gardener · kevin-lacoo · Nov 28, 2023 · Sep 11, 2023 · Sep 12, 2023 · Sep 14, 2023
@@ -5,7 +5,7 @@ go 1.21
 require (
 	github.com/Masterminds/semver/v3 v3.2.1
 	github.com/ahmetb/gen-crd-api-reference-docs v0.3.0
-	github.com/aliyun/alibaba-cloud-sdk-go v1.61.1492
+	github.com/aliyun/alibaba-cloud-sdk-go v1.62.561
 	github.com/aliyun/aliyun-oss-go-sdk v2.1.8+incompatible
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/gardener/etcd-druid v0.19.2
@@ -16,6 +16,7 @@ require (
 	github.com/onsi/gomega v1.27.10
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
+	go.uber.org/atomic v1.10.0
 	go.uber.org/mock v0.2.0
 	golang.org/x/time v0.3.0
 	golang.org/x/tools v0.13.0
@@ -96,6 +97,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nwaples/rardecode v1.1.2 // indirect
+	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
 	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
 	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect

@@ -72,8 +72,8 @@ github.com/ahmetb/gen-crd-api-reference-docs v0.3.0 h1:+XfOU14S4bGuwyvCijJwhhBIj
 github.com/ahmetb/gen-crd-api-reference-docs v0.3.0/go.mod h1:TdjdkYhlOifCQWPs1UdTma97kQQMozf5h26hTuG70u8=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/aliyun/alibaba-cloud-sdk-go v1.61.1492 h1:dTL6Z4fLVRknYZg12JhjjuAPnqt6W9PM7jQMWup5Iv0=
-github.com/aliyun/alibaba-cloud-sdk-go v1.61.1492/go.mod h1:RcDobYh8k5VP6TNybz9m++gL3ijVI5wueVr0EM10VsU=
+github.com/aliyun/alibaba-cloud-sdk-go v1.62.561 h1:emlrsu5p+sQGa3XVnYckpsSZy9lNgI2u4V8SnhMGOto=
+github.com/aliyun/alibaba-cloud-sdk-go v1.62.561/go.mod h1:Api2AkmMgGaSUAhmk76oaFObkoeCPc/bKAqcyplPODs=
 github.com/aliyun/aliyun-oss-go-sdk v2.1.8+incompatible h1:hLUNPbx10wawWW7DeNExvTrlb90db3UnnNTFKHZEFhE=
 github.com/aliyun/aliyun-oss-go-sdk v2.1.8+incompatible/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
@@ -394,6 +394,8 @@ github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGV
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
 github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
+github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b h1:FfH+VrHHk6Lxt9HdVS0PXzSXFyS2NbZKXv33FYPol0A=
+github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b/go.mod h1:AC62GU6hc0BrNm+9RK9VSiwa/EUe1bkIeFORAMcHvJU=
 github.com/pelletier/go-toml/v2 v2.0.8 h1:0ctb6s9mE31h0/lhu+J6OPmVeDxJn+kYnJc2jZR9tGQ=
 github.com/pelletier/go-toml/v2 v2.0.8/go.mod h1:vuYfssBdrU2XDZ9bYydBu6t+6a6PYNcZljzZR9VXg+4=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
@@ -469,6 +471,10 @@ github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gt
 github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8=
 github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
+github.com/uber/jaeger-client-go v2.30.0+incompatible h1:D6wyKGCecFaSRUpo8lCVbaOOb6ThwMmTEbhRwtKR97o=
+github.com/uber/jaeger-client-go v2.30.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
+github.com/uber/jaeger-lib v2.4.1+incompatible h1:td4jdvLcExb4cBISKIpHuGoVXh+dVKhn2Um6rjCsSsg=
+github.com/uber/jaeger-lib v2.4.1+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U=
 github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
 github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8=
 github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
@@ -486,6 +492,9 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ=
+go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=

