wip: classic elb fix for TLS issues

richardcase · richardcase · commit 68dbdef0704d · 2025-02-11T15:27:39.000Z
Signed-off-by: Richard Case &lt;richard.case@outlook.com&gt;
diff --git a/api/v1beta2/awscluster_webhook.go b/api/v1beta2/awscluster_webhook.go
@@ -33,6 +33,11 @@ import (
 	"sigs.k8s.io/cluster-api/util/annotations"
 )
 
+const (
+	warningClassicELB                = "%s load balancer is using a classic elb which is deprecated, please consider using nlb instead"
+	warningHealthCheckProtocolNotSet = "healthcheck protocol is not set, the default value has changed from SSL to TCP"
+)
+
 // log is for logging in this package.
 var _ = ctrl.Log.WithName("awscluster-resource")
 
@@ -53,15 +58,23 @@ var (
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
 func (r *AWSCluster) ValidateCreate() (admission.Warnings, error) {
 	var allErrs field.ErrorList
+	var allWarnings admission.Warnings
 
 	allErrs = append(allErrs, r.Spec.Bastion.Validate()...)
 	allErrs = append(allErrs, r.validateSSHKeyName()...)
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 	allErrs = append(allErrs, r.Spec.S3Bucket.Validate()...)
 	allErrs = append(allErrs, r.validateNetwork()...)
-	allErrs = append(allErrs, r.validateControlPlaneLBs()...)
 
-	return nil, aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
+	warnings, errs := r.validateControlPlaneLBs()
+	if len(errs) > 0 {
+		allErrs = append(allErrs, errs...)
+	}
+	if len(warnings) > 0 {
+		allWarnings = append(allWarnings, warnings...)
+	}
+
+	return allWarnings, aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type.
@@ -72,6 +85,7 @@ func (r *AWSCluster) ValidateDelete() (admission.Warnings, error) {
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type.
 func (r *AWSCluster) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
 	var allErrs field.ErrorList
+	var allWarnings admission.Warnings
 
 	allErrs = append(allErrs, r.validateGCTasksAnnotation()...)
 
@@ -139,7 +153,23 @@ func (r *AWSCluster) ValidateUpdate(old runtime.Object) (admission.Warnings, err
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 	allErrs = append(allErrs, r.Spec.S3Bucket.Validate()...)
 
-	return nil, aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
+	if r.Spec.ControlPlaneLoadBalancer != nil {
+		if r.Spec.ControlPlaneLoadBalancer.LoadBalancerType == LoadBalancerTypeClassic {
+			allWarnings = append(allWarnings, fmt.Sprintf(warningClassicELB, "primary control plane"))
+		}
+	}
+
+	if r.Spec.SecondaryControlPlaneLoadBalancer != nil {
+		if r.Spec.SecondaryControlPlaneLoadBalancer.LoadBalancerType == LoadBalancerTypeClassic {
+			allWarnings = append(allWarnings, fmt.Sprintf(warningClassicELB, "secondary control plane"))
+		}
+	}
+
+	if r.Spec.ControlPlaneLoadBalancer == nil || r.Spec.ControlPlaneLoadBalancer.HealthCheckProtocol == nil {
+		allWarnings = append(allWarnings, fmt.Sprintf("%s. Existing load balancers will be updates", warningHealthCheckProtocolNotSet))
+	}
+
+	return allWarnings, aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
 }
 
 func (r *AWSCluster) validateControlPlaneLoadBalancerUpdate(oldlb, newlb *AWSLoadBalancerSpec) field.ErrorList {
@@ -180,16 +210,6 @@ func (r *AWSCluster) validateControlPlaneLoadBalancerUpdate(oldlb, newlb *AWSLoa
 					newlb.Name, "field is immutable"),
 			)
 		}
-
-		// Block the update for Protocol :
-		// - if it was not set in old spec but added in new spec
-		// - if it was set in old spec but changed in new spec
-		if !cmp.Equal(newlb.HealthCheckProtocol, oldlb.HealthCheckProtocol) {
-			allErrs = append(allErrs,
-				field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "healthCheckProtocol"),
-					newlb.HealthCheckProtocol, "field is immutable once set"),
-			)
-		}
 	}
 
 	return allErrs
@@ -301,8 +321,21 @@ func (r *AWSCluster) validateNetwork() field.ErrorList {
 	return allErrs
 }
 
