feat: classic elb fix for TLS issues

There is an issue when creating clusters (or upgrading clusters) with
kubernetes versions v1.30+ and using a classic elb with an SSL health
check (which the default for new clusters).

The problem is that Kubernetes v1.30+ switched to Go 1.22 which removed
the RSA ciphers. This then causes the ELB health check to fail.

There are a number of workarounds including manually specifying the
cipher suites to use for the api server.

This commit does the following:

- Adds warnings to the AWSCluster webhook to alert users that:
  - their cluster is using a classic elb and this is now deprecated
  - their cluster is using the default health check protocol which warnings
  previously SSL and that now the default has changed to TCP.
- Will update the health check to TCP if the load balancer is "classic"
  and the health check protocol is not set.

Signed-off-by: Richard Case <[email protected]>

Author: richardcase

api/v1beta2/awscluster_webhook.go

@@ -33,6 +33,11 @@ import (
 	"sigs.k8s.io/cluster-api/util/annotations"
 )
 
+const (
+	warningClassicELB                = "%s load balancer is using a classic elb which is deprecated & support will be removed in a future release, please consider using another type of load balancer instead"
+	warningHealthCheckProtocolNotSet = "healthcheck protocol is not set, the default value has changed from SSL to TCP. Health checks for existing clusters will be updated to TCP"
+)
+
 // log is for logging in this package.
 var _ = ctrl.Log.WithName("awscluster-resource")
 
@@ -53,15 +58,23 @@ var (
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
 func (r *AWSCluster) ValidateCreate() (admission.Warnings, error) {
 	var allErrs field.ErrorList
+	var allWarnings admission.Warnings
 
 	allErrs = append(allErrs, r.Spec.Bastion.Validate()...)
 	allErrs = append(allErrs, r.validateSSHKeyName()...)
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 	allErrs = append(allErrs, r.Spec.S3Bucket.Validate()...)
 	allErrs = append(allErrs, r.validateNetwork()...)
-	allErrs = append(allErrs, r.validateControlPlaneLBs()...)
 
-	return nil, aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
+	warnings, errs := r.validateControlPlaneLBs()
+	if len(errs) > 0 {
+		allErrs = append(allErrs, errs...)
+	}
+	if len(warnings) > 0 {
+		allWarnings = append(allWarnings, warnings...)
+	}
+
+	return allWarnings, aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type.
@@ -72,6 +85,7 @@ func (r *AWSCluster) ValidateDelete() (admission.Warnings, error) {
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type.
 func (r *AWSCluster) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
 	var allErrs field.ErrorList
+	var allWarnings admission.Warnings
 
 	allErrs = append(allErrs, r.validateGCTasksAnnotation()...)
 
@@ -139,7 +153,23 @@ func (r *AWSCluster) ValidateUpdate(old runtime.Object) (admission.Warnings, err
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 	allErrs = append(allErrs, r.Spec.S3Bucket.Validate()...)
 
-	return nil, aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
+	if r.Spec.ControlPlaneLoadBalancer != nil {
+		if r.Spec.ControlPlaneLoadBalancer.LoadBalancerType == LoadBalancerTypeClassic {
+			allWarnings = append(allWarnings, fmt.Sprintf(warningClassicELB, "primary control plane"))
+		}
+	}
+
+	if r.Spec.SecondaryControlPlaneLoadBalancer != nil {
+		if r.Spec.SecondaryControlPlaneLoadBalancer.LoadBalancerType == LoadBalancerTypeClassic {
+			allWarnings = append(allWarnings, fmt.Sprintf(warningClassicELB, "secondary control plane"))
+		}
+	}
+
+	if r.Spec.ControlPlaneLoadBalancer == nil || r.Spec.ControlPlaneLoadBalancer.HealthCheckProtocol == nil {
+		allWarnings = append(allWarnings, fmt.Sprintf("%s. Existing load balancers will be updates", warningHealthCheckProtocolNotSet))
+	}
+
+	return allWarnings, aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
 }
 
 func (r *AWSCluster) validateControlPlaneLoadBalancerUpdate(oldlb, newlb *AWSLoadBalancerSpec) field.ErrorList {
@@ -180,16 +210,6 @@ func (r *AWSCluster) validateControlPlaneLoadBalancerUpdate(oldlb, newlb *AWSLoa
 					newlb.Name, "field is immutable"),
 			)
 		}
-
-		// Block the update for Protocol :
-		// - if it was not set in old spec but added in new spec
-		// - if it was set in old spec but changed in new spec
-		if !cmp.Equal(newlb.HealthCheckProtocol, oldlb.HealthCheckProtocol) {
-			allErrs = append(allErrs,
-				field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "healthCheckProtocol"),
-					newlb.HealthCheckProtocol, "field is immutable once set"),
-			)
-		}
 	}
 
 	return allErrs
@@ -301,8 +321,21 @@ func (r *AWSCluster) validateNetwork() field.ErrorList {
 	return allErrs
 }
 
