e2e/loadbalancer: implement hairpin connection cases

mtulio · kmala · commit deb9064fe235 · 2025-12-09T16:15:11.000-08:00
Implementing the hairpin connection test cases, and exposing an issue on NLB with internal scheme which fails when the client is trying to access a service loadbalancer which is hosted in the same node. The hairpin connection is caused by the client IP preservation attribute is set to true (default), and the service does not provide an interface to prevent the issue. The e2e is expecting to pass to prevent permanent failures in CI, but it is tracked by an issue #1160.
diff --git a/tests/e2e/loadbalancer.go b/tests/e2e/loadbalancer.go
@@ -38,9 +38,10 @@ import (
 )
 
 const (
-	annotationLBType             = "service.beta.kubernetes.io/aws-load-balancer-type"
-	annotationLBInternal         = "service.beta.kubernetes.io/aws-load-balancer-internal"
-	annotationLBTargetNodeLabels = "service.beta.kubernetes.io/aws-load-balancer-target-node-labels"
+	annotationLBType                  = "service.beta.kubernetes.io/aws-load-balancer-type"
+	annotationLBInternal              = "service.beta.kubernetes.io/aws-load-balancer-internal"
+	annotationLBTargetNodeLabels      = "service.beta.kubernetes.io/aws-load-balancer-target-node-labels"
+	annotationLBTargetGroupAttributes = "service.beta.kubernetes.io/aws-load-balancer-target-group-attributes"
 )
 
