addressed comments

docs/guide/ingress/annotations.md

@@ -791,6 +791,7 @@ TLS support can be controlled with the following annotations:
 - <a name="mutual-authentication">`alb.ingress.kubernetes.io/mutual-authentication`</a>  specifies the mutual authentication configuration that should be assigned to the Application Load Balancer secure listener ports. See [Mutual authentication with TLS](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html) in the AWS documentation for more details.
 
     !!!note "Configuration Options"
+        - This annotation is not applicable for Outposts, Local Zones or Wavelength zones.
         - `port: listen port ` 
             - Must be a HTTPS port specified by [listen-ports](#listen-ports).
         - `mode: "off" (default) | "passthrough" | "verify"`
@@ -800,6 +801,7 @@ TLS support can be controlled with the following annotations:
             - Both ARN and Name of trustStore are supported values.
             - `trustStore` is required when mode is `verify`.
         - `ignoreClientCertificateExpiry : true | false (default)`
+        - Once the Mutual Authentication is set, to turn it off, you will have to explicitly pass in this annotation with `mode : "off"`.
 
     !!!example
         - [listen-ports](#listen-ports) specifies four HTTPS ports: `80, 443, 8080, 8443`

pkg/ingress/model_build_listener.go

@@ -4,11 +4,10 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"net"
-	"strings"
-
 	elbv2sdk "github.com/aws/aws-sdk-go/service/elbv2"
 	"k8s.io/utils/strings/slices"
+	"net"
+	"strings"
 
 	awssdk "github.com/aws/aws-sdk-go/aws"
 	"github.com/pkg/errors"
@@ -20,7 +19,6 @@ import (
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
-	networking2 "sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
 )
 
 func (t *defaultModelBuildTask) buildListener(ctx context.Context, lbARN core.StringToken, port int64, config listenPortConfig, ingList []ClassifiedIngress) (*elbv2model.Listener, error) {
@@ -274,29 +272,11 @@ type MutualAuthenticationConfig struct {
 }
 
 func (t *defaultModelBuildTask) computeIngressMutualAuthentication(ctx context.Context, ing *ClassifiedIngress) (map[int64]*elbv2model.MutualAuthenticationAttributes, error) {
-
-
-	subnetsSelector := ing.IngClassConfig.IngClassParams.Spec.Subnets
-	subnets, _ := t.subnetsResolver.ResolveViaSelector(ctx, subnetsSelector)
-	azInfoProvider := networking2.NewDefaultAZInfoProvider(t.ec2Client, t.logger)
-
-	isMtlsNotSupportedForSelectedSubnets, zoneType := networking2.IsMtlsNotSupportedForSelectedSubnets(ctx, subnets, azInfoProvider)
-
 	var rawMtlsConfigString string
 	if exists := t.annotationParser.ParseStringAnnotation(annotations.IngressSuffixMutualAuthentication, &rawMtlsConfigString, ing.Ing.Annotations); !exists {
-		// If both Ingress annotation is missing mutual-authentication config, and the subnet is in Local Zone or Wavelength zone or Outpost, then return nil as API doesn't support MutualAuthentication parameter for these zones
-		if isMtlsNotSupportedForSelectedSubnets {
-			return nil, nil
-		}
-		// If both Ingress annotation is missing mutual-authentication config, return default mutualAuthentication mode
-		return map[int64]*elbv2model.MutualAuthenticationAttributes{443: {
-			Mode: string(elbv2model.MutualAuthenticationOffMode),
-		}}, nil
-
-	}
-	if isMtlsNotSupportedForSelectedSubnets {
-		return nil, errors.Errorf("Mutual authentication annotation is not applicable for selected subnets because the selected subnets are in %s", zoneType)
+		return nil, nil
 	}
+
 	var ingressAnnotationEntries []MutualAuthenticationConfig
 
 	if err := json.Unmarshal([]byte(rawMtlsConfigString), &ingressAnnotationEntries); err != nil {

pkg/networking/utils.go

@@ -1,11 +1,9 @@
 package networking
 
 import (
-	"context"
-	"net/netip"
-
 	awssdk "github.com/aws/aws-sdk-go/aws"
 	ec2sdk "github.com/aws/aws-sdk-go/service/ec2"
+	"net/netip"
 )
 
 // ParseCIDRs will parse CIDRs in string format into parsed IPPrefix
@@ -74,41 +72,3 @@ func GetSubnetAssociatedIPv6CIDRs(subnet *ec2sdk.Subnet) ([]netip.Prefix, error)
 	}
 	return ipv6CIDRs, nil
 }
-
-func IsMtlsNotSupportedForSelectedSubnets(ctx context.Context, subnets []*ec2sdk.Subnet, azInfoProvider *defaultAZInfoProvider) (bool, string) {
-	const (
-		zoneTypeLocalZone      string = "local-zone"
-		zoneTypeWavelengthZone string = "wavelength-zone"
-		outPostSubnet          string = "outpost"
-	)
-
-	isAnySubnetInLocalZoneOrOutPostOrWaveLengthZone := false
-	zoneType := ""
-	var azIds []string
-
-	for _, subnet := range subnets {
-		if subnet.OutpostArn != nil && len(*subnet.OutpostArn) != 0 {
-			isAnySubnetInLocalZoneOrOutPostOrWaveLengthZone = true
-			zoneType = outPostSubnet
-			break
-		}
-
-		azIds = append(azIds, awssdk.StringValue(subnet.AvailabilityZoneId))
-
-	}
-
-	azsInfo, _ := azInfoProvider.FetchAZInfos(ctx, azIds)
-
-	for _, azInfo := range azsInfo {
-		if azInfo.ZoneType != nil && (awssdk.StringValue(azInfo.ZoneType) == zoneTypeLocalZone || awssdk.StringValue(azInfo.ZoneType) == zoneTypeWavelengthZone) {
-			isAnySubnetInLocalZoneOrOutPostOrWaveLengthZone = true
-			zoneType = zoneTypeLocalZone
-			if awssdk.StringValue(azInfo.ZoneType) == zoneTypeWavelengthZone {
-				zoneType = zoneTypeWavelengthZone
-			}
-			break
-		}
-	}
-
-	return isAnySubnetInLocalZoneOrOutPostOrWaveLengthZone, zoneType
-}