-func (r *AWSCluster) validateControlPlaneLBs() field.ErrorList {
+func (r *AWSCluster) validateControlPlaneLBs() (admission.Warnings, field.ErrorList) {
 	var allErrs field.ErrorList
+	var allWarnings admission.Warnings
+
+	if r.Spec.ControlPlaneLoadBalancer != nil && r.Spec.ControlPlaneLoadBalancer.LoadBalancerType == LoadBalancerTypeClassic {
+		allWarnings = append(allWarnings, fmt.Sprintf(warningClassicELB, "primary control plane"))
+
+		if r.Spec.ControlPlaneLoadBalancer.HealthCheckProtocol == nil {
+			allWarnings = append(allWarnings, warningHealthCheckProtocolNotSet)
+		}
+
+		if r.Spec.ControlPlaneLoadBalancer.HealthCheckProtocol != nil && *r.Spec.ControlPlaneLoadBalancer.HealthCheckProtocol == ELBProtocolSSL {
+			allWarnings = append(allWarnings, "loadbalancer is using a classic elb with SSL health check, this causes issues with ciper suites with kubernetes v1.30+")
+		}
+	}
 
 	// If the secondary is defined, check that the name is not empty and different from the primary.
 	// Also, ensure that the secondary load balancer is an NLB
@@ -322,6 +355,9 @@ func (r *AWSCluster) validateControlPlaneLBs() field.ErrorList {
 		if r.Spec.SecondaryControlPlaneLoadBalancer.LoadBalancerType != LoadBalancerTypeNLB {
 			allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "secondaryControlPlaneLoadBalancer", "loadBalancerType"), r.Spec.SecondaryControlPlaneLoadBalancer.LoadBalancerType, "secondary control plane load balancer must be a Network Load Balancer"))
 		}
+		if r.Spec.SecondaryControlPlaneLoadBalancer.LoadBalancerType == LoadBalancerTypeClassic {
+			allWarnings = append(allWarnings, fmt.Sprintf(warningClassicELB, "secondary control plane"))
+		}
 	}
 
 	// Additional listeners are only supported for NLBs.
@@ -378,7 +414,7 @@ func (r *AWSCluster) validateControlPlaneLBs() field.ErrorList {
 		}
 	}
 
-	return allErrs
+	return allWarnings, allErrs
 }
 
 func (r *AWSCluster) validateIngressRule(rule IngressRule) field.ErrorList {

pkg/cloud/services/elb/loadbalancer.go

@@ -545,6 +545,14 @@ func (s *Service) reconcileClassicLoadBalancer() error {
 			}
 		}
 
+		if !cmp.Equal(spec.HealthCheck, apiELB.HealthCheck) {
+			s.scope.Debug("Reconciling health check for apiserver load balancer", "health-check", spec.HealthCheck)
+			err := s.configureHealthCheck(apiELB.Name, spec.HealthCheck)
+			if err != nil {
+				return err
+			}
+		}
+
 		if err := s.reconcileELBTags(apiELB, spec.Tags); err != nil {
 			return errors.Wrapf(err, "failed to reconcile tags for apiserver load balancer %q", apiELB.Name)
 		}
@@ -587,6 +595,22 @@ func (s *Service) reconcileClassicLoadBalancer() error {
 	return nil
 }
 
+func (s *Service) configureHealthCheck(name string, healthCheck *infrav1.ClassicELBHealthCheck) error {
+	if _, err := s.ELBClient.ConfigureHealthCheck(&elb.ConfigureHealthCheckInput{
+		LoadBalancerName: aws.String(name),
+		HealthCheck: &elb.HealthCheck{
+			Target:             aws.String(healthCheck.Target),
+			Interval:           aws.Int64(int64(healthCheck.Interval.Seconds())),
+			Timeout:            aws.Int64(int64(healthCheck.Timeout.Seconds())),
+			HealthyThreshold:   aws.Int64(healthCheck.HealthyThreshold),
+			UnhealthyThreshold: aws.Int64(healthCheck.UnhealthyThreshold),
+		},
+	}); err != nil {
+		return errors.Wrapf(err, "failed to configure health check for classic load balancer: %s", name)
+	}
+	return nil
+}
+
 func (s *Service) deleteAPIServerELB() error {
 	s.scope.Debug("Deleting control plane load balancer")
 