 var (
@@ -142,29 +143,106 @@ var _ = Describe("[cloud-provider-aws-e2e] loadbalancer", func() {
 			requireAffinity:                       true,
 		},
 		// Hairpining traffic test for NLB.
-		// Hairpin connection work with target type as instance only when preserve client IP is disabled.
-		// Currently CCM does not provide an interface to create a service with that setup, making an internal
-		// Service to fail.
-		// FIXME: https://github.com/kubernetes/cloud-provider-aws/issues/1160
-		// Once issue 1160 is fixed, the skipTestFailure must be unset/false.
+		// The target type instance (default) sets the preserve client IP attribute to true,
+		// the NLB target group attributes are set to preserve_client_ip.enabled=false to allow hairpining traffic.
+		// The test also validates the target group attributes are set correctly to AWS resource.
 		{
 			name:           "NLB internal should be reachable with hairpinning traffic",
 			resourceSuffix: "hp-nlb-int",
 			extraAnnotations: map[string]string{
-				annotationLBType:     "nlb",
-				annotationLBInternal: "true",
+				annotationLBType:                  "nlb",
+				annotationLBInternal:              "true",
+				annotationLBTargetGroupAttributes: "preserve_client_ip.enabled=false",
 			},
-			listenerCount: 1,
+			listenerCount:                         1,
+			overrideTestRunInClusterReachableHTTP: true,
+			requireAffinity:                       true,
 			hookPostServiceConfig: func(cfg *e2eTestConfig) {
 				framework.Logf("running hook post-service-config patching service annotations to enforce LB pins/selects target to a single node: kubernetes.io/hostname=%s", cfg.nodeSingleSample)
 				if cfg.svc.Annotations == nil {
 					cfg.svc.Annotations = map[string]string{}
 				}
 				cfg.svc.Annotations[annotationLBTargetNodeLabels] = fmt.Sprintf("kubernetes.io/hostname=%s", cfg.nodeSingleSample)
 			},
-			overrideTestRunInClusterReachableHTTP: true,
-			requireAffinity:                       true,
-			skipTestFailure:                       true,
+			hookPreTest: func(e2e *e2eTestConfig) {
+				framework.Logf("running hook pre-test: verify target group attributes are set correctly to AWS resource")
+
+				if e2e.svc.Status.LoadBalancer.Ingress[0].Hostname == "" && e2e.svc.Status.LoadBalancer.Ingress[0].IP == "" {
+					framework.Failf("LoadBalancer ingress is empty (no hostname or IP) for service %s/%s", e2e.svc.Namespace, e2e.svc.Name)
+				}
+
+				hostAddr := e2eservice.GetIngressPoint(&e2e.svc.Status.LoadBalancer.Ingress[0])
+				framework.Logf("Load balancer's ingress address: %s", hostAddr)
+
+				if hostAddr == "" {
+					framework.Failf("Unable to get LoadBalancer ingress address for service %s/%s", e2e.svc.Namespace, e2e.svc.Name)
+				}
+
+				elbClient, err := getAWSClientLoadBalancer(e2e.ctx)
+				framework.ExpectNoError(err, "failed to create AWS ELB client")
+
+				// DescribeLoadBalancers API doesn't support filtering by DNS name directly
+				// Use AWS SDK paginator to search through all load balancers
+				foundLB, err := getAWSLoadBalancerFromDNSName(e2e.ctx, elbClient, hostAddr)
+				framework.ExpectNoError(err, "failed to find load balancer with DNS name %s", hostAddr)
+				if foundLB == nil {
+					framework.Failf("Found load balancer is nil for DNS name %s", hostAddr)
+				}
+
+				lbARN := aws.ToString(foundLB.LoadBalancerArn)
+				if lbARN == "" {
+					framework.Failf("Load balancer ARN is empty for DNS name %s", hostAddr)
+				}
+				framework.Logf("Found load balancer: %s with ARN: %s", aws.ToString(foundLB.LoadBalancerName), lbARN)
+
+				// lookup target group ARN from load balancer ARN
+				targetGroups, err := elbClient.DescribeTargetGroups(e2e.ctx, &elbv2.DescribeTargetGroupsInput{
+					LoadBalancerArn: aws.String(lbARN),
+				})
+				framework.ExpectNoError(err, "failed to describe target groups")
+				framework.ExpectEqual(len(targetGroups.TargetGroups), 1)
+
+				targetGroupAttributes, err := elbClient.DescribeTargetGroupAttributes(e2e.ctx, &elbv2.DescribeTargetGroupAttributesInput{
+					TargetGroupArn: aws.String(aws.ToString(targetGroups.TargetGroups[0].TargetGroupArn)),
+				})
+				framework.ExpectNoError(err, "failed to describe target group attributes")
+
+				// verify if the target group attributes are set correctly
+
+				annotationToDict := map[string]string{}
+				for _, v := range strings.Split(e2e.svc.Annotations[annotationLBTargetGroupAttributes], ",") {
+					parts := strings.Split(v, "=")
+					annotationToDict[parts[0]] = parts[1]
+				}
+				framework.Logf("TG attribute Annotation to dict: %v", annotationToDict)
+
+				framework.Logf("=== All Target Group Attributes from AWS ===")
+				for _, attr := range targetGroupAttributes.Attributes {
+					framework.Logf("  %s=%s", aws.ToString(attr.Key), aws.ToString(attr.Value))
+				}
+
+				framework.Logf("=== Expected Target Group Attributes from Annotation ===")
+				for key, value := range annotationToDict {
+					framework.Logf("  %s=%s", key, value)
+				}
+
+				// Check if our expected attributes are present and match
+				framework.Logf("=== Verifying Target Group Attributes ===")
+				for _, attr := range targetGroupAttributes.Attributes {
+					if expectedValue, ok := annotationToDict[aws.ToString(attr.Key)]; ok {
+						actualValue := aws.ToString(attr.Value)
+						framework.Logf("Checking attribute: %s", aws.ToString(attr.Key))
+						framework.Logf("  Expected: %s", expectedValue)
+						framework.Logf("  Actual:   %s", actualValue)
+
+						if actualValue != expectedValue {
+							framework.Failf("Target group attribute mismatch for %s: expected %s, got %s", aws.ToString(attr.Key), expectedValue, actualValue)
+						} else {
+							framework.Logf("✓ Target group attribute %s matches expected value %s", aws.ToString(attr.Key), expectedValue)
+						}
+					}
+				}
+			},
 		},
 	}
 
@@ -208,7 +286,23 @@ var _ = Describe("[cloud-provider-aws-e2e] loadbalancer", func() {
 			By("waiting for AWS load balancer provisioning")
 			var err error
 			e2e.svc, err = e2e.LBJig.WaitForLoadBalancer(loadBalancerCreateTimeout)
-			framework.ExpectNoError(err)
+			// Collect comprehensive debugging information when LoadBalancer provisioning fails
+			if err != nil {
+				serviceName := e2e.LBJig.Name
+				if e2e.svc != nil {
+					serviceName = e2e.svc.Name
+				}
+				framework.Logf("ERROR: LoadBalancer provisioning failed for service %q: %v", serviceName, err)
+				framework.Logf("ERROR: LoadBalancer provisioning timeout reached after %v", loadBalancerCreateTimeout)
+
+				// Ensure we have detailed debugging information before failing
+				framework.Logf("=== LoadBalancer Provisioning Failure Debug Information ===")
+				gatherEventosOnFailure(e2e.ctx, e2e.kubeClient, e2e.LBJig.Namespace, e2e.LBJig.Name)
+				framework.Logf("=== End of LoadBalancer Provisioning Failure Debug Information ===")
+
+				// Fail the test immediately to prevent further execution
+				framework.ExpectNoError(err, "LoadBalancer provisioning failed - check debug information above")
+			}
 			framework.Logf("[AWS] Load balancer provisioned successfully")
 