-func (r *AWSCluster) validateControlPlaneLBs() field.ErrorList {
+func (r *AWSCluster) validateControlPlaneLBs() (admission.Warnings, field.ErrorList) {
 	var allErrs field.ErrorList
+	var allWarnings admission.Warnings
+
+	if r.Spec.ControlPlaneLoadBalancer != nil && r.Spec.ControlPlaneLoadBalancer.LoadBalancerType == LoadBalancerTypeClassic {
+		allWarnings = append(allWarnings, fmt.Sprintf(warningClassicELB, "primary control plane"))
+
+		if r.Spec.ControlPlaneLoadBalancer.HealthCheckProtocol == nil {
+			allWarnings = append(allWarnings, warningHealthCheckProtocolNotSet)
+		}
+
+		if r.Spec.ControlPlaneLoadBalancer.HealthCheckProtocol != nil && *r.Spec.ControlPlaneLoadBalancer.HealthCheckProtocol != ELBProtocolSSL {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "healthcheckProtocol"), r.Spec.ControlPlaneLoadBalancer.HealthCheckProtocol, "loadbalancer is using a classic elb with SSL health check, this causes issues with ciper suites, please use TCP instead"))
+		}
+	}
 
 	// If the secondary is defined, check that the name is not empty and different from the primary.
 	// Also, ensure that the secondary load balancer is an NLB
@@ -322,6 +355,9 @@ func (r *AWSCluster) validateControlPlaneLBs() field.ErrorList {
 		if r.Spec.SecondaryControlPlaneLoadBalancer.LoadBalancerType != LoadBalancerTypeNLB {
 			allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "secondaryControlPlaneLoadBalancer", "loadBalancerType"), r.Spec.SecondaryControlPlaneLoadBalancer.LoadBalancerType, "secondary control plane load balancer must be a Network Load Balancer"))
 		}
+		if r.Spec.SecondaryControlPlaneLoadBalancer.LoadBalancerType == LoadBalancerTypeClassic {
+			allWarnings = append(allWarnings, fmt.Sprintf(warningClassicELB, "secondary control plane"))
+		}
 	}
 
 	// Additional listeners are only supported for NLBs.
@@ -378,7 +414,7 @@ func (r *AWSCluster) validateControlPlaneLBs() field.ErrorList {
 		}
 	}
 
-	return allErrs
+	return allWarnings, allErrs
 }
 
 func (r *AWSCluster) validateIngressRule(rule IngressRule) field.ErrorList {
diff --git a/pkg/cloud/services/elb/loadbalancer.go b/pkg/cloud/services/elb/loadbalancer.go
@@ -545,6 +545,14 @@ func (s *Service) reconcileClassicLoadBalancer() error {
 			}
 		}
 
+		if !cmp.Equal(spec.HealthCheck, apiELB.HealthCheck) {
+			s.scope.Debug("Reconciling health check for apiserver load balancer", "health-check", spec.HealthCheck)
+			err := s.configureHealthCheck(apiELB.Name, spec.HealthCheck)
+			if err != nil {
+				return err
+			}
+		}
+
 		if err := s.reconcileELBTags(apiELB, spec.Tags); err != nil {
 			return errors.Wrapf(err, "failed to reconcile tags for apiserver load balancer %q", apiELB.Name)
 		}
@@ -587,6 +595,22 @@ func (s *Service) reconcileClassicLoadBalancer() error {
 	return nil
 }
 
+func (s *Service) configureHealthCheck(name string, healthCheck *infrav1.ClassicELBHealthCheck) error {
+	if _, err := s.ELBClient.ConfigureHealthCheck(&elb.ConfigureHealthCheckInput{
+		LoadBalancerName: aws.String(name),
+		HealthCheck: &elb.HealthCheck{
+			Target:             aws.String(healthCheck.Target),
+			Interval:           aws.Int64(int64(healthCheck.Interval.Seconds())),
+			Timeout:            aws.Int64(int64(healthCheck.Timeout.Seconds())),
+			HealthyThreshold:   aws.Int64(healthCheck.HealthyThreshold),
+			UnhealthyThreshold: aws.Int64(healthCheck.UnhealthyThreshold),
+		},
+	}); err != nil {
+		return errors.Wrapf(err, "failed to configure health check for classic load balancer: %s", name)
+	}
+	return nil
+}
+
 func (s *Service) deleteAPIServerELB() error {
 	s.scope.Debug("Deleting control plane load balancer")
 
diff --git a/test/e2e/data/e2e_conf.yaml b/test/e2e/data/e2e_conf.yaml
@@ -17,7 +17,7 @@ images:
   - name: gcr.io/k8s-staging-cluster-api/capa-manager:e2e
     loadBehavior: mustLoad
 
