adding cache for cert discovery

Author: M00nF1sh

internal/alb/ls/cert_discovery.go

@@ -0,0 +1,116 @@
+package ls
+
+import (
+	"context"
+	"reflect"
+	"strings"
+	"time"
+
+	"github.com/aws/aws-sdk-go/service/acm"
+	"github.com/kubernetes-sigs/aws-alb-ingress-controller/internal/aws"
+	"github.com/kubernetes-sigs/aws-alb-ingress-controller/internal/ingress/errors"
+	"github.com/kubernetes-sigs/aws-alb-ingress-controller/internal/utils"
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+const (
+	// the domain names for imported certificate will be cached for 1 minute.(cache invalidation is hard problem right? :D)
+	importedCertDomainsCacheDuration = 1 * time.Minute
+)
+
+type CertDiscovery interface {
+	// Discover will try to find valid certificates for each tlsHost.
+	Discover(ctx context.Context, tlsHosts sets.String) ([]string, error)
+}
+
+func NewACMCertDiscovery(cloud aws.CloudAPI) CertDiscovery {
+	return &acmCertDiscovery{
+		cloud:            cloud,
+		certDomainsCache: utils.NewCache(),
+	}
+}
+
+type acmCertDiscovery struct {
+	cloud            aws.CloudAPI
+	certDomainsCache utils.Cache
+}
+
+func (d *acmCertDiscovery) Discover(ctx context.Context, tlsHosts sets.String) ([]string, error) {
+	domainsByCertArn, err := d.loadDomainsForCertificates(ctx)
+	if err != nil {
+		return nil, err
+	}
+	certArns := sets.NewString()
+	for host := range tlsHosts {
+		certArnsForHost := sets.NewString()
+		for certArn, domains := range domainsByCertArn {
+			for domain := range domains {
+				if d.domainMatchesHost(domain, host) {
+					certArnsForHost.Insert(certArn)
+					break
+				}
+			}
+		}
+		if len(certArnsForHost) > 1 {
+			return nil, errors.Errorf("multiple certificate found for host: %s, certARNs: %v", host, certArnsForHost.List())
+		}
+		if len(certArnsForHost) == 0 {
+			return nil, errors.Errorf("none certificate found for host: %s", host)
+		}
+		certArns = certArns.Union(certArnsForHost)
+	}
+	return certArns.List(), nil
+}
+
+func (d *acmCertDiscovery) loadDomainsForCertificates(ctx context.Context) (map[string]sets.String, error) {
+	certSummaries, err := d.cloud.ListCertificates(ctx, &acm.ListCertificatesInput{
+		CertificateStatuses: aws.StringSlice([]string{acm.CertificateStatusIssued}),
+	})
+	if err != nil {
+		return nil, err
+	}
+	domainsByCertArn := make(map[string]sets.String, len(certSummaries))
+	for _, certSummary := range certSummaries {
+		certArn := aws.StringValue(certSummary.CertificateArn)
+		certDomains, err := d.loadDomainsForCertificate(ctx, certArn)
+		if err != nil {
+			return nil, err
+		}
+		domainsByCertArn[certArn] = certDomains
+	}
+	d.certDomainsCache.Shrink(sets.StringKeySet(domainsByCertArn))
+	return domainsByCertArn, nil
+}
+
+func (d *acmCertDiscovery) loadDomainsForCertificate(ctx context.Context, certArn string) (sets.String, error) {
+	if domains, ok := d.certDomainsCache.Get(certArn); ok {
+		return domains.(sets.String), nil
+	}
+	certDetail, err := d.cloud.DescribeCertificate(ctx, certArn)
+	if err != nil {
+		return nil, err
+	}
+	domains := sets.NewString(aws.StringValueSlice(certDetail.SubjectAlternativeNames)...)
+	switch aws.StringValue(certDetail.Type) {
+	case acm.CertificateTypeAmazonIssued, acm.CertificateTypePrivate:
+		d.certDomainsCache.Set(certArn, domains, utils.CacheNoExpiration)
+	case acm.CertificateTypeImported:
+		d.certDomainsCache.Set(certArn, domains, importedCertDomainsCacheDuration)
+	}
+	return domains, nil
+}
+
+func (d *acmCertDiscovery) domainMatchesHost(domainName string, tlsHost string) bool {
+	if strings.HasPrefix(domainName, "*.") {
+		ds := strings.Split(domainName, ".")
+		hs := strings.Split(tlsHost, ".")
+
+		if len(ds) != len(hs) {
+			return false
+		}
+
+		return reflect.DeepEqual(ds[1:], hs[1:])
+	}
+
+	return domainName == tlsHost
+}

