Skip to content

Commit

Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add PrefixListsIDs field to IngressClassParams
Browse files Browse the repository at this point in the history
gdlx committed Sep 27, 2024
1 parent 84a8cf7 commit 8a2e4e3
Showing 6 changed files with 160 additions and 2 deletions.
3 changes: 3 additions & 0 deletions apis/elbv2/v1beta1/ingressclassparams_types.go
Original file line number Diff line number Diff line change
@@ -146,6 +146,9 @@ type IngressClassParamsSpec struct {
// Listeners define a list of listeners with their protocol, port and attributes.
// +optional
Listeners []Listener `json:"listeners,omitempty"`

// PrefixListsIDs defines the security group prefix lists for all Ingresses that belong to IngressClass with this IngressClassParams.
PrefixListsIDs []string `json:"PrefixListsIDs,omitempty"`
}

// +kubebuilder:object:root=true
5 changes: 5 additions & 0 deletions apis/elbv2/v1beta1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 6 additions & 0 deletions config/crd/bases/elbv2.k8s.aws_ingressclassparams.yaml
Original file line number Diff line number Diff line change
@@ -55,6 +55,12 @@ spec:
spec:
description: IngressClassParamsSpec defines the desired state of IngressClassParams
properties:
PrefixListsIDs:
description: PrefixListsIDs defines the security group prefix lists
for all Ingresses that belong to IngressClass with this IngressClassParams.
items:
type: string
type: array
certificateArn:
description: CertificateArn specifies the ARN of the certificates
for all Ingresses that belong to IngressClass with this IngressClassParams.
9 changes: 9 additions & 0 deletions docs/guide/ingress/ingress_class.md
Original file line number Diff line number Diff line change
@@ -233,3 +233,12 @@ Cluster administrators can use `loadBalancerAttributes` field to specify the [Lo

1. If `loadBalancerAttributes` is set, the attributes defined will be applied to the load balancer that belong to this IngressClass. If you specify invalid keys or values for the load balancer attributes, the controller will fail to reconcile ingresses belonging to the particular ingress class.
2. If `loadBalancerAttributes` un-specified, Ingresses with this IngressClass can continue to use `alb.ingress.kubernetes.io/load-balancer-attributes` annotation to specify the load balancer attributes.

#### spec.prefixListIDs

`prefixListIDs` is an optional setting.

Cluster administrators can use `prefixListIDs` field to specify the managed prefix lists that are allowed to access the load balancers that belong to this IngressClass. You can specify the list of prefix list IDs in the `spec.prefixListIDs` field.

1. If `prefixListIDs` is set, the prefix lists defined will be applied to the load balancer that belong to this IngressClass. If you specify invalid prefix list IDs, the controller will fail to reconcile ingresses belonging to the particular ingress class.
2. If `prefixListIDs` un-specified, Ingresses with this IngressClass can continue to use `alb.ingress.kubernetes.io/security-group-prefix-lists` annotation to specify the load balancer prefix lists.
13 changes: 11 additions & 2 deletions pkg/ingress/model_build_listener.go
Original file line number Diff line number Diff line change
@@ -126,8 +126,7 @@ type listenPortConfig struct {
func (t *defaultModelBuildTask) computeIngressListenPortConfigByPort(ctx context.Context, ing *ClassifiedIngress) (map[int32]listenPortConfig, error) {
explicitTLSCertARNs := t.computeIngressExplicitTLSCertARNs(ctx, ing)
explicitSSLPolicy := t.computeIngressExplicitSSLPolicy(ctx, ing)
var prefixListIDs []string
t.annotationParser.ParseStringSliceAnnotation(annotations.IngressSuffixSecurityGroupPrefixLists, &prefixListIDs, ing.Ing.Annotations)
prefixListIDs := t.computeIngressExplicitPrefixListIDs(ctx, ing)
inboundCIDRv4s, inboundCIDRV6s, err := t.computeIngressExplicitInboundCIDRs(ctx, ing)
if err != nil {
return nil, err
@@ -278,6 +277,16 @@ func (t *defaultModelBuildTask) computeIngressExplicitSSLPolicy(_ context.Contex
return &rawSSLPolicy
}

