From a0cf1a834f7946bde36e3df0e0008fe72493f834 Mon Sep 17 00:00:00 2001 From: changhyuni Date: Mon, 2 Sep 2024 02:00:04 +0900 Subject: [PATCH] inboud_security_groups Add referencing existing security groups for inbound traffic Add referencing existing security groups for inbound traffic Add inboud security groups Add inboud security group Add annotation Add annotations Add annotationsss Add annotationssss Add annotationsssss --- docs/guide/ingress/annotations.md | 18 +++ pkg/annotations/constants.go | 100 ++++++++------ pkg/ingress/model_build_listener.go | 31 ++++- pkg/ingress/model_build_managed_sg.go | 12 ++ pkg/ingress/model_builder.go | 15 +++ pkg/ingress/model_builder_test.go | 182 ++++++++++++++++++++------ 6 files changed, 275 insertions(+), 83 deletions(-) diff --git a/docs/guide/ingress/annotations.md b/docs/guide/ingress/annotations.md index 90e110c14b..d89c98078e 100644 --- a/docs/guide/ingress/annotations.md +++ b/docs/guide/ingress/annotations.md 
@@ -530,6 +530,24 @@ Access control for LoadBalancer can be controlled with following annotations: ``` alb.ingress.kubernetes.io/inbound-cidrs: 10.0.0.0/24 ``` +- `alb.ingress.kubernetes.io/inbound-security-groups` specifies the SecurtityGroups that are allowed to access LoadBalancer. + + !!!note "Merge Behavior" + `inbound-security-groups` is merged across all Ingresses in IngressGroup, but is exclusive per listen-port. + + - the `inbound-security-groups` will only impact the ports defined for that Ingress. + - if same listen-port is defined by multiple Ingress within IngressGroup, `inbound-security-groups` should only be defined on one of the Ingress. + + !!!warning "" + this annotation will be ignored if `alb.ingress.kubernetes.io/security-groups` is specified. + + !!!tip "" + Both name or ID of securityGroups are supported. Name matches a `Name` tag, not the `groupName` attribute. + + !!!example + ``` + alb.ingress.kubernetes.io/inbound-security-groups: sg-xxxx, nameOfSg1, nameOfSg2 + ``` - `alb.ingress.kubernetes.io/security-group-prefix-lists` specifies the managed prefix lists that are allowed to access LoadBalancer. diff --git a/pkg/annotations/constants.go b/pkg/annotations/constants.go index 493e0427ef..43afa8c0cd 100644 --- a/pkg/annotations/constants.go +++ b/pkg/annotations/constants.go 
@@ -1,53 +1,64 @@ package annotations const ( + // AnnotationCheckPoint is the annotation used to store a checkpoint for resources. + // It contains an opaque value that represents the last known reconciled state. + AnnotationCheckPoint = "elbv2.k8s.aws/checkpoint" + + // AnnotationCheckPointTimestamp is the annotation used to store the last checkpointed time. The value is stored in seconds. + AnnotationCheckPointTimestamp = AnnotationCheckPoint + "-timestamp" + // IngressClass IngressClass = "kubernetes.io/ingress.class" AnnotationPrefixIngress = "alb.ingress.kubernetes.io" // Ingress annotation suffixes - IngressSuffixLoadBalancerName = "load-balancer-name" - IngressSuffixGroupName = "group.name" - IngressSuffixGroupOrder = "group.order" - IngressSuffixTags = "tags" - IngressSuffixIPAddressType = "ip-address-type" - IngressSuffixScheme = "scheme" - IngressSuffixSubnets = "subnets" - IngressSuffixCustomerOwnedIPv4Pool = "customer-owned-ipv4-pool" - IngressSuffixLoadBalancerAttributes = "load-balancer-attributes" - IngressSuffixWAFv2ACLARN = "wafv2-acl-arn" - IngressSuffixWAFACLID = "waf-acl-id" - IngressSuffixWebACLID = "web-acl-id" // deprecated, use "waf-acl-id" instead. 
- IngressSuffixShieldAdvancedProtection = "shield-advanced-protection" - IngressSuffixSecurityGroups = "security-groups" - IngressSuffixListenPorts = "listen-ports" - IngressSuffixSSLRedirect = "ssl-redirect" - IngressSuffixInboundCIDRs = "inbound-cidrs" - IngressSuffixCertificateARN = "certificate-arn" - IngressSuffixSSLPolicy = "ssl-policy" - IngressSuffixTargetType = "target-type" - IngressSuffixBackendProtocol = "backend-protocol" - IngressSuffixBackendProtocolVersion = "backend-protocol-version" - IngressSuffixTargetGroupAttributes = "target-group-attributes" - IngressSuffixHealthCheckPort = "healthcheck-port" - IngressSuffixHealthCheckProtocol = "healthcheck-protocol" - IngressSuffixHealthCheckPath = "healthcheck-path" - IngressSuffixHealthCheckIntervalSeconds = "healthcheck-interval-seconds" - IngressSuffixHealthCheckTimeoutSeconds = "healthcheck-timeout-seconds" - IngressSuffixHealthyThresholdCount = "healthy-threshold-count" - IngressSuffixUnhealthyThresholdCount = "unhealthy-threshold-count" - IngressSuffixSuccessCodes = "success-codes" - IngressSuffixAuthType = "auth-type" - IngressSuffixAuthIDPCognito = "auth-idp-cognito" - IngressSuffixAuthIDPOIDC = "auth-idp-oidc" - IngressSuffixAuthOnUnauthenticatedRequest = "auth-on-unauthenticated-request" - IngressSuffixAuthScope = "auth-scope" - IngressSuffixAuthSessionCookie = "auth-session-cookie" - IngressSuffixAuthSessionTimeout = "auth-session-timeout" - IngressSuffixTargetNodeLabels = "target-node-labels" - IngressSuffixManageSecurityGroupRules = "manage-backend-security-group-rules" - IngressSuffixMutualAuthentication = "mutual-authentication" - IngressSuffixSecurityGroupPrefixLists = "security-group-prefix-lists" + IngressSuffixLoadBalancerName = "load-balancer-name" + IngressSuffixGroupName = "group.name" + IngressSuffixGroupOrder = "group.order" + IngressSuffixTags = "tags" + IngressSuffixIPAddressType = "ip-address-type" + IngressSuffixScheme = "scheme" + IngressSuffixSubnets = "subnets" + 
IngressSuffixCustomerOwnedIPv4Pool = "customer-owned-ipv4-pool" + IngressSuffixLoadBalancerAttributes = "load-balancer-attributes" + IngressSuffixWAFv2ACLARN = "wafv2-acl-arn" + IngressSuffixWAFACLID = "waf-acl-id" + IngressSuffixWebACLID = "web-acl-id" // deprecated, use "waf-acl-id" instead. + IngressSuffixShieldAdvancedProtection = "shield-advanced-protection" + IngressSuffixSecurityGroups = "security-groups" + IngressSuffixListenPorts = "listen-ports" + IngressSuffixSSLRedirect = "ssl-redirect" + IngressSuffixInboundCIDRs = "inbound-cidrs" + IngressSuffixCertificateARN = "certificate-arn" + IngressSuffixSSLPolicy = "ssl-policy" + IngressSuffixTargetType = "target-type" + IngressSuffixBackendProtocol = "backend-protocol" + IngressSuffixBackendProtocolVersion = "backend-protocol-version" + IngressSuffixTargetGroupAttributes = "target-group-attributes" + IngressSuffixHealthCheckPort = "healthcheck-port" + IngressSuffixHealthCheckProtocol = "healthcheck-protocol" + IngressSuffixHealthCheckPath = "healthcheck-path" + IngressSuffixHealthCheckIntervalSeconds = "healthcheck-interval-seconds" + IngressSuffixHealthCheckTimeoutSeconds = "healthcheck-timeout-seconds" + IngressSuffixHealthyThresholdCount = "healthy-threshold-count" + IngressSuffixUnhealthyThresholdCount = "unhealthy-threshold-count" + IngressSuffixSuccessCodes = "success-codes" + IngressSuffixAuthType = "auth-type" + IngressSuffixAuthIDPCognito = "auth-idp-cognito" + IngressSuffixAuthIDPOIDC = "auth-idp-oidc" + IngressSuffixAuthOnUnauthenticatedRequest = "auth-on-unauthenticated-request" + IngressSuffixAuthScope = "auth-scope" + IngressSuffixAuthSessionCookie = "auth-session-cookie" + IngressSuffixAuthSessionTimeout = "auth-session-timeout" + IngressSuffixTargetNodeLabels = "target-node-labels" + IngressSuffixManageSecurityGroupRules = "manage-backend-security-group-rules" + IngressSuffixMutualAuthentication = "mutual-authentication" + IngressSuffixSecurityGroupPrefixLists = "security-group-prefix-lists" + 
IngressSuffixlsAttsAnnotationPrefix = "listener-attributes"
+ IngressLBSuffixMultiClusterTargetGroup = "multi-cluster-target-group"
+ IngressSuffixLoadBalancerCapacityReservation = "minimum-load-balancer-capacity"
+ IngressSuffixInboundSecurityGroups = "inbound-security-groups"
 // NLB annotation suffixes
 // prefixes service.beta.kubernetes.io, service.kubernetes.io
@@ -88,4 +99,9 @@ const (
 SvcLBSuffixManageSGRules = "aws-load-balancer-manage-backend-security-group-rules"
 SvcLBSuffixEnforceSGInboundRulesOnPrivateLinkTraffic = "aws-load-balancer-inbound-sg-rules-on-private-link-traffic"
 SvcLBSuffixSecurityGroupPrefixLists = "aws-load-balancer-security-group-prefix-lists"
+ SvcLBSuffixlsAttsAnnotationPrefix = "aws-load-balancer-listener-attributes"
+ SvcLBSuffixMultiClusterTargetGroup = "aws-load-balancer-multi-cluster-target-group"
+ ScvLBSuffixEnablePrefixForIpv6SourceNat = "aws-load-balancer-enable-prefix-for-ipv6-source-nat"
+ ScvLBSuffixSourceNatIpv6Prefixes = "aws-load-balancer-source-nat-ipv6-prefixes"
+ SvcLBSuffixLoadBalancerCapacityReservation = "aws-load-balancer-minimum-load-balancer-capacity"
 )
diff --git a/pkg/ingress/model_build_listener.go b/pkg/ingress/model_build_listener.go
index 8921765850..ce0ec936c8 100644
--- a/pkg/ingress/model_build_listener.go
+++ b/pkg/ingress/model_build_listener.go
@@ -107,6 +107,7 @@ type listenPortConfig struct {
 sslPolicy *string
 tlsCerts []string
 mutualAuthentication *elbv2model.MutualAuthenticationAttributes
+ securityGroupIDs []string
 }
 func (t *defaultModelBuildTask) computeIngressListenPortConfigByPort(ctx context.Context, ing *ClassifiedIngress) (map[int64]listenPortConfig, error) {
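Review bot: The new constants `ScvLBSuffixEnablePrefixForIpv6SourceNat` and `ScvLBSuffixSourceNatIpv6Prefixes` in the `@@ -88,4` hunk of constants.go carry the prefix `ScvLB` while every neighbouring name uses `SvcLB`, which looks like a transposition and will be copied by every caller; renaming them to `SvcLBSuffixEnablePrefixForIpv6SourceNat` and `SvcLBSuffixSourceNatIpv6Prefixes` now is cheap. The first hunk also re-indents the whole Ingress suffix block and adds `AnnotationCheckPoint`, `IngressLBSuffixMultiClusterTargetGroup` and `IngressSuffixLoadBalancerCapacityReservation`, none of which the subject mentions; if they are rebase fallout they are easier to review on their own. The one constant the feature needs, `IngressSuffixInboundSecurityGroups`, would benefit from a comment mirroring the docs hunk, e.g. `// IngressSuffixInboundSecurityGroups lists security groups (ID or Name tag) allowed to reach the listener; ignored when security-groups is set.`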
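Review bot: The new `securityGroupIDs []string` field on `listenPortConfig` has no comment, and because sibling fields such as `inboundCIDRv4s` and `prefixLists` already express inbound sources in different forms, a reader cannot tell from the struct whether it holds raw annotation values or resolved IDs. The listener hunk fills it from `computeIngressExplicitSecurityGroupIDs`, which returns resolver output, so `// securityGroupIDs holds resolved security group IDs (from the inbound-security-groups annotation) granted ingress to this port on the managed security group.` would settle it. The struct definition starts outside the hunk.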
@@ -114,10 +115,17 @@ func (t *defaultModelBuildTask) computeIngressListenPortConfigByPort(ctx context
 explicitSSLPolicy := t.computeIngressExplicitSSLPolicy(ctx, ing)
 var prefixListIDs []string
 t.annotationParser.ParseStringSliceAnnotation(annotations.IngressSuffixSecurityGroupPrefixLists, &prefixListIDs, ing.Ing.Annotations)
+
+ securityGroupIDs, err := t.computeIngressExplicitSecurityGroupIDs(ctx, ing)
+ if err != nil {
+ return nil, err
+ }
+
 inboundCIDRv4s, inboundCIDRV6s, err := t.computeIngressExplicitInboundCIDRs(ctx, ing)
 if err != nil {
 return nil, err
 }
+
 mutualAuthenticationAttributes, err := t.computeIngressMutualAuthentication(ctx, ing)
 if err != nil {
 return nil, err
@@ -146,10 +154,11 @@ func (t *defaultModelBuildTask) computeIngressListenPortConfigByPort(ctx context
 listenPortConfigByPort := make(map[int64]listenPortConfig, len(listenPorts))
 for port, protocol := range listenPorts {
 cfg := listenPortConfig{
- protocol: protocol,
- inboundCIDRv4s: inboundCIDRv4s,
- inboundCIDRv6s: inboundCIDRV6s,
- prefixLists: prefixListIDs,
+ protocol: protocol,
+ inboundCIDRv4s: inboundCIDRv4s,
+ inboundCIDRv6s: inboundCIDRV6s,
+ prefixLists: prefixListIDs,
+ securityGroupIDs: securityGroupIDs,
 }
 if protocol == elbv2model.ProtocolHTTPS {
 if len(explicitTLSCertARNs) == 0 {
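Review bot: `computeIngressExplicitSecurityGroupIDs` is called unconditionally in `computeIngressListenPortConfigByPort`, so a failure to resolve `inbound-security-groups` (presumably a lookup through `sgResolver`) now aborts the whole model build even for an Ingress that also sets `security-groups`, where the docs hunk in this patch says the annotation is ignored. If "ignored" is the intended contract, the lookup should be skipped in that case, or the documentation should instead say the annotation must still resolve. The second hunk copies the resolved IDs into every port's `listenPortConfig`, so they apply to all listen ports of that Ingress, which matches the documented per-Ingress scope and is worth saying in a comment, e.g. `// inbound security groups apply to every listen port of this Ingress`. The enclosing function starts and ends outside these hunks.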
@@ -225,6 +234,20 @@ func (t *defaultModelBuildTask) computeIngressListenPorts(_ context.Context, ing
 return portAndProtocols, nil
 }
+func (t *defaultModelBuildTask) computeIngressExplicitSecurityGroupIDs(ctx context.Context, ing *ClassifiedIngress) ([]string, error) {
+ var rawSecurityGroups []string
+ if exists := t.annotationParser.ParseStringSliceAnnotation(annotations.IngressSuffixInboundSecurityGroups, &rawSecurityGroups, ing.Ing.Annotations); !exists {
+ return nil, nil
+ }
+
+ securityGroupIDs, err := t.sgResolver.ResolveViaNameOrID(ctx, rawSecurityGroups)
+ if err != nil {
+ return nil, fmt.Errorf("invalid %v settings on Ingress: %v: %w", annotations.IngressSuffixInboundSecurityGroups, k8s.NamespacedName(ing.Ing), err)
+ }
+
+ return securityGroupIDs, nil
+}
+
 func (t *defaultModelBuildTask) computeIngressExplicitInboundCIDRs(_ context.Context, ing *ClassifiedIngress) ([]string, []string, error) {
 var rawInboundCIDRs []string
 fromIngressClassParams := false
diff --git a/pkg/ingress/model_build_managed_sg.go b/pkg/ingress/model_build_managed_sg.go
index e048fc793f..17446f591c 100644
--- a/pkg/ingress/model_build_managed_sg.go
+++ b/pkg/ingress/model_build_managed_sg.go
@@ -109,6 +109,18 @@ func (t *defaultModelBuildTask) buildManagedSecurityGroupIngressPermissions(_ co
 },
 },
 })
 }
+ for _, sgID := range cfg.securityGroupIDs {
+ permissions = append(permissions, ec2model.IPPermission{
+ IPProtocol: "tcp",
+ FromPort: awssdk.Int64(port),
+ ToPort: awssdk.Int64(port),
+ UserIDGroupPairs: []ec2model.UserIDGroupPair{
+ {
+ GroupID: sgID,
+ },
+ },
+ })
+ }
 }
 return permissions
 }
diff --git a/pkg/ingress/model_builder.go b/pkg/ingress/model_builder.go
index ec753247de..894f20ad24 100644
--- a/pkg/ingress/model_builder.go
+++ b/pkg/ingress/model_builder.go
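Review bot: `computeIngressExplicitSecurityGroupIDs` has no doc comment and returns `nil, nil` when the annotation is absent, while an annotation that is present but empty goes straight to `ResolveViaNameOrID` with an empty slice, so whether that yields `nil, nil`, an empty slice or an error depends on the resolver rather than on this function. Add `// computeIngressExplicitSecurityGroupIDs resolves the inbound-security-groups annotation into security group IDs; nil means the annotation was not set.` and decide the empty case explicitly, either `if len(rawSecurityGroups) == 0 { return nil, nil }` after the parse or an error naming the annotation. The error wrapping uses `fmt.Errorf` with `%w` here and `errors.Errorf` in the model_builder.go hunk of the same patch; matching whichever the package already prefers keeps `errors.Is` behaviour uniform.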
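Review bot: The new loop in `buildManagedSecurityGroupIngressPermissions` appends the security-group-sourced rules for a port next to the CIDR and prefix-list rules rather than replacing them, so if `computeIngressExplicitInboundCIDRs` (outside this hunk) still substitutes its default open ranges when `inbound-cidrs` is unset, an Ingress that sets only `inbound-security-groups` stays reachable from those defaults and the new rule is purely additive. That should be confirmed and either stated in the annotation docs or handled by dropping the CIDR default when security groups are given. Emitting one `IPPermission` per group ID is also more verbose than needed since `UserIDGroupPairs` is a slice, though that is cosmetic. A one-line comment above the loop, `// grant members of the referenced security groups access to this port`, would document intent.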
@@ -310,6 +310,9 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 var mergedMtlsAttributesProvider *types.NamespacedName
 var mergedMtlsAttributes *elbv2model.MutualAuthenticationAttributes
+ var mergedSecurityGroupProvider *types.NamespacedName
+ mergedSecurityGroups := sets.NewString()
+
 for _, cfg := range listenPortConfigs {
 if mergedProtocolProvider == nil {
 mergedProtocolProvider = &cfg.ingKey
@@ -343,6 +346,17 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 }
 }
+ if len(cfg.listenPortConfig.securityGroupIDs) != 0 {
+ cfgSecurityGroups := sets.NewString(cfg.listenPortConfig.securityGroupIDs...)
+ if mergedSecurityGroupProvider == nil {
+ mergedSecurityGroupProvider = &cfg.ingKey
+ mergedSecurityGroups = cfgSecurityGroups
+ } else if !mergedSecurityGroups.Equal(cfgSecurityGroups) {
+ return listenPortConfig{}, errors.Errorf("conflicting security groups, %v: %v | %v: %v",
+ *mergedSecurityGroupProvider, mergedSecurityGroups.List(), cfg.ingKey, cfgSecurityGroups.List())
+ }
+ }
+
 if cfg.listenPortConfig.sslPolicy != nil {
 if mergedSSLPolicyProvider == nil {
 mergedSSLPolicyProvider = &cfg.ingKey
@@ -389,6 +403,7 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 sslPolicy: mergedSSLPolicy,
 tlsCerts: mergedTLSCerts,
 mutualAuthentication: mergedMtlsAttributes,
+ securityGroupIDs: mergedSecurityGroups.List(),
 }, nil
 }
diff --git a/pkg/ingress/model_builder_test.go b/pkg/ingress/model_builder_test.go
index 8ed6cc13fc..c9040a4b3e 100644
--- a/pkg/ingress/model_builder_test.go
+++ b/pkg/ingress/model_builder_test.go
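Review bot: The conflict error in the `@@ -343,6` hunk of `mergeListenPortConfigs` says `conflicting security groups`, which users will read as the unrelated `security-groups` annotation; `errors.Errorf("conflicting inbound-security-groups, %v: %v | %v: %v",` names the actual annotation. The rule implemented is that Ingresses sharing a listen port may set identical sets but not differing ones, which is slightly different from the docs' "should only be defined on one of the Ingress"; a comment such as `// identical sets from several Ingresses are tolerated; differing sets are a conflict` above the `if len(...) != 0` would pin it down. The enclosing function starts and ends outside these hunks.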
@@ -3,12 +3,12 @@ package ingress import ( "context" "encoding/json" + ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types" + elbv2types "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types" "testing" "time" - awssdk "github.com/aws/aws-sdk-go/aws" - ec2sdk "github.com/aws/aws-sdk-go/service/ec2" - elbv2sdk "github.com/aws/aws-sdk-go/service/elbv2" + awssdk "github.com/aws/aws-sdk-go-v2/aws" jsonpatch "github.com/evanphx/json-patch" "github.com/go-logr/logr" "github.com/golang/mock/gomock" @@ -442,7 +442,7 @@ const baseStackJSON = ` func Test_defaultModelBuilder_Build(t *testing.T) { type resolveViaDiscoveryCall struct { - subnets []*ec2sdk.Subnet + subnets []ec2types.Subnet err error } type env struct { @@ -453,7 +453,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) { err error } type describeSecurityGroupsResult struct { - securityGroups []*ec2sdk.SecurityGroup + securityGroups []ec2types.SecurityGroup err error } type fields struct { @@ -576,7 +576,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) { } resolveViaDiscoveryCallForInternalLB := resolveViaDiscoveryCall{ - subnets: []*ec2sdk.Subnet{ + subnets: []ec2types.Subnet{ { SubnetId: awssdk.String("subnet-a"), CidrBlock: awssdk.String("192.168.0.0/19"), @@ -588,7 +588,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) { }, } resolveViaDiscoveryCallForInternetFacingLB := resolveViaDiscoveryCall{ - subnets: []*ec2sdk.Subnet{ + subnets: []ec2types.Subnet{ { SubnetId: awssdk.String("subnet-c"), CidrBlock: awssdk.String("192.168.64.0/19"), 
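Review bot: In the import block of model_builder_test.go the two new `ec2types` and `elbv2types` imports are placed between `"encoding/json"` and `"testing"`, inside the standard-library group, while `awssdk` goes in the third-party group; `goimports` will reorder this, so the file will churn on the next format. Move the two lines below the blank line next to `awssdk "github.com/aws/aws-sdk-go-v2/aws"`. More broadly, this file section migrates the tests from aws-sdk-go to aws-sdk-go-v2 types, which is unrelated to the inbound-security-groups subject and presumably rebase fallout; it belongs in its own commit or the subject should mention it.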
@@ -605,14 +605,15 @@ func Test_defaultModelBuilder_Build(t *testing.T) { } tests := []struct { - name string - env env - defaultTargetType string - enableIPTargetType *bool - args args - fields fields - wantStackPatch string - wantErr string + name string + env env + defaultTargetType string + defaultLoadBalancerScheme string + enableIPTargetType *bool + args args + fields fields + wantStackPatch string + wantErr string }{ { name: "Ingress - vanilla internal", @@ -2152,9 +2153,9 @@ func Test_defaultModelBuilder_Build(t *testing.T) { { matchedLBs: []elbv2.LoadBalancerWithTags{ { - LoadBalancer: &elbv2sdk.LoadBalancer{ + LoadBalancer: &elbv2types.LoadBalancer{ LoadBalancerArn: awssdk.String("lb-1"), - AvailabilityZones: []*elbv2sdk.AvailabilityZone{ + AvailabilityZones: []elbv2types.AvailabilityZone{ { SubnetId: awssdk.String("subnet-e"), }, @@ -2162,7 +2163,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) { SubnetId: awssdk.String("subnet-f"), }, }, - Scheme: awssdk.String("internal"), + Scheme: elbv2types.LoadBalancerSchemeEnumInternal, }, Tags: map[string]string{ "elbv2.k8s.aws/cluster": "cluster-name", @@ -2170,9 +2171,9 @@ func Test_defaultModelBuilder_Build(t *testing.T) { }, }, { - LoadBalancer: &elbv2sdk.LoadBalancer{ + LoadBalancer: &elbv2types.LoadBalancer{ LoadBalancerArn: awssdk.String("lb-2"), - AvailabilityZones: []*elbv2sdk.AvailabilityZone{ + AvailabilityZones: []elbv2types.AvailabilityZone{ { SubnetId: awssdk.String("subnet-e"), }, @@ -2180,7 +2181,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) { SubnetId: awssdk.String("subnet-f"), }, }, - Scheme: awssdk.String("internal"), + Scheme: elbv2types.LoadBalancerSchemeEnumInternal, }, Tags: map[string]string{ "keyA": "valueA2", 
@@ -2188,9 +2189,9 @@ func Test_defaultModelBuilder_Build(t *testing.T) { }, }, { - LoadBalancer: &elbv2sdk.LoadBalancer{ + LoadBalancer: &elbv2types.LoadBalancer{ LoadBalancerArn: awssdk.String("lb-3"), - AvailabilityZones: []*elbv2sdk.AvailabilityZone{ + AvailabilityZones: []elbv2types.AvailabilityZone{ { SubnetId: awssdk.String("subnet-e"), }, @@ -2198,7 +2199,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) { SubnetId: awssdk.String("subnet-f"), }, }, - Scheme: awssdk.String("internal"), + Scheme: elbv2types.LoadBalancerSchemeEnumInternal, }, Tags: map[string]string{ "keyA": "valueA3", @@ -2339,7 +2340,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) { listLoadBalancersCalls: []listLoadBalancersCall{listLoadBalancerCallForEmptyLB}, describeSecurityGroupsResult: []describeSecurityGroupsResult{ { - securityGroups: []*ec2sdk.SecurityGroup{ + securityGroups: []ec2types.SecurityGroup{ { GroupId: awssdk.String("sg-manual"), }, @@ -2478,7 +2479,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) { listLoadBalancersCalls: []listLoadBalancersCall{listLoadBalancerCallForEmptyLB}, describeSecurityGroupsResult: []describeSecurityGroupsResult{ { - securityGroups: []*ec2sdk.SecurityGroup{ + securityGroups: []ec2types.SecurityGroup{ { GroupId: awssdk.String("sg-manual"), }, 
@@ -3628,6 +3629,108 @@ func Test_defaultModelBuilder_Build(t *testing.T) { } } } +}`, + }, + { + name: "Ingress - vanilla with default-load-balancer-scheme internet-facing", + env: env{ + svcs: []*corev1.Service{ns_1_svc_1, ns_1_svc_2, ns_1_svc_3}, + }, + fields: fields{ + resolveViaDiscoveryCalls: []resolveViaDiscoveryCall{resolveViaDiscoveryCallForInternetFacingLB}, + listLoadBalancersCalls: []listLoadBalancersCall{listLoadBalancerCallForEmptyLB}, + enableBackendSG: true, + }, + defaultLoadBalancerScheme: string(elbv2model.LoadBalancerSchemeInternetFacing), + args: args{ + ingGroup: Group{ + ID: GroupID{Namespace: "ns-1", Name: "ing-1"}, + Members: []ClassifiedIngress{ + { + Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns-1", + Name: "ing-1", + }, + Spec: networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + Host: "app-1.example.com", + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Path: "/svc-1", + Backend: networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: ns_1_svc_1.Name, + Port: networking.ServiceBackendPort{ + Name: "http", + }, + }, + }, + }, + { + Path: "/svc-2", + Backend: networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: ns_1_svc_2.Name, + Port: networking.ServiceBackendPort{ + Name: "http", + }, + }, + }, + }, + }, + }, + }, + }, + { + Host: "app-2.example.com", + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Path: "/svc-3", + Backend: networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: ns_1_svc_3.Name, + Port: networking.ServiceBackendPort{ + Name: "https", + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + wantStackPatch: ` +{ + "resources": { + "AWS::ElasticLoadBalancingV2::LoadBalancer": { + "LoadBalancer": { + "spec": { + 
"name": "k8s-ns1-ing1-159dd7a143", + "scheme": "internet-facing", + "subnetMapping": [ + { + "subnetID": "subnet-c" + }, + { + "subnetID": "subnet-d" + } + ] + } + } + } + } }`, }, } @@ -3681,6 +3784,10 @@ func Test_defaultModelBuilder_Build(t *testing.T) { if defaultTargetType == "" { defaultTargetType = "instance" } + defaultLoadBalancerScheme := tt.defaultLoadBalancerScheme + if defaultLoadBalancerScheme == "" { + defaultLoadBalancerScheme = string(elbv2model.LoadBalancerSchemeInternal) + } b := &defaultModelBuilder{ k8sClient: k8sClient, @@ -3703,8 +3810,9 @@ func Test_defaultModelBuilder_Build(t *testing.T) { featureGates: config.NewFeatureGates(), logger: logr.New(&log.NullLogSink{}), - defaultSSLPolicy: "ELBSecurityPolicy-2016-08", - defaultTargetType: elbv2model.TargetType(defaultTargetType), + defaultSSLPolicy: "ELBSecurityPolicy-2016-08", + defaultTargetType: elbv2model.TargetType(defaultTargetType), + defaultLoadBalancerScheme: elbv2model.LoadBalancerScheme(defaultLoadBalancerScheme), } if tt.enableIPTargetType == nil { @@ -3768,7 +3876,7 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) { ingGroup Group } type args struct { - listenPortConfigByPort map[int64]listenPortConfig + listenPortConfigByPort map[int32]listenPortConfig } tests := []struct { name string @@ -3818,7 +3926,7 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) { }, }, args: args{ - listenPortConfigByPort: map[int64]listenPortConfig{ + listenPortConfigByPort: map[int32]listenPortConfig{ 80: { protocol: elbv2model.ProtocolHTTP, }, @@ -3874,7 +3982,7 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) { }, }, args: args{ - listenPortConfigByPort: map[int64]listenPortConfig{ + listenPortConfigByPort: map[int32]listenPortConfig{ 80: { protocol: elbv2model.ProtocolHTTP, }, 
@@ -3933,7 +4041,7 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) { }, }, args: args{ - listenPortConfigByPort: map[int64]listenPortConfig{ + listenPortConfigByPort: map[int32]listenPortConfig{ 80: { protocol: elbv2model.ProtocolHTTP, }, @@ -3989,7 +4097,7 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) { }, }, args: args{ - listenPortConfigByPort: map[int64]listenPortConfig{ + listenPortConfigByPort: map[int32]listenPortConfig{ 80: { protocol: elbv2model.ProtocolHTTP, }, @@ -4073,7 +4181,7 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) { }, }, args: args{ - listenPortConfigByPort: map[int64]listenPortConfig{ + listenPortConfigByPort: map[int32]listenPortConfig{ 80: { protocol: elbv2model.ProtocolHTTP, }, @@ -4160,7 +4268,7 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) { }, }, args: args{ - listenPortConfigByPort: map[int64]listenPortConfig{ + listenPortConfigByPort: map[int32]listenPortConfig{ 80: { protocol: elbv2model.ProtocolHTTP, }, @@ -4253,7 +4361,7 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) { }, }, args: args{ - listenPortConfigByPort: map[int64]listenPortConfig{ + listenPortConfigByPort: map[int32]listenPortConfig{ 80: { protocol: elbv2model.ProtocolHTTP, }, @@ -4346,7 +4454,7 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) { }, }, args: args{ - listenPortConfigByPort: map[int64]listenPortConfig{ + listenPortConfigByPort: map[int32]listenPortConfig{ 80: { protocol: elbv2model.ProtocolHTTP, },