feat: allowed ACM cert discovery to filter on CA ARNs (#3565) (#3591)

Author: the-technat

controllers/ingress/group_controller.go

@@ -60,7 +60,7 @@ func NewGroupReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorder
 		authConfigBuilder, enhancedBackendBuilder, trackingProvider, elbv2TaggingManager, controllerConfig.FeatureGates,
 		cloud.VpcID(), controllerConfig.ClusterName, controllerConfig.DefaultTags, controllerConfig.ExternalManagedTags,
 		controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, backendSGProvider, sgResolver,
-		controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), logger)
+		controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules, controllerConfig.IngressConfig.AllowedCertificateAuthorityARNs, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), logger)
 	stackMarshaller := deploy.NewDefaultStackMarshaller()
 	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler, elbv2TaggingManager,
 		controllerConfig, ingressTagPrefix, logger)

docs/deploy/configurations.md

@@ -71,6 +71,7 @@ Currently, you can set only 1 namespace to watch in this flag. See [this Kuberne
 |aws-max-retries                        | int                             | 10              | Maximum retries for AWS APIs |
 |aws-region                             | string                          | [instance metadata](#instance-metadata)   | AWS Region for the kubernetes cluster |
 |aws-vpc-id                             | string                          | [instance metadata](#instance-metadata)   | AWS VPC ID for the Kubernetes cluster |
+|allowed-certificate-authority-arns     | stringList                      | []              | Specify an optional list of CA ARNs to filter on in cert discovery (empty means all CAs are allowed) |
 |backend-security-group                 | string                          |                 | Backend security group id to use for the ingress rules on the worker node SG|
 |cluster-name                           | string                          |                 | Kubernetes cluster name|
 |default-ssl-policy                     | string                          | ELBSecurityPolicy-2016-08 | Default SSL Policy that will be applied to all Ingresses or Services that do not have the SSL Policy annotation |

helm/aws-load-balancer-controller/templates/deployment.yaml

@@ -159,6 +159,9 @@ spec:
         {{- if .Values.serviceTargetENISGTags }}
         - --service-target-eni-security-group-tags={{ .Values.serviceTargetENISGTags }}
         {{- end }}
+        {{- if .Values.certDiscovery.allowedCertificateAuthorityARNs }}
+        - --allowed-certificate-authority-arns={{ .Values.certDiscovery.allowedCertificateAuthorityARNs }}
+        {{- end }}
         {{- if or .Values.env .Values.envSecretName }}
         env:
         {{- if .Values.env}}

helm/aws-load-balancer-controller/values.yaml

@@ -350,6 +350,9 @@ controllerConfig:
   # NLBHealthCheckAdvancedConfig: true
   # ALBSingleSubnet: false
 
+certDiscovery: 
+  allowedCertificateAuthorityARNs: "" # empty means all CAs are in scope
+
 # objectSelector for webhook
 objectSelector:
   matchExpressions:

pkg/config/ingress_config.go

@@ -9,6 +9,7 @@ const (
 	flagIngressMaxConcurrentReconciles       = "ingress-max-concurrent-reconciles"
 	flagTolerateNonExistentBackendService    = "tolerate-non-existent-backend-service"
 	flagTolerateNonExistentBackendAction     = "tolerate-non-existent-backend-action"
+	flagAllowedCAArns                        = "allowed-certificate-authority-arns"
 	defaultIngressClass                      = "alb"
 	defaultDisableIngressClassAnnotation     = false
 	defaultDisableIngressGroupNameAnnotation = false
@@ -42,6 +43,9 @@ type IngressConfig struct {
 	// TolerateNonExistentBackendAction specifies whether to allow rules that reference a backend action that does not
 	// exist. In this case, requests to that rule will result in a 503 error.
 	TolerateNonExistentBackendAction bool
+
+	// AllowedCertificateAuthoritiyARNs contains a list of all CAs to consider when discovering certificates for ingress resources
+	AllowedCertificateAuthorityARNs []string
 }
 
 // BindFlags binds the command line flags to the fields in the config object
@@ -58,4 +62,5 @@ func (cfg *IngressConfig) BindFlags(fs *pflag.FlagSet) {
 		"Tolerate rules that specify a non-existent backend service")
 	fs.BoolVar(&cfg.TolerateNonExistentBackendAction, flagTolerateNonExistentBackendAction, defaultTolerateNonExistentBackendAction,
 		"Tolerate rules that specify a non-existent backend action")
+	fs.StringSliceVar(&cfg.AllowedCertificateAuthorityARNs, flagAllowedCAArns, []string{}, "Specify an optional list of CA ARNs to filter on in cert discovery")
 }

