From f6240d7a88d50bcac4053b7887ea6a8200a416e0 Mon Sep 17 00:00:00 2001
From: "yogiii@amazon.com"
Date: Fri, 24 May 2024 12:19:29 -0700
Subject: [PATCH] addressed comments
---
docs/guide/ingress/annotations.md | 2 ++
pkg/ingress/model_build_listener.go | 28 +++----------------
pkg/networking/utils.go | 42 +----------------------------
3 files changed, 7 insertions(+), 65 deletions(-)
diff --git a/docs/guide/ingress/annotations.md b/docs/guide/ingress/annotations.md
index 32ddf6531..be8a7df92 100644
--- a/docs/guide/ingress/annotations.md
+++ b/docs/guide/ingress/annotations.md
@@ -791,6 +791,7 @@ TLS support can be controlled with the following annotations: - `alb.ingress.kubernetes.io/mutual-authentication` specifies the mutual authentication configuration that should be assigned to the Application Load Balancer secure listener ports. See [Mutual authentication with TLS](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html) in the AWS documentation for more details. !!!note "Configuration Options" + - This annotation is not applicable for Outposts, Local Zones or Wavelength zones. - `port: listen port ` - Must be a HTTPS port specified by [listen-ports](#listen-ports). - `mode: "off" (default) | "passthrough" | "verify"`
@@ -800,6 +801,7 @@ TLS support can be controlled with the following annotations: - Both ARN and Name of trustStore are supported values. - `trustStore` is required when mode is `verify`. - `ignoreClientCertificateExpiry : true | false (default)` + - Once the Mutual Authentication is set, to turn it off, you will have to explicitly pass in this annotation with `mode : "off"`. !!!example - [listen-ports](#listen-ports) specifies four HTTPS ports: `80, 443, 8080, 8443`
diff --git a/pkg/ingress/model_build_listener.go b/pkg/ingress/model_build_listener.go
index 1bdde0bbc..892176585 100644
--- a/pkg/ingress/model_build_listener.go
+++ b/pkg/ingress/model_build_listener.go
@@ -4,11 +4,10 @@ import (
 "context"
 "encoding/json"
 "fmt"
- "net"
- "strings"
-
 elbv2sdk "github.com/aws/aws-sdk-go/service/elbv2"
 "k8s.io/utils/strings/slices"
+ "net"
+ "strings"
 
 awssdk "github.com/aws/aws-sdk-go/aws"
 "github.com/pkg/errors"
@@ -20,7 +19,6 @@ import (
 "sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
 "sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
 elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
- networking2 "sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
 )
 
 func (t *defaultModelBuildTask) buildListener(ctx context.Context, lbARN core.StringToken, port int64, config listenPortConfig, ingList []ClassifiedIngress) (*elbv2model.Listener, error) {
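Review bot: The re-added `"net"` and `"strings"` imports land in the third-party group, after `"k8s.io/utils/strings/slices"`, instead of back in the standard-library group they were removed from three lines earlier; goimports would place them with `"context"`, `"encoding/json"` and `"fmt"`. The same grouping slip appears in the first hunk of `pkg/networking/utils.go`, where `"net/netip"` is re-added after `ec2sdk`. Moving the two lines back up keeps both files goimports-clean and avoids spurious churn the next time the tool is run.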
@@ -274,29 +272,11 @@ type MutualAuthenticationConfig struct {
 }
 
 func (t *defaultModelBuildTask) computeIngressMutualAuthentication(ctx context.Context, ing *ClassifiedIngress) (map[int64]*elbv2model.MutualAuthenticationAttributes, error) {
-
-
- subnetsSelector := ing.IngClassConfig.IngClassParams.Spec.Subnets
- subnets, _ := t.subnetsResolver.ResolveViaSelector(ctx, subnetsSelector)
- azInfoProvider := networking2.NewDefaultAZInfoProvider(t.ec2Client, t.logger)
-
- isMtlsNotSupportedForSelectedSubnets, zoneType := networking2.IsMtlsNotSupportedForSelectedSubnets(ctx, subnets, azInfoProvider)
-
 var rawMtlsConfigString string
 if exists := t.annotationParser.ParseStringAnnotation(annotations.IngressSuffixMutualAuthentication, &rawMtlsConfigString, ing.Ing.Annotations); !exists {
- // If both Ingress annotation is missing mutual-authentication config, and the subnet is in Local Zone or Wavelength zone or Outpost, then return nil as API doesn't support MutualAuthentication parameter for these zones
- if isMtlsNotSupportedForSelectedSubnets {
- return nil, nil
- }
- // If both Ingress annotation is missing mutual-authentication config, return default mutualAuthentication mode
- return map[int64]*elbv2model.MutualAuthenticationAttributes{443: {
- Mode: string(elbv2model.MutualAuthenticationOffMode),
- }}, nil
-
- }
- if isMtlsNotSupportedForSelectedSubnets {
- return nil, errors.Errorf("Mutual authentication annotation is not applicable for selected subnets because the selected subnets are in %s", zoneType)
+ return nil, nil
 }
+
 var ingressAnnotationEntries []MutualAuthenticationConfig
 if err := json.Unmarshal([]byte(rawMtlsConfigString), &ingressAnnotationEntries); err != nil {
diff --git a/pkg/networking/utils.go b/pkg/networking/utils.go
index 77bb6e054..4d9be557d 100644
--- a/pkg/networking/utils.go
+++ b/pkg/networking/utils.go
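Review bot: The new `return nil, nil` on the missing-annotation path replaces the previous default of `{443: {Mode: "off"}}`, so deleting the annotation no longer resets an existing mutual-authentication mode, yet nothing in the code records this contract; the only statement of it is the annotations.md line added in this same patch. A comment on the new line would keep that discoverable for the next maintainer: `// Annotation absent: return nil so callers leave the listener's existing mutual authentication untouched; to disable it the annotation must be set explicitly with mode "off" (see docs/guide/ingress/annotations.md).` With the unsupported-zone check removed, a mutual-authentication annotation on Outpost, Local Zone or Wavelength subnets presumably now surfaces only as an ELBv2 API error at reconcile time rather than as a model-build error, which is worth stating next to that comment as well. The body of computeIngressMutualAuthentication continues past the hunk, so how callers treat the nil map cannot be checked from here.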
@@ -1,11 +1,9 @@
 package networking
 
 import (
- "context"
- "net/netip"
-
 awssdk "github.com/aws/aws-sdk-go/aws"
 ec2sdk "github.com/aws/aws-sdk-go/service/ec2"
+ "net/netip"
 )
 
 // ParseCIDRs will parse CIDRs in string format into parsed IPPrefix
@@ -74,41 +72,3 @@ func GetSubnetAssociatedIPv6CIDRs(subnet *ec2sdk.Subnet) ([]netip.Prefix, error) {
 }
 return ipv6CIDRs, nil
 }
-
-func IsMtlsNotSupportedForSelectedSubnets(ctx context.Context, subnets []*ec2sdk.Subnet, azInfoProvider *defaultAZInfoProvider) (bool, string) {
- const (
- zoneTypeLocalZone string = "local-zone"
- zoneTypeWavelengthZone string = "wavelength-zone"
- outPostSubnet string = "outpost"
- )
-
- isAnySubnetInLocalZoneOrOutPostOrWaveLengthZone := false
- zoneType := ""
- var azIds []string
-
- for _, subnet := range subnets {
- if subnet.OutpostArn != nil && len(*subnet.OutpostArn) != 0 {
- isAnySubnetInLocalZoneOrOutPostOrWaveLengthZone = true
- zoneType = outPostSubnet
- break
- }
-
- azIds = append(azIds, awssdk.StringValue(subnet.AvailabilityZoneId))
-
- }
-
- azsInfo, _ := azInfoProvider.FetchAZInfos(ctx, azIds)
-
- for _, azInfo := range azsInfo {
- if azInfo.ZoneType != nil && (awssdk.StringValue(azInfo.ZoneType) == zoneTypeLocalZone || awssdk.StringValue(azInfo.ZoneType) == zoneTypeWavelengthZone) {
- isAnySubnetInLocalZoneOrOutPostOrWaveLengthZone = true
- zoneType = zoneTypeLocalZone
- if awssdk.StringValue(azInfo.ZoneType) == zoneTypeWavelengthZone {
- zoneType = zoneTypeWavelengthZone
- }
- break
- }
- }
-
- return isAnySubnetInLocalZoneOrOutPostOrWaveLengthZone, zoneType
-}