@@ -1732,7 +1756,7 @@ func (s *Service) createTargetGroup(ln infrav1.Listener, tags map[string]string)
 
 func (s *Service) getHealthCheckTarget() string {
 	controlPlaneELB := s.scope.ControlPlaneLoadBalancer()
-	protocol := &infrav1.ELBProtocolSSL
+	protocol := &infrav1.ELBProtocolTCP
 	if controlPlaneELB != nil && controlPlaneELB.HealthCheckProtocol != nil {
 		protocol = controlPlaneELB.HealthCheckProtocol
 		if protocol.String() == infrav1.ELBProtocolHTTP.String() || protocol.String() == infrav1.ELBProtocolHTTPS.String() {

pkg/cloud/services/elb/loadbalancer_test.go

@@ -1572,7 +1572,8 @@ func TestReconcileTargetGroupsAndListeners(t *testing.T) {
 							Port:        aws.Int64(infrav1.DefaultAPIServerPort),
 							Protocol:    aws.String("TCP"),
 						},
-					}}, nil)
+					},
+				}, nil)
 			},
 			check: func(t *testing.T, tgs []*elbv2.TargetGroup, listeners []*elbv2.Listener, err error) {
 				t.Helper()
@@ -2332,7 +2333,8 @@ func TestReconcileV2LB(t *testing.T) {
 								Matcher:            &elbv2.Matcher{},
 								TargetGroupArn:     aws.String(tgArn),
 								TargetGroupName:    aws.String("targetGroup"),
-							}},
+							},
+						},
 					}, nil)
 				m.ModifyLoadBalancerAttributes(&elbv2.ModifyLoadBalancerAttributesInput{
 					LoadBalancerArn: aws.String(elbArn),
@@ -2341,7 +2343,8 @@ func TestReconcileV2LB(t *testing.T) {
 							Key:   aws.String("load_balancing.cross_zone.enabled"),
 							Value: aws.String("false"),
 						},
-					}}).
+					},
+				}).
 					Return(&elbv2.ModifyLoadBalancerAttributesOutput{}, nil)
 
 				m.CreateTargetGroup(helpers.PartialMatchCreateTargetGroupInput(t, &elbv2.CreateTargetGroupInput{
@@ -2443,7 +2446,8 @@ func TestReconcileV2LB(t *testing.T) {
 							Port:        aws.Int64(infrav1.DefaultAPIServerPort),
 							Protocol:    aws.String("TCP"),
 						},
-					}}, nil)
+					},
+				}, nil)
 				m.DescribeLoadBalancerAttributes(&elbv2.DescribeLoadBalancerAttributesInput{LoadBalancerArn: aws.String(elbArn)}).Return(
 					&elbv2.DescribeLoadBalancerAttributesOutput{
 						Attributes: []*elbv2.LoadBalancerAttribute{
@@ -3484,7 +3488,7 @@ func TestGetHealthCheckProtocol(t *testing.T) {
 		{
 			"default case",
 			&infrav1.AWSLoadBalancerSpec{},
-			"SSL:6443",
+			"TCP:6443",
 		},
 		{
 			"protocol http",

test/e2e/data/e2e_conf.yaml

@@ -17,7 +17,7 @@ images:
   - name: gcr.io/k8s-staging-cluster-api/capa-manager:e2e
     loadBehavior: mustLoad
 
-## PLEASE KEEP THESE UP TO DATE WITH THE COMPONENTS
+  ## PLEASE KEEP THESE UP TO DATE WITH THE COMPONENTS
 
   # Cluster API v1beta1 Preloads
   - name: quay.io/jetstack/cert-manager-cainjector:v1.15.1
@@ -123,7 +123,17 @@ providers:
         files:
           - sourcePath: "./shared/v1beta1_provider/metadata.yaml"
           - sourcePath: "./infrastructure-aws/capi-upgrades/v1beta1/cluster-template.yaml"
-      - name: v2.0.99
+      - name: "v2.7.1"
+        value: "https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases/download/v2.7.1/infrastructure-components.yaml"
+        type: "url"
+        contract: v1beta2
+        replacements:
+          - old: --metrics-addr=127.0.0.1:8080
+            new: --metrics-addr=:8080
+        files:
+          - sourcePath: "./shared/v1beta2_provider/v2.7/metadata.yaml"
+          - sourcePath: "./infrastructure-aws/withoutclusterclass/generated/cluster-template-classicelb-upgrade.yaml"
+      - name: v9.9.99
         # Use manifest from source files
         value: ../../../config/default
         # Do not add contract field for v1beta1 --> v1beta2 clusterctl upgrades test to work.
@@ -208,6 +218,8 @@ variables:
   EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION: "true"
   EXP_EXTERNAL_RESOURCE_GC: "true"
   GC_WORKLOAD: "../../data/gcworkload.yaml"
+  CLASSICELB_TEST_KUBERNETES_VERSION_FROM: "v1.29.9"
+  CLASSICELB_TEST_KUBERNETES_VERSION_TO: "v1.30.8"
 