pkg/ingress/cert_discovery.go

@@ -2,7 +2,13 @@ package ingress
 
 import (
 	"context"
+	"slices"
+	"strings"
+	"sync"
+	"time"
+
 	"github.com/aws/aws-sdk-go/aws"
+	awssdk "github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/acm"
 	"github.com/go-logr/logr"
 	"github.com/google/go-cmp/cmp"
@@ -11,9 +17,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/cache"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/aws/services"
-	"strings"
-	"sync"
-	"time"
 )
 
 const (
@@ -33,7 +36,7 @@ type CertDiscovery interface {
 }
 
 // NewACMCertDiscovery constructs new acmCertDiscovery
-func NewACMCertDiscovery(acmClient services.ACM, logger logr.Logger) *acmCertDiscovery {
+func NewACMCertDiscovery(acmClient services.ACM, allowedCAARNs []string, logger logr.Logger) *acmCertDiscovery {
 	return &acmCertDiscovery{
 		acmClient: acmClient,
 		logger:    logger,
@@ -44,6 +47,7 @@ func NewACMCertDiscovery(acmClient services.ACM, logger logr.Logger) *acmCertDis
 		certDomainsCache:            cache.NewExpiring(),
 		importedCertDomainsCacheTTL: defaultImportedCertDomainsCacheTTL,
 		privateCertDomainsCacheTTL:  defaultPrivateCertDomainsCacheTTL,
+		allowedCAARNs:               allowedCAARNs,
 	}
 }
 
@@ -59,6 +63,7 @@ type acmCertDiscovery struct {
 	certARNsCache               *cache.Expiring
 	certARNsCacheTTL            time.Duration
 	certDomainsCache            *cache.Expiring
+	allowedCAARNs               []string
 	importedCertDomainsCacheTTL time.Duration
 	privateCertDomainsCacheTTL  time.Duration
 }
@@ -102,7 +107,10 @@ func (d *acmCertDiscovery) loadDomainsForAllCertificates(ctx context.Context) (m
 		if err != nil {
 			return nil, err
 		}
-		domainsByCertARN[certARN] = certDomains
+		if len(certDomains) > 0 {
+			domainsByCertARN[certARN] = certDomains
+		}
+
 	}
 	return domainsByCertARN, nil
 }
@@ -143,14 +151,20 @@ func (d *acmCertDiscovery) loadDomainsForCertificate(ctx context.Context, certAR
 		return nil, err
 	}
 	certDetail := resp.Certificate
-	domains := sets.NewString(aws.StringValueSlice(certDetail.SubjectAlternativeNames)...)
-	switch aws.StringValue(certDetail.Type) {
-	case acm.CertificateTypeImported:
-		d.certDomainsCache.Set(certARN, domains, d.importedCertDomainsCacheTTL)
-	case acm.CertificateTypeAmazonIssued, acm.CertificateTypePrivate:
-		d.certDomainsCache.Set(certARN, domains, d.privateCertDomainsCacheTTL)
+
+	// check if cert is issued from an allowed CA
+	if len(d.allowedCAARNs) == 0 || slices.Contains(d.allowedCAARNs, awssdk.StringValue(certDetail.CertificateAuthorityArn)) {
+		domains := sets.NewString(aws.StringValueSlice(certDetail.SubjectAlternativeNames)...)
+		switch aws.StringValue(certDetail.Type) {
+		case acm.CertificateTypeImported:
+			d.certDomainsCache.Set(certARN, domains, d.importedCertDomainsCacheTTL)
+		case acm.CertificateTypeAmazonIssued, acm.CertificateTypePrivate:
+			d.certDomainsCache.Set(certARN, domains, d.privateCertDomainsCacheTTL)
+		}
+		return domains, nil
 	}
-	return domains, nil
+	return sets.String{}, nil
+
 }
 
 func (d *acmCertDiscovery) domainMatchesHost(domainName string, tlsHost string) bool {

pkg/ingress/model_builder.go

@@ -44,8 +44,8 @@ func NewDefaultModelBuilder(k8sClient client.Client, eventRecorder record.EventR
 	trackingProvider tracking.Provider, elbv2TaggingManager elbv2deploy.TaggingManager, featureGates config.FeatureGates,
 	vpcID string, clusterName string, defaultTags map[string]string, externalManagedTags []string, defaultSSLPolicy string, defaultTargetType string,
 	backendSGProvider networkingpkg.BackendSGProvider, sgResolver networkingpkg.SecurityGroupResolver,
-	enableBackendSG bool, disableRestrictedSGRules bool, enableIPTargetType bool, logger logr.Logger) *defaultModelBuilder {
-	certDiscovery := NewACMCertDiscovery(acmClient, logger)
+	enableBackendSG bool, disableRestrictedSGRules bool, allowedCAARNs []string, enableIPTargetType bool, logger logr.Logger) *defaultModelBuilder {
+	certDiscovery := NewACMCertDiscovery(acmClient, allowedCAARNs, logger)
 	ruleOptimizer := NewDefaultRuleOptimizer(logger)
 	return &defaultModelBuilder{
 		k8sClient:                k8sClient,