Commit 6857d83

Allow the same certificate to be specified for both the default and SNI certificate
1 parent de50bdd commit 6857d83

2 files changed

+306
-2
lines changed


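--- a/pkg/ingress/model_builder.go
+++ b/pkg/ingress/model_builder.go
@@ -313,12 +313,22 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 var mergedSSLPolicy *string
 
 var mergedTLSCerts []string
+
+// Set the default cert as the first cert
+// This process allows the same certificate to be specified for both the default certificate and the SNI certificate.
+for _, cfg := range listenPortConfigs {
+if len(cfg.listenPortConfig.tlsCerts) > 0 {
+mergedTLSCerts = append(mergedTLSCerts, cfg.listenPortConfig.tlsCerts[0])
+break
+}
+}
+
 mergedTLSCertsSet := sets.NewString()
 
 var mergedMtlsAttributesProvider *types.NamespacedName
 var mergedMtlsAttributes *elbv2model.MutualAuthenticationAttributes
 
-for _, cfg := range listenPortConfigs {
+for i, cfg := range listenPortConfigs {
 if mergedProtocolProvider == nil {
 mergedProtocolProvider = &cfg.ingKey
 mergedProtocol = cfg.listenPortConfig.protocol
@@ -361,7 +371,12 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 }
 }
 
-for _, cert := range cfg.listenPortConfig.tlsCerts {
+for j, cert := range cfg.listenPortConfig.tlsCerts {
+// Ignore the first cert as it is the default cert
+// Default cert is already added to the mergedTLSCerts
+if i == 0 && j == 0 {
+continue
+}
 if mergedTLSCertsSet.Has(cert) {
 continue
 }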
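Review bot: The skip at `if i == 0 && j == 0 {` assumes the default certificate came from listenPortConfigs[0], but the pre-loop above takes it from the first config that has any tlsCerts, so when member 0 carries no certificate and a later member does, that member's first cert is pre-appended and then appended again by the main loop (it is not in mergedTLSCertsSet, which is created empty after the pre-append), duplicating a certificate the user listed once. Record where the default came from instead of hard-coding index 0: declare `defaultCertIdx := -1` before the pre-loop, range it as `for i, cfg := range listenPortConfigs` and set `defaultCertIdx = i` beside the append, then skip with `if i == defaultCertIdx && j == 0 {`. A one-line comment on the set construction noting that the default cert is intentionally left out of mergedTLSCertsSet so a repeated ARN can still be added as an SNI cert would also save the next reader a detour. mergeListenPortConfigs starts and ends outside these hunks, so the insert/append that presumably follows the `Has` check is inferred, not visible here.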

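--- a/pkg/ingress/model_builder_test.go
+++ b/pkg/ingress/model_builder_test.go
@@ -1003,6 +1003,295 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 }
 }
 }
+}`,
+},
+{
+name: "Ingress - using acm and internet-facing case with the same acm certificate for default and sni listener",
+env: env{
+svcs: []*corev1.Service{ns_1_svc_1, ns_1_svc_2, ns_1_svc_3},
+},
+fields: fields{
+resolveViaDiscoveryCalls: []resolveViaDiscoveryCall{resolveViaDiscoveryCallForInternetFacingLB},
+listLoadBalancersCalls: []listLoadBalancersCall{listLoadBalancerCallForEmptyLB},
+enableBackendSG: true,
+},
+args: args{
+ingGroup: Group{
+ID: GroupID{Namespace: "ns-1", Name: "ing-1"},
+Members: []ClassifiedIngress{
+{
+Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
+Namespace: "ns-1",
+Name: "ing-1",
+Annotations: map[string]string{
+"alb.ingress.kubernetes.io/scheme": "internet-facing",
+"alb.ingress.kubernetes.io/certificate-arn": "arn:aws:acm:us-east-1:9999999:certificate/11111111,arn:aws:acm:us-east-1:9999999:certificate/33333333,arn:aws:acm:us-east-1:9999999:certificate/22222222,,arn:aws:acm:us-east-1:9999999:certificate/11111111",
+"alb.ingress.kubernetes.io/mutual-authentication": `[{"port":443,"mode":"off"}]`,
+},
+},
+Spec: networking.IngressSpec{
+Rules: []networking.IngressRule{
+{
+Host: "app-1.example.com",
+IngressRuleValue: networking.IngressRuleValue{
+HTTP: &networking.HTTPIngressRuleValue{
+Paths: []networking.HTTPIngressPath{
+{
+Path: "/svc-1",
+Backend: networking.IngressBackend{
+Service: &networking.IngressServiceBackend{
+Name: ns_1_svc_1.Name,
+Port: networking.ServiceBackendPort{
+Name: "http",
+},
+},
+},
+},
+{
+Path: "/svc-2",
+Backend: networking.IngressBackend{
+Service: &networking.IngressServiceBackend{
+Name: ns_1_svc_2.Name,
+Port: networking.ServiceBackendPort{
+Name: "http",
+},
+},
+},
+},
+},
+},
+},
+},
+{
+Host: "app-2.example.com",
+IngressRuleValue: networking.IngressRuleValue{
+HTTP: &networking.HTTPIngressRuleValue{
+Paths: []networking.HTTPIngressPath{
+{
+Path: "/svc-3",
+Backend: networking.IngressBackend{
+Service: &networking.IngressServiceBackend{
+Name: ns_1_svc_3.Name,
+Port: networking.ServiceBackendPort{
+Name: "https",
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+wantStackPatch: `
+{
+"resources": {
+"AWS::EC2::SecurityGroup": {
+"ManagedLBSecurityGroup": {
+"spec": {
+"ingress": [
+{
+"fromPort": 443,
+"ipProtocol": "tcp",
+"ipRanges": [
+{
+"cidrIP": "0.0.0.0/0"
+}
+],
+"toPort": 443
+}
+]
+}
+}
+},
+"AWS::ElasticLoadBalancingV2::Listener": {
+"443": {
+"spec": {
+"certificates": [
+{
+"certificateARN": "arn:aws:acm:us-east-1:9999999:certificate/11111111"
+},
+{
+"certificateARN": "arn:aws:acm:us-east-1:9999999:certificate/33333333"
+},
+{
+"certificateARN": "arn:aws:acm:us-east-1:9999999:certificate/22222222"
+},
+{
+"certificateARN": "arn:aws:acm:us-east-1:9999999:certificate/11111111"
+}
+],
+"defaultActions": [
+{
+"fixedResponseConfig": {
+"contentType": "text/plain",
+"statusCode": "404"
+},
+"type": "fixed-response"
+}
+],
+"loadBalancerARN": {
+"$ref": "#/resources/AWS::ElasticLoadBalancingV2::LoadBalancer/LoadBalancer/status/loadBalancerARN"
+},
+"port": 443,
+"protocol": "HTTPS",
+"sslPolicy": "ELBSecurityPolicy-2016-08",
+"mutualAuthentication" : {
+"mode" : "off",
+"trustStoreArn": ""
+}
+}
+},
+"80": null
+},
+"AWS::ElasticLoadBalancingV2::ListenerRule": {
+"443:1": {
+"spec": {
+"actions": [
+{
+"forwardConfig": {
+"targetGroups": [
+{
+"targetGroupARN": {
+"$ref": "#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/ns-1/ing-1-svc-1:http/status/targetGroupARN"
+}
+}
+]
+},
+"type": "forward"
+}
+],
+"conditions": [
+{
+"field": "host-header",
+"hostHeaderConfig": {
+"values": [
+"app-1.example.com"
+]
+}
+},
+{
+"field": "path-pattern",
+"pathPatternConfig": {
+"values": [
+"/svc-1"
+]
+}
+}
+],
+"listenerARN": {
+"$ref": "#/resources/AWS::ElasticLoadBalancingV2::Listener/443/status/listenerARN"
+},
+"priority": 1
+}
+},
+"443:2": {
+"spec": {
+"actions": [
+{
+"forwardConfig": {
+"targetGroups": [
+{
+"targetGroupARN": {
+"$ref": "#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/ns-1/ing-1-svc-2:http/status/targetGroupARN"
+}
+}
+]
+},
+"type": "forward"
+}
+],
+"conditions": [
+{
+"field": "host-header",
+"hostHeaderConfig": {
+"values": [
+"app-1.example.com"
+]
+}
+},
+{
+"field": "path-pattern",
+"pathPatternConfig": {
+"values": [
+"/svc-2"
+]
+}
+}
+],
+"listenerARN": {
+"$ref": "#/resources/AWS::ElasticLoadBalancingV2::Listener/443/status/listenerARN"
+},
+"priority": 2
+}
+},
+"443:3": {
+"spec": {
+"actions": [
+{
+"forwardConfig": {
+"targetGroups": [
+{
+"targetGroupARN": {
+"$ref": "#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/ns-1/ing-1-svc-3:https/status/targetGroupARN"
+}
+}
+]
+},
+"type": "forward"
+}
+],
+"conditions": [
+{
+"field": "host-header",
+"hostHeaderConfig": {
+"values": [
+"app-2.example.com"
+]
+}
+},
+{
+"field": "path-pattern",
+"pathPatternConfig": {
+"values": [
+"/svc-3"
+]
+}
+}
+],
+"listenerARN": {
+"$ref": "#/resources/AWS::ElasticLoadBalancingV2::Listener/443/status/listenerARN"
+},
+"priority": 3
+}
+},
+"80:1": null,
+"80:2": null,
+"80:3": null
+},
+"AWS::ElasticLoadBalancingV2::LoadBalancer": {
+"LoadBalancer": {
+"spec": {
+"name": "k8s-ns1-ing1-159dd7a143",
+"scheme": "internet-facing",
+"subnetMapping": [
+{
+"subnetID": "subnet-c"
+},
+{
+"subnetID": "subnet-d"
+}
+]
+}
+}
+}
+}
 }`,
 },
 {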
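Review bot: The new case only exercises a single-member ingress group whose first member carries the certificate-arn annotation, so it cannot catch the path where the default certificate is drawn from a later member; a second case with two Members where the first has no `alb.ingress.kubernetes.io/certificate-arn` and the second lists a repeated ARN would pin the expected `certificates` ordering for that path too. The annotation value also contains a stray `,,` (an empty entry between the 22222222 and the repeated 11111111 ARNs); if that is meant to check that empty entries are tolerated, a comment such as `// the empty entry and the repeated 11111111 ARN are deliberate` on the annotation line would make the intent explicit, otherwise it should be dropped so the fixture tests one thing. The surrounding test table starts and ends outside this hunk.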