 intervals:
   default/wait-cluster: ["35m", "10s"]
@@ -223,8 +235,10 @@ intervals:
   default/wait-failed-machine-status: ["2m", "10s"]
   default/wait-infra-subnets: ["5m", "30s"]
   default/wait-machine-pool-nodes: ["40m", "10s"]
-  default/wait-machine-pool-upgrade: [ "50m", "10s" ]
+  default/wait-machine-pool-upgrade: ["50m", "10s"]
   default/wait-create-identity: ["1m", "10s"]
   default/wait-job: ["10m", "10s"]
   default/wait-deployment-ready: ["5m", "10s"]
   default/wait-loadbalancer-ready: ["5m", "30s"]
+  default/wait-classic-elb-health-check-short: ["1m", "10s"]
+  default/wait-classic-elb-health-check-long: ["10m", "10s"]

test/e2e/data/infrastructure-aws/withoutclusterclass/kustomize_sources/classicelb-upgrade/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../default
+
+patches:
+  - path: nocontrolplane.yaml
+    target:
+      group: infrastructure.cluster.x-k8s.io
+      kind: AWSCluster
+      version: v1beta2

test/e2e/data/infrastructure-aws/withoutclusterclass/kustomize_sources/classicelb-upgrade/nocontrolplane.yaml

@@ -0,0 +1,2 @@
+- op: remove
+  path: /spec/controlPlaneLoadBalancer

test/e2e/data/shared/v1beta2_provider/metadata.yaml

@@ -41,3 +41,27 @@ releaseSeries:
   - major: 2
     minor: 0
     contract: v1beta1
+  - major: 2
+    minor: 1
+    contract: v1beta1
+  - major: 2
+    minor: 2
+    contract: v1beta1
+  - major: 2
+    minor: 3
+    contract: v1beta1
+  - major: 2
+    minor: 4
+    contract: v1beta1
+  - major: 2
+    minor: 5
+    contract: v1beta1
+  - major: 2
+    minor: 6
+    contract: v1beta1
+  - major: 2
+    minor: 7
+    contract: v1beta1
+  - major: 9
+    minor: 9
+    contract: v1beta1

test/e2e/data/shared/v1beta2_provider/v2.7/metadata.yaml

@@ -0,0 +1,64 @@
+# maps release series of major.minor to cluster-api contract version
+# the contract version may change between minor or major versions, but *not*
+# between patch versions.
+#
+# update this file only when a new major or minor version is released
+apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3
+releaseSeries:
+  - major: 0
+    minor: 4
+    contract: v1alpha2
+  - major: 0
+    minor: 5
+    contract: v1alpha3
+  - major: 0
+    minor: 6
+    contract: v1alpha3
+  - major: 0
+    minor: 7
+    contract: v1alpha4
+  - major: 1
+    minor: 0
+    contract: v1beta1
+  - major: 1
+    minor: 1
+    contract: v1beta1
+  - major: 1
+    minor: 2
+    contract: v1beta1
+  - major: 1
+    minor: 3
+    contract: v1beta1
+  - major: 1
+    minor: 4
+    contract: v1beta1
+  - major: 1
+    minor: 5
+    contract: v1beta1
+  - major: 1
+    minor: 6
+    contract: v1beta1
+  - major: 2
+    minor: 0
+    contract: v1beta1
+  - major: 2
+    minor: 1
+    contract: v1beta1
+  - major: 2
+    minor: 2
+    contract: v1beta1
+  - major: 2
+    minor: 3
+    contract: v1beta1
+  - major: 2
+    minor: 4
+    contract: v1beta1
+  - major: 2
+    minor: 5
+    contract: v1beta1
+  - major: 2
+    minor: 6
+    contract: v1beta1
+  - major: 2
+    minor: 7
+    contract: v1beta1