Add non-alphanumeric input validation test for vpcID and fix typo (#3687)

* Add non-alphanumeric input validation test for vpcID

* Fix cert arn typo and add docs for cert arn support in IngressClassParams

Author: shraddhabang

apis/elbv2/v1beta1/ingressclassparams_types.go

@@ -86,9 +86,9 @@ type Attribute struct {
 
 // IngressClassParamsSpec defines the desired state of IngressClassParams
 type IngressClassParamsSpec struct {
-	//  CertificateARN specifies the ARN of the certificates for all Ingresses that belong to IngressClass with this IngressClassParams.
+	// CertificateArn specifies the ARN of the certificates for all Ingresses that belong to IngressClass with this IngressClassParams.
 	// +optional
-	CertficateArn []string `json:"certficateArn,omitempty"`
+	CertificateArn []string `json:"certificateArn,omitempty"`
 
 	// NamespaceSelector restrict the namespaces of Ingresses that are allowed to specify the IngressClass with this IngressClassParams.
 	// * if absent or present but empty, it selects all namespaces.

apis/elbv2/v1beta1/zz_generated.deepcopy.go

@@ -55,8 +55,8 @@ spec:
           spec:
             description: IngressClassParamsSpec defines the desired state of IngressClassParams
             properties:
-              certficateArn:
-                description: CertificateARN specifies the ARN of the certificates
+              certificateArn:
+                description: CertificateArn specifies the ARN of the certificates
                   for all Ingresses that belong to IngressClass with this IngressClassParams.
                 items:
                   type: string

config/crd/bases/elbv2.k8s.aws_ingressclassparams.yaml

@@ -1,5 +1,5 @@
 # Certificate Discovery
-TLS certificates for ALB Listeners can be automatically discovered with hostnames from Ingress resources if the [`alb.ingress.kubernetes.io/certificate-arn`](annotations.md#certificate-arn) annotation is not specified.
+TLS certificates for ALB Listeners can be automatically discovered with hostnames from Ingress resources if the [`spec.certificateArn`](ingress_class.md#speccertificatearn) in [`IngressClassParams`](ingress_class.md#ingressclassparams-specification) or [`alb.ingress.kubernetes.io/certificate-arn`](annotations.md#certificate-arn) annotation is not specified.
 
 The controller will attempt to discover TLS certificates from the `tls` field in Ingress and `host` field in Ingress rules.
 

docs/guide/ingress/cert_discovery.md

@@ -131,6 +131,15 @@ You can use IngressClassParams to enforce settings for a set of Ingresses.
         - myVal0
         - myVal1
     ```
+    - with certificateArn
+    ```
+    apiVersion: elbv2.k8s.aws/v1beta1
+    kind: IngressClassParams
+    metadata:
+    name: class2048-config
+    spec:
+      certificateArn: ['arn:aws:acm:us-east-1:123456789:certificate/test-arn-1','arn:aws:acm:us-east-1:123456789:certificate/test-arn-2']
+    ```
 
 ### IngressClassParams specification
 
@@ -167,7 +176,7 @@ Cluster administrators can use the `scheme` field to restrict the scheme for all
 Cluster administrators can use the optional `inboundCIDRs` field to specify the CIDRs that are allowed to access the load balancers that belong to this IngressClass.
 If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/inbound-cidrs` annotation.
 
-### spec.certificateArn
+#### spec.certificateArn
 Cluster administrators can use the optional `certificateARN` field to specify the ARN of the certificates for all Ingresses that belong to IngressClass with this IngressClassParams.
 
 If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/certificate-arn` annotation.

docs/guide/ingress/ingress_class.md

@@ -54,10 +54,9 @@ spec:
           spec:
             description: IngressClassParamsSpec defines the desired state of IngressClassParams
             properties:
-              certficateArn:
-                description:
-                  CertificateARN specifies the ARN of the certificates for
-                  all Ingresses that belong to IngressClass with this IngressClassParams.
+              certificateArn:
+                description: CertificateArn specifies the ARN of the certificates
+                  for all Ingresses that belong to IngressClass with this IngressClassParams.
                 items:
                   type: string
                 type: array

helm/aws-load-balancer-controller/crds/crds.yaml

@@ -87,5 +87,5 @@ const (
 	SvcLBSuffixLoadBalancerSecurityGroups                = "aws-load-balancer-security-groups"
 	SvcLBSuffixManageSGRules                             = "aws-load-balancer-manage-backend-security-group-rules"
 	SvcLBSuffixEnforceSGInboundRulesOnPrivateLinkTraffic = "aws-load-balancer-inbound-sg-rules-on-private-link-traffic"
-  SvcLBSuffixSecurityGroupPrefixLists                  = "aws-load-balancer-security-group-prefix-lists"
+	SvcLBSuffixSecurityGroupPrefixLists                  = "aws-load-balancer-security-group-prefix-lists"
 )

pkg/annotations/constants.go

@@ -167,8 +167,8 @@ func (t *defaultModelBuildTask) computeIngressListenPortConfigByPort(ctx context
 }
 
 func (t *defaultModelBuildTask) computeIngressExplicitTLSCertARNs(_ context.Context, ing *ClassifiedIngress) []string {
-	if ing.IngClassConfig.IngClassParams != nil && len(ing.IngClassConfig.IngClassParams.Spec.CertficateArn) != 0 {
-		return ing.IngClassConfig.IngClassParams.Spec.CertficateArn
+	if ing.IngClassConfig.IngClassParams != nil && len(ing.IngClassConfig.IngClassParams.Spec.CertificateArn) != 0 {
+		return ing.IngClassConfig.IngClassParams.Spec.CertificateArn
 	}
 	var rawTLSCertARNs []string
 	_ = t.annotationParser.ParseStringSliceAnnotation(annotations.IngressSuffixCertificateARN, &rawTLSCertARNs, ing.Ing.Annotations)

pkg/ingress/model_build_listener.go

@@ -1896,7 +1896,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 							IngClassConfig: ClassConfiguration{
 								IngClassParams: &v1beta1.IngressClassParams{
 									Spec: v1beta1.IngressClassParamsSpec{
-										CertficateArn: []string{"arn:aws:acm:us-east-1:9999999:certificate/ingress-class-certificate-arn"},
+										CertificateArn: []string{"arn:aws:acm:us-east-1:9999999:certificate/ingress-class-certificate-arn"},
 									},
 								},
 							},

pkg/ingress/model_builder_test.go

@@ -1136,6 +1136,18 @@ func Test_targetGroupBindingValidator_checkTargetGroupVpcID(t *testing.T) {
 			},
 			wantErr: errors.New("ValidationError: vpcID vpcid-123 failed to satisfy constraint: VPC Id must begin with 'vpc-' followed by 8 or 17 lowercase letters (a-f) or numbers."),
 		},
+		{
+			name: "[err] vpcID is not valid - non alphanumeric value",
+			args: args{
+				obj: &elbv2api.TargetGroupBinding{
+					Spec: elbv2api.TargetGroupBindingSpec{
+						TargetGroupARN: "tg-2",
+						VpcID:          "vpcid-@34!dv",
+					},
+				},
+			},
+			wantErr: errors.New("ValidationError: vpcID vpcid-@34!dv failed to satisfy constraint: VPC Id must begin with 'vpc-' followed by 8 or 17 lowercase letters (a-f) or numbers."),
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {