Auto-add certs from ACM by hostname if none are specified via annotation #851
Conversation
* for querying ACM for certificates
* TODO: merge his unit tests back in too
* instead of crashing out with a NPE
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
cncf-cla: no
|
Hi @khyew. Thanks for your PR. I'm waiting for a kubernetes-sigs or kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
|
I have signed the CNCF CLA. Mister k8s-ci-robot, please re-verify me 🤖🙏 |
k8s-ci-robot
added
cncf-cla: yes
|
/assign @M00nF1sh |
|
/assign @bigkraig |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
| return false | ||
| } | ||
|
|
||
| for i, dp := range ds { |
There was a problem hiding this comment.
I think it for-loop can be simplied to return reflect.DeepEqual(ds[1:],hs[1:])
There was a problem hiding this comment.
That would cause it to erroneously return true for the following trivial case:
ds := []string{"google", "com"}
hs := []string{"facebook", "com"}
There was a problem hiding this comment.
i don't think so, since you already have two precondition before:
- strings.HasPrefix(domainName, "*."), ensures ds begins with "*",
- if len(ds) != len(hs), ensures hs is at least 1. (so hs[1:] is safe).
use reflect.DeepEqual(ds[1:], hs[1:]) after the two condition seems easier to read 🤣
There was a problem hiding this comment.
oh whoops, I missed the pre-condition. Good catch.
There was a problem hiding this comment.
Oh I see, strings.Split("*.", ".") actually evaluates to ["*", ""] which is size 2, so if ds and hs are equal then they are both at least size 2 and ds[1:] and hs[1:] will be safe operations.
| } | ||
|
|
||
| func uniqueHosts(ingress *extensions.Ingress) []string { | ||
| var result []string |
There was a problem hiding this comment.
I think all these set operations via seen trick can be simplified via sets.NewString()
| @@ -250,3 +264,76 @@ func (controller *defaultController) buildDefaultActions(ctx context.Context, op | |||
| } | |||
| return buildActions(ctx, authCfg, options.IngressAnnos, backend, options.TGGroup) | |||
| } | |||
|
|
|||
| // inferCertARNs retrieves a set of certificates from ACM that matches the ingress' hosts list | |||
There was a problem hiding this comment.
it will be better to make inferCertArns an member function of controller, so it don't need to pass singtons like (acmsvc aws.ACMAPI) around.
Alternatively, i sugges make the signature below:
func (controller *defaultController) inferCertARNs(ctx context.Context, ingress *extension.Ingress)
So
- the log object can be extracted within inferCertARNs.
- We can pass context to ListCertificates to carry timeout info in the future.
|
Thanks so much for make this change 😄 There also should be works to be do in future PRs:
|
|
/retest |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: khyew, M00nF1sh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
@M00nF1sh I was in the middle of addressing the PR fixes that you proposed. Do you still want me to submit them (by cutting a branch and opening a new PR)? |
That would be awesome 😄 . I merged this since it's just some nitpicks. |
|
Unfortunately I'm having difficulty building the project now. |
|
umm, are you based on the new master branch(i bump dependencies two commits ago), and using a go version that supports modules? |
|
Module support shouldn't be a problem. Worked fine before I pulled master to get up-to-date today. |
|
Hold on, I'm going to |
|
i think you can try do the following:
|
|
There is no vendor directory in the repo. I deleted the package cache (the entire contents of ~/go/pkg/) but that didn't resolve the problem. According to the results of the bisect, commit a28d0d0 is the first to introduce the issues so I assume it's related to bumping dependency versions. When I try to build from that commit, I get the same error that I posted. When I build from the previous commit, it succeeds without issues. |
|
Update: deleting the actual module cache directory worked. My $GOPATH is set to |
|
There is some bugs in go's module support. Seems multiple cocurrent gets via go module might corrupt the module directory. I guess that's what you encountered 😄 |
(I'm picking up a PR from @cv that was lost when the master branch of this project was re-based: #600)
This change adds a fallback behaviour to the controller's handling of TLS certificates. If the ingress spec has a HTTPS listener but no
alb.ingress.kubernetes.io/certificate-arnannotation is found, then the controller will attempt to attach certificates from ACM that best match what is required by the listener. Matching is done via the listeners'spec.rules[].hostentries, as well as any hostnames inspec.tls.hosts[]. Wildcard certificates are correctly matched.e.g.
If I have successfully issued a cert for
*.cv.dev.example.comand forwebsite.qifan.example.com, then the following ingress spec will attach both certs to all listeners of the ALB:Potential TODOs:
When multiple certs are attached to a listener, the correct certificate will be used via SNI. Clients that do not support SNI will use the default cert, which is chosen arbitrarily. The controller should instead try to attach the "best" cert as the default for a particular listener.
ALBs only support 25 certificate attachments per load balancer (https://aws.amazon.com/blogs/aws/new-application-load-balancer-sni/). There is no specific messaging for users whose ingress specs exceed this limitation.