func (t *defaultModelBuildTask) computeIngressExplicitPrefixListIDs(_ context.Context, ing *ClassifiedIngress) []string {
if ing.IngClassConfig.IngClassParams != nil && len(ing.IngClassConfig.IngClassParams.Spec.PrefixListsIDs) != 0 {
return ing.IngClassConfig.IngClassParams.Spec.PrefixListsIDs
}
var prefixListIDs []string
t.annotationParser.ParseStringSliceAnnotation(annotations.IngressSuffixSecurityGroupPrefixLists, &prefixListIDs, ing.Ing.Annotations)

return prefixListIDs
}

type MutualAuthenticationConfig struct {
Port int32 `json:"port"`
Mode string `json:"mode"`
126 changes: 126 additions & 0 deletions pkg/ingress/model_builder_test.go
Original file line number Diff line number Diff line change
@@ -3395,6 +3395,132 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
}
}
}
}`,
},
{
name: "Ingress - ingress with managed prefix list in IngressClassParam",
env: env{
svcs: []*corev1.Service{ns_1_svc_1, ns_1_svc_2, ns_1_svc_3},
},
fields: fields{
resolveViaDiscoveryCalls: []resolveViaDiscoveryCall{resolveViaDiscoveryCallForInternalLB},
listLoadBalancersCalls: []listLoadBalancersCall{listLoadBalancerCallForEmptyLB},
enableBackendSG: true,
},
args: args{
ingGroup: Group{
ID: GroupID{Namespace: "ns-1", Name: "ing-1"},
Members: []ClassifiedIngress{
{
IngClassConfig: ClassConfiguration{
IngClassParams: &v1beta1.IngressClassParams{
Spec: v1beta1.IngressClassParamsSpec{
PrefixListsIDs: []string{
"pl-11111111",
"pl-22222222",
},
},
},
},
Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
Namespace: "ns-1",
Name: "ing-1",
Annotations: map[string]string{
"alb.ingress.kubernetes.io/security-group-prefix-lists": "pl-00000000",
},
},
Spec: networking.IngressSpec{
Rules: []networking.IngressRule{
{
Host: "app-1.example.com",
IngressRuleValue: networking.IngressRuleValue{
HTTP: &networking.HTTPIngressRuleValue{
Paths: []networking.HTTPIngressPath{
{
Path: "/svc-1",
Backend: networking.IngressBackend{
Service: &networking.IngressServiceBackend{
Name: ns_1_svc_1.Name,
Port: networking.ServiceBackendPort{
Name: "http",
},
},
},
},
{
Path: "/svc-2",
Backend: networking.IngressBackend{
Service: &networking.IngressServiceBackend{
Name: ns_1_svc_2.Name,
Port: networking.ServiceBackendPort{
Name: "http",
},
},
},
},
},
},
},
},
{
Host: "app-2.example.com",
IngressRuleValue: networking.IngressRuleValue{
HTTP: &networking.HTTPIngressRuleValue{
Paths: []networking.HTTPIngressPath{
{
Path: "/svc-3",
Backend: networking.IngressBackend{
Service: &networking.IngressServiceBackend{
Name: ns_1_svc_3.Name,
Port: networking.ServiceBackendPort{
Name: "https",
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
wantStackPatch: `
{
"resources": {
"AWS::EC2::SecurityGroup": {
"ManagedLBSecurityGroup": {
"spec": {
"ingress": [
{
"fromPort": 80,
"ipProtocol": "tcp",
"prefixLists": [
{
"listID": "pl-11111111"
}
],
"toPort": 80
},
{
"fromPort": 80,
"ipProtocol": "tcp",
"prefixLists": [
{
"listID": "pl-22222222"
}
],
"toPort": 80
}
]
}
}
}
}
}`,
},
{

0 comments on commit 8a2e4e3

Please sign in to comment.