
Commit ab021ab

committed
feat: add ssl redirect to IngressClassParams
1 parent 5199c55 commit ab021ab


8 files changed

+1420
-5
lines changed


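--- a/apis/elbv2/v1beta1/ingressclassparams_types.go
+++ b/apis/elbv2/v1beta1/ingressclassparams_types.go
@@ -140,7 +140,11 @@ type IngressClassParamsSpec struct {
 
 // SSLPolicy specifies the SSL Policy for all Ingresses that belong to IngressClass with this IngressClassParams.
 // +optional
-SSLPolicy string `json:"sslPolicy,omitEmpty"`
+SSLPolicy string `json:"sslPolicy,omitempty"`
+
+// SSLRedirectPort specifies the SSL Redirect Port for all Ingresses that belong to IngressClass with this IngressClassParams.
+// +optional
+SSLRedirectPort string `json:"sslRedirectPort,omitempty"`
 
 // Subnets defines the subnets for all Ingresses that belong to IngressClass with this IngressClassParams.
 // +optional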
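Review bot: `SSLRedirectPort` is declared as a free-form `string` with no validation marker, so the API server will admit values that are not a usable port (non-numeric text, `"0"`, `"70000"`) and the mistake only shows up, if at all, when the controller reconciles. If the CRD is generated from these markers, constrain the field at admission: either declare it as `*int32` with `// +kubebuilder:validation:Minimum=1` and `// +kubebuilder:validation:Maximum=65535`, or keep the string and add a `// +kubebuilder:validation:Pattern` marker that allows digits only. The doc comment should also say how this field interacts with the `alb.ingress.kubernetes.io/ssl-redirect` annotation, since the model builder in this commit lets the class-level value take precedence. The struct continues outside the hunk.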

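--- a/config/crd/bases/elbv2.k8s.aws_ingressclassparams.yaml
+++ b/config/crd/bases/elbv2.k8s.aws_ingressclassparams.yaml
@@ -226,6 +226,10 @@ spec:
 description: SSLPolicy specifies the SSL Policy for all Ingresses
 that belong to IngressClass with this IngressClassParams.
 type: string
+sslRedirectPort:
+description: SSLRedirectPort specifies the SSL Redirect Port for all
+Ingresses that belong to IngressClass with this IngressClassParams.
+type: string
 subnets:
 description: Subnets defines the subnets for all Ingresses that belong
 to IngressClass with this IngressClassParams.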

config/crd/gateway/gateway.k8s.aws_listenerruleconfigurations.yaml

Lines changed: 383 additions & 0 deletions
Large diffs are not rendered by default.

config/crd/gateway/gateway.k8s.aws_loadbalancerconfigurations.yaml

Lines changed: 339 additions & 0 deletions
Large diffs are not rendered by default.

config/crd/gateway/gateway.k8s.aws_targetgroupconfigurations.yaml

Lines changed: 475 additions & 0 deletions
Large diffs are not rendered by default.

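--- a/helm/aws-load-balancer-controller/crds/crds.yaml
+++ b/helm/aws-load-balancer-controller/crds/crds.yaml
@@ -225,6 +225,10 @@ spec:
 description: SSLPolicy specifies the SSL Policy for all Ingresses
 that belong to IngressClass with this IngressClassParams.
 type: string
+sslRedirectPort:
+description: SSLRedirectPort specifies the SSL Redirect Port for all
+Ingresses that belong to IngressClass with this IngressClassParams.
+type: string
 subnets:
 description: Subnets defines the subnets for all Ingresses that belong
 to IngressClass with this IngressClassParams.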

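--- a/pkg/ingress/model_builder.go
+++ b/pkg/ingress/model_builder.go
@@ -450,6 +450,15 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 func (t *defaultModelBuildTask) buildSSLRedirectConfig(ctx context.Context, listenPortConfigByPort map[int32]listenPortConfig) (*SSLRedirectConfig, error) {
 explicitSSLRedirectPorts := sets.Int32{}
 for _, member := range t.ingGroup.Members {
+if member.IngClassConfig.IngClassParams != nil && member.IngClassConfig.IngClassParams.Spec.SSLRedirectPort != "" {
+sslRedirectPort, err := strconv.ParseInt(member.IngClassConfig.IngClassParams.Spec.SSLRedirectPort, 10, 32)
+if err != nil {
+return nil, nil
+}
+explicitSSLRedirectPorts.Insert(int32(sslRedirectPort))
+continue
+}
+
 var rawSSLRedirectPort int32
 exists, err := t.annotationParser.ParseInt32Annotation(annotations.IngressSuffixSSLRedirect, &rawSSLRedirectPort, member.Ing.Annotations)
 if err != nil {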
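Review bot: The added `if err != nil { return nil, nil }` discards the parse error, so a malformed `sslRedirectPort` in IngressClassParams makes buildSSLRedirectConfig return no redirect config and no error; judging by that nil/nil return, the whole Ingress group would then be built without the HTTP-to-HTTPS redirect and nothing is reported to the operator. Return the failure instead, for example `return nil, fmt.Errorf("invalid sslRedirectPort %q in IngressClassParams: %w", member.IngClassConfig.IngClassParams.Spec.SSLRedirectPort, err)` (or the error-wrapping helper this file already uses, which is not visible here). `strconv.ParseInt(..., 10, 32)` also accepts zero, negative and above-65535 values, and whether the code after this hunk rejects them cannot be seen from here. The `continue` makes the class-level value silently override the member's `ssl-redirect` annotation, which deserves a short comment such as `// IngressClassParams takes precedence over the ssl-redirect annotation`. The function body continues outside the hunk.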

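--- a/pkg/ingress/model_builder_test.go
+++ b/pkg/ingress/model_builder_test.go
@@ -4811,18 +4811,22 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) {
 wantErr: nil,
 },
 {
-name: "single Ingress with ssl-redirect annotation",
+name: "single Ingress with IngressClassParam for ssl-redirect",
 fields: fields{
 ingGroup: Group{
 ID: GroupID{Namespace: "ns-1", Name: "ing-1"},
 Members: []ClassifiedIngress{
 {
+IngClassConfig: ClassConfiguration{
+IngClassParams: &v1beta1.IngressClassParams{
+Spec: v1beta1.IngressClassParamsSpec{
+SSLRedirectPort: "443",
+},
+},
+},
 Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
 Namespace: "ns-1",
 Name: "ing-1",
-Annotations: map[string]string{
-"alb.ingress.kubernetes.io/ssl-redirect": "443",
-},
 },
 Spec: networking.IngressSpec{
 Rules: []networking.IngressRule{
@@ -5155,6 +5159,199 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) {
 },
 wantErr: nil,
 },
+{
+name: "multiple Ingress with one IngressClassParam for ssl-redirect",
+fields: fields{
+ingGroup: Group{
+ID: GroupID{Namespace: "ns-1", Name: "ing-1"},
+Members: []ClassifiedIngress{
+{
+IngClassConfig: ClassConfiguration{
+IngClassParams: &v1beta1.IngressClassParams{
+Spec: v1beta1.IngressClassParamsSpec{
+SSLRedirectPort: "443",
+},
+},
+},
+Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
+Namespace: "ns-1",
+Name: "ing-1",
+Annotations: map[string]string{},
+},
+Spec: networking.IngressSpec{
+Rules: []networking.IngressRule{
+{
+Host: "app-1.example.com",
+IngressRuleValue: networking.IngressRuleValue{
+HTTP: &networking.HTTPIngressRuleValue{
+Paths: []networking.HTTPIngressPath{
+{
+Path: "/svc-1",
+Backend: networking.IngressBackend{
+Service: &networking.IngressServiceBackend{
+Name: "svc-1",
+Port: networking.ServiceBackendPort{
+Name: "http",
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+{
+Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
+Namespace: "ns-2",
+Name: "ing-2",
+},
+Spec: networking.IngressSpec{
+Rules: []networking.IngressRule{
+{
+Host: "app-2.example.com",
+IngressRuleValue: networking.IngressRuleValue{
+HTTP: &networking.HTTPIngressRuleValue{
+Paths: []networking.HTTPIngressPath{
+{
+Path: "/svc-2",
+Backend: networking.IngressBackend{
+Service: &networking.IngressServiceBackend{
+Name: "svc-2",
+Port: networking.ServiceBackendPort{
+Name: "http",
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+args: args{
+listenPortConfigByPort: map[int32]listenPortConfig{
+80: {
+protocol: elbv2model.ProtocolHTTP,
+},
+443: {
+protocol: elbv2model.ProtocolHTTPS,
+},
+},
+},
+want: &SSLRedirectConfig{
+SSLPort: 443,
+StatusCode: "HTTP_301",
+},
+wantErr: nil,
+},
+{
+name: "multiple Ingress with SSLRedirectPort defined by both annotation and IngressClassParams",
+fields: fields{
+ingGroup: Group{
+ID: GroupID{Namespace: "ns-1", Name: "ing-1"},
+Members: []ClassifiedIngress{
+{
+IngClassConfig: ClassConfiguration{
+IngClassParams: &v1beta1.IngressClassParams{
+Spec: v1beta1.IngressClassParamsSpec{
+SSLRedirectPort: "443",
+},
+},
+},
+Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
+Namespace: "ns-1",
+Name: "ing-1",
+Annotations: map[string]string{},
+},
+Spec: networking.IngressSpec{
+Rules: []networking.IngressRule{
+{
+Host: "app-1.example.com",
+IngressRuleValue: networking.IngressRuleValue{
+HTTP: &networking.HTTPIngressRuleValue{
+Paths: []networking.HTTPIngressPath{
+{
+Path: "/svc-1",
+Backend: networking.IngressBackend{
+Service: &networking.IngressServiceBackend{
+Name: "svc-1",
+Port: networking.ServiceBackendPort{
+Name: "http",
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+{
+Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
+Namespace: "ns-2",
+Name: "ing-2",
+Annotations: map[string]string{
+"alb.ingress.kubernetes.io/ssl-redirect": "443",
+},
+},
+Spec: networking.IngressSpec{
+Rules: []networking.IngressRule{
+{
+Host: "app-2.example.com",
+IngressRuleValue: networking.IngressRuleValue{
+HTTP: &networking.HTTPIngressRuleValue{
+Paths: []networking.HTTPIngressPath{
+{
+Path: "/svc-2",
+Backend: networking.IngressBackend{
+Service: &networking.IngressServiceBackend{
+Name: "svc-2",
+Port: networking.ServiceBackendPort{
+Name: "http",
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
+args: args{
+listenPortConfigByPort: map[int32]listenPortConfig{
+80: {
+protocol: elbv2model.ProtocolHTTP,
+},
+443: {
+protocol: elbv2model.ProtocolHTTPS,
+},
+},
+},
+want: &SSLRedirectConfig{
+SSLPort: 443,
+StatusCode: "HTTP_301",
+},
+wantErr: nil,
+},
 {
 name: "multiple Ingress with same ssl-redirect annotation",
 fields: fields{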
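Review bot: None of the added cases passes an invalid `SSLRedirectPort` (non-numeric or outside the port range) to buildSSLRedirectConfig, so the new parse-failure branch in model_builder.go is untested. The "defined by both annotation and IngressClassParams" case uses `443` on both sides, so it cannot show which source wins when they disagree. Add a case with `SSLRedirectPort: "abc"` that asserts the expected `wantErr`, and a case where one member carries both a params port and a different `alb.ingress.kubernetes.io/ssl-redirect` annotation value. The first hunk also rewrites the existing "single Ingress with ssl-redirect annotation" case instead of adding a new one next to it; keeping the original would preserve the annotation-only single-Ingress coverage.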