-## PLEASE KEEP THESE UP TO DATE WITH THE COMPONENTS
+  ## PLEASE KEEP THESE UP TO DATE WITH THE COMPONENTS
 
   # Cluster API v1beta1 Preloads
   - name: quay.io/jetstack/cert-manager-cainjector:v1.15.1
@@ -123,7 +123,17 @@ providers:
         files:
           - sourcePath: "./shared/v1beta1_provider/metadata.yaml"
           - sourcePath: "./infrastructure-aws/capi-upgrades/v1beta1/cluster-template.yaml"
-      - name: v2.0.99
+      - name: "v2.7.1"
+        value: "https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases/download/v2.7.1/infrastructure-components.yaml"
+        type: "url"
+        contract: v1beta2
+        replacements:
+          - old: --metrics-addr=127.0.0.1:8080
+            new: --metrics-addr=:8080
+        files:
+          - sourcePath: "./shared/v1beta2_provider/v2.7/metadata.yaml"
+          - sourcePath: "./infrastructure-aws/withoutclusterclass/generated/cluster-template-classicelb-upgrade.yaml"
+      - name: v9.9.99
         # Use manifest from source files
         value: ../../../config/default
         # Do not add contract field for v1beta1 --> v1beta2 clusterctl upgrades test to work.
@@ -223,7 +233,7 @@ intervals:
   default/wait-failed-machine-status: ["2m", "10s"]
   default/wait-infra-subnets: ["5m", "30s"]
   default/wait-machine-pool-nodes: ["40m", "10s"]
-  default/wait-machine-pool-upgrade: [ "50m", "10s" ]
+  default/wait-machine-pool-upgrade: ["50m", "10s"]
   default/wait-create-identity: ["1m", "10s"]
   default/wait-job: ["10m", "10s"]
   default/wait-deployment-ready: ["5m", "10s"]
diff --git a/test/e2e/data/infrastructure-aws/withoutclusterclass/kustomize_sources/classicelb-upgrade/kustomization.yaml b/test/e2e/data/infrastructure-aws/withoutclusterclass/kustomize_sources/classicelb-upgrade/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../default
+
+patches:
+  - path: nocontrolplane.yaml
+    target:
+      group: infrastructure.cluster.x-k8s.io
+      kind: AWSCluster
+      version: v1beta2
diff --git a/test/e2e/data/infrastructure-aws/withoutclusterclass/kustomize_sources/classicelb-upgrade/nocontrolplane.yaml b/test/e2e/data/infrastructure-aws/withoutclusterclass/kustomize_sources/classicelb-upgrade/nocontrolplane.yaml
@@ -0,0 +1,2 @@
+- op: remove
+  path: /spec/controlPlaneLoadBalancer
diff --git a/test/e2e/data/shared/v1beta2_provider/metadata.yaml b/test/e2e/data/shared/v1beta2_provider/metadata.yaml
@@ -41,3 +41,27 @@ releaseSeries:
   - major: 2
     minor: 0
     contract: v1beta1
+  - major: 2
+    minor: 1
+    contract: v1beta1
+  - major: 2
+    minor: 2
+    contract: v1beta1
+  - major: 2
+    minor: 3
+    contract: v1beta1
+  - major: 2
+    minor: 4
+    contract: v1beta1
+  - major: 2
+    minor: 5
+    contract: v1beta1
+  - major: 2
+    minor: 6
+    contract: v1beta1
+  - major: 2
+    minor: 7
+    contract: v1beta1
+  - major: 9
+    minor: 9
+    contract: v1beta1
diff --git a/test/e2e/data/shared/v1beta2_provider/v2.7/metadata.yaml b/test/e2e/data/shared/v1beta2_provider/v2.7/metadata.yaml
@@ -0,0 +1,64 @@
+# maps release series of major.minor to cluster-api contract version
+# the contract version may change between minor or major versions, but *not*
+# between patch versions.
+#
+# update this file only when a new major or minor version is released
+apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3
+releaseSeries:
+  - major: 0
+    minor: 4
+    contract: v1alpha2
+  - major: 0
+    minor: 5
+    contract: v1alpha3
+  - major: 0
+    minor: 6
+    contract: v1alpha3
+  - major: 0
+    minor: 7
+    contract: v1alpha4
+  - major: 1
+    minor: 0
+    contract: v1beta1
+  - major: 1
+    minor: 1
+    contract: v1beta1
+  - major: 1
+    minor: 2
+    contract: v1beta1
+  - major: 1
+    minor: 3
+    contract: v1beta1
+  - major: 1
+    minor: 4
+    contract: v1beta1
+  - major: 1
+    minor: 5
+    contract: v1beta1
+  - major: 1
+    minor: 6
+    contract: v1beta1
+  - major: 2
+    minor: 0
+    contract: v1beta1
+  - major: 2
+    minor: 1
+    contract: v1beta1
+  - major: 2
+    minor: 2
+    contract: v1beta1
+  - major: 2
+    minor: 3
+    contract: v1beta1
+  - major: 2
+    minor: 4
+    contract: v1beta1
+  - major: 2
+    minor: 5
+    contract: v1beta1
+  - major: 2
+    minor: 6
+    contract: v1beta1
+  - major: 2
+    minor: 7
+    contract: v1beta1
diff --git a/test/e2e/shared/aws_helpers.go b/test/e2e/shared/aws_helpers.go
@@ -24,12 +24,14 @@ import (
 	"fmt"
 	"strings"
 
