kubernetes-sigs · k8s-ci-robot · Feb 25, 2021 · Feb 19, 2021
diff --git a/docs/guide/ingress/annotations.md b/docs/guide/ingress/annotations.md
@@ -29,6 +29,7 @@ You can add annotations to kubernetes Ingress and Service objects to customize t
 |[alb.ingress.kubernetes.io/waf-acl-id](#waf-acl-id)|string|N/A|Ingress|Exclusive|
 |[alb.ingress.kubernetes.io/shield-advanced-protection](#shield-advanced-protection)|boolean|N/A|Ingress|Exclusive|
 |[alb.ingress.kubernetes.io/listen-ports](#listen-ports)|json|'[{"HTTP": 80}]' \| '[{"HTTPS": 443}]'|Ingress|Merge|
+|[alb.ingress.kubernetes.io/ssl-redirect](#ssl-redirect)|integer|N/A|Ingress|Exclusive|
 |[alb.ingress.kubernetes.io/inbound-cidrs](#inbound-cidrs)|stringList|0.0.0.0/0, ::/0|Ingress|Exclusive|
 |[alb.ingress.kubernetes.io/certificate-arn](#certificate-arn)|stringList|N/A|Ingress|Merge|
 |[alb.ingress.kubernetes.io/ssl-policy](#ssl-policy)|string|ELBSecurityPolicy-2016-08|Ingress|Exclusive|
@@ -117,6 +118,22 @@ Traffic Listening can be controlled with following annotations:
         ```
         alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}, {"HTTP": 8080}, {"HTTPS": 8443}]'
         ```
+
+- <a name="ssl-redirect">`alb.ingress.kubernetes.io/ssl-redirect`</a> enables SSLRedirect and specifies the SSL port that redirects to.
+
+    !!!note "Merge Behavior"
+        `ssl-redirect` is exclusive across all Ingresses in IngressGroup.
+
+        - Once defined on a single Ingress, it impacts every Ingress within IngressGroup.
+
+    !!!note ""
+        - Once enabled SSLRedirect, every HTTP listener will be configured with default action which redirects to HTTPS, other rules will be ignored.
+        - The SSL port that redirects to must exists on LoadBalancer. See [alb.ingress.kubernetes.io/listen-ports](#listen-ports) for the listen ports configuration.
+
+    !!!example
+        ```
+        alb.ingress.kubernetes.io/ssl-redirect: '443'
+        ```
 
 - <a name="ip-address-type">`alb.ingress.kubernetes.io/ip-address-type`</a> specifies the [IP address type](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#ip-address-type) of ALB.
 

diff --git a/pkg/annotations/constants.go b/pkg/annotations/constants.go
@@ -19,6 +19,7 @@ const (
 	IngressSuffixShieldAdvancedProtection     = "shield-advanced-protection"
 	IngressSuffixSecurityGroups               = "security-groups"
 	IngressSuffixListenPorts                  = "listen-ports"
+	IngressSuffixSSLRedirect                  = "ssl-redirect"
 	IngressSuffixInboundCIDRs                 = "inbound-cidrs"
 	IngressSuffixCertificateARN               = "certificate-arn"
 	IngressSuffixSSLPolicy                    = "ssl-policy"

diff --git a/pkg/ingress/model_build_actions.go b/pkg/ingress/model_build_actions.go
@@ -2,6 +2,7 @@ package ingress
 
 import (
 	"context"
+	"fmt"
 	awssdk "github.com/aws/aws-sdk-go/aws"
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
@@ -241,3 +242,14 @@ func (t *defaultModelBuildTask) build404Action(_ context.Context) elbv2model.Act
 		},
 	}
 }
+
+func (t *defaultModelBuildTask) buildSSLRedirectAction(_ context.Context, sslRedirectConfig SSLRedirectConfig) elbv2model.Action {
+	return elbv2model.Action{
+		Type: elbv2model.ActionTypeRedirect,
+		RedirectConfig: &elbv2model.RedirectActionConfig{
+			Port:       awssdk.String(fmt.Sprintf("%v", sslRedirectConfig.SSLPort)),
+			Protocol:   awssdk.String(string(elbv2model.ProtocolHTTPS)),
+			StatusCode: sslRedirectConfig.StatusCode,
+		},
+	}
+}
diff --git a/pkg/ingress/model_build_actions_test.go b/pkg/ingress/model_build_actions_test.go
@@ -248,3 +248,39 @@ func Test_defaultModelBuildTask_buildAuthenticateOIDCAction(t *testing.T) {
 		})
 	}
 }
+
+func Test_defaultModelBuildTask_buildSSLRedirectAction(t *testing.T) {
+	type args struct {
+		sslRedirectConfig SSLRedirectConfig
+	}
+	tests := []struct {
+		name string
+		args args
+		want elbv2model.Action
+	}{
+		{
+			name: "SSLRedirect to 443 with 301",
+			args: args{
+				sslRedirectConfig: SSLRedirectConfig{
+					SSLPort:    443,
+					StatusCode: "HTTP_301",
+				},
+			},
+			want: elbv2model.Action{
+				Type: elbv2model.ActionTypeRedirect,
+				RedirectConfig: &elbv2model.RedirectActionConfig{
+					Port:       awssdk.String("443"),
+					Protocol:   awssdk.String("HTTPS"),
+					StatusCode: "HTTP_301",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t1 *testing.T) {
+			task := &defaultModelBuildTask{}
+			got := task.buildSSLRedirectAction(context.Background(), tt.args.sslRedirectConfig)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
diff --git a/pkg/ingress/model_build_listener.go b/pkg/ingress/model_build_listener.go
@@ -49,6 +49,10 @@ func (t *defaultModelBuildTask) buildListenerSpec(ctx context.Context, lbARN cor
 }
 
