utils: ECS SDK v2: use VPC endpoints for cn-hangzhou, etc.

huww98 · huww98 · commit e57880a637c3 · 2026-01-09T19:48:48.000+08:00
diff --git a/pkg/utils/openapi.go b/pkg/utils/openapi.go
@@ -4,6 +4,7 @@ import (
 	"os"
 
 	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
+	"k8s.io/utils/ptr"
 )
 
 func getOpenAPIConfig(regionID string) *openapi.Config {
@@ -29,6 +30,20 @@ func GetEcsConfig(regionID string) *openapi.Config {
 	config := getOpenAPIConfig(regionID)
 	if e := os.Getenv("ECS_ENDPOINT"); e != "" {
 		config.Endpoint = &e
+	} else {
+		// ECS default endpoint logic maps cn-hangzhou, etc to public network,
+		// but we may want to use VPC.
+		// This aligns with GO SDK v1
+		// cn-hangzhou-finance is the only region in public cloud that don't have VPC endpoint
+		// see https://api.aliyun.com/api/Ecs/2014-05-26 (Regions at top-left)
+		if network := ptr.Deref(config.Network, ""); network != "" && regionID != "cn-hangzhou-finance" {
+			if network == "public" {
+				network = ""
+			} else {
+				network = "-" + network
+			}
+			config.Endpoint = ptr.To("ecs" + network + "." + regionID + ".aliyuncs.com")
+		}
 	}
 	return config
 }
diff --git a/pkg/utils/openapi_test.go b/pkg/utils/openapi_test.go
@@ -0,0 +1,83 @@
+package utils
+
+import (
+	"testing"
+
+	ecs20140526 "github.com/alibabacloud-go/ecs-20140526/v7/client"
+	"github.com/stretchr/testify/assert"
+	"k8s.io/utils/ptr"
+)
+
+func TestEcsEndpoint(t *testing.T) {
+	// All regions that has VPC endpoint from https://api.aliyun.com/api/Ecs/2014-05-26 (Regions at top-left)
+	vpcRegions := []string{
+		"cn-qingdao",
+		"cn-beijing-finance-1",
+		"cn-beijing",
+		"cn-zhangjiakou",
+		"cn-huhehaote",
+		"cn-wulanchabu",
+		"cn-hangzhou",
+		"cn-shanghai-finance-1",
+		"cn-shanghai",
+		"cn-nanjing",
+		"cn-fuzhou",
+		"cn-shenzhen-finance-1",
+		"cn-shenzhen",
+		"cn-heyuan",
+		"cn-guangzhou",
+		"cn-wuhan-lr",
+		"me-east-1",
+		"ap-southeast-2",
+		"eu-central-1",
+		"ap-southeast-6",
+		"ap-northeast-2",
+		"cn-heyuan-acdr-1",
+		"ap-southeast-3",
+		"us-east-1",
+		"us-west-1",
+		"us-southeast-1",
+		"na-south-1",
+		"ap-northeast-1",
+		"me-central-1",
+		"ap-southeast-7",
+		"cn-zhongwei",
+		"cn-chengdu",
+		"ap-southeast-1",
+		"ap-south-1",
+		"ap-southeast-5",
+		"eu-west-1",
+		"cn-zhengzhou-jva",
+		"cn-hongkong",
+	}
+	testEp := func(t *testing.T, region, ep string) {
+		t.Run(region, func(t *testing.T) {
+			cfg := GetEcsConfig(region)
+			cfg.AccessKeyId = ptr.To("foo")
+			cfg.AccessKeySecret = ptr.To("bar")
+
+			client, err := ecs20140526.NewClient(cfg)
+			assert.NoError(t, err)
+			assert.Equal(t, ep, *client.Endpoint)
+		})
+	}
+	testEp(t, "cn-hangzhou", "ecs-cn-hangzhou.aliyuncs.com") // use SDK defaults by default
+
+	t.Run("vpc", func(t *testing.T) {
+		t.Setenv("ALIBABA_CLOUD_NETWORK_TYPE", "vpc")
+		for _, region := range vpcRegions {
+			testEp(t, region, "ecs-vpc."+region+".aliyuncs.com")
+		}
+		// The only region in public cloud that don't have VPC endpoint
+		testEp(t, "cn-hangzhou-finance", "ecs.aliyuncs.com")
+	})
+
+	t.Run("public", func(t *testing.T) {
+		t.Setenv("ALIBABA_CLOUD_NETWORK_TYPE", "public")
+		for _, region := range vpcRegions {
+			testEp(t, region, "ecs."+region+".aliyuncs.com")
+		}
+		// Also don't have regional public endpoint
+		testEp(t, "cn-hangzhou-finance", "ecs.aliyuncs.com")
+	})
+}