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/arn"
 	"github.com/aws/aws-sdk-go/aws/client"
+	"github.com/aws/aws-sdk-go/service/elb"
 	rgapi "github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi"
-	. "github.com/onsi/ginkgo/v2"
-	. "github.com/onsi/gomega"
 
 	infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 )
@@ -164,3 +166,28 @@ func DescribeResourcesByTags(input DescribeResourcesByTagsInput) (*DescribeResou
 
 	return output, nil
 }
+
+type CheckClassicElbHealthCheckInput struct {
+	AWSSession       client.ConfigProvider
+	LoadBalancerName string
+	ExpectedTarget   string
+}
+
+func CheckClassicElbHealthCheck(input CheckClassicElbHealthCheckInput) {
+	Byf("Checking the health check for the classic load balancer %s", input.LoadBalancerName)
+
+	elbSvc := elb.New(input.AWSSession)
+
+	out, err := elbSvc.DescribeLoadBalancers(&elb.DescribeLoadBalancersInput{
+		LoadBalancerNames: []*string{
+			aws.String(input.LoadBalancerName),
+		},
+	})
+	Expect(err).NotTo(HaveOccurred(), "failed to get list of load balancers")
+	Expect(out.LoadBalancerDescriptions).NotTo(BeEmpty(), "no load balancers found")
+	lb := out.LoadBalancerDescriptions[0]
+
+	Expect(lb.HealthCheck.Target).ToNot(BeNil(), "health check target is nil")
+
+	Expect(*lb.HealthCheck.Target).To(BeEquivalentTo(input.ExpectedTarget), "health check target does not match expected target")
+}
diff --git a/test/e2e/shared/common.go b/test/e2e/shared/common.go
@@ -162,10 +162,10 @@ func DumpMachine(ctx context.Context, e2eCtx *E2EContext, machine infrav1.AWSMac
 	}
 	machineLogBase := path.Join(logPath, "instances", machine.Namespace, machine.Name)
 	metaLog := path.Join(machineLogBase, "instance.log")
-	if err := os.MkdirAll(filepath.Dir(metaLog), 0750); err != nil {
+	if err := os.MkdirAll(filepath.Dir(metaLog), 0o750); err != nil {
 		fmt.Fprintf(GinkgoWriter, "Couldn't create directory for file: path=%q, err=%s\n", metaLog, err)
 	}
-	f, err := os.OpenFile(metaLog, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) //nolint:gosec
+	f, err := os.OpenFile(metaLog, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o644) //nolint:gosec
 	if err != nil {
 		return
 	}
@@ -238,7 +238,7 @@ func ConditionalIt(conditionFn ConditionFn, text string, body func()) bool {
 
