
+	// Label comparison
+	// normalize pointers to prevent nil vs empty map issue
+	currentLabels := ptr.Deref(alb.Labels, map[string]string{})
+	desiredLabels := ptr.Deref(albPayload.Labels, map[string]string{})
+
+	if !reflect.DeepEqual(currentLabels, desiredLabels) {
+		return true
+	}
+
 	return false
 }

pkg/stackit/config/config.go

@@ -49,7 +49,8 @@ type ALBConfig struct {
 	ApplicationLoadBalancer ApplicationLoadBalancerOpts `yaml:"applicationLoadBalancer"`
 }
 type ApplicationLoadBalancerOpts struct {
-	NetworkID string `yaml:"networkId"`
+	NetworkID   string            `yaml:"networkId"`
+	ExtraLabels map[string]string `yaml:"extraLabels,omitempty"`
 }
 
 func readFile(path string) ([]byte, error) {