internal/alb/ls/cert_discovery_test.go

@@ -0,0 +1,216 @@
+package ls
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/service/acm"
+	"github.com/kubernetes-sigs/aws-alb-ingress-controller/internal/aws"
+	"github.com/kubernetes-sigs/aws-alb-ingress-controller/mocks"
+	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+type listCertificatesCall struct {
+	input  *acm.ListCertificatesInput
+	output []*acm.CertificateSummary
+	err    error
+}
+
+type describeCertificateCall struct {
+	certArn string
+	output  *acm.CertificateDetail
+	err     error
+}
+
+func Test_CertDiscovery_Discover(t *testing.T) {
+	for _, tc := range []struct {
+		name                     string
+		hosts                    []string
+		listCertificateCall      *listCertificatesCall
+		describeCertificateCalls []describeCertificateCall
+		expectedCerts            []string
+		expectedErr              string
+	}{
+		{
+			name:  "when ACM has exact match with TLS host",
+			hosts: []string{"foo.example.com"},
+			listCertificateCall: &listCertificatesCall{
+				input:  &acm.ListCertificatesInput{CertificateStatuses: aws.StringSlice([]string{acm.CertificateStatusIssued})},
+				output: []*acm.CertificateSummary{{CertificateArn: aws.String("arn:aws:acm:us-west-2:xxx:certificate/yyy")}},
+			},
+			describeCertificateCalls: []describeCertificateCall{
+				{
+					certArn: "arn:aws:acm:us-west-2:xxx:certificate/yyy",
+					output: &acm.CertificateDetail{
+						SubjectAlternativeNames: aws.StringSlice([]string{"foo.example.com"}),
+					},
+				},
+			},
+			expectedCerts: []string{"arn:aws:acm:us-west-2:xxx:certificate/yyy"},
+		},
+		{
+			name:  "when ACM has wildcard match with TLS host",
+			hosts: []string{"foo.example.com"},
+			listCertificateCall: &listCertificatesCall{
+				input:  &acm.ListCertificatesInput{CertificateStatuses: aws.StringSlice([]string{acm.CertificateStatusIssued})},
+				output: []*acm.CertificateSummary{{CertificateArn: aws.String("arn:aws:acm:us-west-2:xxx:certificate/yyy")}},
+			},
+			describeCertificateCalls: []describeCertificateCall{
+				{
+					certArn: "arn:aws:acm:us-west-2:xxx:certificate/yyy",
+					output: &acm.CertificateDetail{
+						SubjectAlternativeNames: aws.StringSlice([]string{"*.example.com"}),
+					},
+				},
+			},
+			expectedCerts: []string{"arn:aws:acm:us-west-2:xxx:certificate/yyy"},
+		},
+		{
+			name:  "when ACM has SAN domain match with TLS host",
+			hosts: []string{"foo.example.com"},
+			listCertificateCall: &listCertificatesCall{
+				input:  &acm.ListCertificatesInput{CertificateStatuses: aws.StringSlice([]string{acm.CertificateStatusIssued})},
+				output: []*acm.CertificateSummary{{CertificateArn: aws.String("arn:aws:acm:us-west-2:xxx:certificate/yyy")}},
+			},
+			describeCertificateCalls: []describeCertificateCall{
+				{
+					certArn: "arn:aws:acm:us-west-2:xxx:certificate/yyy",
+					output: &acm.CertificateDetail{
+						SubjectAlternativeNames: aws.StringSlice([]string{"bar.example.com", "foo.example.com"}),
+					},
+				},
+			},
+			expectedCerts: []string{"arn:aws:acm:us-west-2:xxx:certificate/yyy"},
+		},
+		{
+			name:  "when ACM has exact match with multiple TLS host",
+			hosts: []string{"foo.example.com", "bar.example.com"},
+			listCertificateCall: &listCertificatesCall{
+				input: &acm.ListCertificatesInput{CertificateStatuses: aws.StringSlice([]string{acm.CertificateStatusIssued})},
+				output: []*acm.CertificateSummary{
+					{CertificateArn: aws.String("arn:aws:acm:us-west-2:xxx:certificate/yyy")},
+					{CertificateArn: aws.String("arn:aws:acm:us-west-2:xxx:certificate/zzz")},
+				},
+			},
+			describeCertificateCalls: []describeCertificateCall{
+				{
+					certArn: "arn:aws:acm:us-west-2:xxx:certificate/yyy",
+					output: &acm.CertificateDetail{
+						SubjectAlternativeNames: aws.StringSlice([]string{"foo.example.com"}),
+					},
+				},
+				{
