Show ALB DNS name as cert gen target for aws byoc (#915)

* Show ALB DNS name as cert gen target for aws byoc

* update nix sha

* Do not load LB dns name from client side

* Keep old ServiceID in protobuf as some old state files still has it

* update nix hash

* Update spacing

* Remove unused alb functions

* Update nix sha

---------

Co-authored-by: Edward J <[email protected]>

Author: edwardrf

pkgs/defang/cli.nix

@@ -7,7 +7,7 @@ buildGoModule {
   pname = "defang-cli";
   version = "git";
   src = ../../src;
-  vendorHash = "sha256-AWdzmP3mLe1GtDCjnk+misSWgYnp1kduh/GaiaJhK6A=";
+  vendorHash = "sha256-of8K2h3gYoOdxHmBDXKiRfm35YeVE5R4WOy0pcSim4c=";
 
   subPackages = [ "cmd/cli" ];
 

src/go.mod

@@ -11,7 +11,7 @@ require (
 	cloud.google.com/go/secretmanager v1.14.2
 	cloud.google.com/go/storage v1.46.0
 	github.com/AlecAivazis/survey/v2 v2.3.7
-	github.com/aws/aws-sdk-go-v2 v1.32.4
+	github.com/aws/aws-sdk-go-v2 v1.32.6
 	github.com/aws/aws-sdk-go-v2/config v1.26.6
 	github.com/aws/aws-sdk-go-v2/service/cloudformation v1.42.6
 	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.35.4
@@ -22,7 +22,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/servicequotas v1.25.5
 	github.com/aws/aws-sdk-go-v2/service/ssm v1.44.7
 	github.com/aws/aws-sdk-go-v2/service/sts v1.26.7
-	github.com/aws/smithy-go v1.22.0
+	github.com/aws/smithy-go v1.22.1
 	github.com/awslabs/goformation/v7 v7.13.1
 	github.com/bufbuild/connect-go v1.10.0
 	github.com/compose-spec/compose-go/v2 v2.4.3
@@ -103,8 +103,8 @@ require (
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.16.16
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.25 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.25 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.10 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect

src/go.sum

@@ -46,8 +46,8 @@ github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migc
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
-github.com/aws/aws-sdk-go-v2 v1.32.4 h1:S13INUiTxgrPueTmrm5DZ+MiAo99zYzHEFh1UNkOxNE=
-github.com/aws/aws-sdk-go-v2 v1.32.4/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo=
+github.com/aws/aws-sdk-go-v2 v1.32.6 h1:7BokKRgRPuGmKkFMhEg/jSul+tB9VvXhcViILtfG8b4=
+github.com/aws/aws-sdk-go-v2 v1.32.6/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 h1:x6xsQXGSmW6frevwDA+vi/wqhp1ct18mVXYN08/93to=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2/go.mod h1:lPprDr1e6cJdyYeGXnRaJoP4Md+cDBvi2eOj00BlGmg=
 github.com/aws/aws-sdk-go-v2/config v1.26.6 h1:Z/7w9bUqlRI0FFQpetVuFYEsjzE3h7fpU6HuGmfPL/o=
@@ -56,10 +56,10 @@ github.com/aws/aws-sdk-go-v2/credentials v1.16.16 h1:8q6Rliyv0aUFAVtzaldUEcS+T5g
 github.com/aws/aws-sdk-go-v2/credentials v1.16.16/go.mod h1:UHVZrdUsv63hPXFo1H7c5fEneoVo9UXiz36QG1GEPi0=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tCKJDaHFwYEmxvlh2fAcFo8=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23 h1:A2w6m6Tmr+BNXjDsr7M90zkWjsu4JXHwrzPg235STs4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23/go.mod h1:35EVp9wyeANdujZruvHiQUAo9E3vbhnIO1mTCAxMlY0=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23 h1:pgYW9FCabt2M25MoHYCfMrVY2ghiiBKYWUVXfwZs+sU=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23/go.mod h1:c48kLgzO19wAu3CPkDWC28JbaJ+hfQlsdl7I2+oqIbk=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.25 h1:s/fF4+yDQDoElYhfIVvSNyeCydfbuTKzhxSXDXCPasU=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.25/go.mod h1:IgPfDv5jqFIzQSNbUEMoitNooSMXjRSDkhXv8jiROvU=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.25 h1:ZntTCl5EsYnhN/IygQEUugpdwbhdkom9uHcbCftiGgA=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.25/go.mod h1:DBdPrgeocww+CSl1C8cEV8PN1mHMBhuCDLpXezyvWkE=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 h1:n3GDfwqF2tzEkXlv5cuy4iy7LpKDtqDMcNLfZDu9rls=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.10 h1:5oE2WzJE56/mVveuDZPJESKlg/00AaS2pY2QZcnxg4M=
@@ -94,8 +94,8 @@ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 h1:QPMJf+Jw8E1l7zqhZmMlFw6w
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8=
 github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0=
 github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U=
-github.com/aws/smithy-go v1.22.0 h1:uunKnWlcoL3zO7q+gG2Pk53joueEOsnNB28QdMsmiMM=
-github.com/aws/smithy-go v1.22.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
+github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro=
+github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/awslabs/goformation/v7 v7.13.1 h1:QlPn8qwNCqYhrb4GW8kLjT4j1J49n5Qh/anpurCHxUA=
 github.com/awslabs/goformation/v7 v7.13.1/go.mod h1:FTCFMNesubEX0LAd6kIR+YkDD1U+5UaMbXtgPUgsck0=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=

