GoogleCloudPlatform
diff --git a/‎config/rbac/role.yaml‎
Lines changed: 8 additions & 0 deletions b/‎config/rbac/role.yaml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎controllers/autoneg.go‎
Lines changed: 63 additions & 1 deletion b/‎controllers/autoneg.go‎
Lines changed: 63 additions & 1 deletion
diff --git a/‎controllers/autoneg_test.go‎
Lines changed: 94 additions & 11 deletions b/‎controllers/autoneg_test.go‎
Lines changed: 94 additions & 11 deletions
diff --git a/‎controllers/service_controller.go‎
Lines changed: 10 additions & 1 deletion b/‎controllers/service_controller.go‎
Lines changed: 10 additions & 1 deletion
@@ -35,3 +35,11 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - networking.gke.io
+  resources:
+  - servicenetworkendpointgroups
+  verbs:
+  - list
+  - watch
+
@@ -21,12 +21,18 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"regexp"
+	"slices"
 	"sort"
 	"time"
 
 	backoff "github.com/cenkalti/backoff/v5"
 	"google.golang.org/api/compute/v1"
 	"google.golang.org/api/googleapi"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/ingress-gce/pkg/apis/svcneg/v1beta1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 const (
@@ -48,6 +54,7 @@ const (
 var (
 	errConfigInvalid = errors.New("autoneg configuration invalid")
 	errJSONInvalid   = errors.New("json malformed")
+	zoneRE           = regexp.MustCompile(`zones/([^/]+)`)
 )
 
 type errNotFound struct {
@@ -463,7 +470,8 @@ func validateNewConfig(config AutonegConfig) error {
 	return nil
 }
 
-func getStatuses(namespace string, name string, annotations map[string]string, r *ServiceReconciler) (s Statuses, valid bool, err error) {
+func getStatuses(ctx context.Context, namespace string, name string, annotations map[string]string, r *ServiceReconciler) (s Statuses, valid bool, err error) {
+	logger := log.FromContext(ctx)
 	// Read the current cloud.google.com/neg annotation
 	tmp, ok := annotations[negAnnotation]
 	if ok {
@@ -596,6 +604,60 @@ func getStatuses(namespace string, name string, annotations map[string]string, r
 		if err = json.Unmarshal([]byte(tmp), &s.negStatus); err != nil {
 			return
 		}
+		// Check if we should use ServiceNetworkEndpointGroup custom resource to get the NEG zones.
+		if r.UseSvcNeg {
+			logger.Info("Getting zones using svcneg custom resources")
+			var zones []string
+			zones, err = zonesFromSvcNeg(ctx, r, namespace, &s.negStatus)
+			if err != nil {
+				return
+			}
+			// Update the zones.
+			logger.Info("Got zones from svcnegs", "zones", zones)
+			s.negStatus.Zones = zones
+		}
 	}
+
 	return
 }
+
+func zonesFromSvcNeg(ctx context.Context, reader client.Reader, namespace string, negStatus *NEGStatus) ([]string, error) {
+	logger := log.FromContext(ctx)
+	zones := []string{}
+	negsProcessed := map[string]bool{}
+	for _, neg := range negStatus.NEGs {
+		if _, ok := negsProcessed[neg]; ok {
+			continue
+		}
+		negsProcessed[neg] = true
+		svcNeg := v1beta1.ServiceNetworkEndpointGroup{}
+		err := reader.Get(ctx, client.ObjectKey{
+			Namespace: namespace, Name: neg,
+		}, &svcNeg)
+		if apierrors.IsNotFound(err) {
+			logger.Info("SvcNeg not found", "neg", neg)
+			continue
+		}
+		if err != nil {
+			return nil, fmt.Errorf("failed to get svcneg %s: %w", neg, err)
+		}
+		for _, negRef := range svcNeg.Status.NetworkEndpointGroups {
+			negZone := zone(negRef)
+			if !slices.Contains(zones, negZone) {
+				zones = append(zones, negZone)
+			}
+		}
+	}
+	return zones, nil
+}
+
+func zone(ref v1beta1.NegObjectReference) string {
+	// Of the format: https://www.googleapis.com/compute/beta/projects/<project-id>/zones/<zone>/networkEndpointGroups/<neg>
+	matches := zoneRE.FindStringSubmatch(ref.SelfLink)
+	// The first submatch (index 0) is the entire matched string "zones/us-central1-c"
+	// The second submatch (index 1) is the content of the first capturing group "us-central1-c"
+	if len(matches) > 1 {
+		return matches[1]
+	}
+	return ""
+}
@@ -18,14 +18,19 @@ package controllers
 