+					certArn: "arn:aws:acm:us-west-2:xxx:certificate/zzz",
+					output: &acm.CertificateDetail{
+						SubjectAlternativeNames: aws.StringSlice([]string{"bar.example.com"}),
+					},
+				},
+			},
+			expectedCerts: []string{"arn:aws:acm:us-west-2:xxx:certificate/yyy", "arn:aws:acm:us-west-2:xxx:certificate/zzz"},
+		},
+		{
+			name:  "when ACM has multiple match with TLS host",
+			hosts: []string{"foo.example.com"},
+			listCertificateCall: &listCertificatesCall{
+				input: &acm.ListCertificatesInput{CertificateStatuses: aws.StringSlice([]string{acm.CertificateStatusIssued})},
+				output: []*acm.CertificateSummary{
+					{CertificateArn: aws.String("arn:aws:acm:us-west-2:xxx:certificate/yyy")},
+					{CertificateArn: aws.String("arn:aws:acm:us-west-2:xxx:certificate/zzz")},
+				},
+			},
+			describeCertificateCalls: []describeCertificateCall{
+				{
+					certArn: "arn:aws:acm:us-west-2:xxx:certificate/yyy",
+					output: &acm.CertificateDetail{
+						SubjectAlternativeNames: aws.StringSlice([]string{"foo.example.com"}),
+					},
+				},
+				{
+					certArn: "arn:aws:acm:us-west-2:xxx:certificate/zzz",
+					output: &acm.CertificateDetail{
+						SubjectAlternativeNames: aws.StringSlice([]string{"foo.example.com"}),
+					},
+				},
+			},
+			expectedCerts: nil,
+			expectedErr:   "multiple certificate found for host: foo.example.com, certARNs: [arn:aws:acm:us-west-2:xxx:certificate/yyy arn:aws:acm:us-west-2:xxx:certificate/zzz]",
+		},
+		{
+			name:  "when ACM has no match with TLS host",
+			hosts: []string{"foo.example.com"},
+			listCertificateCall: &listCertificatesCall{
+				input: &acm.ListCertificatesInput{CertificateStatuses: aws.StringSlice([]string{acm.CertificateStatusIssued})},
+				output: []*acm.CertificateSummary{
+					{CertificateArn: aws.String("arn:aws:acm:us-west-2:xxx:certificate/yyy")},
+				},
+			},
+			describeCertificateCalls: []describeCertificateCall{
+				{
+					certArn: "arn:aws:acm:us-west-2:xxx:certificate/yyy",
+					output: &acm.CertificateDetail{
+						SubjectAlternativeNames: aws.StringSlice([]string{"bar.example.com"}),
+					},
+				},
+			},
+			expectedCerts: nil,
+			expectedErr:   "none certificate found for host: foo.example.com",
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			ctx := context.Background()
+			mockedCloud := &mocks.CloudAPI{}
+			if tc.listCertificateCall != nil {
+				mockedCloud.On("ListCertificates", ctx, tc.listCertificateCall.input).Return(tc.listCertificateCall.output, tc.listCertificateCall.err)
+			}
+			for _, call := range tc.describeCertificateCalls {
+				mockedCloud.On("DescribeCertificate", ctx, call.certArn).Return(call.output, call.err)
+			}
+
+			certDiscovery := NewACMCertDiscovery(mockedCloud)
+			certArns, err := certDiscovery.Discover(ctx, sets.NewString(tc.hosts...))
+			if tc.expectedErr != "" {
+				assert.EqualError(t, err, tc.expectedErr)
+			} else {
+				assert.Nil(t, err)
+			}
+			assert.ElementsMatch(t, certArns, tc.expectedCerts)
+		})
+	}
+}
+
+func Test_domainMatchesHost(t *testing.T) {
+	var tests = []struct {
+		domain string
+		host   string
+		want   bool
+	}{
+		{"example.com", "example.com", true},
+		{"example.com", "exampl0.com", false},
+
+		// wildcards
+		{"*.example.com", "foo.example.com", true},
+		{"*.example.com", "example.com", false},
+		{"*.exampl0.com", "foo.example.com", false},
+
+		// invalid hosts, not sure these are possible
+		{"*.*.example.com", "foo.bar.example.com", false},
+		{"foo.*.example.com", "foo.bar.example.com", false},
+	}
+
+	for _, test := range tests {
+		var msg = "should"
+		if !test.want {
+			msg = "should not"
+		}
+
+		d := &acmCertDiscovery{}
+		t.Run(fmt.Sprintf("%s %s match %s", test.domain, msg, test.host), func(t *testing.T) {
+			have := d.domainMatchesHost(test.domain, test.host)
+			if test.want != have {
+				t.Fail()
+			}
+		})
+	}
+}