@@ -78,6 +78,17 @@ type ECS interface {
 	CreateEgressRule(request *ecs.AuthorizeSecurityGroupEgressRequest) error
 	RevokeIngressRule(request *ecs.RevokeSecurityGroupRequest) error
 	RevokeEgressRule(request *ecs.RevokeSecurityGroupEgressRequest) error
+
+	CreateSecurityGroup(request *ecs.CreateSecurityGroupRequest) (response *ecs.CreateSecurityGroupResponse, err error)
+	DeleteSecurityGroup(request *ecs.DeleteSecurityGroupRequest) (response *ecs.DeleteSecurityGroupResponse, err error)
+	AuthorizeSecurityGroup(request *ecs.AuthorizeSecurityGroupRequest) (response *ecs.AuthorizeSecurityGroupResponse, err error)
+	RevokeSecurityGroup(request *ecs.RevokeSecurityGroupRequest) (response *ecs.RevokeSecurityGroupResponse, err error)
+	AuthorizeSecurityGroupEgress(request *ecs.AuthorizeSecurityGroupEgressRequest) (response *ecs.AuthorizeSecurityGroupEgressResponse, err error)
+	RevokeSecurityGroupEgress(request *ecs.RevokeSecurityGroupEgressRequest) (response *ecs.RevokeSecurityGroupEgressResponse, err error)
+
+	ListTagResources(request *ecs.ListTagResourcesRequest) (response *ecs.ListTagResourcesResponse, err error)
+	TagResources(request *ecs.TagResourcesRequest) (response *ecs.TagResourcesResponse, err error)
+	UntagResources(request *ecs.UntagResourcesRequest) (response *ecs.UntagResourcesResponse, err error)
 }
 
 // stsClient implements the STS interface.
@@ -120,6 +131,9 @@ type VPC interface {
 
 	CreateVpc(request *vpc.CreateVpcRequest) (response *vpc.CreateVpcResponse, err error)
 	DescribeVpcs(request *vpc.DescribeVpcsRequest) (response *vpc.DescribeVpcsResponse, err error)
+	TagResources(request *vpc.TagResourcesRequest) (response *vpc.TagResourcesResponse, err error)
+	UnTagResources(request *vpc.UnTagResourcesRequest) (response *vpc.UnTagResourcesResponse, err error)
+	ListTagResources(request *vpc.ListTagResourcesRequest) (response *vpc.ListTagResourcesResponse, err error)
 	DeleteVpc(request *vpc.DeleteVpcRequest) (response *vpc.DeleteVpcResponse, err error)
 	CreateVSwitch(request *vpc.CreateVSwitchRequest) (response *vpc.CreateVSwitchResponse, err error)
 	DescribeVSwitches(request *vpc.DescribeVSwitchesRequest) (response *vpc.DescribeVSwitchesResponse, err error)
@@ -130,6 +144,14 @@ type VPC interface {
 	DeleteNatGateway(request *vpc.DeleteNatGatewayRequest) (response *vpc.DeleteNatGatewayResponse, err error)
 	DescribeSnatTableEntries(request *vpc.DescribeSnatTableEntriesRequest) (response *vpc.DescribeSnatTableEntriesResponse, err error)
 	DescribeEipAddresses(request *vpc.DescribeEipAddressesRequest) (response *vpc.DescribeEipAddressesResponse, err error)
+
+	AllocateEipAddress(request *vpc.AllocateEipAddressRequest) (response *vpc.AllocateEipAddressResponse, err error)
+	ReleaseEipAddress(request *vpc.ReleaseEipAddressRequest) (response *vpc.ReleaseEipAddressResponse, err error)
+	ModifyEipAddressAttribute(request *vpc.ModifyEipAddressAttributeRequest) (response *vpc.ModifyEipAddressAttributeResponse, err error)
+	AssociateEipAddress(request *vpc.AssociateEipAddressRequest) (response *vpc.AssociateEipAddressResponse, err error)
+	UnassociateEipAddress(request *vpc.UnassociateEipAddressRequest) (response *vpc.UnassociateEipAddressResponse, err error)
+	CreateSnatEntry(request *vpc.CreateSnatEntryRequest) (response *vpc.CreateSnatEntryResponse, err error)
+	DeleteSnatEntry(request *vpc.DeleteSnatEntryRequest) (response *vpc.DeleteSnatEntryResponse, err error)
 }
 
 // ramClient implements the RAM interface.