 import (
 	"context"
-	"google.golang.org/api/option"
 	"math"
 	"net/http"
 	"net/http/httptest"
 	"reflect"
 	"testing"
 
+	"google.golang.org/api/option"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
 	"google.golang.org/api/compute/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/ingress-gce/pkg/apis/svcneg/v1beta1"
 	"k8s.io/utils/pointer"
 )
 
@@ -285,7 +290,7 @@ func TestGetStatuses(t *testing.T) {
 		DeregisterNEGsOnAnnotationRemoval: true,
 	}
 	for _, st := range statusTests {
-		_, valid, err := getStatuses("ns", "test", st.annotations, &serviceReconciler)
+		_, valid, err := getStatuses(context.Background(), "ns", "test", st.annotations, &serviceReconciler)
 		if err != nil && !st.err {
 			t.Errorf("Set %q: expected no error, got one: %v", st.name, err)
 		}
@@ -308,7 +313,7 @@ func TestGetOldStatuses(t *testing.T) {
 		DeregisterNEGsOnAnnotationRemoval: true,
 	}
 	for _, st := range oldStatusTests {
-		_, valid, err := getStatuses("ns", "test", st.annotations, &serviceReconciler)
+		_, valid, err := getStatuses(context.Background(), "ns", "test", st.annotations, &serviceReconciler)
 		if err != nil && !st.err {
 			t.Errorf("Set %q: expected no error, got one: %v", st.name, err)
 		}
@@ -330,7 +335,7 @@ func TestGetStatusesServiceNameNotAllowed(t *testing.T) {
 		AllowServiceName:    false,
 	}
 	validConf := `{"backend_services":{"80":[{"name":"http-be","max_rate_per_endpoint":100}]}}`
-	statuses, valid, err := getStatuses("ns", "test", map[string]string{autonegAnnotation: validConf}, &serviceReconciler)
+	statuses, valid, err := getStatuses(context.Background(), "ns", "test", map[string]string{autonegAnnotation: validConf}, &serviceReconciler)
 	if err != nil {
 		t.Errorf("Expected no error, got one: %v", err)
 	}
@@ -349,7 +354,7 @@ func TestGetStatusesServiceNameAllowed(t *testing.T) {
 		AllowServiceName:    true,
 	}
 	validConf := `{"backend_services":{"80":[{"name":"http-be","max_rate_per_endpoint":100}]}}`
-	statuses, valid, err := getStatuses("ns", "test", map[string]string{autonegAnnotation: validConf}, &serviceReconciler)
+	statuses, valid, err := getStatuses(context.Background(), "ns", "test", map[string]string{autonegAnnotation: validConf}, &serviceReconciler)
 	if err != nil {
 		t.Errorf("Expected no error, got one: %v", err)
 	}
@@ -368,7 +373,7 @@ func TestGetStatusesOnlyAutonegStatusAnnotation(t *testing.T) {
 		AllowServiceName:                  true,
 		DeregisterNEGsOnAnnotationRemoval: true,
 	}
-	statuses, valid, err := getStatuses("ns", "test", map[string]string{autonegStatusAnnotation: validAutonegStatus}, &serviceReconciler)
+	statuses, valid, err := getStatuses(context.Background(), "ns", "test", map[string]string{autonegStatusAnnotation: validAutonegStatus}, &serviceReconciler)
 	if err != nil {
 		t.Errorf("Expected no error, got one: %v", err)
 	}
@@ -391,7 +396,7 @@ func TestGetStatusesOnlyOldAutonegStatusAnnotation(t *testing.T) {
 		AllowServiceName:                  true,
 		DeregisterNEGsOnAnnotationRemoval: true,
 	}
-	statuses, valid, err := getStatuses("ns", "test", map[string]string{oldAutonegStatusAnnotation: validAutonegStatus}, &serviceReconciler)
+	statuses, valid, err := getStatuses(context.Background(), "ns", "test", map[string]string{oldAutonegStatusAnnotation: validAutonegStatus}, &serviceReconciler)
 	if err != nil {
 		t.Errorf("Expected no error, got one: %v", err)
 	}
@@ -415,7 +420,7 @@ func TestDefaultMaxRatePerEndpointWhenOverrideIsSet(t *testing.T) {
 		MaxRatePerEndpointDefault: 1234,
 	}
 	validConf := `{"backend_services":{"80":[{"name":"http-be","max_rate_per_endpoint":100}]}}`
-	statuses, valid, err := getStatuses("ns", "test", map[string]string{autonegAnnotation: validConf}, &serviceReconciler)
+	statuses, valid, err := getStatuses(context.Background(), "ns", "test", map[string]string{autonegAnnotation: validConf}, &serviceReconciler)
 	if err != nil {
 		t.Errorf("Expected no error, got one: %v", err)
 	}
@@ -438,7 +443,7 @@ func TestDefaultMaxRatePerEndpointWhenOverrideIsNotSet(t *testing.T) {
 		MaxRatePerEndpointDefault: 1234,
 	}
 	validConf := `{"backend_services":{"80":[{"name":"http-be"}]}}`
-	statuses, valid, err := getStatuses("ns", "test", map[string]string{autonegAnnotation: validConf}, &serviceReconciler)
+	statuses, valid, err := getStatuses(context.Background(), "ns", "test", map[string]string{autonegAnnotation: validConf}, &serviceReconciler)
 	if err != nil {
 		t.Errorf("Expected no error, got one: %v", err)
 	}
@@ -461,7 +466,7 @@ func TestDefaultConnectionPerEndpointWhenOverrideIsSet(t *testing.T) {
 		MaxConnectionsPerEndpointDefault: 1234,
 	}
 	validConf := `{"backend_services":{"80":[{"name":"http-be","max_connections_per_endpoint":100}]}}`
-	statuses, valid, err := getStatuses("ns", "test", map[string]string{autonegAnnotation: validConf}, &serviceReconciler)
+	statuses, valid, err := getStatuses(context.Background(), "ns", "test", map[string]string{autonegAnnotation: validConf}, &serviceReconciler)
 	if err != nil {
 		t.Errorf("Expected no error, got one: %v", err)
 	}
@@ -484,7 +489,7 @@ func TestDefaultMaxConnectionsEndpointWhenOverrideIsNotSet(t *testing.T) {
 		MaxConnectionsPerEndpointDefault: 1234,
 	}
 	validConf := `{"backend_services":{"80":[{"name":"http-be"}]}}`
-	statuses, valid, err := getStatuses("ns", "test", map[string]string{autonegAnnotation: validConf}, &serviceReconciler)
+	statuses, valid, err := getStatuses(context.Background(), "ns", "test", map[string]string{autonegAnnotation: validConf}, &serviceReconciler)
 	if err != nil {
 		t.Errorf("Expected no error, got one: %v", err)
 	}
@@ -1006,3 +1011,81 @@ func TestReconcileBackendsDeletionWithMissingBackend(t *testing.T) {
 		t.Errorf("ReconcileBackends() got err: %v, want none", err)
 	}
 }
+
+type fakeReader struct {
+	client.Reader
+	svcNeg *v1beta1.ServiceNetworkEndpointGroup
+	getErr error
+}
+
+func (r *fakeReader) Get(ctx context.Context, key client.ObjectKey, obj client.Object, opts ...client.GetOption) error {
+	if r.svcNeg != nil {
+		r.svcNeg.DeepCopyInto(obj.(*v1beta1.ServiceNetworkEndpointGroup))
+	}
+	return r.getErr
+}
+
+func TestZonesFromSvcNeg(t *testing.T) {
+	tests := []struct {
+		name         string
+		negStatus    *NEGStatus
+		svcNeg       *v1beta1.ServiceNetworkEndpointGroup
+		getSvcNegErr error
+		wantZones    []string
+		wantErr      bool
+	}{
+		{
+			name: "success",
+			svcNeg: &v1beta1.ServiceNetworkEndpointGroup{
+				Status: v1beta1.ServiceNetworkEndpointGroupStatus{
+					NetworkEndpointGroups: []v1beta1.NegObjectReference{
+						{
+							SelfLink: "https://www.googleapis.com/compute/beta/projects/test-project/zones/zone1/networkEndpointGroups/neg_name",
+						},
+						{
+							SelfLink: "https://www.googleapis.com/compute/beta/projects/test-project/zones/zone2/networkEndpointGroups/neg_name",
+						},
+					},
+				},
+			},
+			negStatus: &NEGStatus{
+				NEGs: map[string]string{"80": fakeNeg, "90": fakeNeg2},
+			},
+			wantZones: []string{"zone1", "zone2"},
+			wantErr:   false,
+		},
+		{
+			name:         "svcneg not found",
+			getSvcNegErr: apierrors.NewNotFound(schema.GroupResource{}, ""),
+			negStatus: &NEGStatus{
+				NEGs: map[string]string{"80": fakeNeg},
+			},
+			wantZones: []string{},
+			wantErr:   false,
+		},
+		{
+			name:         "get svcneg error",
+			getSvcNegErr: apierrors.NewForbidden(schema.GroupResource{}, "", nil),
+			negStatus: &NEGStatus{
+				NEGs: map[string]string{"80": fakeNeg},
+			},
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			r := &fakeReader{
+				svcNeg: tt.svcNeg,
+				getErr: tt.getSvcNegErr,
+			}
+			zones, err := zonesFromSvcNeg(context.Background(), r, "test", tt.negStatus)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ZonesFromSvcNeg() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			if !reflect.DeepEqual(zones, tt.wantZones) {
+				t.Errorf("ZonesFromSvcNeg() zones = %v, want %v", zones, tt.wantZones)
+			}
+		})
+	}
+}
@@ -27,6 +27,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/tools/record"
+	"k8s.io/ingress-gce/pkg/apis/svcneg/v1beta1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
@@ -50,6 +51,7 @@ type ServiceReconciler struct {
 	AlwaysReconcile                   bool
 	ReconcileDuration                 *time.Duration
 	DeregisterNEGsOnAnnotationRemoval bool
+	UseSvcNeg                         bool
 }
 
