add SSL cert discovery

Author: M00nF1sh

pkg/build/builder.go

@@ -8,6 +8,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	api "sigs.k8s.io/aws-alb-ingress-controller/pkg/apis/ingress/v1alpha1"
 	"sigs.k8s.io/aws-alb-ingress-controller/pkg/auth"
+	"sigs.k8s.io/aws-alb-ingress-controller/pkg/build/tls"
 	"sigs.k8s.io/aws-alb-ingress-controller/pkg/cloud"
 	"sigs.k8s.io/aws-alb-ingress-controller/pkg/ingress"
 	"sigs.k8s.io/aws-alb-ingress-controller/pkg/k8s"
@@ -78,9 +79,11 @@ func (b *defaultBuilder) buildListenersAndLBSG(ctx context.Context, stack *LoadB
 	defaultActionsByPort := map[int64][]api.ListenerAction{}
 	rulesByPort := map[int64][]api.ListenerRule{}
 
+	annoCertBuilder := tls.NewAnnotationCertificateBuilder(b.annotationParser)
+	inferACMCertBuilder := tls.NewInferACMCertificateBuilder(b.cloud)
 	for _, ing := range ingGroup.ActiveMembers {
 		tlsPolicy := b.buildIngressTLSPolicy(ctx, ing)
-		tlsCerts, err := b.buildIngressTLSCerts(ctx, ing)
+		tlsCerts, err := annoCertBuilder.Build(ctx, ing)
 		if err != nil {
 			return nil, nil, err
 		}
@@ -104,6 +107,14 @@ func (b *defaultBuilder) buildListenersAndLBSG(ctx context.Context, stack *LoadB
 					tlsPolicyByPort[port] = tlsPolicy
 				}
 
+				if len(tlsCerts) == 0 {
+					var err error
+					tlsCerts, err = inferACMCertBuilder.Build(ctx, ing)
+					if err != nil {
+						return nil, nil, err
+					}
+				}
+
 				// maintain original order for tlsCertsByPort[port], since we use the first cert as default listener certificate.
 				existingTLSCertSet := sets.NewString(tlsCertsByPort[port]...)
 				for _, cert := range tlsCerts {

pkg/build/listener.go

@@ -9,15 +9,6 @@ import (
 	"sigs.k8s.io/aws-alb-ingress-controller/pkg/k8s"
 )
 
-// build the TLS Cert list for specified Ingress.
-func (b *defaultBuilder) buildIngressTLSCerts(ctx context.Context, ing *extensions.Ingress) ([]string, error) {
-	var rawTLSCerts []string
-	_ = b.annotationParser.ParseStringSliceAnnotation(k8s.AnnotationSuffixCertificateARN, &rawTLSCerts, ing.Annotations)
-
-	// TODO(@M00nF1sh): Cert Discovery
-	return rawTLSCerts, nil
-}
-
 func (b *defaultBuilder) buildIngressTLSPolicy(ctx context.Context, ing *extensions.Ingress) string {
 	var tlsPolicy string
 	_ = b.annotationParser.ParseStringAnnotation(k8s.AnnotationSuffixSSLPolicy, &tlsPolicy, ing.Annotations)

pkg/build/tls/annotation_certificate.go

@@ -0,0 +1,24 @@
+package tls
+
+import (
+	"context"
+	extensions "k8s.io/api/extensions/v1beta1"
+	"sigs.k8s.io/aws-alb-ingress-controller/pkg/k8s"
+)
+
+func NewAnnotationCertificateBuilder(annotationParser k8s.AnnotationParser) CertificateBuilder {
+	return &annotationCertificateBuilder{
+		annotationParser: annotationParser,
+	}
+}
+
+type annotationCertificateBuilder struct {
+	annotationParser k8s.AnnotationParser
+}
+
+func (b *annotationCertificateBuilder) Build(ctx context.Context, ing *extensions.Ingress) ([]string, error) {
+	var rawTLSCerts []string
+	_ = b.annotationParser.ParseStringSliceAnnotation(k8s.AnnotationSuffixCertificateARN, &rawTLSCerts, ing.Annotations)
+
+	return rawTLSCerts, nil
+}

pkg/build/tls/infer_acm_certificate.go

@@ -0,0 +1,137 @@
+package tls
+
+import (
+	"context"
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/acm"
+	"github.com/pkg/errors"
+	extensions "k8s.io/api/extensions/v1beta1"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"reflect"
+	"sigs.k8s.io/aws-alb-ingress-controller/pkg/cloud"
+	"sigs.k8s.io/aws-alb-ingress-controller/pkg/k8s"
+	"strings"
+	"sync"
+)
+
+func NewInferACMCertificateBuilder(cloud cloud.Cloud) CertificateBuilder {
+	return &inferACMCertificateBuilder{
+		cloud: cloud,
+	}
+}
+
+// inferACMCertificateBuilder
+type inferACMCertificateBuilder struct {
+	cloud cloud.Cloud
+
+	domainNamesByCertMutex sync.Mutex
+	domainNamesByCert      map[string][]string
+}
+
+// If TLS Certificate can be found for some or all hosts in Ingress, these certificate will be returned.
+// If multiple TLS Certificate are found for same host, an error will be returned.
+func (b *inferACMCertificateBuilder) Build(ctx context.Context, ing *extensions.Ingress) ([]string, error) {
+	var tlsHosts = extractIngressTLSHosts(ing)
+	if len(tlsHosts) == 0 {
+		return nil, nil
+	}
+
+	if err := b.loadDomainNamesByCert(ctx); err != nil {
+		return nil, err
+	}
+
+	certARNsForIng := sets.NewString()
+	for host := range tlsHosts {
+		certARNsForHost := sets.NewString()
+		for certArn, domainNames := range b.domainNamesByCert {
+			for _, domain := range domainNames {
+				if isACMCertDomainMatchesTLSHost(domain, host) {
+					certARNsForHost.Insert(certArn)
+					break
+				}
+			}
+		}
+		ingKey := k8s.NamespacedName(ing).String()
+		if len(certARNsForHost) > 1 {
+			return nil, errors.Errorf("multiple certificate found for host: %s, ingress: %s", host, ingKey)
+		}
+		if len(certARNsForHost) == 0 {
+			return nil, errors.Errorf("none certificate found for host: %s, ingress: %s", host, ingKey)
+		}
+		certARNsForIng = certARNsForIng.Union(certARNsForHost)
+	}
+	return certARNsForIng.List(), nil
+}
+
+func (b *inferACMCertificateBuilder) loadDomainNamesByCert(ctx context.Context) error {
+	if b.domainNamesByCert != nil {
+		return nil
+	}
+	b.domainNamesByCertMutex.Lock()
+	defer b.domainNamesByCertMutex.Unlock()
+	if b.domainNamesByCert != nil {
+		return nil
+	}
+
+	certs, err := b.cloud.ACM().ListCertificatesAsList(ctx, &acm.ListCertificatesInput{
+		CertificateStatuses: aws.StringSlice([]string{acm.CertificateStatusIssued}),
+	})
+	if err != nil {
+		return err
+	}
+
+	domainNamesByCert := make(map[string][]string, len(certs))
+	for _, cert := range certs {
+		certArn := aws.StringValue(cert.CertificateArn)
+		domainNames, err := b.lookupCertificateDomainNames(ctx, certArn)
+		if err != nil {
+			return err
+		}
+		domainNamesByCert[certArn] = domainNames
+	}
+	b.domainNamesByCert = domainNamesByCert
+	return nil
+}
+
+// lookupCertificateDomainNames lookup the domainNames for certificate from aws ACM API.
+func (b *inferACMCertificateBuilder) lookupCertificateDomainNames(ctx context.Context, certArn string) ([]string, error) {
+	resp, err := b.cloud.ACM().DescribeCertificateWithContext(ctx, &acm.DescribeCertificateInput{
+		CertificateArn: aws.String(certArn),
+	})
+	if err != nil {
+		return nil, err
+	}
+	return aws.StringValueSlice(resp.Certificate.SubjectAlternativeNames), nil
+}
+
+// extractIngressTLSHosts extracts TLS HostNames from ingress.
+func extractIngressTLSHosts(ing *extensions.Ingress) sets.String {
+	hosts := sets.NewString()
+
+	for _, r := range ing.Spec.Rules {
+		if len(r.Host) != 0 {
+			hosts.Insert(r.Host)
+		}
+	}
+
+	for _, t := range ing.Spec.TLS {
+		hosts.Insert(t.Hosts...)
+	}
+
+	return hosts
+}
+
+func isACMCertDomainMatchesTLSHost(certDomain string, tlsHost string) bool {
+	if strings.HasPrefix(certDomain, "*.") {
+		ds := strings.Split(certDomain, ".")
+		hs := strings.Split(tlsHost, ".")
+
+		if len(ds) != len(hs) {
+			return false
+		}
+
+		return reflect.DeepEqual(ds[1:], hs[1:])
+	}
+
+	return certDomain == tlsHost
+}