@@ -0,0 +1,25 @@
+// Copyright (c) 2023 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package alicloud
+
+const (
+	// AnnotationKeyUseFlow is the annotation key used to enable reconciliation with flow instead of terraformer.
+	AnnotationKeyUseFlow = "alicloud.provider.extensions.gardener.cloud/use-flow"
+	// SeedLabelKeyUseFlow is the label for seeds to enable flow reconciliation for all of its shoots if value is `true`
+	// or for new shoots only with value `new`
+	SeedLabelKeyUseFlow = AnnotationKeyUseFlow
+	// SeedLabelUseFlowValueNew is the value to restrict flow reconciliation to new shoot clusters
+	SeedLabelUseFlowValueNew = "new"
+)
@@ -526,11 +526,43 @@ func (a *actuator) makeImageVisibleForShoot(ctx context.Context, log logr.Logger
 
 // Reconcile implements infrastructure.Actuator.
 func (a *actuator) Reconcile(ctx context.Context, log logr.Logger, infra *extensionsv1alpha1.Infrastructure, cluster *extensioncontroller.Cluster) error {
+	flowState, err := a.getFlowStateFromInfraStatus(infra)
+	if err != nil {
+		return util.DetermineError(err, helper.KnownCodes)
+	}
+	if flowState == nil {
+		if a.shouldUseFlow(infra, cluster) {
+			flowState, err = a.migrateFlowStateFromTerraformerState(ctx, log, infra)
+			if err != nil {
+				return util.DetermineError(err, helper.KnownCodes)
+			}
+		}
+	}
+	if flowState != nil {
+		err = a.reconcileWithFlow(ctx, log, infra, cluster, flowState)
+		return util.DetermineError(err, helper.KnownCodes)
+	}
 	return a.reconcile(ctx, log, infra, cluster, terraformer.StateConfigMapInitializerFunc(terraformer.CreateState))
 }
 
 // Restore implements infrastructure.Actuator.
 func (a *actuator) Restore(ctx context.Context, log logr.Logger, infra *extensionsv1alpha1.Infrastructure, cluster *extensioncontroller.Cluster) error {
+	flowState, err := a.getFlowStateFromInfraStatus(infra)
+	if err != nil {
+		return util.DetermineError(err, helper.KnownCodes)
+	}
+	if flowState == nil {
+		if a.shouldUseFlow(infra, cluster) {
+			flowState, err = a.migrateFlowStateFromTerraformerState(ctx, log, infra)
+			if err != nil {
+				return util.DetermineError(err, helper.KnownCodes)
+			}
+		}
+	}
+	if flowState != nil {
+		err = a.reconcileWithFlow(ctx, log, infra, cluster, flowState)
+		return util.DetermineError(err, helper.KnownCodes)
+	}
 	terraformState, err := terraformer.UnmarshalRawState(infra.Status.State)
 	if err != nil {
 		return err
@@ -644,6 +676,19 @@ func (a *actuator) cleanupServiceLoadBalancers(ctx context.Context, infra *exten
 
 // Delete implements infrastructure.Actuator.
 func (a *actuator) Delete(ctx context.Context, log logr.Logger, infra *extensionsv1alpha1.Infrastructure, _ *extensioncontroller.Cluster) error {
+	flowState, err := a.getFlowStateFromInfraStatus(infra)
+	if err != nil {
+		return util.DetermineError(err, helper.KnownCodes)
+	}
+	if flowState != nil {
+		err = a.deleteWithFlow(ctx, log, infra, flowState)
+		return util.DetermineError(err, helper.KnownCodes)
+	}
+
+	return a.delete(ctx, log, infra)
+}
+
+func (a *actuator) delete(ctx context.Context, log logr.Logger, infra *extensionsv1alpha1.Infrastructure) error {
 	tf, err := common.NewTerraformer(log, a.terraformerFactory, a.restConfig, TerraformerPurpose, infra, a.disableProjectedTokenMount)
 	if err != nil {
 		return util.DetermineError(err, helper.KnownCodes)
@@ -705,6 +750,13 @@ func (a *actuator) ForceDelete(_ context.Context, _ logr.Logger, _ *extensionsv1
 
 // Migrate implements infrastructure.Actuator.
 func (a *actuator) Migrate(ctx context.Context, log logr.Logger, infra *extensionsv1alpha1.Infrastructure, _ *extensioncontroller.Cluster) error {
+	flowState, err := a.getFlowStateFromInfraStatus(infra)
+	if err != nil {
+		return util.DetermineError(err, helper.KnownCodes)
+	}
+	if flowState != nil {
+		return nil // nothing to do if already using new flow without Terraformer
+	}
 	tf, err := common.NewTerraformer(log, a.terraformerFactory, a.restConfig, TerraformerPurpose, infra, a.disableProjectedTokenMount)
 	if err != nil {
 		return util.DetermineError(err, helper.KnownCodes)