 func (t *defaultModelBuildTask) buildListenerDefaultActions(ctx context.Context, protocol elbv2model.Protocol, ingList []*networking.Ingress) ([]elbv2model.Action, error) {
+	if t.sslRedirectConfig != nil && protocol == elbv2model.ProtocolHTTP {
+		return []elbv2model.Action{t.buildSSLRedirectAction(ctx, *t.sslRedirectConfig)}, nil
+	}
+
 	ingsWithDefaultBackend := make([]*networking.Ingress, 0, len(ingList))
 	for _, ing := range ingList {
 		if ing.Spec.Backend != nil {

diff --git a/pkg/ingress/model_build_listener_rules.go b/pkg/ingress/model_build_listener_rules.go
@@ -12,6 +12,10 @@ import (
 )
 
 func (t *defaultModelBuildTask) buildListenerRules(ctx context.Context, lsARN core.StringToken, port int64, protocol elbv2model.Protocol, ingList []*networking.Ingress) error {
+	if t.sslRedirectConfig != nil && protocol == elbv2model.ProtocolHTTP {
+		return nil
+	}
+
 	var rules []Rule
 	for _, ing := range ingList {
 		for _, rule := range ing.Spec.Rules {

diff --git a/pkg/ingress/model_builder.go b/pkg/ingress/model_builder.go
@@ -3,6 +3,7 @@ package ingress
 import (
 	"context"
 	awssdk "github.com/aws/aws-sdk-go/aws"
+	elbv2sdk "github.com/aws/aws-sdk-go/service/elbv2"
 	"github.com/go-logr/logr"
 	"github.com/pkg/errors"
 	networking "k8s.io/api/networking/v1beta1"
@@ -136,8 +137,9 @@ type defaultModelBuildTask struct {
 	ruleOptimizer          RuleOptimizer
 	logger                 logr.Logger
 
-	ingGroup Group
-	stack    core.Stack
+	ingGroup          Group
+	sslRedirectConfig *SSLRedirectConfig
+	stack             core.Stack
 
 	defaultTags                               map[string]string
 	defaultIPAddressType                      elbv2model.IPAddressType
@@ -194,6 +196,11 @@ func (t *defaultModelBuildTask) run(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
+
+	t.sslRedirectConfig, err = t.buildSSLRedirectConfig(ctx, listenPortConfigByPort)
+	if err != nil {
+		return err
+	}
 	for port, cfg := range listenPortConfigByPort {
 		ingList := ingListByPort[port]
 		ls, err := t.buildListener(ctx, lb.LoadBalancerARN(), port, cfg, ingList)
@@ -276,3 +283,36 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 		tlsCerts:       mergedTLSCerts.List(),
 	}, nil
 }
+
+// buildSSLRedirectConfig computes the SSLRedirect config for the IngressGroup. Returns nil if there is no SSLRedirect configured.
+func (t *defaultModelBuildTask) buildSSLRedirectConfig(ctx context.Context, listenPortConfigByPort map[int64]listenPortConfig) (*SSLRedirectConfig, error) {
+	explicitSSLRedirectPorts := sets.Int64{}
+	for _, ing := range t.ingGroup.Members {
+		var rawSSLRedirectPort int64
+		exists, err := t.annotationParser.ParseInt64Annotation(annotations.IngressSuffixSSLRedirect, &rawSSLRedirectPort, ing.Annotations)
+		if err != nil {
+			return nil, errors.Wrapf(err, "ingress: %v", k8s.NamespacedName(ing))
+		}
+		if exists {
+			explicitSSLRedirectPorts.Insert(rawSSLRedirectPort)
+		}
+	}
+
+	if len(explicitSSLRedirectPorts) == 0 {
+		return nil, nil
+	}
+	if len(explicitSSLRedirectPorts) > 1 {
+		return nil, errors.Errorf("conflicting sslRedirect port: %v", explicitSSLRedirectPorts.List())
+	}
+	rawSSLRedirectPort, _ := explicitSSLRedirectPorts.PopAny()
+	if listenPortConfig, ok := listenPortConfigByPort[rawSSLRedirectPort]; !ok {
+		return nil, errors.Errorf("listener does not exist for SSLRedirect port: %v", rawSSLRedirectPort)
+	} else if listenPortConfig.protocol != elbv2model.ProtocolHTTPS {
+		return nil, errors.Errorf("listener protocol non-SSL for SSLRedirect port: %v", rawSSLRedirectPort)
+	}
+
+	return &SSLRedirectConfig{
+		SSLPort:    rawSSLRedirectPort,
+		StatusCode: elbv2sdk.RedirectActionStatusCodeEnumHttp301,
+	}, nil
+}