pkg/build/tls/interfaces.go

@@ -0,0 +1,11 @@
+package tls
+
+import (
+	"context"
+	extensions "k8s.io/api/extensions/v1beta1"
+)
+
+// CertificateBuilder is responsible for constructing TLSCertificates for Ingress.
+type CertificateBuilder interface {
+	Build(ctx context.Context, ing *extensions.Ingress) ([]string, error)
+}

pkg/cloud/acm.go

@@ -0,0 +1,38 @@
+package cloud
+
+import (
+	"context"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/acm"
+	"github.com/aws/aws-sdk-go/service/acm/acmiface"
+)
+
+// ACM is an wrapper around original ACMAPI with additional convenient APIs.
+type ACM interface {
+	acmiface.ACMAPI
+
+	ListCertificatesAsList(ctx context.Context, input *acm.ListCertificatesInput) ([]*acm.CertificateSummary, error)
+}
+
+func NewACM(session *session.Session) ACM {
+	return &defaultACM{
+		acm.New(session),
+	}
+}
+
+var _ ACM = (*defaultACM)(nil)
+
+type defaultACM struct {
+	acmiface.ACMAPI
+}
+
+func (c *defaultACM) ListCertificatesAsList(ctx context.Context, input *acm.ListCertificatesInput) ([]*acm.CertificateSummary, error) {
+	var result []*acm.CertificateSummary
+	if err := c.ListCertificatesPagesWithContext(ctx, input, func(output *acm.ListCertificatesOutput, _ bool) bool {
+		result = append(result, output.CertificateSummaryList...)
+		return true
+	}); err != nil {
+		return nil, err
+	}
+	return result, nil
+}

pkg/cloud/cloud.go

@@ -7,6 +7,7 @@ import (
 )
 
 type Cloud interface {
+	ACM() ACM
 	ELBV2() ELBV2
 	EC2() EC2
 	RGT() RGT
@@ -18,6 +19,7 @@ type Cloud interface {
 type defaultCloud struct {
 	config Config
 
+	acm   ACM
 	elbv2 ELBV2
 	ec2   EC2
 	rgt   RGT
@@ -48,12 +50,17 @@ func New(cfg Config) (Cloud, error) {
 	session = session.Copy(&aws.Config{Region: aws.String(cfg.Region)})
 	return &defaultCloud{
 		config: cfg,
+		acm:    NewACM(session),
 		elbv2:  NewELBV2(session),
 		ec2:    NewEC2(session),
 		rgt:    NewRGT(session),
 	}, nil
 }
 
+func (c *defaultCloud) ACM() ACM {
+	return c.acm
+}
+
 func (c *defaultCloud) ELBV2() ELBV2 {
 	return c.elbv2
 }

pkg/controller/endpointbinding/controller.go

@@ -30,7 +30,7 @@ func Initialize(mgr manager.Manager, cloud cloud.Cloud, ebRepo backend.EndpointB
 	return nil
 }
 