 // LoadE2EConfig loads the e2econfig from the specified path.
 func LoadE2EConfig(configPath string) *clusterctl.E2EConfig {
-	//TODO: This is commented out as it assumes kubeadm and errors if its not there
+	// TODO: This is commented out as it assumes kubeadm and errors if its not there
 	// Remove localLoadE2EConfig and use the line below when this issue is resolved:
 	// https://github.com/kubernetes-sigs/cluster-api/issues/3983
 	// config := clusterctl.LoadE2EConfig(context.TODO(), clusterctl.LoadE2EConfigInput{ConfigPath: configPath})
@@ -277,3 +277,7 @@ func CreateAWSClusterControllerIdentity(k8sclient crclient.Client) {
 	}
 	_ = k8sclient.Create(context.TODO(), controllerIdentity)
 }
+
+func Byf(format string, a ...interface{}) {
+	By(fmt.Sprintf(format, a...))
+}
diff --git a/test/e2e/suites/unmanaged/helpers_test.go b/test/e2e/suites/unmanaged/helpers_test.go
diff --git a/test/e2e/suites/unmanaged/unmanaged_classic_elb_upgrade_test.go b/test/e2e/suites/unmanaged/unmanaged_classic_elb_upgrade_test.go
diff --git a/test/e2e/suites/unmanaged/unmanaged_functional_clusterclass_test.go b/test/e2e/suites/unmanaged/unmanaged_functional_clusterclass_test.go
diff --git a/test/e2e/suites/unmanaged/unmanaged_functional_test.go b/test/e2e/suites/unmanaged/unmanaged_functional_test.go

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+- op: remove`
	`2`	`+ path: /spec/controlPlaneLoadBalancer`
Original file line number	Diff line number	Diff line change
`@@ -162,10 +162,10 @@ func DumpMachine(ctx context.Context, e2eCtx *E2EContext, machine infrav1.AWSMac`
`162`	`162`	`}`
`163`	`163`	`machineLogBase := path.Join(logPath, "instances", machine.Namespace, machine.Name)`
`164`	`164`	`metaLog := path.Join(machineLogBase, "instance.log")`
`165`		`- if err := os.MkdirAll(filepath.Dir(metaLog), 0750); err != nil {`
	`165`	`+ if err := os.MkdirAll(filepath.Dir(metaLog), 0o750); err != nil {`
`166`	`166`	`fmt.Fprintf(GinkgoWriter, "Couldn't create directory for file: path=%q, err=%s\n", metaLog, err)`
`167`	`167`	`}`
`168`		`- f, err := os.OpenFile(metaLog, os.O_APPEND\|os.O_CREATE\|os.O_WRONLY, 0644) //nolint:gosec`
	`168`	`+ f, err := os.OpenFile(metaLog, os.O_APPEND\|os.O_CREATE\|os.O_WRONLY, 0o644) //nolint:gosec`
`169`	`169`	`if err != nil {`
`170`	`170`	`return`
`171`	`171`	`}`
`@@ -238,7 +238,7 @@ func ConditionalIt(conditionFn ConditionFn, text string, body func()) bool {`
`238`	`238`
`239`	`239`	`// LoadE2EConfig loads the e2econfig from the specified path.`
`240`	`240`	`func LoadE2EConfig(configPath string) *clusterctl.E2EConfig {`
`241`		`- //TODO: This is commented out as it assumes kubeadm and errors if its not there`
	`241`	`+ // TODO: This is commented out as it assumes kubeadm and errors if its not there`
`242`	`242`	`// Remove localLoadE2EConfig and use the line below when this issue is resolved:`
`243`	`243`	`// https://github.com/kubernetes-sigs/cluster-api/issues/3983`
`244`	`244`	`// config := clusterctl.LoadE2EConfig(context.TODO(), clusterctl.LoadE2EConfigInput{ConfigPath: configPath})`
`@@ -277,3 +277,7 @@ func CreateAWSClusterControllerIdentity(k8sclient crclient.Client) {`
`277`	`277`	`}`
`278`	`278`	`_ = k8sclient.Create(context.TODO(), controllerIdentity)`
`279`	`279`	`}`
	`280`	`+`
	`281`	`+func Byf(format string, a ...interface{}) {`
	`282`	`+ By(fmt.Sprintf(format, a...))`
	`283`	`+}`