 			By("creating backend server pods")
@@ -244,7 +338,6 @@ var _ = Describe("[cloud-provider-aws-e2e] loadbalancer", func() {
 				framework.Logf("=== End of Service Validation Error Debug Information ===")
 				framework.Failf("Service is nil after LoadBalancer provisioning for service %s", e2e.LBJig.Name)
 			}
-
 			if len(e2e.svc.Spec.Ports) == 0 {
 				framework.Logf("=== Service Ports Error Debug Information ===")
 				framework.Logf("Service spec: %+v", e2e.svc.Spec)
@@ -259,6 +352,7 @@ var _ = Describe("[cloud-provider-aws-e2e] loadbalancer", func() {
 				framework.Logf("=== End of LoadBalancer Ingress Error Debug Information ===")
 				framework.Failf("No ingress found in LoadBalancer status for service %s/%s", e2e.svc.Namespace, e2e.svc.Name)
 			}
+
 			svcPort := int(e2e.svc.Spec.Ports[0].Port)
 			ingressAddress := e2eservice.GetIngressPoint(&e2e.svc.Status.LoadBalancer.Ingress[0])
 			framework.Logf("[LB-INFO] Ingress address: %s, port: %d", ingressAddress, svcPort)
@@ -278,15 +372,15 @@ var _ = Describe("[cloud-provider-aws-e2e] loadbalancer", func() {
 
 			// overrideTestRunInClusterReachableHTTP changes the default test function to run the client in the cluster.
 			if tc.overrideTestRunInClusterReachableHTTP {
-				By("testing HTTP connectivity from internal network")
+				By("testing HTTP connectivity for internal load balancer")
 				framework.Logf("[TEST] Running internal connectivity test from node: %s", e2e.nodeSingleSample)
 				err := inClusterTestReachableHTTP(cs, ns.Name, e2e.nodeSingleSample, ingressAddress, svcPort)
 				if err != nil && tc.skipTestFailure {
 					Skip(err.Error())
 				}
 				framework.ExpectNoError(err)
 			} else {
-				By("testing HTTP connectivity from external client")
+				By("testing HTTP connectivity for external/internet-facing load balancer")
 				framework.Logf("[TEST] Running external connectivity test to %s:%d", ingressAddress, svcPort)
 				e2eservice.TestReachableHTTP(ingressAddress, svcPort, e2eservice.LoadBalancerLagTimeoutAWS)
 			}
@@ -570,9 +664,11 @@ func getAWSLoadBalancerFromDNSName(ctx context.Context, elbClient *elbv2.Client,
 	paginator := elbv2.NewDescribeLoadBalancersPaginator(elbClient, &elbv2.DescribeLoadBalancersInput{})
 	for paginator.HasMorePages() {
 		page, err := paginator.NextPage(ctx)
-		framework.ExpectNoError(err)
+		if err != nil {
+			return nil, fmt.Errorf("failed to describe load balancers: %v", err)
+		}
 
-		framework.Logf("found %d load balancers", len(page.LoadBalancers))
+		framework.Logf("found %d load balancers in page", len(page.LoadBalancers))
 		// Search for the load balancer with matching DNS name in this page
 		for i := range page.LoadBalancers {
 			if aws.ToString(page.LoadBalancers[i].DNSName) == lbDNSName {
@@ -587,7 +683,7 @@ func getAWSLoadBalancerFromDNSName(ctx context.Context, elbClient *elbv2.Client,
 	}
 
 	if foundLB == nil {
-		framework.Failf("No load balancer found with DNS name: %s", lbDNSName)
+		return nil, fmt.Errorf("no load balancer found with DNS name: %s", lbDNSName)
 	}
 
 	return foundLB, nil