-func watchClusterEvents(c controller.Controller, cache cache.Cache, ebRepo backend.EndpointBindingRepo) error {
+func watchClusterEvents(c controller.Controller, _ cache.Cache, ebRepo backend.EndpointBindingRepo) error {
 	if err := watchEndpointBindingRepo(c, ebRepo); err != nil {
 		return err
 	}

pkg/controller/endpointbinding/reconciler.go

@@ -54,8 +54,7 @@ func (r *ReconcileEndpointBinding) Reconcile(request reconcile.Request) (reconci
 
 	desiredTargets, err := r.endpointResolver.Resolve(ctx, svcKey, eb.Spec.ServicePort, eb.Spec.TargetType)
 	if err != nil {
-		// TODO: (Fix this)
-		return reconcile.Result{}, nil
+		return reconcile.Result{}, err
 	}
 
 	tgArn := eb.Spec.TargetGroup.TargetGroupARN

pkg/controller/ingress/eventhandlers/ingress.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	extensions "k8s.io/api/extensions/v1beta1"
 	"k8s.io/client-go/util/workqueue"
+	"reflect"
 	"sigs.k8s.io/aws-alb-ingress-controller/pkg/ingress"
 	"sigs.k8s.io/aws-alb-ingress-controller/pkg/k8s"
 	"sigs.k8s.io/controller-runtime/pkg/event"
@@ -32,8 +33,14 @@ func (h *enqueueRequestsForIngressEvent) Create(e event.CreateEvent, queue workq
 
 // Update is called in response to an update event -  e.g. Pod Updated.
 func (h *enqueueRequestsForIngressEvent) Update(e event.UpdateEvent, queue workqueue.RateLimitingInterface) {
-	h.enqueueIfIngressClassMatched(e.ObjectOld.(*extensions.Ingress), queue)
-	h.enqueueIfIngressClassMatched(e.ObjectNew.(*extensions.Ingress), queue)
+	ingOld := e.ObjectOld.(*extensions.Ingress)
+	ingNew := e.ObjectNew.(*extensions.Ingress)
+	if reflect.DeepEqual(ingOld.Annotations, ingNew.Annotations) && reflect.DeepEqual(ingOld.Spec, ingNew.Spec) {
+		return
+	}
+
+	h.enqueueIfIngressClassMatched(ingOld, queue)
+	h.enqueueIfIngressClassMatched(ingNew, queue)
 }
 
 // Delete is called in response to a delete event - e.g. Pod Deleted.

pkg/controller/ingress/reconciler.go

@@ -3,7 +3,7 @@ package ingress
 import (
 	"context"
 	"encoding/json"
-	"fmt"
+	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 	extensions "k8s.io/api/extensions/v1beta1"
 	"sigs.k8s.io/aws-alb-ingress-controller/pkg/build"
@@ -76,20 +76,18 @@ func (r *ReconcileIngress) Reconcile(request reconcile.Request) (reconcile.Resul
 		return reconcile.Result{}, err
 	}
 
-	logging.FromContext(ctx).Info("successfully built model", "groupID", group.ID.String())
-
 	payload, err := json.Marshal(model)
-	fmt.Println(string(payload))
+	logging.FromContext(ctx).Info("successfully built model", "groupID", groupID.String(),
+		"model", string(payload))
 
-	lbDNS, err := r.modelDeployer.Deploy(ctx, model)
-	if err != nil {
+	if err := r.modelDeployer.Deploy(ctx, &model); err != nil {
 		return reconcile.Result{}, err
 	}
 	logging.FromContext(ctx).Info("successfully deployed model", "groupID", group.ID.String())
 
-	if lbDNS != "" {
+	if model.LoadBalancer != nil {
 		for _, ing := range group.ActiveMembers {
-			if err := r.updateIngressStatus(ctx, ing, lbDNS); err != nil {
+			if err := r.updateIngressStatus(ctx, ing, model.LoadBalancer.Status.DNSName); err != nil {
 				return reconcile.Result{}, err
 			}
 		}
@@ -116,6 +114,10 @@ func (r *ReconcileIngress) updateIngressStatus(ctx context.Context, ingress *ext
 				Hostname: lbDNS,
 			},
 		}
+		if err := r.client.Status().Update(ctx, ingress); err != nil {
+			return errors.Wrapf(err, "failed to update ingress:%v", ingress)
+		}
+
 		return r.client.Status().Update(ctx, ingress)
 	}
 	return nil