 //+kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;update;patch
@@ -80,7 +82,7 @@ func (r *ServiceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 		return r.reconcileResult(err)
 	}
 
-	status, ok, err := getStatuses(svc.Namespace, svc.Name, svc.ObjectMeta.Annotations, r)
+	status, ok, err := getStatuses(ctx, svc.Namespace, svc.Name, svc.ObjectMeta.Annotations, r)
 	// Is this service using autoneg?
 	if !ok {
 		return r.reconcileResult(nil)
@@ -137,6 +139,7 @@ func (r *ServiceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 	// Write changes to the service object.
 	if deleting {
 		// Remove finalizer and clear status
+		logger.Info("Removing finalizer")
 		svc.ObjectMeta.Finalizers = removeString(svc.ObjectMeta.Finalizers, oldAutonegFinalizer)
 		svc.ObjectMeta.Finalizers = removeString(svc.ObjectMeta.Finalizers, autonegFinalizer)
 		delete(svc.ObjectMeta.Annotations, autonegStatusAnnotation)
@@ -207,6 +210,12 @@ func (r *ServiceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 
 // SetupWithManager sets up the controller with the Manager.
 func (r *ServiceReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	if r.UseSvcNeg {
+		return ctrl.NewControllerManagedBy(mgr).
+			For(&corev1.Service{}).
+			Owns(&v1beta1.ServiceNetworkEndpointGroup{}).
+			Complete(r)
+	}
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&corev1.Service{}).
 		Complete(r)