src/pkg/cli/cert.go

@@ -89,12 +89,7 @@ func GenerateLetsEncryptCert(ctx context.Context, project *compose.Project, clie
 	for _, serviceInfo := range services.Services {
 		if service, ok := project.Services[serviceInfo.Service.Name]; ok && service.DomainName != "" && serviceInfo.ZoneId == "" {
 			cnt++
-			targets := []string{serviceInfo.PublicFqdn}
-			for i, endpoint := range serviceInfo.Endpoints {
-				if service.Ports[i].Mode == compose.Mode_INGRESS {
-					targets = append(targets, endpoint)
-				}
-			}
+			targets := getDomainTargets(serviceInfo, service)
 			term.Debugf("Found service %v with domain %v and targets %v", service.Name, service.DomainName, targets)
 			generateCert(ctx, service.DomainName, targets, client)
 		}
@@ -106,6 +101,20 @@ func GenerateLetsEncryptCert(ctx context.Context, project *compose.Project, clie
 	return nil
 }
 
+func getDomainTargets(serviceInfo *defangv1.ServiceInfo, service compose.ServiceConfig) []string {
+	// Only use the ALB for aws cert gen to avoid defang domain in the middle
+	if serviceInfo.LbDnsName != "" {
+		return []string{serviceInfo.LbDnsName}
+	} else {
+		targets := []string{serviceInfo.PublicFqdn}
+		for i, endpoint := range serviceInfo.Endpoints {
+			if service.Ports[i].Mode == compose.Mode_INGRESS {
+				targets = append(targets, endpoint)
+			}
+		}
+		return targets
+	}
+}
 func generateCert(ctx context.Context, domain string, targets []string, client client.FabricClient) {
 	term.Infof("Checking DNS setup for %v", domain)
 	if err := waitForCNAME(ctx, domain, targets, client); err != nil {

src/pkg/cli/cert_test.go

@@ -10,9 +10,15 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"slices"
+	"sort"
 	"strings"
 	"testing"
 	"time"
+
+	"github.com/DefangLabs/defang/src/pkg/cli/compose"
+	defangv1 "github.com/DefangLabs/defang/src/protos/io/defang/v1"
+	composetypes "github.com/compose-spec/compose-go/v2/types"
 )
 
 type tryResult struct {
@@ -236,3 +242,72 @@ func TestHttpClient(t *testing.T) {
 		t.Fatalf("expected 2nd dns lookup after cache expiry, but got %v", mr.calls)
 	}
 }
+
+func TestGetDomainTargets(t *testing.T) {
+	tests := []struct {
+		name        string
+		serviceInfo *defangv1.ServiceInfo
+		service     compose.ServiceConfig
+		expected    []string
+	}{
+		{
+			name: "use only lb dns name when present",
+			serviceInfo: &defangv1.ServiceInfo{
+				LbDnsName:  "aws.alb.com",
+				PublicFqdn: "app.defang.app",
+				Endpoints:  []string{"8080--app.defang.app", "8081--app.defang.app"},
+			},
+			service: compose.ServiceConfig{
+				Ports: []composetypes.ServicePortConfig{
+					{Mode: compose.Mode_INGRESS},
+					{Mode: compose.Mode_INGRESS},
+				},
+			},
+			expected: []string{"aws.alb.com"},
+		},
+		{
+			name: "use only public fqdn and end points when lb dns name is empty",
+			serviceInfo: &defangv1.ServiceInfo{
+				LbDnsName:  "",
+				PublicFqdn: "app.defang.app",
+				Endpoints:  []string{"8080--app.defang.app", "8081--app.defang.app"},
+			},
+			service: compose.ServiceConfig{
+				Ports: []composetypes.ServicePortConfig{
+					{Mode: compose.Mode_INGRESS},
+					{Mode: compose.Mode_INGRESS},
+				},
+			},
+			expected: []string{"app.defang.app", "8080--app.defang.app", "8081--app.defang.app"},
+		},
+		{
+			name: "only use endpoint of ingress ports",
+			serviceInfo: &defangv1.ServiceInfo{
+				LbDnsName:  "",
+				PublicFqdn: "app.defang.app",
+				Endpoints:  []string{"8080--app.defang.app", "8081--app.defang.app"},
+			},
+			service: compose.ServiceConfig{
+				Ports: []composetypes.ServicePortConfig{
+					{Mode: compose.Mode_INGRESS},
+					{Mode: compose.Mode_HOST},
+				},
+			},
+			expected: []string{"app.defang.app", "8080--app.defang.app"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			targets := getDomainTargets(tt.serviceInfo, tt.service)
+			if len(targets) != len(tt.expected) {
+				t.Errorf("expected %v targets, got %v", len(tt.expected), len(targets))
+			}
+			sort.Strings(targets)
+			sort.Strings(tt.expected)
+			if !slices.Equal(targets, tt.expected) {
+				t.Errorf("expected %v, got %v", tt.expected, targets)
+			}
+		})
+	}
+}