
Commit e5d625f

fixed the mTLS bug (#3717)
* fixed the mTLS bug #3715 * addressed comments * addressed comments * added tests * updated tests * updated tests * updated fix * updated annotation * fixed the mTLS bug #3715 addressed comments addressed comments added tests updated tests updated tests updated fix updated annotation fixed broken tests
1 parent 756fc5d commit e5d625f


6 files changed

+174
-80
lines changed


docs/guide/ingress/annotations.md

+58-55
@@ -14,51 +14,51 @@ You can add annotations to kubernetes Ingress and Service objects to customize t
1414
- Merge: such annotation can be specified on all Ingresses within IngressGroup, and will be merged together.
1515

1616
## Annotations
17-
| Name | Type |Default|Location|MergeBehavior|
18-
|-------------------------------------------------------------------------------------------------------|-----------------------------|-------|--------|------|
19-
| [alb.ingress.kubernetes.io/load-balancer-name](#load-balancer-name) | string |N/A|Ingress|Exclusive|
20-
| [alb.ingress.kubernetes.io/group.name](#group.name) | string |N/A|Ingress|N/A|
21-
| [alb.ingress.kubernetes.io/group.order](#group.order) | integer |0|Ingress|N/A|
22-
| [alb.ingress.kubernetes.io/tags](#tags) | stringMap |N/A|Ingress,Service|Merge|
23-
| [alb.ingress.kubernetes.io/ip-address-type](#ip-address-type) | ipv4 \| dualstack \| dualstack-without-public-ipv4 |ipv4|Ingress|Exclusive|
24-
| [alb.ingress.kubernetes.io/scheme](#scheme) | internal \| internet-facing |internal|Ingress|Exclusive|
25-
| [alb.ingress.kubernetes.io/subnets](#subnets) | stringList |N/A|Ingress|Exclusive|
26-
| [alb.ingress.kubernetes.io/security-groups](#security-groups) | stringList |N/A|Ingress|Exclusive|
27-
| [alb.ingress.kubernetes.io/manage-backend-security-group-rules](#manage-backend-security-group-rules) | boolean |N/A|Ingress|Exclusive|
28-
| [alb.ingress.kubernetes.io/customer-owned-ipv4-pool](#customer-owned-ipv4-pool) | string |N/A|Ingress|Exclusive|
29-
| [alb.ingress.kubernetes.io/load-balancer-attributes](#load-balancer-attributes) | stringMap |N/A|Ingress|Exclusive|
30-
| [alb.ingress.kubernetes.io/wafv2-acl-arn](#wafv2-acl-arn) | string |N/A|Ingress|Exclusive|
31-
| [alb.ingress.kubernetes.io/waf-acl-id](#waf-acl-id) | string |N/A|Ingress|Exclusive|
32-
| [alb.ingress.kubernetes.io/shield-advanced-protection](#shield-advanced-protection) | boolean |N/A|Ingress|Exclusive|
33-
| [alb.ingress.kubernetes.io/listen-ports](#listen-ports) | json |'[{"HTTP": 80}]' \| '[{"HTTPS": 443}]'|Ingress|Merge|
34-
| [alb.ingress.kubernetes.io/ssl-redirect](#ssl-redirect) | integer |N/A|Ingress|Exclusive|
35-
| [alb.ingress.kubernetes.io/inbound-cidrs](#inbound-cidrs) | stringList |0.0.0.0/0, ::/0|Ingress|Exclusive|
36-
| [alb.ingress.kubernetes.io/security-group-prefix-lists](#security-group-prefix-lists) | stringList |pl-00000000, pl-1111111|Ingress|Exclusive|
37-
| [alb.ingress.kubernetes.io/certificate-arn](#certificate-arn) | stringList |N/A|Ingress|Merge|
38-
| [alb.ingress.kubernetes.io/ssl-policy](#ssl-policy) | string |ELBSecurityPolicy-2016-08|Ingress|Exclusive|
39-
| [alb.ingress.kubernetes.io/target-type](#target-type) | instance \| ip |instance|Ingress,Service|N/A|
40-
| [alb.ingress.kubernetes.io/backend-protocol](#backend-protocol) | HTTP \| HTTPS |HTTP|Ingress,Service|N/A|
41-
| [alb.ingress.kubernetes.io/backend-protocol-version](#backend-protocol-version) | string | HTTP1 |Ingress,Service|N/A|
42-
| [alb.ingress.kubernetes.io/target-group-attributes](#target-group-attributes) | stringMap |N/A|Ingress,Service|N/A|
43-
| [alb.ingress.kubernetes.io/healthcheck-port](#healthcheck-port) | integer \| traffic-port |traffic-port|Ingress,Service|N/A|
44-
| [alb.ingress.kubernetes.io/healthcheck-protocol](#healthcheck-protocol) | HTTP \| HTTPS |HTTP|Ingress,Service|N/A|
45-
| [alb.ingress.kubernetes.io/healthcheck-path](#healthcheck-path) | string |/ \| /AWS.ALB/healthcheck |Ingress,Service|N/A|
46-
| [alb.ingress.kubernetes.io/healthcheck-interval-seconds](#healthcheck-interval-seconds) | integer |'15'|Ingress,Service|N/A|
47-
| [alb.ingress.kubernetes.io/healthcheck-timeout-seconds](#healthcheck-timeout-seconds) | integer |'5'|Ingress,Service|N/A|
48-
| [alb.ingress.kubernetes.io/healthy-threshold-count](#healthy-threshold-count) | integer |'2'|Ingress,Service|N/A|
49-
| [alb.ingress.kubernetes.io/unhealthy-threshold-count](#unhealthy-threshold-count) | integer |'2'|Ingress,Service|N/A|
50-
| [alb.ingress.kubernetes.io/success-codes](#success-codes) | string |'200' \| '12' |Ingress,Service|N/A|
51-
| [alb.ingress.kubernetes.io/auth-type](#auth-type) | none\|oidc\|cognito |none|Ingress,Service|N/A|
52-
| [alb.ingress.kubernetes.io/auth-idp-cognito](#auth-idp-cognito) | json |N/A|Ingress,Service|N/A|
53-
| [alb.ingress.kubernetes.io/auth-idp-oidc](#auth-idp-oidc) | json |N/A|Ingress,Service|N/A|
54-
| [alb.ingress.kubernetes.io/auth-on-unauthenticated-request](#auth-on-unauthenticated-request) | authenticate\|allow\|deny |authenticate|Ingress,Service|N/A|
55-
| [alb.ingress.kubernetes.io/auth-scope](#auth-scope) | string |openid|Ingress,Service|N/A|
56-
| [alb.ingress.kubernetes.io/auth-session-cookie](#auth-session-cookie) | string |AWSELBAuthSessionCookie|Ingress,Service|N/A|
57-
| [alb.ingress.kubernetes.io/auth-session-timeout](#auth-session-timeout) | integer |'604800'|Ingress,Service|N/A|
58-
| [alb.ingress.kubernetes.io/actions.${action-name}](#actions) | json |N/A|Ingress|N/A|
59-
| [alb.ingress.kubernetes.io/conditions.${conditions-name}](#conditions) | json |N/A|Ingress|N/A|
60-
| [alb.ingress.kubernetes.io/target-node-labels](#target-node-labels) | stringMap |N/A|Ingress,Service|N/A|
61-
| [alb.ingress.kubernetes.io/mutual-authentication](#mutual-authentication) | json |'[{"port": 443, "mode": "off"}]'|Ingress|Exclusive|
17+
| Name | Type |Default| Location | MergeBehavior |
18+
|-------------------------------------------------------------------------------------------------------|-----------------------------|------|-----------------|-----------|
19+
| [alb.ingress.kubernetes.io/load-balancer-name](#load-balancer-name) | string |N/A| Ingress | Exclusive |
20+
| [alb.ingress.kubernetes.io/group.name](#group.name) | string |N/A| Ingress | N/A |
21+
| [alb.ingress.kubernetes.io/group.order](#group.order) | integer |0| Ingress | N/A |
22+
| [alb.ingress.kubernetes.io/tags](#tags) | stringMap |N/A| Ingress,Service | Merge |
23+
| [alb.ingress.kubernetes.io/ip-address-type](#ip-address-type) | ipv4 \| dualstack \| dualstack-without-public-ipv4 |ipv4| Ingress | Exclusive |
24+
| [alb.ingress.kubernetes.io/scheme](#scheme) | internal \| internet-facing |internal| Ingress | Exclusive |
25+
| [alb.ingress.kubernetes.io/subnets](#subnets) | stringList |N/A| Ingress | Exclusive |
26+
| [alb.ingress.kubernetes.io/security-groups](#security-groups) | stringList |N/A| Ingress | Exclusive |
27+
| [alb.ingress.kubernetes.io/manage-backend-security-group-rules](#manage-backend-security-group-rules) | boolean |N/A| Ingress | Exclusive |
28+
| [alb.ingress.kubernetes.io/customer-owned-ipv4-pool](#customer-owned-ipv4-pool) | string |N/A| Ingress | Exclusive |
29+
| [alb.ingress.kubernetes.io/load-balancer-attributes](#load-balancer-attributes) | stringMap |N/A| Ingress | Exclusive |
30+
| [alb.ingress.kubernetes.io/wafv2-acl-arn](#wafv2-acl-arn) | string |N/A| Ingress | Exclusive |
31+
| [alb.ingress.kubernetes.io/waf-acl-id](#waf-acl-id) | string |N/A| Ingress | Exclusive |
32+
| [alb.ingress.kubernetes.io/shield-advanced-protection](#shield-advanced-protection) | boolean |N/A| Ingress | Exclusive |
33+
| [alb.ingress.kubernetes.io/listen-ports](#listen-ports) | json |'[{"HTTP": 80}]' \| '[{"HTTPS": 443}]'| Ingress | Merge |
34+
| [alb.ingress.kubernetes.io/ssl-redirect](#ssl-redirect) | integer |N/A| Ingress | Exclusive |
35+
| [alb.ingress.kubernetes.io/inbound-cidrs](#inbound-cidrs) | stringList |0.0.0.0/0, ::/0| Ingress | Exclusive |
36+
| [alb.ingress.kubernetes.io/security-group-prefix-lists](#security-group-prefix-lists) | stringList |pl-00000000, pl-1111111| Ingress | Exclusive |
37+
| [alb.ingress.kubernetes.io/certificate-arn](#certificate-arn) | stringList |N/A| Ingress | Merge |
38+
| [alb.ingress.kubernetes.io/ssl-policy](#ssl-policy) | string |ELBSecurityPolicy-2016-08| Ingress | Exclusive |
39+
| [alb.ingress.kubernetes.io/target-type](#target-type) | instance \| ip |instance| Ingress,Service | N/A |
40+
| [alb.ingress.kubernetes.io/backend-protocol](#backend-protocol) | HTTP \| HTTPS |HTTP| Ingress,Service | N/A |
41+
| [alb.ingress.kubernetes.io/backend-protocol-version](#backend-protocol-version) | string | HTTP1 | Ingress,Service | N/A |
42+
| [alb.ingress.kubernetes.io/target-group-attributes](#target-group-attributes) | stringMap |N/A| Ingress,Service | N/A |
43+
| [alb.ingress.kubernetes.io/healthcheck-port](#healthcheck-port) | integer \| traffic-port |traffic-port| Ingress,Service | N/A |
44+
| [alb.ingress.kubernetes.io/healthcheck-protocol](#healthcheck-protocol) | HTTP \| HTTPS |HTTP| Ingress,Service | N/A |
45+
| [alb.ingress.kubernetes.io/healthcheck-path](#healthcheck-path) | string |/ \| /AWS.ALB/healthcheck | Ingress,Service | N/A |
46+
| [alb.ingress.kubernetes.io/healthcheck-interval-seconds](#healthcheck-interval-seconds) | integer |'15'| Ingress,Service | N/A |
47+
| [alb.ingress.kubernetes.io/healthcheck-timeout-seconds](#healthcheck-timeout-seconds) | integer |'5'| Ingress,Service | N/A |
48+
| [alb.ingress.kubernetes.io/healthy-threshold-count](#healthy-threshold-count) | integer |'2'| Ingress,Service | N/A |
49+
| [alb.ingress.kubernetes.io/unhealthy-threshold-count](#unhealthy-threshold-count) | integer |'2'| Ingress,Service | N/A |
50+
| [alb.ingress.kubernetes.io/success-codes](#success-codes) | string |'200' \| '12' | Ingress,Service | N/A |
51+
| [alb.ingress.kubernetes.io/auth-type](#auth-type) | none\|oidc\|cognito |none| Ingress,Service | N/A |
52+
| [alb.ingress.kubernetes.io/auth-idp-cognito](#auth-idp-cognito) | json |N/A| Ingress,Service | N/A |
53+
| [alb.ingress.kubernetes.io/auth-idp-oidc](#auth-idp-oidc) | json |N/A| Ingress,Service | N/A |
54+
| [alb.ingress.kubernetes.io/auth-on-unauthenticated-request](#auth-on-unauthenticated-request) | authenticate\|allow\|deny |authenticate| Ingress,Service | N/A |
55+
| [alb.ingress.kubernetes.io/auth-scope](#auth-scope) | string |openid| Ingress,Service | N/A |
56+
| [alb.ingress.kubernetes.io/auth-session-cookie](#auth-session-cookie) | string |AWSELBAuthSessionCookie| Ingress,Service | N/A |
57+
| [alb.ingress.kubernetes.io/auth-session-timeout](#auth-session-timeout) | integer |'604800'| Ingress,Service | N/A |
58+
| [alb.ingress.kubernetes.io/actions.${action-name}](#actions) | json |N/A| Ingress | N/A |
59+
| [alb.ingress.kubernetes.io/conditions.${conditions-name}](#conditions) | json |N/A| Ingress | N/A |
60+
| [alb.ingress.kubernetes.io/target-node-labels](#target-node-labels) | stringMap |N/A| Ingress,Service | N/A |
61+
| [alb.ingress.kubernetes.io/mutual-authentication](#mutual-authentication) | json |N/A| Ingress |Exclusive|
6262

6363
## IngressGroup
6464
IngressGroup feature enables you to group multiple Ingress resources together.
@@ -790,16 +790,19 @@ TLS support can be controlled with the following annotations:
790790

791791
- <a name="mutual-authentication">`alb.ingress.kubernetes.io/mutual-authentication`</a> specifies the mutual authentication configuration that should be assigned to the Application Load Balancer secure listener ports. See [Mutual authentication with TLS](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html) in the AWS documentation for more details.
792792

793-
!!!note "Configuration Options"
794-
- `port: listen port `
795-
- Must be a HTTPS port specified by [listen-ports](#listen-ports).
796-
- `mode: "off" (default) | "passthrough" | "verify"`
797-
- `verify` mode requires an existing trust store resource.
798-
- See [Create a trust store](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html#create-trust-store) in the AWS documentation for more details.
799-
- `trustStore: ARN (arn:aws:elasticloadbalancing:trustStoreArn) | Name (my-trust-store)`
800-
- Both ARN and Name of trustStore are supported values.
801-
- `trustStore` is required when mode is `verify`.
802-
- `ignoreClientCertificateExpiry : true | false (default)`
793+
!!!note
794+
- This annotation is not applicable for Outposts, Local Zones or Wavelength zones.
795+
- "Configuration Options"
796+
- `port: listen port `
797+
- Must be a HTTPS port specified by [listen-ports](#listen-ports).
798+
- `mode: "off" (default) | "passthrough" | "verify"`
799+
- `verify` mode requires an existing trust store resource.
800+
- See [Create a trust store](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html#create-trust-store) in the AWS documentation for more details.
801+
- `trustStore: ARN (arn:aws:elasticloadbalancing:trustStoreArn) | Name (my-trust-store)`
802+
- Both ARN and Name of trustStore are supported values.
803+
- `trustStore` is required when mode is `verify`.
804+
- `ignoreClientCertificateExpiry : true | false (default)`
805+
- Once the Mutual Authentication is set, to turn it off, you will have to explicitly pass in this annotation with `mode : "off"`.
803806

804807
!!!example
805808
- [listen-ports](#listen-ports) specifies four HTTPS ports: `80, 443, 8080, 8443`

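--- a/pkg/deploy/elbv2/listener_manager.go
+++ b/pkg/deploy/elbv2/listener_manager.go
@@ -267,7 +267,7 @@ func isSDKListenerSettingsDrifted(lsSpec elbv2model.ListenerSpec, sdkLS Listener
 if len(lsSpec.ALPNPolicy) != 0 && !cmp.Equal(lsSpec.ALPNPolicy, awssdk.StringValueSlice(sdkLS.Listener.AlpnPolicy), cmpopts.EquateEmpty()) {
 return true
 }
-if !reflect.DeepEqual(desiredDefaultMutualAuthentication, sdkLS.Listener.MutualAuthentication) {
+if desiredDefaultMutualAuthentication != nil && !reflect.DeepEqual(desiredDefaultMutualAuthentication, sdkLS.Listener.MutualAuthentication) {
 return true
 }
 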
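Review bot: The `desiredDefaultMutualAuthentication != nil` guard added on line 270 makes a nil desired config mean "do not reconcile mutual authentication at all", and nothing at this line says so; a reader will assume nil means "off", which is what the removed code effectively enforced. This is the exact contract behind the new docs sentence about having to pass `mode: "off"` explicitly, so it belongs where the decision is made, e.g. `// nil desired config: the annotation is absent, so the listener's existing mTLS setting is intentionally left untouched (disabling requires an explicit mode "off")`. A consequence worth confirming is that once the annotation is removed, an out-of-band change to the listener's mutual-authentication setting no longer registers as drift, which may or may not be intended. `desiredDefaultMutualAuthentication` is computed before this hunk and isSDKListenerSettingsDrifted starts outside it.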

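--- a/pkg/ingress/model_build_listener.go
+++ b/pkg/ingress/model_build_listener.go
@@ -273,14 +273,10 @@ type MutualAuthenticationConfig struct {
 
 func (t *defaultModelBuildTask) computeIngressMutualAuthentication(ctx context.Context, ing *ClassifiedIngress) (map[int64]*elbv2model.MutualAuthenticationAttributes, error) {
 var rawMtlsConfigString string
-
-// If both Ingress annotation is missing mutual-authentication config, return default mutualAuthentication mode
 if exists := t.annotationParser.ParseStringAnnotation(annotations.IngressSuffixMutualAuthentication, &rawMtlsConfigString, ing.Ing.Annotations); !exists {
-return map[int64]*elbv2model.MutualAuthenticationAttributes{443: {
-Mode: string(elbv2model.MutualAuthenticationOffMode),
-}}, nil
-
+return nil, nil
 }
+
 var ingressAnnotationEntries []MutualAuthenticationConfig
 
 if err := json.Unmarshal([]byte(rawMtlsConfigString), &ingressAnnotationEntries); err != nil {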
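Review bot: The early return on new line 277 now yields a nil map where the old code returned a map holding a default off entry for port 443, and the comment explaining that default was deleted with it, so the nil-versus-populated distinction the function now relies on is undocumented. Ranging over or indexing a nil map is safe in Go, but any caller that distinguished a non-nil result (a `len` check, or writing into the returned map) should be re-checked against the new contract; the callers are not visible from this hunk. Add a doc comment on the function such as `// computeIngressMutualAuthentication parses the mutual-authentication annotation into per-port listener attributes. It returns nil (not an empty map) when the annotation is absent; the listener reconciler appears to treat nil as "leave the listener's current mTLS setting unchanged", so disabling mTLS requires an explicit entry with mode "off".` The rest of the function, including the JSON parsing, continues past the hunk.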
