Fix ILB bugs in syncing firewall

Fixes a bug where ilb subnet is added multiple times to firewall and causes syncing failures
Fixes a bug where ilb is enabled + no ilb ingress leads to appending multiple empty strings to firewall and cases syncing failures
De-dupes firewall src ranges

pkg/firewalls/controller.go

@@ -17,9 +17,8 @@ limitations under the License.
 package firewalls
 
 import (
+	"errors"
 	"fmt"
-	"k8s.io/ingress-gce/pkg/flags"
-	"k8s.io/ingress-gce/pkg/loadbalancers/features"
 	"reflect"
 	"time"
 
@@ -32,6 +31,8 @@ import (
 	"k8s.io/ingress-gce/pkg/common/operator"
 	"k8s.io/ingress-gce/pkg/context"
 	"k8s.io/ingress-gce/pkg/controller/translator"
+	"k8s.io/ingress-gce/pkg/flags"
+	"k8s.io/ingress-gce/pkg/loadbalancers/features"
 	"k8s.io/ingress-gce/pkg/utils"
 	"k8s.io/klog"
 	"k8s.io/legacy-cloud-providers/gce"
@@ -42,6 +43,8 @@ var (
 	queueKey = &v1beta1.Ingress{
 		ObjectMeta: metav1.ObjectMeta{Name: "queueKey"},
 	}
+
+	ErrNoILBIngress = errors.New("no ILB Ingress found")
 )
 
 // FirewallController synchronizes the firewall rule for all ingresses.
@@ -170,9 +173,12 @@ func (fwc *FirewallController) sync(key string) error {
 	if flags.F.EnableL7Ilb {
 		ilbRange, err := fwc.ilbFirewallSrcRange(gceIngresses)
 		if err != nil {
-			return err
+			if err != features.ErrSubnetNotFound && err != ErrNoILBIngress {
+				return err
+			}
+		} else {
+			additionalRanges = append(additionalRanges, ilbRange)
 		}
-		additionalRanges = append(additionalRanges, ilbRange)
 	}
 
 	// Ensure firewall rule for the cluster and pass any NEG endpoint ports.
@@ -204,10 +210,10 @@ func (fwc *FirewallController) ilbFirewallSrcRange(gceIngresses []*v1beta1.Ingre
 	if ilbEnabled {
 		L7ILBSrcRange, err := features.ILBSubnetSourceRange(fwc.ctx.Cloud, fwc.ctx.Cloud.Region())
 		if err != nil {
-			return "", fmt.Errorf("error unable to get ILB subnet source ranges: %v", err)
+			return "", err
 		}
 		return L7ILBSrcRange, nil
 	}
 
-	return "", nil
+	return "", ErrNoILBIngress
 }

pkg/firewalls/firewalls.go

@@ -77,13 +77,18 @@ func (fr *FirewallRules) Sync(nodeNames, additionalPorts, additionalRanges []str
 	}
 	sort.Strings(targetTags)
 
-	ports := sets.NewString(additionalPorts...)
-	fr.srcRanges = append(fr.srcRanges, additionalRanges...)
-	ports.Insert(fr.portRanges...)
+	// De-dupe ports
+	ports := sets.NewString(fr.portRanges...)
+	ports.Insert(additionalPorts...)
+
+	// De-dupe srcRanges
+	ranges := sets.NewString(fr.srcRanges...)
+	ranges.Insert(additionalRanges...)
+
 	expectedFirewall := &compute.Firewall{
 		Name:         name,
 		Description:  "GCE L7 firewall rule",
-		SourceRanges: fr.srcRanges,
+		SourceRanges: ranges.UnsortedList(),
 		Network:      fr.cloud.NetworkURL(),
 		Allowed: []*compute.FirewallAllowed{
 			{

pkg/firewalls/firewalls_test.go

@@ -141,6 +141,10 @@ func TestFirewallPoolSyncRanges(t *testing.T) {
 			desc:             "Multiple ranges",
 			additionalRanges: []string{"10.128.0.0/24", "10.132.0.0/24", "10.134.0.0/24"},
 		},
+		{
+			desc:             "Duplicate ranges",
+			additionalRanges: []string{"10.128.0.0/24", "10.132.0.0/24", "10.134.0.0/24", "10.132.0.0/24", "10.134.0.0/24"},
+		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.desc, func(t *testing.T) {